
Title: Analyzing the entire process and routine of recording the Internet scammer's site

This is a long story with its ups and downs. Friends, settle in and bring your own snacks. The full text covers the information-gathering and break-in process in detail, and also takes apart how this type of fraud works, to raise awareness and help with prevention.

0x00 The beginning of the dream

It was a sunny afternoon. In the middle of the daily brick-moving (the daily grind) I received a company email.

email-send

Seeing the familiar wording, I glanced at the attachment below; it had a familiar smell to it, so I saved it.

email-qrcode

The administrator noticed something was wrong right away and sent out a notice saying that an employee's account had been compromised and that nobody should trust the email's contents. The original email was also marked as spam. (Last time a similar email was deleted too quickly and the matter ended before it even started. This time it was not getting away ( ̄_, ̄ ). As a good young man and a good five-star citizen, it was time to carry forward the spirit of Lei Feng.)

And this picture is where the whole dream began.

0x01 Information Collection

0x001 Review Domain Name

The starting information is very limited: a single picture, and everything beyond it is guesswork. But this one entry point is enough. Let's pull out the tool and decode the information in the QR code:

email-qrcode-analyze-url

No extra data, just a single web link. Looking at the domain name, the corner of my mouth rose slightly. Analyze the domain name first:

cmd-nslookup

By the time this article was written the domain no longer resolved; the takedown was quite fast. Fortunately I had kept a record earlier. The domain changed constantly, no CDN was found in use, and all traffic went straight to the origin server. I looked it up and it was a server in Hong Kong:

front-query-ip

Then a whois lookup to collect related information:

cmd-whois

As expected, it was registered through a third-party registrar and there is no additional useful information, but the registration time is quite interesting: it was registered this month, so the scammers move fast. Next, the only option is to go to the registrar's website and take a look:

front-west-whois

It's West.cn (西部数码) again, which seems to be rather popular with them. The registrar offers a privacy-protection service, so the registrant information is not public and nothing useful can be obtained for now.

0x002 Review IP

The only clue now is the IP that resolved earlier. Take it step by step: first, scan the ports and services to collect more information:

cmd-nmap-port-services

Not bad. A few familiar faces showed up. Following the usual process, I ran the default scripts to analyze the service information on each port:

cmd-nmap-default-script

No anonymous FTP was detected, but HTTP supports TRACE and no HttpOnly flag is set, so there may be an opening for XSS; note that down in the little notebook first. Then, as usual, a targeted brute-force run with the default dictionary; you always have to try, just in case:

cmd-nmap-ftp-brute

I tried all the remaining ports and, as expected, didn't get much; they at least seem to have basic password-strength awareness. In addition, port 8888 appeared in the earlier scan. Remember that this is the default admin entrance of the Baota (宝塔, "Pagoda") server-management panel, so let's try it:

front-baota-login-pre

There is a secure-entry check, which at least proves it really is a Baota panel. Brute-forcing it, however, is not realistic: by default the entry URL suffix is about 8 characters of mixed-case letters and digits, i.e. 62 to the power of 8, about 20 trillion combinations, which is enough to make one go bald. Set it aside for later and move on to other directions.

0x003 Review Page

Now for the main course. Since the QR code is a link that jumps to a web page, and ports 80 and 443 are open, of course I had to open the page and take a look, with the developer tools open at the same time to see what little tricks it pulls:

front-home-mobile

Oh, it even detects the device type. The target users are quite clear, so let's switch to a mobile view and take a look:

front-home-index

Emmm. How to put it: it has just the right flavour. At first glance you can't tell it apart; the imitation is quite good (and they are really bold, impersonating a government website). Then I looked at the headers returned by the interface and found it runs on Windows, IIS 7.5 + ASP.NET:

front-home-headers
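The default-script scan noted TRACE support and a session cookie without HttpOnly, and the headers just shown disclose IIS 7.5 and the ASP.NET version. The following is an added example, not code from the original post: a small audit that reads a raw HTTP response and flags exactly those three weaknesses. The sample response is constructed to mirror the header shape described here, not captured from the site.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    header: str
    detail: str

def parse_response(raw: bytes) -> tuple:
    """Split a raw response into (status line, [(name, value), ...]); Set-Cookie may repeat."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_response(raw: bytes) -> list:
    """Flag TRACE support, cookies without HttpOnly/Secure, and version disclosure."""
    _, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name in ("allow", "public"):
            methods = {m.strip().upper() for m in value.split(",")}
            if "TRACE" in methods:
                findings.append(Finding("medium", name,
                                        "TRACE enabled: cross-site tracing can expose cookies"))
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.lower() for p in parts[1:]}
            if "httponly" not in attrs:
                findings.append(Finding("high", name, f"{cookie}: missing HttpOnly"))
            if "secure" not in attrs:
                findings.append(Finding("medium", name, f"{cookie}: missing Secure"))
        elif name in ("server", "x-powered-by", "x-aspnet-version"):
            findings.append(Finding("low", name, f"version disclosure: {value}"))
    return findings

# Constructed sample, shaped like the IIS 7.5 / ASP.NET headers described above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nX-Powered-By: ASP.NET\r\n"
    b"X-AspNet-Version: 4.0.30319\r\nPublic: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    b"Set-Cookie: lang=zh-CN; path=/; HttpOnly; Secure\r\n"
    b"Content-Type: text/html\r\n\r\n<html>...</html>"
)
```

The session cookie is the one that matters: a cookie readable by script is what turns an XSS or TRACE reflection into session theft.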

Note this down first; it will be useful when digging for vulnerabilities later. After poking around I found the page is otherwise empty, and only the pop-up at the "process now" entrance leads anywhere. The page it jumps to:

front-apply-btn

The description is quite thorough, so that everyone can find the case that fits them. Click "apply now":

front-input-name-id

Then the one-stop personal-information collection service begins, starting with name and ID number. Also note the file name of the PNG header image loaded next to it. Uh, is this a blatant hint from the developer? Enter some information here and see:

front-input-name-error

There is actually validation. Set a breakpoint and look at the source logic:

front-input-name-breakpoint

Checking the number this thoroughly is a real hassle, but front-end validation is all paper tigers, so no folk remedies are needed here. Just use the developer tool's source editing and override feature and make the validation function return true directly:

front-input-name-override

Then pass the check and go to the next step:

front-input-bank

This step collects the bank card number, its password and the bound mobile number. Alas, the intent is very obvious: no transfer is needed once you have the other party's card password. I filled this in casually too and used the same method to bypass the bank card validation, but I found something interesting in one of the loaded script files:

front-input-bank-js-source

The developer didn't even delete the debugging data from the source: an Alipay interface is called with the other party's debug account (which once again proves how important it is for a developer to strip code comments from the production environment =_=):

front-input-bank-amount

The next page collects the name and ID number again, plus the bank card balance (presumably to size up the victim's real situation for whatever comes next), and I subconsciously checked my own balance. As expected, I didn't even have the courage to lie here T_T. Fill it in right away and move on:

front-input-bank-amount-value

front-submit-loading

Then the page keeps loading and refreshing with no further redirects, presumably to buy the scammers time to operate. That wraps up the web page side for now; I have a rough understanding of the flow, so on to other directions.

0x02 Vulnerability mining

0x001 SQL injection

Information collection is roughly done, so let's break things one by one, starting with the most familiar: the web page. Reviewing the page earlier showed many forms and input boxes, all potential breakthrough points. Which technique works best? First, use the trusty Burp to intercept the form data from the earlier bank card number and password submission:

burp-form-field

Then make a simple injection attempt and check the error message:

burp-sql-inject-simple

No reaction; there must be basic validation. Change the payload:

burp-sql-inject-union-select

A reaction this time, and it looked like hope. The response is garbled, probably an encoding problem in their program, but from the sentence structure it seems to be a SQL error. I tried several more in succession and got the same response. So let's leave the remaining tedious work to the tool: pull out sqlmap and run it:

cmd-sqlmap

After several rounds with different parameters, no success; the filtering must be fairly thorough. Then, while testing another page, I discovered what the error message actually meant:

burp-sql-inject-err-res

Well, I'm still too green; I was wrong. The program had simply detected SQL keywords in the field value. I also recalled that the earlier scan suggested a TRACE-related issue; after testing, it turns out the server doesn't actually support it:

burp-trace-method

Then I thought again: when designing the table column for the password field, a developer would take its short length into account to save space, because this is a bank card password and everyone knows it is 6 digits. So let's send a huge value and see if there are any surprises:

burp-post-mass-data

Awkward: not really a surprise. There is no special handling and it just throws a server-side error. I tried several other pages in turn with no real gain. Things were at a stalemate, so I temporarily shifted to another battlefield.
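Two things in this section only work because nothing is checked server-side: the validation bypass by making the JavaScript function return true, and the oversized password that reaches the database and produces a server error. As an added example (not code from the original post), this is what the same checks look like when a legitimate service enforces them on the server: the ID number is verified with the GB 11643 check character, the card password must be exactly six digits, and every field is length-capped before anything else is looked at. The sample submission is constructed; the ID number is the widely used format example, not a real person's.

```python
import re
from datetime import datetime

MAX_FIELD_LEN = 64   # hard cap, applied before any other check

# GB 11643-1999 resident ID: 17 digits + ISO 7064 MOD 11-2 check character
ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
ID_CHECK_CHARS = "10X98765432"

def valid_id_number(value: str) -> bool:
    """True if the 18-character ID has a real birth date and a correct check character."""
    if not re.fullmatch(r"[0-9]{17}[0-9X]", value):
        return False
    try:
        datetime.strptime(value[6:14], "%Y%m%d")   # positions 7-14 are YYYYMMDD
    except ValueError:
        return False
    total = sum(int(d) * w for d, w in zip(value[:17], ID_WEIGHTS))
    return ID_CHECK_CHARS[total % 11] == value[17]

def validate_form(form: dict) -> dict:
    """Server-side version of the checks the page's JavaScript did client-side.

    Returns {field: error}; an empty dict means the submission is acceptable.
    Presence and length are checked first for every field, so an oversized
    card password is rejected before it reaches a column sized for 6 digits."""
    errors = {}
    for key in ("name", "id_number", "card_password", "mobile"):
        value = form.get(key)
        if not isinstance(value, str) or not value:
            errors[key] = "missing"
        elif len(value) > MAX_FIELD_LEN:
            errors[key] = "too long"
    if errors:
        return errors
    if not re.fullmatch(r"[\u4e00-\u9fa5·]{2,30}|[A-Za-z .'-]{2,60}", form["name"]):
        errors["name"] = "invalid name"
    if not valid_id_number(form["id_number"].upper()):
        errors["id_number"] = "invalid ID number"
    if not re.fullmatch(r"[0-9]{6}", form["card_password"]):
        errors["card_password"] = "must be exactly 6 digits"
    if not re.fullmatch(r"1[0-9]{10}", form["mobile"]):
        errors["mobile"] = "invalid mobile number"
    return errors

# Constructed submission; the ID number is the common format example, not a real person's.
SAMPLE_SUBMISSION = {"name": "张三", "id_number": "11010519491231002X",
                     "card_password": "123456", "mobile": "13800138000"}
```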

0x002 Metasploit penetration

Finally it's Metasploit's turn, ready to go:

msf-banner

First search for known vulnerabilities in IIS:

msf-search-iis

There are many, so let's try a few that match the conditions first. I'll only give one example here rather than show them one by one:

msf-run-ektron

Then the other ports and services were tested one by one, but no breakthrough; it seems the patching is quite complete. For now it's a dead end. Although msf still has many modules to try, I wasn't ready to keep testing in depth, because there was another important thing not yet done.

0x003 Site Directory Enumeration

Site directory scanning: how could something this important be skipped? There are many tools to choose from, such as DirBuster. Here I use the Discover content tool under Burp Suite's Engagement tools to brute-force directories:

burp-dirbus-menu

burp-dirbus-config

The large built-in wordlists are sufficient, but it all goes over the network and the process is extremely long. It can run in the background without getting in the way of other work, though. Here is a scan result:

burp-dirbus-sitemap

Good grief! I had no idea until I scanned, and the results were a shock: I had missed so many hidden entrances. I noted them down and explored one by one, but my eyes couldn't help locking onto the file called upload.asp. No need for me to spell out such an obvious hint from the developer (ヨ( ▔, ▔ )ㄏ);

burp-upload-get

Accessing it directly returns no data. Wrong method? Change it to a POST with multipart file data and try again:

cmd-curl-upload-file

Uploading this way doesn't work; maybe additional validation parameters are needed. I had just scanned a batch of pages I hadn't seen before, so I went back and analyzed their source one by one, hoping for some gain:

front-upload-source

Sure enough, one of the pages contains the form that calls this upload interface, as a hidden element. Judging from the page content, it is meant to collect documents uploaded by the user, such as ID card photos. I then looked at the corresponding JS source, and there are indeed some check values among the interface parameters:

front-upload-js-fn

Analyzing and calling these functions by hand to upload a file is too much trouble. Isn't there a hidden form right here? It's far easier to just modify the code to unhide it and operate through the UI (¬‿¬):

front-upload-show-form

It looks a bit crude, but it doesn't matter as long as it works. Upload a file to try:

front-upload-done

Then visit the uploaded file to see the effect:

front-upload-access

Well now, this is EXCITING! The corner of my mouth rose slightly again, but calm down first and check whether there is any file-type validation. The service is ASP.NET, so just upload an ASP file. The following code prints the server software name on the page:

<% Response.Write(Request.ServerVariables("SERVER_SOFTWARE")) %>

Upload it and take a look:

front-upload-asp-info

This... what else can I say? Silence speaks louder than words here. But this is not the end, only a good starting point; everything has just begun (¬‿¬);
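The upload endpoint above accepted an .asp file into a web-served directory and the server executed it. As an added example (not code from the original post), this is the server-side handling that would have closed that hole for an "ID photo" upload: an extension allowlist cross-checked against the file's magic bytes, refusal of double extensions, a server-chosen random file name, and storage in a directory that is served as static content only. The file names and byte strings in the tests are constructed.

```python
import os
import secrets
from pathlib import Path

# The ID-photo form only needs images: extension -> accepted leading bytes (magic).
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

class UploadRejected(ValueError):
    """Raised for anything that is not a plain image file."""

def check_upload(filename: str, data: bytes) -> str:
    """Validate an upload's name and content; return the extension to store it under.

    The client name is consulted only for its extension, which is then cross-checked
    against the file's magic bytes, so an .asp script renamed to .jpg is refused."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory part
    # Exactly one dot: refuses double extensions and names carrying ';' or NUL tricks
    if not base or "\x00" in base or ";" in base or base.count(".") != 1:
        raise UploadRejected(f"suspicious file name: {base!r}")
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext}")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    return ext

def is_accepted(filename: str, data: bytes) -> bool:
    try:
        check_upload(filename, data)
        return True
    except UploadRejected:
        return False

def storage_name(ext: str) -> str:
    """Server-chosen random name: the uploader never controls the stored path."""
    return secrets.token_hex(16) + ext

def store_upload(filename: str, data: bytes, upload_root: Path) -> Path:
    """Write a validated upload under upload_root, a directory outside the web root
    served only as static content so nothing in it is ever handed to a script engine."""
    dest = Path(upload_root) / storage_name(check_upload(filename, data))
    dest.write_bytes(data)
    return dest
```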

0x004 Unexpected harvest

In fact, there is another very interesting directory on the site, called jieliuzi. Although I had figured out the other side's developers' habit of naming things in Chinese pinyin, I couldn't work out what this one meant, not even by guessing and typing in candidates; I only understood after going in and exploring the details =_=. Chinese culture really is profound. In any case, look at the page:

front-jieliuzi-login

It is a login page, very minimal, and actually a desktop-site page. The scammers are quite "romantic" in some respects. The reason the full picture isn't shown here is that it's too exciting (how to put it, um, the login box is really the only innocent part), and I'm afraid it wouldn't pass moderation. Also note the title at the top of the page; my first reaction was that it isn't meant literally, and it doesn't sound like a good word. I went to Baidu specifically for it:

front-whaling-meaning-1
