玩一个钓鱼网站

今天突然发现了一个好玩的钓鱼网站，只要你qq在线点击他的网址就会被盗号，http://url.cn/48ZHq3H?uuid=vRJnzhHTcG。

当你qq在线时，会自动登录，然后不断调转，初步估计和QQ的自动登录插件有关，接下去看看，虚拟机里没qq，点开。由web狗的嗅觉：

https\x3A\x2F\x2Fui.ptlogin2.qq.com\x2Fcgi-bin\x2Flogin\x3Fstyle\x3D9\x26appid\x3D522005705\x26daid\x3D4\x26s_url\x3Dhttp\x253A\x252F\x252Fsk.qq.com\x252Fjumpstat\x253Frdtype1\x253D82090001\x2526rdtype2\x253D4\x2526rdtype3\x253D3002529\x2526rdurl\x253Dhttp\x253A\x252F\x252Fptlogin2.qq.com\x252Fjump\x253Fu1\x253Dhttp\x253A\x252F\x252Fgrouproam.qq.com\x252Fcgi-bin\x252Fhttpconn\x253Fhtcmd\x253D0x6ff0080\x2526u\x253Dhttp\x253A\x252F\x252Fptlogin2.fm.qq.com\x252Fjump\x253Fu1\x253Dhttp\x253A\x252F\x252Fptlogin2.tenpay.com\x252Fjump\x253Fuin\x253DzvPIwC1I\x2526skey\x253D\x25407bmBHm0XLp\x2526u1\x253Dhttp\x253A\x252F\x252Fcf.qq.com\x252Fcomm-htdocs\x252Fmilo_mobile\x252Flogin.html\x253Fs_url\x253Dhttp\x253A\x252F\x252Flol.qq.com\x252Fcomm-htdocs\x252Fmilo_mobile\x252Flogin.html\x253Fs_url\x253Dhttp\x253A\x252F\x252Fdnf.qq.com\x252Fcomm-htdocs\x252Fmilo_mobile\x252Flogin.html\x253Fs_url\x253Dhttp\x253A\x252F\x252Fhtdata2.qq.com\x253A80\x252Fcgi-bin\x252Fhttpconn\x253Fhtcmd\x253D0x6ff0080\x2526u\x253Dhttp\x253A\x252F\x252Fgrouproam.qq.com\x252Fcgi-bin\x252Fhttpconn\x253Fhtcmd\x253D0x6ff0080\x2526u\x253Dhttp\x253A\x252F\x252Fptlogin2.fm.qq.com\x252Fjump\x253Fu1\x253Dhttp\x253A\x252F\x252Fptlogin2.tenpay.com\x252Fjump\x253Fuin\x253Dduw2zjRQ\x2526skey\x253D\x25407bmBHm0XLp\x2526u1\x253Dhttp\x253A\x252F\x252Fhtdata2.qq.com\x253A80\x252Fcgi-bin\x252Fhttpconn\x253Fhtcmd\x253Dhttp\x253A\x252F\x252Fgg.dxy.cn\x252Fwww\x252Fdelivery\x252Fck.php\x253Foaparams\x253D2__bannerid\x253DFb2h6Rva__zoneid\x253DmgPM7cOC__OXLCA\x253D1__cb\x253Da33bac67e7__oadest\x253D0x6ff0080\x2526u\x253D\x252568\x252574\x252574\x252570\x25253A\x25252F\x25252F\x25256D\x25252E\x252562\x252561\x252569\x252564\x252575\x25252E\x252563\x25256F\x25256D\x25252F\x252574\x252563\x25253F\x252572\x252565\x252566\x25253D\x252573\x252572\x252564\x25253D\x252531\x252526\x25253D\x252564\x252569\x252563\x252574\x25253D\x252532\x252532\x252561\x252561\x252537\x252533\x252538\x252536\x252530\x252536\x252562\x252530\x252537\x252531\x252530\x252533\x252526\x252562\x252564\x252565\x25256E\x252563\x25253D\x252531\x252526\x25256E\x252573\x252572\x252563\x25253D\x252549\x25256C\x252550\x252554\x252532\x252541\x252545\x252570\x252574\x252579\x25256F\x252541\x25255F\x252579\x252569\x252578\x252543\x252546\x25254F\x252578\x252558\x25256E\x252541\x25254E\x252565\x252564\x252554\x252536\x252532\x252576\x252533\x252549\x252545\x252551\x252547\x252547\x25255F\x252579\x252574\x25254E\x25255F\x25257A\x252565\x252536\x252570\x25256F\x252533\x252573\x252561\x252550\x25254F\x252561\x252555\x252562\x252533\x2526clientuin\x253D576910438\x26uuid\x3DvRJnzhHTcG14\x3A03\x3A42

。估计这里面有坑，解码解码解码：

://ui.ptlogin2.qq.com/cgi-bin/login?style=9&appid=522005705&daid=4&s_url=http://sk.qq.com/jumpstat?rdtype1=82090001&rdtype2=4&rdtype3=3002529&rdurl=http://ptlogin2.qq.com/jump?u1=http://grouproam.qq.com/cgi-bin/httpconn?htcmd=0x6ff0080&u=http://ptlogin2.fm.qq.com/jump?u1=http://ptlogin2.tenpay.com/jump?uin=zvPIwC1I&skey=@7bmBHm0XLp&u1=http://cf.qq.com/comm-htdocs/milo_mobile/login.html?s_url=http://lol.qq.com/comm-htdocs/milo_mobile/login.html?s_url=http://dnf.qq.com/comm-htdocs/milo_mobile/login.html?s_url=http://htdata2.qq.com:80/cgi-bin/httpconn?htcmd=0x6ff0080&u=http://grouproam.qq.com/cgi-bin/httpconn?htcmd=0x6ff0080&u=http://ptlogin2.fm.qq.com/jump?u1=http://ptlogin2.tenpay.com/jump?uin=duw2zjRQ&skey=@7bmBHm0XLp&u1=http://htdata2.qq.com:80/cgi-bin/httpconn?htcmd=http://gg.dxy.cn/www/delivery/ck.php?oaparams=2__bannerid=Fb2h6Rva__zoneid=mgPM7cOC__OXLCA=1__cb=a33bac67e7__oadest=0x6ff0080&u=http://m.baidu.com/tc?ref=srd=1&=dict=22aa738606b07103&bdenc=1&nsrc=IlPT2AEptyoA_yixCFOxXnANedT62v3IEQGG_ytN_ze6po3saPOaUb3&clientuin=576910438&uuid=vRJnzhHTcG

：把后面部分地址提出来，得到最后的木马地址是 http://www.cmiaok.org/：这是一个钓鱼的lol地址，看来骗子好像还做了两手准备，这年头骗子也不容易了。另外有一个跳转地址是： http://gg.dxy.cn/www/delivery/ck.php?oaparams=2__bannerid=Fb2h6Rva__zoneid=mgPM7cOC__OXLCA=1__cb=a33bac67e7__oadest=0x6ff0080，是一个药公司的，估计服务器没管好，被人做鸡了。由于晚上该网站被封了，包括whois都查不到了，本来还准备渗透搞一波的呢，哎哎，结束收工。

（ps：作者水平低，如有什么地方错误，请各位大佬指正。）