[no eyes] uncover the underground porn induction website, get on the bus!

Posted by deaguero at 2020-03-24

1. Unexpected discovery

A few days ago, a friend was chasing the American drama "Quan 7", so occasionally he would drag me to find resources: "do you have the resources of Quan 7? "Help me find the cooked meat? Although I have been tucking up, I am not going to open a membership or Baidu / Google search, but I think again, for many friends in the non technology circle, many people always make complaints about this: the Internet is rich in resources, and Baidu Google is no longer a cow, and it is no better than a computer repair friend.

Well, look at the face of a crawfish, I will search for all kinds of keywords according to the name of the resource, and then send him "cooked meat" (HD no code with subtitles), and send him the website and links by the way, indicating that you can find the updated ones. After a week, the friend was embarrassed and said, "it seems that the resources of that website have stopped changing? Do you want to stop looking for help? ".

For the sake of two meals of crayfish, I repeated the previous actions, but this time, what I got was not only crayfish, but also an unexpected discovery. Before the search, the browser hung Adblock and other plug-ins, so we seldom saw web ads. on that day, we just had an upgrade, so we used a backup browser.

With the same keywords, I strolled around to various resource stations. Because some websites did not produce cooked meat version when searching resources, I closed the website and then went to other resource stations. In this way, I bounced back and forth several resource websites. And then they are always hot eyes from time to time on the following pop-up pages... Basically in this format:

The domain names of the websites visited by Mingming are different, but the contents of the pop-up boxes are almost the same. There are basically two possibilities:

First of all, these movie resource websites are linked by the horse, playing the box passively;

Second, the significance of these movie resource websites is to actively guide other "anchor", "live", "Pan porn" and "pornographic" websites.

Relying on the experience of **** and vaguely feeling that it is not the right way, I decided to take a look at the situation.

2. On earth

① Website content

In order to find out, I click these pop-up pictures on different websites in turn, and then jump to the corresponding website. Now I find that this matter is more and more strange. Except for the domain name, the whole layout of these websites is almost the same. Moreover, they are not "Pan pornographic" beauty websites, but pornographic websites! (it hurts to hit your hand with a code...)

② Induced payment

After analyzing the structure of the website and the layout of the content, it basically follows a rule: pictures are free to watch, videos can only be tried, all of which need to be paid for. For example, click on any video here, and then go to such a page to introduce = >

Click to play it now?

I've been loading, which is not quite the right way. I've only got 100m speed, and I haven't intercepted the page, so I guess this video is broken. Let's take another look?

Click again to play it now?

Still in [data loading], without seeing any preview, the website started to pop up the payment page again at this time (it seems that I want to tell you: spend more than ten or twenty yuan quickly, and you can no longer wait to see it immediately. The payment guide also explains "enjoy the wonderful journey! > = >

Most of them are operated by Uncle Xiaojiao = >

Yo, the current pornographic website, the user experience does so well? Also on the mobile payment train, WeChat and Alipay can be paid. From the product point of view, this induced payment can also be done. Whether you click the video pop-up box or click the [open Vip] button in the upper right corner of the website, different temptation pictures can pop up every time, and the price is very "people-friendly", which is more than 20 yuan.

However, after many pages of analysis, I guess that these websites may be just a shell, there is no video service at all, and the ultimate goal is to induce users to use WeChat or Alipay small payment, and then consumers will eat up. (to put it bluntly, it's a small amount of financial fraud based on pornographic inducement)

Well, I'm just guessing whether it's like this or not. It needs to be verified step by step later.

(the following content is relatively technical. If you are not interested, you can drag it to the end of the article to see the survey conclusion.)

3. Information collection

Intuitively, these websites should use the same kind of CMS (content management system), more directly, "pornographic CMS", and some pornographic gray production teams may be operating behind them. Since they are all CMS websites, they have the same banner, website logo, developer information and so on, that is, "website fingerprint".

① Check the website source code and find out the "website fingerprint", similar to this = >

Observe these websites. Each website has corresponding fingerprint information in the head and footer tags in the front-end code.

② Through Google or Bing, search according to website fingerprint and keyword syntax (such as Intel or intitle) = > (Note: to search such websites, it is recommended to turn off the security search function, otherwise the content searched is very small)

According to the situation obtained by several search engines, so many similar websites and pages should be a team in this industry. All of them purchased the same or similar CMS, then built it up by themselves, through search engine SEO or all kinds of resource websites, and promoted the payment through WeChat or Alipay.

It seems that this is more than just a few pornographic websites. It should involve the large-scale operation of pornographic induced fraud industry.

③ Next, we need to do further information collection, such as where the servers of these websites are located? Are they operating at home or abroad? What is contact information? See if there is relevance, is it decentralized or a large team operating? We detect the information of these pornographic website servers. Here, we use Shodan (Satan, the legendary "dark search engine") to analyze:

Website 1:

Open port: 21, 80

Server area: Qingdao, Shandong

Hosting service provider: Shanghai anxix network

Whois domain name information:

Filing information: not filed

Whois information: with security protection enabled, you can only see the information of the domain name service provider, without the personal information of the website operator

Website 2:

IP address: 103.229. X.x

Open port: 80

Server region: Hong Kong

Hosting service provider: Sun Network Ltd, new network (Hong Kong) Co., Ltd

Filing information: not filed

Domain name registrant: Wang XX

Contact information of registrant: [email protected]

Domain name service provider: Beijing lanxxx Technology Co., Ltd

Website 3:

IP address: 107.154. X.x

Open ports: 80, 81, 88, 443 Server region: Overseas (US)

Hosted service provider: incapsula

Whois domain name information:

Filing information: not filed

Domain name service provider: GoDaddy (domain name protection enabled, no registration information)

Website 4:

IP address: 107.151. X.x

Open ports: 80, 21, 88, 443

Server region: Overseas (US)

Hosted service provider: vpsqan

Whois domain name information: domain name protection is enabled, no registrant information

Website 5:

IP address: 103.234. X.x

Open ports: 80, 21, 443, 12345

Server region: Hong Kong

Whois domain name information: domain name protection is enabled, no registrant information

Website 6:

IP address: 23.23. X.x

Open ports: 80, 21, 5985

Server region: Overseas (US)

Filing information: not filed

Registered in Fujian Province

Domain name service provider: Godaddy

Domain name registrant: lixx

Contact information of registrant: [email protected]


Through the analysis of more than 20 websites, it is found that no matter server region, server trusteeship, domain name registrar, registrant information, etc., are very scattered. But some information is still available:

a. 80% of these websites are hosted in Hong Kong and overseas (US);

b. No formal record has been made;

c. Most of them don't leave the information of the registrant. Some of them will leave QQ email.

Summary: after the above four steps of information collection, we can get the basic situation: these pornographic websites are operated by many small teams in a decentralized way, and they are built and operated by purchasing similar "pornographic CMS"; in addition, in order to avoid domestic supervision, most of them choose to host servers to major service providers in Hong Kong and the United States, and rarely leave a registered contact Information. (follow up can be further tracked through WeChat and Alipay, website database, etc.)

4. Vulnerability mining

If the entrapment process is normal, the most direct way is to use "Fishing law enforcement", such as direct WeChat or Alipay payment, and then see if it can be added to friends, then directly uncover behind the operator (if the other side uses the trumpet, and Tencent and Ali do not intervene, this method is not feasible).

So before that, let's see if we can make a breakthrough in technology. For example, can we get the backstage database, find the backstage management page, take over the website directly, or find more detailed administrator account information through the database, or even get the whole server permission through the server's right promotion? And the premise to achieve these is: can we find the loophole of this set of "pornographic CMS"?

Considering that this kind of web software is "underground", unlike the well-known discuz forum, there are many open vulnerabilities and penetration tools that can be directly used. So, first use the web leak scan to see if you can find the regular vulnerability. First of all, I started to work on several pornographic websites hosted in foreign countries, and found that they are all PHP + MySQL architectures, many of which run on Windows + IIS. Fortunately, SQL injection and XSS cross site scripting vulnerabilities can be found generally. Of course, whether these vulnerabilities can be used or not needs to be further verified.

(Note: burp / awvs / appscan is optional for the above-mentioned missed scanning. More specific use is omitted here.)

5. SQL injection penetration

Next, look for a few injection points manually. Click the classification list of the website to get a link similar to "PHP? Id = x" = >

Here we collect a batch of injection points from different websites, and then we take the artifact sqlmap out for a walk. Different websites have different protection conditions (for example, WAF is installed), and the injection effect is different. One command cannot go black. It is necessary to adjust the injection parameters, such as whether to lengthen the time delay, whether to use random head, and whether to increase the injection level. According to this idea, we need to use these instructions:

① SQL injection gets database and administrator information

[email protected]:~# -u http://txxxcom/list.php?id=1 --dbs --users [email protected]:~# -u http://txxxcom/list.php?id=1 --dbs --users --dbms mysql [email protected]:~# -u http://txxxcom/list.php?id=1 --dbs --users --time-sec 2 --dbms mysql --level=2 --risk=2 --random-agent

② According to the injected database, obtain the data table in the database -u http://txxxcom/list.php?id=1 --tables -D "aaaaaa" -u http://txxxcom/list.php?id=1 --tables -D "aaaaaa" --random-agent

③ Get administrator data sheet or violent pants removal -u http://txxxcom/list.php?id=1 --dump -T "xxadminxx" -D "aaaaaa" -u http://txxxcom/list.php?id=1 --dbms mysql --dump-all -D "aaaaaa"

(injection failed)

(injection succeeded, downloading database and obtaining administrator account password)

(the injection is successful, and the administrator password is cracked. Here, the hash value does not run out. It needs to be cracked with the help of online MD5 tool.)

Screenshot of some successful websites under dump database:

6. Password explosion and background login management

① Through the above SQL injection, we get the administrator user name and password hash value (MD5 value) of these websites. We need to crack MD5 violently. The success rate of cracking is still uncertain. If the hash value is "salted", the success rate will be greatly reduced, so we can only take chances.

Here you can find several online MD5 websites and run around to have a look:

This is a six digit number. It can break in seconds. Try the next = >

This one can't be cracked. It's estimated that the password length is relatively long. Continue to try other = >

8-digit password, the same second break. In addition, different online MD5 websites have different hash storage capacity and computing speed. Some back ends also include leaked social worker database information, so multiple websites can try.

② After getting the password of the administrator account corresponding to most websites, you can enter the background management to find out, but how to enter? The front page of the website does not have "management", "background" and other words for us to click to enter.

Some of these websites can enter the backstage by default with the management of Some of them have changed the backstage address and need to be detected by the backstage scanner (havij, Yujian, burp).

Directly use admin as the background management page:

There are some changes in the background path:

Although the domain names as like as two peas are different, even the operators are different. The background management page is exactly the same.

③ Then I entered the backstage, and then I was a little shocked: it has been clearly stated as "induced payment, induced payment"! In other words, there is a professional team specializing in the production of such pornographic inducement websites. This is just a "pornographic CMS" I accidentally found. There must be a lot more

Let's see how the "induced payment" system works?

a. Management account

b. Add resources: videos and pictures on the website are added here

b. Resource addition: most pictures and video links are external links. In addition to pictures, some videos are empty at all, and some are invalid links (fake)

b. Resource addition: the pictures in the library list are all stored in the external chain instead of local storage

c. Classification settings: you can make simple changes to the picture classification on the homepage of the website

d. Payment settings: This is the key! Change the QR code to your own, and you can wait for the fool to pay! (much better than bitcoin.)

Summary: through the analysis of the background system, I basically sat down to my initial guess: these so-called pornographic websites are themselves "shells", all the pictures are external chains, and almost all of the videos are fake. Even if someone really paid for it through WeChat or Alipay, after seeing the jump, it will always be a "resource loaded" black screen page. 。 (this is really "the money has been paid, and the pants have been taken off. Show me this?! "..."

In short, this kind of "tempting payment" system, dressed in pornographic skin, takes the car of mobile payment and deceives the majority of "consumers". Because of the "particularity" of the service, most of the servers are set up abroad, and the transaction finance is small. Such users are basically suffering from dumb losses, most of which is to leave a "shit" and learn a little bit.

Tips: when writing an article, I suddenly have a curious search, and then I see someone asking questions on some Q & A pages = >

Do you want to tell him the truth?

Next, what else can I do after I get the background management authority of the website? You can also think about lifting the right to take down the whole server, but it's not the focus of this article. Here's a general idea: you can pop out the physical path, consider a sentence of picture Trojan horse (you need to consider naming filter), and then try to use kitchen knife or other webshell tools to manage = >

7. At the end of the article

① According to the above content, we can show the whole chain of pornographic induction in the following pictures = >

② Next, do you want to find out these pornographic inducers? (remember, this is pornographic fraud, not "1024" or "Cao Liu") this is beyond my ability. The number is too large to be measured. Who can I find out?

And there must be a similar one to get rid of a station, which needs cloud providers (providing server hosting), mobile payment platforms (WeChat payment, Alipay payment), internet police, and all sectors of society.

③ There has always been a saying that "more than half of the Internet traffic and funds belong to pornography and 'spinach'", which I didn't believe before, but now I believe a little. A large number of "underground" websites are not on the table, and how "black" or "dark" these websites are, is beyond our imagination and our bottom line.

④ This pornographic fraud case is only one of "grey industry"; with the rapid development of cloud services and the extreme convenience of mobile social networking and payment, this kind of "grey industry" service has gradually penetrated into our lives. Have you ever encountered similar or other cases? How did you solve it?

(in addition, if you love your friends, show them to him, and don't let him get hurt any more...)


This is the beginning of the "no look" series, involving penetration testing, web security, WiFi security and other topics. Occasionally, the facts of grey production reduction are decrypted, and occasionally cross updated with the [graphic] series. Next series: discuss IP protocol principle, packet structure, address structure, IP attack and defense (fragment attack, spoofing attack)


Illustration of ARP protocol (3) ARP defense chapter - how to find out "inner ghost" and "elegant counter attack"?

Zhihu column: learn from Jiege about network and security

Sina Weibo: @ Chen Xinjie

WeChat official account: Chen Xinjie, the dean of the pingsec, can be concerned.

College: (it college focusing on network, security, operation and maintenance)