curl http://182.131.4.1 -H "Host: www.jd.com" -A "Mozilla/5.0 (Windows; x86_64) AppleWebKit/537.36 (KHT ML, like Gecko) Chrome/70.0.3538.80 Safari/537.36"
第一次返回
<!DOCTYPE html><html><head><meta name="referrer"content="never"></head><body>
<script>window.location.href="/*union 地址*/";</script>
</body></html>
再请求一次返回
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>JDWS/2.0</center>
</body>
</html>
抓包结果中恶意的 200 响应是抢答内容
tcpdump -i eth0 -n ne t 182.131.4.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:31:25.053674 IP ___MY_IP___.46396 > 182.131.4.1.80: Flags [S], seq 2750153281, win 29200, options [mss 1460,sackOK,TS val 1274758968 ecr 0,nop,wscale 7], length 0
12:31:25.098860 IP 182.131.4.1.80 > ___MY_IP___.46396: Flags [S.], seq 529135627, ack 2750153282, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:31:25.098894 IP ___MY_IP___.46396 > 182.131.4.1.80: Flags [.], ack 1, win 229, length 012:31:25.098994 IP ___MY_IP___.46396 > 182.131.4.1.80: Flags [P.], seq 1:167, ack 1, win 229, length 166: HTTP: GET / HTTP/1.1
12:31:25.144171 IP 182.131.4.1.80 > ___MY_IP___.46396: Flags [.], ack 167, win 31, length 0
12:31:25.144246 IP 182.131.4.1.80 > ___MY_IP___.46396: Flags [FP.], seq 1:326, ack 167, win 1026, length 325: HTTP: HTTP/1.1 200 OK
12:31:25.144263 IP 182.131.4.1.80 > ___MY_IP___.46396: Flags [P.], seq 1:389, ack 167, win 31, length 388: HTTP: HTTP/1.1 302 Moved Temporarily
12:31:25.144282 IP ___MY_IP___.46396 > 182.131.4.1.80: Flags [R], seq 2750153448, win 0, length 0
水落石出 #385 @JDSecOffical
感谢您的支持和关注,京东已监测到这一问题,发现该劫持在到达京东 CDN 节点前已发生,涉及到的相关第三方公司的行为严重违反了京东规定,京东已终止与其合作,并将对其违规行为进行严肃处理。
401
xiaochocking 2018-11-27 11:31:38 +08:00
|
402
xiaochocking 2018-11-27 11:33:43 +08:00
大佬怎么看
|
403
mytsing520 2018-11-27 11:33:47 +08:00
换页了~
|
405
sdksang 2018-11-27 12:19:50 +08:00
关注
|
406
u3u 2018-11-27 14:10:06 +08:00
@xiaochocking 我怎么没看到这条微博
|
407
MaxLv 2018-11-27 14:21:33 +08:00
昨天特意提交到 jd 的 src 那边给的消息是“该问题内部已知,目前正处于修复阶段,感谢支持京东安全!”
|
409
xiaochocking 2018-11-27 15:38:58 +08:00
@u3u #406 这是原博下面的评论
|
410
lzsadam 2018-11-28 21:49:36 +08:00
昨晚还复现了,看来还没解决
|