数据采集触发防火墙
通过 DNS 分析，目标网站使用阿里云 ECS 云盾，网站流量先经过 aliyunddos1001.com 服务器。
经过反复尝试将之前Curl请求改成基于HTTP_Request2的Socket请求,顺利绕过防火墙.
通过tcpdump抓包比较
# socket 23:37:37.498916 IP localhost.58718 > localhost.http: Flags [S], seq 258486799, win 65495, options [mss 65495,sackOK,TS val 2617808352 ecr 0,nop,wscale 7], length 0 23:37:37.498928 IP localhost.http > localhost.58718: Flags [S.], seq 169719058, ack 258486800, win 65483, options [mss 65495,sackOK,TS val 2617808352 ecr 2617808352,nop,wscale 7], length 0 23:37:37.498937 IP localhost.58718 > localhost.http: Flags [.], ack 1, win 512, options [nop,nop,TS val 2617808352 ecr 2617808352], length 0 23:37:37.499064 IP localhost.58718 > localhost.http: Flags [P.], seq 1:702, ack 1, win 512, options [nop,nop,TS val 2617808352 ecr 2617808352], length 701: HTTP: POST /test/rec HTTP/1.1 23:37:37.499086 IP localhost.http > localhost.58718: Flags [.], ack 702, win 507, options [nop,nop,TS val 2617808352 ecr 2617808352], length 0 23:37:37.499113 IP localhost.58718 > localhost.http: Flags [P.], seq 702:1023, ack 1, win 512, options [nop,nop,TS val 2617808352 ecr 2617808352], length 321: HTTP 23:37:37.499117 IP localhost.http > localhost.58718: Flags [.], ack 1023, win 506, options [nop,nop,TS val 2617808352 ecr 2617808352], length 0 23:37:40.723682 IP localhost.http > localhost.58718: Flags [P.], seq 1:552, ack 1023, win 512, options [nop,nop,TS val 2617811577 ecr 2617808352], length 551: HTTP: HTTP/1.1 200 OK 23:37:40.723708 IP localhost.58718 > localhost.http: Flags [.], ack 552, win 508, options [nop,nop,TS val 2617811577 ecr 2617811577], length 0 23:37:40.723747 IP localhost.http > localhost.58718: Flags [P.], seq 552:557, ack 1023, win 512, options [nop,nop,TS val 2617811577 ecr 2617811577], length 5: HTTP 23:37:40.723751 IP localhost.58718 > localhost.http: Flags [.], ack 557, win 508, options [nop,nop,TS val 2617811577 ecr 2617811577], length 0
# curl 23:41:52.868064 IP localhost.58728 > localhost.http: Flags [S], seq 3967945018, win 65495, options [mss 65495,sackOK,TS val 2618063721 ecr 0,nop,wscale 7], length 0 23:41:52.868075 IP localhost.http > localhost.58728: Flags [S.], seq 779881226, ack 3967945019, win 65483, options [mss 65495,sackOK,TS val 2618063721 ecr 2618063721,nop,wscale 7], length 0 23:41:52.868083 IP localhost.58728 > localhost.http: Flags [.], ack 1, win 512, options [nop,nop,TS val 2618063721 ecr 2618063721], length 0 23:41:52.868135 IP localhost.58728 > localhost.http: Flags [P.], seq 1:1012, ack 1, win 512, options [nop,nop,TS val 2618063721 ecr 2618063721], length 1011: HTTP: POST /test/rec HTTP/1.1 23:41:52.868139 IP localhost.http > localhost.58728: Flags [.], ack 1012, win 504, options [nop,nop,TS val 2618063721 ecr 2618063721], length 0 23:41:55.913340 IP localhost.http > localhost.58728: Flags [P.], seq 1:552, ack 1012, win 512, options [nop,nop,TS val 2618066766 ecr 2618063721], length 551: HTTP: HTTP/1.1 200 OK 23:41:55.913401 IP localhost.58728 > localhost.http: Flags [.], ack 552, win 508, options [nop,nop,TS val 2618066766 ecr 2618066766], length 0 23:41:55.913483 IP localhost.http > localhost.58728: Flags [P.], seq 552:557, ack 1012, win 512, options [nop,nop,TS val 2618066766 ecr 2618066766], length 5: HTTP 23:41:55.913491 IP localhost.58728 > localhost.http: Flags [.], ack 557, win 508, options [nop,nop,TS val 2618066766 ecr 2618066766], length 0
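发现Curl请求少了一次Ack：Socket方式把请求分成两个TCP段发送(701字节和321字节)，服务端对每段各回一个Ack；Curl则一次发出1011字节，只需一个Ack。不过这是本机(localhost)回环抓包，看不到防火墙实际收到的流量，所以不知道是不是这个原因导致。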
不过得出用Socket可以成功绕过
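// PHP approach: send one HTTPS POST over a raw TLS stream socket and echo the reply.
//
// The ssl:// transport verifies the peer certificate by default on PHP 5.6+,
// so no verification option is switched off here.
$host = "xxxxxxxxxx.com";
$port = 443;
$path = "/user/window/classifyWindows";

// Every header below is a client-chosen value (user-agent, referer, clienttype, ...).
// A server receiving them cannot treat any of them as proof of which client sent the request.
$headers = [
    'Host' => $host,
    'accept' => 'application/json, text/plain, */*',
    'user-agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 MicroMessenger/7.0.9.501 NetType/WIFI MiniProgramEnv/Windows WindowsWechat',
    'clienttype' => 'MINI_PROGRAM',
    'content-type' => 'application/json',
    'prebuy' => 'true',
    'source' => 'applet',
    'userkey' => '',
    'version' => '1.12.20',
    'referer' => 'https://servicewechat.com/wxxxxxxxxxxxxxxx/349/page-frame.html',
];
$poststring = '{"clientType":"MINI_PROGRAM","storeId":66880000913072,"areaId":105,"openBrandHouse":"OPEN"}';

// 30 is the connect timeout in seconds; $errno/$errstr are filled in on failure.
$fp = fsockopen("ssl://" . $host, $port, $errno, $errstr, 30);
if ($fp === false) {
    // Report the failure (DNS, TCP or TLS handshake/certificate error) instead of exiting silently.
    error_log("fsockopen to {$host}:{$port} failed: [{$errno}] {$errstr}");
} else {
    fwrite($fp, "POST $path HTTP/1.1\r\n");
    foreach ($headers as $key => $value) {
        fwrite($fp, "{$key}: {$value}\r\n");
    }
    fwrite($fp, "Content-length: " . strlen($poststring) . "\r\n");
    fwrite($fp, "Connection: close\r\n\r\n");
    // Send exactly Content-length bytes: anything written after the body is
    // outside the declared request and is not part of this message.
    fwrite($fp, $poststring);

    // Stop on EOF or on a read error (fgets returns false in both cases),
    // so a failed read cannot spin the loop forever.
    while (($line = fgets($fp, 4096)) !== false) {
        echo $line;
    }
    fclose($fp);
}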
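// nodejs
// Sends one HTTPS POST over a raw TLS socket and prints the reply with "\n" removed.
//
// Every header below is a client-chosen value (user-agent, referer, clienttype, ...).
// A server receiving them cannot treat any of them as proof of which client sent the request.
const headers = {
  'Host': 'xxxxxxxxxx.com',
  'accept': 'application/json, text/plain, */*',
  'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 MicroMessenger/7.0.9.501 NetType/WIFI MiniProgramEnv/Windows WindowsWechat',
  'clienttype': 'MINI_PROGRAM',
  'content-type': 'application/json',
  'prebuy': 'true',
  'source': 'applet',
  'userkey': '',
  'version': '1.12.20',
  'referer': 'https://servicewechat.com/wxxxxxxxxxxx/349/page-frame.html',
};
const body = '{"clientType":"MINI_PROGRAM","storeId":66880000913072,"areaId":105,"openBrandHouse":"OPEN"}';
const tls = require("tls");

// Certificate verification is left at the Node default (enabled). The original
// passed `rejectUnauthorized: false`, which accepts any certificate and lets an
// on-path party read or alter the request and the response.
const client = tls.connect(443, 'xxxxxxxxxx.com');

client.write("POST /user/window/classifyWindows HTTP/1.1\r\n");
for (const [key, value] of Object.entries(headers)) {
  client.write(`${key}: ${value}\r\n`);
}
// Content-length counts bytes, not UTF-16 code units.
client.write(`Content-length: ${Buffer.byteLength(body)}\r\n`);
client.write("Connection: close\r\n\r\n");
// Send exactly Content-length bytes: anything written after the body is
// outside the declared request and is not part of this message.
client.write(body);

// The reply may arrive in several chunks; collect them all and print once the
// server closes the connection ("Connection: close") rather than after the first chunk.
const chunks = [];
client.on("data", (chunk) => {
  chunks.push(chunk);
});
client.on("end", () => {
  console.log(Buffer.concat(chunks).toString().replace(/\n/g, ""));
});
// Surface connection and TLS errors (including certificate failures) instead of discarding them.
client.on("error", (err) => {
  console.error(`TLS request failed: ${err.message}`);
});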