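Today I came across short links starting with 985.so that randomly redirect to illegal websites. Out of curiosity I captured the traffic and found that they use the API at https://changyan.sohu.com/api/oauth2/nobody/hack?to_url= to perform the redirect. The captured response is shown below; the target URL has been masked, as its content is unfit to view: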
HTTP/1.1 302 Moved Temporarily
Server: Tengine
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Date: Mon, 16 Sep 2019 13:48:50 GMT
Location: https://changyan.sohu.com/api/oauth2/nobody/hack?to_url=http://63353xe.*****.cn/19072101.html?refer=65828OTg1YlA2Qg==&yug=gnvd63353mmoi
Ali-Swift-Global-Savetime: 1568641730
Via: cache9.l2cn1824[7,302-0,M], cache20.l2cn1824[8,0], kunlun7.cn24[13,302-0,M], kunlun7.cn24[14,0]
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Mon, 16 Sep 2019 13:48:50 GMT
X-Swift-CacheTime: 0
Expires: 15
Timing-Allow-Origin: *
EagleId: 7ae122a515686417306761959e
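
A detection check for the pattern in the capture above, as an added example that is not part of the original post: it reads the Location header of a 3xx response and reports any query parameter whose value is an absolute URL on a different host than the redirect itself. The function names are hypothetical, and the sample is the post's own response, abridged.

```python
from urllib.parse import urlsplit, parse_qsl

# Headers copied from the capture in the post (abridged; the target host is masked there).
CAPTURED = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Tengine\r\n"
    "Location: https://changyan.sohu.com/api/oauth2/nobody/hack?to_url="
    "http://63353xe.*****.cn/19072101.html?refer=65828OTg1YlA2Qg==&yug=gnvd63353mmoi\r\n"
    "X-Swift-CacheTime: 0\r\n\r\n"
)

def location_of(raw_response):
    """Return the Location header of a 3xx response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = head[0].split(" ", 2)
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def bounce_params(location):
    """List (param, outer_host, inner_host) for query values that are
    absolute http(s) URLs on a different host than the redirect itself."""
    outer = urlsplit(location)
    findings = []
    for key, value in parse_qsl(outer.query, keep_blank_values=True):
        inner = urlsplit(value)
        if (inner.scheme in ("http", "https") and inner.hostname
                and inner.hostname != outer.hostname):
            findings.append((key, outer.hostname, inner.hostname))
    return findings

def check_response(raw_response):
    """Run both steps on a raw response; an empty list means nothing to flag."""
    loc = location_of(raw_response)
    return bounce_params(loc) if loc else []

if __name__ == "__main__":
    for param, outer, inner in check_response(CAPTURED):
        print(f"{outer} forwards to {inner} via ?{param}=")
```

Because the inner URL in the capture is not percent-encoded, its trailing `&yug=` part is parsed as a parameter of the outer URL; the check still identifies `to_url` as the parameter carrying the foreign host.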