Security Analysis and Exploitation of a QQ Phishing Website
The article documents a step‑by‑step security investigation of a QQ phishing site, detailing its fake login page, POST endpoint, Python‑based credential flooding, network reconnaissance, port scanning, vulnerability scanning, and discovery of the backend control panel, while discussing the challenges of XSS and brute‑force attacks.
The author discovered a phishing website that mimics a QQ login page, captures entered QQ numbers and passwords, and allows login without verification, indicating a simple credential‑stealing operation.
The site is accessed via a shortened link (e.g., http://mfspfgp.top) which redirects to a page containing a login dialog; the form submits a POST request to http://mfspfgp.top/lollove.php with only two parameters: name and pass.
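The form described above is the whole mechanism of the phishing page: a login dialog whose credentials leave for a host that has nothing to do with the imitated brand. The following is an added example (not code from the article or its author) showing how a defender can parse a fetched page and flag such forms. The HTML is constructed to resemble the described page, the legitimate-domain list and the field-name hints are assumptions, and the checks are heuristics, not proof of phishing.

```python
"""Flag login forms whose credentials are posted somewhere other than the brand's domain.

Added example, not from the original article. SAMPLE_HTML is constructed to resemble
the described page (a dialog that POSTs `name` and `pass` to /lollove.php);
LEGIT_BRAND_DOMAINS and PASSWORD_FIELD_HINTS are assumptions for this demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

LEGIT_BRAND_DOMAINS = ("qq.com",)            # assumption: domains the page imitates
PASSWORD_FIELD_HINTS = ("pass", "pwd", "password")  # assumption: names used for password inputs


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({
                "name": a.get("name") or "",
                "type": (a.get("type") or "text").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def _is_brand_host(host):
    """True if host is the brand's domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_BRAND_DOMAINS)


def analyze_login_forms(html, page_url):
    """Return one finding per form that collects a password, with its indicators."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        fields = form["fields"]
        collects_password = any(
            f["type"] == "password" or any(h in f["name"].lower() for h in PASSWORD_FIELD_HINTS)
            for f in fields
        )
        if not collects_password:
            continue
        names = [f["name"] for f in fields if f["name"]]
        action = urljoin(page_url, form["action"])      # resolve relative actions
        target = urlparse(action)
        indicators = []
        if not _is_brand_host(target.hostname or ""):
            indicators.append("credentials posted to non-brand host %s" % target.hostname)
        if target.scheme != "https":
            indicators.append("credentials sent over plaintext HTTP")
        if len(names) <= 2:
            indicators.append("no verification field, only %s submitted" % ", ".join(names))
        findings.append({
            "action": action,
            "method": form["method"],
            "fields": names,
            "indicators": indicators,
        })
    return findings


# Constructed sample resembling the described login dialog (not the real page source).
SAMPLE_HTML = """
<html><body>
<div class="login-dialog">
  <form action="/lollove.php" method="post">
    <input type="text" name="name" placeholder="QQ">
    <input type="password" name="pass" placeholder="Password">
    <input type="submit" value="Login">
  </form>
</div>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_login_forms(SAMPLE_HTML, "http://mfspfgp.top/"):
        print(finding["method"].upper(), finding["action"], finding["fields"])
        for ind in finding["indicators"]:
            print("  -", ind)
```

Run against the sample, the single form is reported with three indicators: the action host is not a brand domain, the POST is over plain HTTP, and only `name` and `pass` are submitted. A page hosted on the brand's own domain with a password form over HTTPS would produce no indicators, which is why the result is a list of evidence rather than a verdict.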
Using Python, the author forged browser headers, generated random QQ numbers and passwords, and employed the requests library to repeatedly POST dummy credentials to the endpoint, sending roughly 10,000 requests to flood the target server.
Network reconnaissance began with a ping to the domain, revealing the IP address 103.98.114.75 located in Hong Kong. Whois lookup returned a QQ email address and a phone number, though their authenticity is uncertain.
Further investigation uncovered additional related domains (e.g., http://fjkskda.top, http://jligyts.top, http://pfdqlql.top, http://yiqilin.top, http://zykjgkd.top, http://mfspfgp.top) that host similar phishing pages with identical credential‑stealing mechanisms.
Port scanning with Nmap identified many open ports on the server, including common services such as tcpmux, echo, discard, and others, indicating a potentially vulnerable surface.
A vulnerability scan using w3af produced a sensitive URL, http://103.27.176.227/OGeU3BGx.php, which displayed an error page containing the phrase "Powered by wdcp". Visiting the WDCP panel revealed a demo site (http://demo.wdlinux.cn) and the backend address http://103.27.176.227:8080.
Attempts to exploit the login form with sqlmap found no SQL injection points, and the admin account could not be altered without a captcha, suggesting brute‑force attacks might be the only viable method.
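Both the credential flooding described earlier (roughly 10,000 scripted POSTs to the login endpoint) and the brute‑force attempts mentioned here leave the same footprint on the receiving server: many POST requests to one login path from one source in a short window. The following is an added example (not code from the article or its author) of the detection logic an operator of a legitimate login endpoint would run over access logs. The log lines are constructed in Combined Log Format, the `/login` path and the threshold and window values are assumptions.

```python
"""Detect bursts of POSTs to a login endpoint in web server access logs.

Added example, not from the original article. SAMPLE_LOG is constructed (Combined Log
Format with documentation-range IPs); the login path, threshold and window are
assumed values a defender would tune for their own site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_login_bursts(lines, login_path="/login", threshold=5, window_s=10):
    """Alert once per source IP that sends >= threshold POSTs to login_path within window_s seconds.

    Uses a per-IP sliding window (deque of timestamps), so memory is bounded by the
    window size rather than by the total number of requests seen.
    """
    per_ip = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        window = per_ip[rec["ip"]]
        window.append(rec["ts"])
        # Drop timestamps that fell out of the sliding window.
        while window and (rec["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and rec["ip"] not in flagged:
            flagged.add(rec["ip"])
            alerts.append({
                "ip": rec["ip"],
                "count": len(window),
                "first": window[0].isoformat(),
                "last": rec["ts"].isoformat(),
            })
    return alerts


# Constructed sample: one source hammering the login form, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:00 +0800] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:12:00:00 +0800] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0800] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0800] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0800] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0800] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.20 - - [10/Mar/2024:12:00:03 +0800] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:12:00:04 +0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for alert in detect_login_bursts(SAMPLE_LOG):
        print("%(ip)s sent %(count)d login POSTs between %(first)s and %(last)s" % alert)
```

On the sample, only 203.0.113.7 is reported, at the moment its fifth POST lands inside the 10 second window; the single POST from 198.51.100.20 and the unparseable line are ignored. Alerting once per source keeps a 10,000 request flood from producing 10,000 alerts, and the same window logic is what a rate limiter in front of the endpoint would enforce.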
The author concludes that while DDoS attacks could temporarily disrupt such phishing sites, the operators can quickly spin up new instances, potentially increasing victim exposure.