Fellow V2EX users, help me analyze this HTTPS hijack

quxuanxuan · 2023-06-02 11:48:27 +08:00 · 907 clicks

This is a curl command run inside a pod in k8s, and it got hijacked to http://144.dragonparking.com

And it is intermittent: for a while it gets hijacked, then for a while it is normal.

Running curl on the host has never shown the hijack.

How is this done?

Below is the HTML returned by the hijack.

    <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>tencentcloudapi.com</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <script type='text/javascript' language='JavaScript'> var domain = 'tencentcloudapi.com'; var uniqueTrackingID = 'MTY4NTU3OTcwNi4xODgzOmZlODk3NWU3ODcyMjg1MDg2YWNlZGU1NTM5YWZlMTBmNDFmMWQyYzIzZTQ5MGY0OTA2MDE1ZTViN2I3ZDEwYTU6NjQ3N2U3YmEyZGZiOA=='; var clickTracking = false; var themedata = ''; var xkw = ''; var xsearch = ''; var xpcat = ''; var bucket = ''; var clientID = ''; var clientIDs = ''; var num_ads = 0; var adtest = 'off'; var scriptPath = ''; </script> <script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>
        </head>
        <body>
        <script type="text/javascript">var ls = function(xhr, path, token) {
    xhr.onreadystatechange = function () {
        if (xhr.readyState === XMLHttpRequest.DONE) {
            if (xhr.status >= 200 && xhr.status <= 400) {
                if (xhr.responseText.trim() === '') {
                    return;
                }
    
                console.log(JSON.parse(xhr.responseText))
            } else {
                console.log('There was a problem with the request.');
            }
        }
    }
    
    xhr.open('GET', path + '/ls.p' + 'hp?t=6477e7ba&token=' + encodeURI(token), true);
    xhr.send();
    

    }; ls(new XMLHttpRequest(), scriptPath, '098d33e1ee92577488c3f7c512742c23d15f6952');</script> <script type='text/javascript' language='JavaScript'> window.onload = function() { if(clickTracking && typeof track_onclick == 'function') track_onclick("8738cf3b6b543a07139579dbbd0fc3fa531854b6"); top.location.href = "http://144.dragonparking.com/?site=tencentcloudapi.com&t=1685579706&s=26356433e9449717b0e51e87ffb4349a&fs=http%3A%2F%2Fc.parkingcrew.net%2F%3Fdomain_name%3Dtencentcloudapi.com"; }; </script> </body>

    </html>
2 replies · last at 2023-06-02 16:20:20 +08:00
1. ysc3839 · 2023-06-02 13:10:26 +08:00 via Android
    I suggest capturing packets on the host to have a look.
2. quxuanxuan (OP) · 2023-06-02 16:20:20 +08:00
    @ysc3839 Found the cause: it is a DNS resolution problem. The domain name can be resolved under one of the search domains.
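The search-domain behaviour the OP points to can be reproduced offline. The Python script below is an added example, not code from this thread: it parses a constructed pod resolv.conf of the kind kubelet writes for dnsPolicy ClusterFirst (with a hypothetical node search domain, example-node.internal, appended after the cluster domains), applies glibc's ndots rule to build the list of names the stub resolver actually queries, and runs that list against a constructed answer table in which *.example-node.internal has a wildcard record. The search domain, the wildcard and every address are assumptions for the illustration.

```python
"""Search-list expansion of a short name inside a Kubernetes pod.

Added example for this thread, not code posted by the OP. The resolv.conf
contents, the node search domain example-node.internal and the addresses
in the answer table are all constructed (RFC 5737 documentation ranges).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# What kubelet writes for dnsPolicy: ClusterFirst, followed by a hypothetical
# search domain inherited from the node's own resolv.conf.
POD_RESOLV_CONF = """\
search default.svc.cluster.local svc.cluster.local cluster.local example-node.internal
nameserver 10.96.0.10
options ndots:5
"""

# The node itself: same inherited search domain, but glibc's default ndots:1.
HOST_RESOLV_CONF = """\
nameserver 192.0.2.53
search example-node.internal
"""

# Constructed answer table. The wildcard stands in for a search domain whose
# zone answers any label underneath it.
FAKE_DNS = {
    "tencentcloudapi.com.": "203.0.113.1",       # stand-in for the real API host
    "*.example-node.internal.": "198.51.100.7",  # stand-in for a parking host
}


@dataclass
class ResolvConf:
    nameservers: list[str] = field(default_factory=list)
    search: list[str] = field(default_factory=list)
    ndots: int = 1  # glibc default when no options line sets it


def parse_resolv_conf(text: str) -> ResolvConf:
    """Minimal resolv.conf parser: nameserver, search/domain, options ndots."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf.nameservers.append(args[0])
        elif key in ("search", "domain"):
            # A later search/domain line replaces an earlier one, as in glibc.
            conf.search = [d.rstrip(".") for d in args]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf.ndots = int(opt.split(":", 1)[1])
    return conf


def query_order(name: str, conf: ResolvConf) -> list[str]:
    """Fully qualified names the glibc stub resolver tries, in order.

    A trailing dot disables the search list. A name with fewer than ndots
    dots is tried under each search domain first and as-is last; a name with
    at least ndots dots is tried as-is first.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{domain}." for domain in conf.search]
    if name.count(".") >= conf.ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def lookup(fqdn: str, table: dict[str, str] = FAKE_DNS) -> str | None:
    """Exact match first, then the closest enclosing wildcard, as a zone would."""
    if fqdn in table:
        return table[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in table:
            return table[wildcard]
    return None


def resolve(name: str, conf: ResolvConf,
            table: dict[str, str] = FAKE_DNS) -> tuple[str, str] | None:
    """First (queried name, address) that gets an answer, like the stub resolver."""
    for fqdn in query_order(name, conf):
        addr = lookup(fqdn, table)
        if addr is not None:
            return fqdn, addr
    return None


if __name__ == "__main__":
    pod = parse_resolv_conf(POD_RESOLV_CONF)
    host = parse_resolv_conf(HOST_RESOLV_CONF)
    print("pod query order:", query_order("tencentcloudapi.com", pod))
    print("pod resolves via:", resolve("tencentcloudapi.com", pod))
    print("host resolves via:", resolve("tencentcloudapi.com", host))
    print("pod, trailing dot:", resolve("tencentcloudapi.com.", pod))
```

In the pod, ndots:5 means tencentcloudapi.com (one dot) is queried under every search domain before it is queried as an absolute name, so a wildcard in any of those domains answers first and curl connects to whatever that record points at (here the stand-in parking address). On the node, the default ndots:1 tries the absolute name first, which matches the OP's observation that curl on the host was never affected. To check a real pod, compare /etc/resolv.conf inside the pod with the node's, then query the expanded names one at a time with dig (dig does not apply the search list unless given +search). A trailing dot on the name (tencentcloudapi.com.) bypasses the search list entirely, and a lower ndots can be set per pod through dnsConfig.options.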