请选择 进入手机版 | 继续访问电脑版

技术控

    今日:2| 主题:54680
收藏本版 (1)
最新软件应用技术尽在掌握

[其他] Studying the Internet Censorship in South Korea

[复制链接]
难拥友 发表于 2016-10-17 20:09:42
226 5

立即注册CoLaBug.com会员,免费获得投稿人的专业资料,享用更多功能,玩转个人品牌!

您需要 登录 才可以下载或查看,没有帐号?立即注册

x
TL;DR: Please go directly to theto discover how (in)effective the censorship of Internet in South Korea is. This blogpost can be served for you to remind how HTTP requests work.
  Table of contents

   1. First contact with the censorship system
   2. Locating the censorship system in the networks
   3. Inner work of the censorship system
   3.1. Different answers provided by censorship systems
   3.1.1. Direct HTML as an answer
   3.1.2. Direct HTML as an answer (censorship system A)
   3.1.3. 302 Temporary redirect (censorship system B)
   3.3. Let's debug the censorship system - From HTTP/0.9 to HTTP/1.1
   3.5 More tricky requests with HTTP
   3.5.2. HTTP requests methods
   3.5.3. Having fun with HTTP/1.1 persistent connection
   3.5.4. HTTP vs. HTTPS
   3.5.5. Random behaviors provided by the censorship system
   3.5.6. CDN for content (VOD/images)
   3.5.7. HTTP2 for http URIs
   3.5.9. HTTP2 for https URIs
   3.5.10. Readline vs. buffered HTTP requests
   4. Using HTTP proxies
   6. Bypassing the filter
   6.1. By using a different vhost (easy-PoC)
   6.2. By using HTTP persistent connection: HEAD then GET (PoC)
   6.3. By using HTTP persistent connection: GET then GET (PoC)
   6.4. By using \n instead of \r\n in the HTTP requests (unreliable method, PoC)
   6.5. By using HTTP invalid methods (PoC)
   6.6. By sending HTTP requests line by line (PoC)
   6.7. By using a method ONLY if there is a censorship
   6.9. By using HTTPS websites/proxies
   8. Credits and Greetings
   9. Personal note to http://www.warning.or.kr/ administrator
  0. Introduction

  As staying in South Korea, I was curious and wanted to know more about the censorship as stated in Wikipedia.
   Wikipedia: Censorship in South Korea :
  KCSC (Korea Communications Standards Commission) is responsible for online control and requires Korean citizens to enter government issued ID numbers in order to post political comments online. The KCSC has the right to suspend or delete any web posting or articles for 30 days as soon as a complaint is filed (to combat cyberbullying in South Korea). Every week, portions of the Korean web are taken down by the KCSC. In 2013, around 23,000 Korean webpages were deleted and another 63,000 blocked by the KCSC.
  Korean officials' rhetoric about censored material, including that it is "subversive", "illegal", "harmful" or related to "pornography and nudity", has been noted as similar to that of their Chinese counterparts. Critics also say that the government takes prohibitions on profanity as "a convenient excuse to silence critics" and chill speech.
  This designation persisted in 2012, where the report suggests South Korea's censorship is similar to those of Russia and Egypt.
  You may have seen the infamous message "This webpage is illegal" when you try to get into some websites. By the way, if you don't speak Korean, I wish you a good luck trying to copy/paste texts from an image and understand what is going on:
   

Studying the Internet Censorship in South Korea

Studying the Internet Censorship in South Korea-1-技术控-effective,Internet,contents,directly,discover

   Wikipedia lists a short list of websites forbidden to visit in South Korea, but I used https://github.com/aredo/porn-site-list/blob/master/sites.json to get a list of potentially banned websites (a lot of them are actually blocked) in South Korea.
  As you see, quite a large number of websites are currently blocked. They include the websites that are considered containing "socially harmful" or subversive contents such as adult or gambling websites as well as political matters notably related to North Korea. Social medias are very much censored too (online comments are massively removed).
  This research excludes any politically sensitive items as this analysis is intended to be limited to a technical side and I am not making any political judgment. I am trying, from an external point of view, to evaluate the technical level of the current censorship system. Social medias are out of scope of this analysis.
  This study was done in September 2016 using 3 major ISPs: KT, SK Telecom (SKT) and LG U+.
  1. First contact with the censorship system

   We will use telnet to understand how the censorship system works.
   If you go on a censored website, you will see this webpage:

Studying the Internet Censorship in South Korea

Studying the Internet Censorship in South Korea-2-技术控-effective,Internet,contents,directly,discover

  Let's dig:
  A standard (and very basic) HTTP request is:
  1. GET / HTTP/1.1
  2. Host: www.remote-server.com\r\n\r\n
复制代码
Trying this on a censored website:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: xhamster.com
  7. HTTP/1.0 302 Redirect
  8. Location: http://www.warning.or.kr
  9. [email protected]:~$
复制代码
  By changing the Host value to a banned website, it seems we can trigger the censorship system:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: wutwut
  7. HTTP/1.1 301 Moved Permanently
  8. Server: nginx
  9. Date: Fri, 01 Oct 2016 00:00:00 GMT
  10. Content-Type: text/html; charset=UTF-8
  11. Transfer-Encoding: chunked
  12. Connection: keep-alive
  13. Location: http://xhamster.com/
  14. [email protected]:~$
复制代码
  This request seems to work and the Nginx server from xhamster.com will reply to us. So, at least, the censorship system is analyzing the Host header in the HTTP request.
  2. Locating the censorship system in the networks

   We will use wget to customize the request in order to understand where is the filtering process.
   We ask the Google.ru webpage (note: I made a configuration to ensure www.google.ru resolves to a Google server not located in South Korea. 216.58.214.131 is located in Europe).
  I, then, will use Google servers located in South Korea to see if the censorship is really analyzing every Host header on every HTTP connection or only targeting a few IPs.
  We will eventually determine where this censorship system is located.
  We are doing a name resolution to get a Google server outside South Korea:
  1. [email protected]:~$ host google.ru 8.8.8.8
  2. Using domain server:
  3. Name: 8.8.8.8
  4. Address: 8.8.8.8#53
  5. Aliases:
  6. google.ru has address 216.58.197.227
  7. google.ru has IPv6 address 2404:6800:4005:802::2003
  8. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  9. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  10. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  11. google.ru mail is handled by 10 aspmx.l.google.com.
  12. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  13. [email protected]:~$
  14. [email protected]:~$  traceroute -n 216.58.197.227
  15. traceroute to 216.58.197.227 (216.58.197.227), 30 hops max, 60 byte packets
  16. 1  100.114.55.252  3.915 ms  4.052 ms  4.495 ms
  17. 2  100.114.27.169  4.503 ms  4.498 ms  4.495 ms
  18. 3  1.255.24.48  4.806 ms  5.027 ms  5.026 ms
  19. 4  61.98.54.109  5.380 ms  5.376 ms  5.372 ms
  20. 5  58.229.4.16  7.384 ms 58.229.4.12  13.247 ms 58.229.4.8  10.801 ms
  21. 6  118.221.7.46  9.586 ms  5.669 ms  5.596 ms
  22. 7  39.115.132.69  5.062 ms 58.229.15.213  5.038 ms 39.115.132.69  5.030 ms
  23. 8  72.14.216.77  41.280 ms 72.14.215.199  38.651 ms  38.296 ms
  24. 9  216.239.54.1  39.183 ms  39.033 ms 209.85.142.95  38.461 ms
  25. 10  209.85.142.185  43.401 ms 216.239.40.11  43.397 ms 209.85.142.185  40.657 ms
  26. 11  72.14.238.35  64.533 ms 216.58.197.227  36.478 ms  37.243 ms
  27. [email protected]:~$
复制代码
Google.ru resolves to a foreign IP which is far away.
  Ok let's debug:
  1. [email protected]:~$ wget -O- http://www.google.ru/ | grep -ai google|head -n 1
  2. --2016-10-01 XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: unspecified [text/html]
  7. Saving to: 'STDOUT'
  8. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ru"><head><meta content="Google." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script>(function(){window.google={kEI:'9kbBV4mEM8nt0gSfvbGQCg',kEXPI:'3700062,3700283,3700389,4029815,4031109,4032678,4036509,4036527,4038012,4039268,4043492,4045841,4048347,4052304,4058543,4061154,4062702,4063879,4065786,4065793,4066654,4066708,4067175,4067860,4068550,4068816,4069839,4069841,4069905,4070127,4070220,4070598,4071231,4071575,4071603,4071842,4072000,4072289,4072364,4072653,4072682,4072773,4073231,4073405,4073419,4073958,4073980,4074426,4074801,4075122,4075451,4075464,4075781,4075788,4075860,4075966,4075976,4076018,4076096,4076115,4076117,4076797,4076931,4077219,4077221,4077384,4077391,8300096,8300273,8502184,8503585,8504846,8505150,8505152,8505585,8505677,8505816,8506585,10200083',authuser:0,kscs:'c9c918f0_24'};google.kHL='ru';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};google.https=function(){return"https:"==window.location.protocol};google.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(c){}};google.time=function(){return(new Date).getTime()};google.log=function(a,b,c,e,g){a=google.logUrl(a,b,c,e,g);if(""!=a){b=new Image;var d=google.lc,f=google.li;d[f]=b;b.onerror=b.onload=b.onabort=function(){delete d[f]};window.google&&window.google.vel&&window.google.vel.lu&&window.google.vel.lu(a);b.src=a;google.li=f+1}};google.logUrl=function(a,b,c,e,g){var d="",f=google.ls||"";if(!c&&-1==b.search("&ei=")){var h=google.getEI(e)
  9. [email protected]:~$
复制代码
Yeah! We can access to Google.
   Now, question: Does it work when we try to contact Google server in South Korea? ( 1.255.22.242 is an IP for www.google.co.kr, located in South Korea, as shown below):
  Google inside Korean IP space:
  1. [email protected]:~$ host google.co.kr
  2. google.ru has address 1.255.22.241
  3. google.ru has address 1.255.22.237
  4. google.ru has address 1.255.22.217
  5. google.ru has address 1.255.22.216
  6. google.ru has address 1.255.22.227
  7. google.ru has address 1.255.22.251
  8. google.ru has address 1.255.22.242
  9. google.ru has address 1.255.22.232
  10. google.ru has address 1.255.22.226
  11. google.ru has address 1.255.22.247
  12. google.ru has address 1.255.22.236
  13. google.ru has address 1.255.22.222
  14. google.ru has address 1.255.22.221
  15. google.ru has address 1.255.22.212
  16. google.ru has address 1.255.22.231
  17. google.ru has address 1.255.22.246
  18. google.ru has IPv6 address 2404:6800:400a:806::2003
  19. google.ru mail is handled by 10 aspmx.l.google.com.
  20. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  21. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  22. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  23. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  24. [email protected]:~$ tcptraceroute -n 1.255.22.242 80
  25. Running:
  26.     traceroute -T -O info -n -p 80 1.255.22.242
  27. traceroute to 1.255.22.242 (1.255.22.242), 30 hops max, 60 byte packets
  28. 1  100.114.55.252  3.759 ms  4.431 ms  4.556 ms
  29. 2  100.114.27.169  4.553 ms  4.551 ms  4.547 ms
  30. 3  1.255.24.48  5.182 ms  5.668 ms  5.900 ms
  31. 4  61.98.54.109  5.900 ms  6.452 ms  6.992 ms
  32. 5  58.229.4.28  10.786 ms 58.229.4.20  12.408 ms 58.229.4.36  10.783 ms
  33. 6  58.229.4.163  10.713 ms  7.037 ms  7.370 ms
  34. 7  1.255.22.242<syn,ack>  6.621 ms  7.737 ms  7.798 ms
  35. [email protected]:~$ ping 1.255.22.242
  36. PING 1.255.22.242 (1.255.22.242) 56(84) bytes of data.
  37. 64 bytes from 1.255.22.242: icmp_seq=1 ttl=58 time=4.32 ms
  38. ^C
  39. --- 1.255.22.242 ping statistics ---
  40. 1 packets transmitted, 1 received, 0% packet loss, time 0ms
  41. rtt min/avg/max/mdev = 4.328/4.328/4.328/0.000 ms
  42. [email protected]:~$
复制代码
  4.32ms to contact 1.255.22.242 ! - this IP is located in South Korea (and whois 1.255.22.242 will confirm it - SK Broadband Co Ltd ).
   Fetching a webpage located at 1.255.22.242 :
  1. [email protected]:~$ wget -O- http://1.255.22.242/ >/dev/null
  2. --2016-10-01XX:XX:XX--  http://1.255.22.242/
  3. Connecting to 1.255.22.242:80... connected.
  4. HTTP request sent, awaiting response... 301 Moved Permanently
  5. Location: http://www.google.com/ [following]
  6. --2016-10-01 XX:XX:XX--  http://www.google.com/
  7. Resolving www.google.com (www.google.com)... 74.125.203.103, 74.125.203.105, 74.125.203.106, ...
  8. Connecting to www.google.com (www.google.com)|74.125.203.103|:80... connected.
  9. HTTP request sent, awaiting response... 302 Found
  10. Location: http://www.google.co.kr/?gfe_rd=cr&ei=n3nCV9PEPM-T9QWY36ywCg [following]
  11. --2016-10-01 XX:XX:XX--  http://www.google.co.kr/?gfe_rd=cr&ei=n3nCV9PEPM-T9QWY36ywCg
  12. Resolving www.google.co.kr (www.google.co.kr)... 74.125.23.94, 2404:6800:4008:c01::5e
  13. Connecting to www.google.co.kr (www.google.co.kr)|74.125.23.94|:80... connected.
  14. HTTP request sent, awaiting response... 200 OK
  15. Length: unspecified [text/html]
  16. Saving to: 'STDOUT'
  17. -                                                        [ <=>]  10.78K  --.-KB/s    in 0.001s
  18. 2016-10-01 XX:XX:XX (7.03 MB/s) - written to stdout [11040]
复制代码
  The default webpage will give us a 302 Redirect to http://www.google.co.kr/ .
  We can access to Google servers located in South Korea too!
   Now, we know that browsing the www.xhamster.com webpage will show the warning.or.kr webpage from the first part.
  We can forge the Host header in the HTTP request to understand where the censorship system is located.
   Asking a Google webpage on a Google server located outside South Korea with a custom header with a banned Host ( Host: www.xhamster.com ):
  1. [email protected]:~$ wget -O- --header="Host: www.xhamster.com" http://www.google.ru/
  2. --2016-10-01XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 302 Redirect
  6. Location: http://www.warning.or.kr [following]
  7. --2016-10-01 XX:XX:XX--  http://www.warning.or.kr/
  8. Resolving www.warning.or.kr (www.warning.or.kr)... 121.189.57.82
  9. Connecting to www.warning.or.kr (www.warning.or.kr)|121.189.57.82|:80... connected.
  10. HTTP request sent, awaiting response... 200 OK
  11. Length: 10590 (10K) [text/html]
  12. Saving to: 'STDOUT'
  13. -                             0%[                                            ]       0  --.-KB/s               <html>
  14. <head>
  15. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  16. <meta name="kcsc" content="blocking" />
  17. <title>www.warning.or.kr</title>
  18. <style type="text/css">
  19. [...]
  20. [email protected]:~$
复制代码
  This request is blocked (see the 302 direction to http://www.warning.or.kr/ ).
  As seen before, we have access to Google servers located inside and outside South Korea.
  If I try to contact a Google server located outside South Korea and ask for a custom censored host, then the request seems to be censored.
  However, if I ask a Google server located in South Korea to provide me with a banned website, this request will work and Google will provide a reply, as shown below.
   Asking www.xhamster.com on a Google Korean Server will result a 404 page from Google (that is, this request is NOT blocked by the censorship system ):
  1. [email protected]:~$ wget -O- --header="Host: www.xhamster.com" http://1.255.22.242/
  2. --2016-10-01XX:XX:XX--  http://1.255.22.242/
  3. Connecting to 1.255.22.242:80... connected.
  4. HTTP request sent, awaiting response... 404 Not Found
  5. 2016-10-01   XX:XX:XX ERROR 404: Not Found.
  6. [email protected]:~$
复制代码
Using telnet for the same request (in HTTP/1.0):
  1. [email protected]:~$ telnet 1.255.22.242 80
  2. Trying 1.255.22.242...
  3. Connected to 1.255.22.242.
  4. Escape character is '^]'.
  5. GET / HTTP/1.0
  6. Host: www.xhamster.com
  7. HTTP/1.0 404 Not Found
  8. Content-Type: text/html; charset=UTF-8
  9. Content-Length: 1561
  10. Date: Fri, 01 Oct 2016 00:00:00 GMT
  11. <!DOCTYPE html>
  12. <html lang=en>
  13. <meta charset=utf-8>
  14. <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  15. <title>Error 404 (Not Found)!!1</title>
  16. <style>
  17.     *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:[email protected] screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:[email protected] only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) [email protected] only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  18. </style>
  19. <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  20. <p><b>404.</b><ins>That's an error.</ins>
  21. <p>The requested URL <code>/</code> was not found on this server.  <ins>That's all we know.</ins>
  22. Connection closed by foreign host.
  23. [email protected]:~$
复制代码
  But asking www.xhamster.com on a foreign server will result a 302 redirect to www.warning.or.kr :
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: xhamster.com
  7. HTTP/1.0 302 Redirect
  8. Location: http://www.warning.or.kr
  9. [email protected]:~$0
复制代码
From this, we can assume the filtering system only targets HTTP connections from international links.

  Let's do a traceroute and a TCPtraceroute to find out what is happening.
   Using SKT connections, UDP traceroute to www.xhamster.com :
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: xhamster.com
  7. HTTP/1.0 302 Redirect
  8. Location: http://www.warning.or.kr
  9. [email protected]:~$1
复制代码
  Now doing a TCPtraceroute to www.xhamster.com on port 80 shows something fishy:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: xhamster.com
  7. HTTP/1.0 302 Redirect
  8. Location: http://www.warning.or.kr
  9. [email protected]:~$2
复制代码
  The hop number 10 shows a RCF1918 IP ( 192.168.112.1 ) only when doing a traceroute using TCP.
   Let's target another website ( www.ovh.com , a big European ISP):
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: xhamster.com
  7. HTTP/1.0 302 Redirect
  8. Location: http://www.warning.or.kr
  9. [email protected]:~$3
复制代码
  192.168.112.1 is present (but it's NOT present if we do ICMP/UDP traceroutes).
   Another TCPtraceroute will show a suspicious 192.168.132.1 in hop 10 (in a different date):
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: xhamster.com
  7. HTTP/1.0 302 Redirect
  8. Location: http://www.warning.or.kr
  9. [email protected]:~$4
复制代码
With KT, sometimes, a strange hop will appear when doing a TCP traceroute, as shown below (hop 11):
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: xhamster.com
  7. HTTP/1.0 302 Redirect
  8. Location: http://www.warning.or.kr
  9. [email protected]:~$5
复制代码
And the UDP traceroute:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: xhamster.com
  7. HTTP/1.0 302 Redirect
  8. Location: http://www.warning.or.kr
  9. [email protected]:~$6
复制代码
  If you read the TCPtraceroutes, you will see a hop located in the edge of the Korean network (hop10 or 11): 192.168.112.1 or 192.168.132.1 or 192.168.144.1 . This router doesn't appear when doing UDP or ICMP traceroutes.
   When doing tcptraceroute to exotic remote ports ( 61721 ), this hop doesn't appear. In fact, this hop appears only for a list of specific ports ( 80 , 8080 , 8000 , 2222 , ...) but the censorship seems to affect every TCP connection.
  Note: This hop appears not every time when using KT or LG U+ connection (but they are still censoring Internet connection). It means that the 2 ISPs are using different methods to censor websites or the censorship system has different network behaviors.
   You can test filtering by yourself with these wget commands, by contacting a remote server and asking to serve HTTP webpages:
   Connecting to ftp.de.freebsd.org and asking HTTP on a FTP server will result errors from the FTP server (which is normal):
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: xhamster.com
  7. HTTP/1.0 302 Redirect
  8. Location: http://www.warning.or.kr
  9. [email protected]:~$7
复制代码
  Now connecting to the same FTP server and providing a Host: www.xhamster.com with the HTTP request will send us a HTTP reply by the censorship system:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: xhamster.com
  7. HTTP/1.0 302 Redirect
  8. Location: http://www.warning.or.kr
  9. [email protected]:~$8
复制代码
Same with SSH:
   We see the SSH banner on ftp.de.freebsd.org using telnet :
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: xhamster.com
  7. HTTP/1.0 302 Redirect
  8. Location: http://www.warning.or.kr
  9. [email protected]:~$9
复制代码
  Now sending an http request to the sshd server of ftp.de.freebsd.org with a censored Host will trigger the censorship:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: wutwut
  7. HTTP/1.1 301 Moved Permanently
  8. Server: nginx
  9. Date: Fri, 01 Oct 2016 00:00:00 GMT
  10. Content-Type: text/html; charset=UTF-8
  11. Transfer-Encoding: chunked
  12. Connection: keep-alive
  13. Location: http://xhamster.com/
  14. [email protected]:~$0
复制代码
  FTP.DE.FREEBSD.ORG has other interesting ports, like rsync:
   Sending http requests to open TCP ports ( 873/tcp [rsync] and 5666/tcp ) on ftp.de.freebsd.org with a censored Host will trigger the censorship too:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: wutwut
  7. HTTP/1.1 301 Moved Permanently
  8. Server: nginx
  9. Date: Fri, 01 Oct 2016 00:00:00 GMT
  10. Content-Type: text/html; charset=UTF-8
  11. Transfer-Encoding: chunked
  12. Connection: keep-alive
  13. Location: http://xhamster.com/
  14. [email protected]:~$1
复制代码
Analysis: the censorship system is a transparent proxy located in hop 10 or 11, located in the edge of Korean network to listen to international links.

  The censorship system only targets HTTP identified connections within ALL TCP connections passing in the international links of South Korea.

  The local traffic inside the country is not filtered.

  3. Inner work of the censorship system

  3.1 Different answers provided by the censorship system

  In the previous section, I illustrated how the censorship system analyses all the HTTP packets looking for the host of the remote website. You can contact a legit remote HTTP server and change the Host Field to trigger the censorship as long as you cross international fiber optic.
  The censorship system is working with different proxy clusters, providing different answers. That is, depending on the transparent proxy you are using, you get different behaviors. You have no control about the transparent proxies you are using.
  In this section, I would like to introduce different behaviors of the censorship that you will face when you visit a banned website in the SKT, KT and LG networks.
  1) Direct HTML as an answer

  This answer seems to be used for a cache proxy.
  When trying to contact a website for the first time, if the remote transparent proxy doesn't reply yet to a browser, it will reply this webpage:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: wutwut
  7. HTTP/1.1 301 Moved Permanently
  8. Server: nginx
  9. Date: Fri, 01 Oct 2016 00:00:00 GMT
  10. Content-Type: text/html; charset=UTF-8
  11. Transfer-Encoding: chunked
  12. Connection: keep-alive
  13. Location: http://xhamster.com/
  14. [email protected]:~$2
复制代码
Your browser will ask a refresh within 0.1 second of the URI, which will provide a new HTTP answer (see the next two answers):
  2) Direct HTML as an answer (censorship system A)

   Contacting a Google server at 216.58.214.131 (not hosted in South Korea), asking for a censored website:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: wutwut
  7. HTTP/1.1 301 Moved Permanently
  8. Server: nginx
  9. Date: Fri, 01 Oct 2016 00:00:00 GMT
  10. Content-Type: text/html; charset=UTF-8
  11. Transfer-Encoding: chunked
  12. Connection: keep-alive
  13. Location: http://xhamster.com/
  14. [email protected]:~$3
复制代码
The answer is:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: wutwut
  7. HTTP/1.1 301 Moved Permanently
  8. Server: nginx
  9. Date: Fri, 01 Oct 2016 00:00:00 GMT
  10. Content-Type: text/html; charset=UTF-8
  11. Transfer-Encoding: chunked
  12. Connection: keep-alive
  13. Location: http://xhamster.com/
  14. [email protected]:~$4
复制代码
The JavaScript code may differ depending on the used ISP (i.e.: KT):
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: wutwut
  7. HTTP/1.1 301 Moved Permanently
  8. Server: nginx
  9. Date: Fri, 01 Oct 2016 00:00:00 GMT
  10. Content-Type: text/html; charset=UTF-8
  11. Transfer-Encoding: chunked
  12. Connection: keep-alive
  13. Location: http://xhamster.com/
  14. [email protected]:~$5
复制代码
You will note the censorship system is banning my request even if I try to contact a remote server from Google that doesn't host a censored website.
  3) 302 Temporary redirect (censorship system B)

   By contacting Google servers located in US and asking a banned vhost, the webpage will show a 302 redirection to http://www.warning.or.kr/ :
  This one is a 302 temporary redirect:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: wutwut
  7. HTTP/1.1 301 Moved Permanently
  8. Server: nginx
  9. Date: Fri, 01 Oct 2016 00:00:00 GMT
  10. Content-Type: text/html; charset=UTF-8
  11. Transfer-Encoding: chunked
  12. Connection: keep-alive
  13. Location: http://xhamster.com/
  14. [email protected]:~$6
复制代码
The answer is:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: wutwut
  7. HTTP/1.1 301 Moved Permanently
  8. Server: nginx
  9. Date: Fri, 01 Oct 2016 00:00:00 GMT
  10. Content-Type: text/html; charset=UTF-8
  11. Transfer-Encoding: chunked
  12. Connection: keep-alive
  13. Location: http://xhamster.com/
  14. [email protected]:~$7
复制代码
3.2 Brief analysis

   In short, load-balanced transparent proxies are located somewhere in South Korea and are analyzing the Host header in the HTTP request (or in the URIs if you are using HTTP/0.9 or HTTP/1.0 - we will see that in the next section). These are:
  1/ If the vhost is not blacklisted, forwarding the request to the remote server.
  OR
  2/ If the vhost is blacklisted,
  i) Blocking and providing a HTML webpage asking for a refresh so that a cached webpage will be created and provided to the client.
  AND
  ii) Blocking and providing a 302 HTTP response to the client. The client will follow the 302 response to http://www.warning.or.kr/.
  OR
  iii) Blocking and providing a webpage witha JavaScript redirection to http://www.warning.or.kr/. The client will be directed to the http://www.warning.or.kr/ webpage.
  This will open discussion about HTTP/2, HTTPS, and exotic protocol (websockets). Let's not forget IPv6 as a network layer (this is important) but before, we will speak about the future: HTTP/0.9 and HTTP/1.0.
  OK, let's go browsing censored websites, with more potential options (HTTPS, HTTP/* support...) that will allow us to determine how the censorship works.
  3.3 Let's debug the censorship system - From HTTP/0.9 to HTTP/1.1

  Forging HTTP request manually will show us what is happening in the application layer. No more use of fake HTTP Google servers. Let's try to contact remote censored websites!
  3.3.1 HTTP/0.9

  Firstly, playing with HTTP/0.9:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: wutwut
  7. HTTP/1.1 301 Moved Permanently
  8. Server: nginx
  9. Date: Fri, 01 Oct 2016 00:00:00 GMT
  10. Content-Type: text/html; charset=UTF-8
  11. Transfer-Encoding: chunked
  12. Connection: keep-alive
  13. Location: http://xhamster.com/
  14. [email protected]:~$8
复制代码
Success! The banned website can now be visited using the bleeding-edge HTTP/0.9 technology.
  It's useless as visiting websites using only HTTP/0.9 will result in a lot of broken resources (no vhost support, good luck).
  3.3.2 HTTP/1.0

   Ok let's play with HTTP/1.0 where the Host header is still not mandatory if we read the RFC1945 - Hypertext Transfer Protocol -- HTTP/1.0 :
  With SKT and KT, you will receive the uncensored webpage:
  1. [email protected]:~$ telnet xhamster.com 80
  2. Trying 88.208.29.24...
  3. Connected to www.xhamster.com.
  4. Escape character is '^]'.
  5. GET / HTTP/1.1
  6. Host: wutwut
  7. HTTP/1.1 301 Moved Permanently
  8. Server: nginx
  9. Date: Fri, 01 Oct 2016 00:00:00 GMT
  10. Content-Type: text/html; charset=UTF-8
  11. Transfer-Encoding: chunked
  12. Connection: keep-alive
  13. Location: http://xhamster.com/
  14. [email protected]:~$9
复制代码
  It works on this censored website, too. Having an old browser without Host support will bypass the censorship (as long as the remote website is serving webpages without providing Host - it depends on the remote configuration of the remote servers). But good luck browsing the Internet without having vhost support :)
  Note that this technique doesn't work with a LG U+ connection:
  1. [email protected]:~$ host google.ru 8.8.8.8
  2. Using domain server:
  3. Name: 8.8.8.8
  4. Address: 8.8.8.8#53
  5. Aliases:
  6. google.ru has address 216.58.197.227
  7. google.ru has IPv6 address 2404:6800:4005:802::2003
  8. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  9. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  10. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  11. google.ru mail is handled by 10 aspmx.l.google.com.
  12. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  13. [email protected]:~$
  14. [email protected]:~$  traceroute -n 216.58.197.227
  15. traceroute to 216.58.197.227 (216.58.197.227), 30 hops max, 60 byte packets
  16. 1  100.114.55.252  3.915 ms  4.052 ms  4.495 ms
  17. 2  100.114.27.169  4.503 ms  4.498 ms  4.495 ms
  18. 3  1.255.24.48  4.806 ms  5.027 ms  5.026 ms
  19. 4  61.98.54.109  5.380 ms  5.376 ms  5.372 ms
  20. 5  58.229.4.16  7.384 ms 58.229.4.12  13.247 ms 58.229.4.8  10.801 ms
  21. 6  118.221.7.46  9.586 ms  5.669 ms  5.596 ms
  22. 7  39.115.132.69  5.062 ms 58.229.15.213  5.038 ms 39.115.132.69  5.030 ms
  23. 8  72.14.216.77  41.280 ms 72.14.215.199  38.651 ms  38.296 ms
  24. 9  216.239.54.1  39.183 ms  39.033 ms 209.85.142.95  38.461 ms
  25. 10  209.85.142.185  43.401 ms 216.239.40.11  43.397 ms 209.85.142.185  40.657 ms
  26. 11  72.14.238.35  64.533 ms 216.58.197.227  36.478 ms  37.243 ms
  27. [email protected]:~$0
复制代码
  However, if you contact an uncensored website without proving a Host field, the webpage will not be blocked in a LG U+ connection.
  It means that LG has apparently a database of IPs corresponding of censored websites and if you contact them without providing a Host, the request will be blocked.

  Now still with HTTP/1.0:
  1. [email protected]:~$ host google.ru 8.8.8.8
  2. Using domain server:
  3. Name: 8.8.8.8
  4. Address: 8.8.8.8#53
  5. Aliases:
  6. google.ru has address 216.58.197.227
  7. google.ru has IPv6 address 2404:6800:4005:802::2003
  8. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  9. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  10. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  11. google.ru mail is handled by 10 aspmx.l.google.com.
  12. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  13. [email protected]:~$
  14. [email protected]:~$  traceroute -n 216.58.197.227
  15. traceroute to 216.58.197.227 (216.58.197.227), 30 hops max, 60 byte packets
  16. 1  100.114.55.252  3.915 ms  4.052 ms  4.495 ms
  17. 2  100.114.27.169  4.503 ms  4.498 ms  4.495 ms
  18. 3  1.255.24.48  4.806 ms  5.027 ms  5.026 ms
  19. 4  61.98.54.109  5.380 ms  5.376 ms  5.372 ms
  20. 5  58.229.4.16  7.384 ms 58.229.4.12  13.247 ms 58.229.4.8  10.801 ms
  21. 6  118.221.7.46  9.586 ms  5.669 ms  5.596 ms
  22. 7  39.115.132.69  5.062 ms 58.229.15.213  5.038 ms 39.115.132.69  5.030 ms
  23. 8  72.14.216.77  41.280 ms 72.14.215.199  38.651 ms  38.296 ms
  24. 9  216.239.54.1  39.183 ms  39.033 ms 209.85.142.95  38.461 ms
  25. 10  209.85.142.185  43.401 ms 216.239.40.11  43.397 ms 209.85.142.185  40.657 ms
  26. 11  72.14.238.35  64.533 ms 216.58.197.227  36.478 ms  37.243 ms
  27. [email protected]:~$1
复制代码
Wow, this request was banned even with HTTP/1.0. From this, we can determine the transparent proxies are analyzing the URI too (along with the Host field), looking for forbidden domains.

  3.3.3 HTTP/1.1

  Now we start playing with Host using the "new" HTTP/1.1 technology (RFC 2616, only 17 year old):
   The Host field containing a censored webpage will trigger the censorship system:
  1. [email protected]:~$ host google.ru 8.8.8.8
  2. Using domain server:
  3. Name: 8.8.8.8
  4. Address: 8.8.8.8#53
  5. Aliases:
  6. google.ru has address 216.58.197.227
  7. google.ru has IPv6 address 2404:6800:4005:802::2003
  8. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  9. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  10. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  11. google.ru mail is handled by 10 aspmx.l.google.com.
  12. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  13. [email protected]:~$
  14. [email protected]:~$  traceroute -n 216.58.197.227
  15. traceroute to 216.58.197.227 (216.58.197.227), 30 hops max, 60 byte packets
  16. 1  100.114.55.252  3.915 ms  4.052 ms  4.495 ms
  17. 2  100.114.27.169  4.503 ms  4.498 ms  4.495 ms
  18. 3  1.255.24.48  4.806 ms  5.027 ms  5.026 ms
  19. 4  61.98.54.109  5.380 ms  5.376 ms  5.372 ms
  20. 5  58.229.4.16  7.384 ms 58.229.4.12  13.247 ms 58.229.4.8  10.801 ms
  21. 6  118.221.7.46  9.586 ms  5.669 ms  5.596 ms
  22. 7  39.115.132.69  5.062 ms 58.229.15.213  5.038 ms 39.115.132.69  5.030 ms
  23. 8  72.14.216.77  41.280 ms 72.14.215.199  38.651 ms  38.296 ms
  24. 9  216.239.54.1  39.183 ms  39.033 ms 209.85.142.95  38.461 ms
  25. 10  209.85.142.185  43.401 ms 216.239.40.11  43.397 ms 209.85.142.185  40.657 ms
  26. 11  72.14.238.35  64.533 ms 216.58.197.227  36.478 ms  37.243 ms
  27. [email protected]:~$2
复制代码
This request is banned.
   The invalid Host www.xhamster.com/aaaaaaaafield containing a censored webpage will trigger the censorship system too:
  1. [email protected]:~$ host google.ru 8.8.8.8
  2. Using domain server:
  3. Name: 8.8.8.8
  4. Address: 8.8.8.8#53
  5. Aliases:
  6. google.ru has address 216.58.197.227
  7. google.ru has IPv6 address 2404:6800:4005:802::2003
  8. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  9. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  10. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  11. google.ru mail is handled by 10 aspmx.l.google.com.
  12. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  13. [email protected]:~$
  14. [email protected]:~$  traceroute -n 216.58.197.227
  15. traceroute to 216.58.197.227 (216.58.197.227), 30 hops max, 60 byte packets
  16. 1  100.114.55.252  3.915 ms  4.052 ms  4.495 ms
  17. 2  100.114.27.169  4.503 ms  4.498 ms  4.495 ms
  18. 3  1.255.24.48  4.806 ms  5.027 ms  5.026 ms
  19. 4  61.98.54.109  5.380 ms  5.376 ms  5.372 ms
  20. 5  58.229.4.16  7.384 ms 58.229.4.12  13.247 ms 58.229.4.8  10.801 ms
  21. 6  118.221.7.46  9.586 ms  5.669 ms  5.596 ms
  22. 7  39.115.132.69  5.062 ms 58.229.15.213  5.038 ms 39.115.132.69  5.030 ms
  23. 8  72.14.216.77  41.280 ms 72.14.215.199  38.651 ms  38.296 ms
  24. 9  216.239.54.1  39.183 ms  39.033 ms 209.85.142.95  38.461 ms
  25. 10  209.85.142.185  43.401 ms 216.239.40.11  43.397 ms 209.85.142.185  40.657 ms
  26. 11  72.14.238.35  64.533 ms 216.58.197.227  36.478 ms  37.243 ms
  27. [email protected]:~$3
复制代码
This request is banned even if the vhost is not good.
   The Host www.xhamster.com:80 field containing a censored webpage will trigger the censorship system:
  1. [email protected]:~$ host google.ru 8.8.8.8
  2. Using domain server:
  3. Name: 8.8.8.8
  4. Address: 8.8.8.8#53
  5. Aliases:
  6. google.ru has address 216.58.197.227
  7. google.ru has IPv6 address 2404:6800:4005:802::2003
  8. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  9. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  10. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  11. google.ru mail is handled by 10 aspmx.l.google.com.
  12. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  13. [email protected]:~$
  14. [email protected]:~$  traceroute -n 216.58.197.227
  15. traceroute to 216.58.197.227 (216.58.197.227), 30 hops max, 60 byte packets
  16. 1  100.114.55.252  3.915 ms  4.052 ms  4.495 ms
  17. 2  100.114.27.169  4.503 ms  4.498 ms  4.495 ms
  18. 3  1.255.24.48  4.806 ms  5.027 ms  5.026 ms
  19. 4  61.98.54.109  5.380 ms  5.376 ms  5.372 ms
  20. 5  58.229.4.16  7.384 ms 58.229.4.12  13.247 ms 58.229.4.8  10.801 ms
  21. 6  118.221.7.46  9.586 ms  5.669 ms  5.596 ms
  22. 7  39.115.132.69  5.062 ms 58.229.15.213  5.038 ms 39.115.132.69  5.030 ms
  23. 8  72.14.216.77  41.280 ms 72.14.215.199  38.651 ms  38.296 ms
  24. 9  216.239.54.1  39.183 ms  39.033 ms 209.85.142.95  38.461 ms
  25. 10  209.85.142.185  43.401 ms 216.239.40.11  43.397 ms 209.85.142.185  40.657 ms
  26. 11  72.14.238.35  64.533 ms 216.58.197.227  36.478 ms  37.243 ms
  27. [email protected]:~$4
复制代码
  The request is still banned with www.xhamster.com:80 as a remote host.
   The Host www.xhamster.com:-800000000000000000000 field containing a censored webpage will trigger the censorship system too:
  1. [email protected]:~$ host google.ru 8.8.8.8
  2. Using domain server:
  3. Name: 8.8.8.8
  4. Address: 8.8.8.8#53
  5. Aliases:
  6. google.ru has address 216.58.197.227
  7. google.ru has IPv6 address 2404:6800:4005:802::2003
  8. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  9. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  10. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  11. google.ru mail is handled by 10 aspmx.l.google.com.
  12. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  13. [email protected]:~$
  14. [email protected]:~$  traceroute -n 216.58.197.227
  15. traceroute to 216.58.197.227 (216.58.197.227), 30 hops max, 60 byte packets
  16. 1  100.114.55.252  3.915 ms  4.052 ms  4.495 ms
  17. 2  100.114.27.169  4.503 ms  4.498 ms  4.495 ms
  18. 3  1.255.24.48  4.806 ms  5.027 ms  5.026 ms
  19. 4  61.98.54.109  5.380 ms  5.376 ms  5.372 ms
  20. 5  58.229.4.16  7.384 ms 58.229.4.12  13.247 ms 58.229.4.8  10.801 ms
  21. 6  118.221.7.46  9.586 ms  5.669 ms  5.596 ms
  22. 7  39.115.132.69  5.062 ms 58.229.15.213  5.038 ms 39.115.132.69  5.030 ms
  23. 8  72.14.216.77  41.280 ms 72.14.215.199  38.651 ms  38.296 ms
  24. 9  216.239.54.1  39.183 ms  39.033 ms 209.85.142.95  38.461 ms
  25. 10  209.85.142.185  43.401 ms 216.239.40.11  43.397 ms 209.85.142.185  40.657 ms
  26. 11  72.14.238.35  64.533 ms 216.58.197.227  36.478 ms  37.243 ms
  27. [email protected]:~$5
复制代码
  So www.xhamster.com:-800000000000000000000 is banned too.
   The Host www.xhamster.com:80:80 field containing a censored webpage will trigger the censorship system:
  1. [email protected]:~$ host google.ru 8.8.8.8
  2. Using domain server:
  3. Name: 8.8.8.8
  4. Address: 8.8.8.8#53
  5. Aliases:
  6. google.ru has address 216.58.197.227
  7. google.ru has IPv6 address 2404:6800:4005:802::2003
  8. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  9. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  10. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  11. google.ru mail is handled by 10 aspmx.l.google.com.
  12. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  13. [email protected]:~$
  14. [email protected]:~$  traceroute -n 216.58.197.227
  15. traceroute to 216.58.197.227 (216.58.197.227), 30 hops max, 60 byte packets
  16. 1  100.114.55.252  3.915 ms  4.052 ms  4.495 ms
  17. 2  100.114.27.169  4.503 ms  4.498 ms  4.495 ms
  18. 3  1.255.24.48  4.806 ms  5.027 ms  5.026 ms
  19. 4  61.98.54.109  5.380 ms  5.376 ms  5.372 ms
  20. 5  58.229.4.16  7.384 ms 58.229.4.12  13.247 ms 58.229.4.8  10.801 ms
  21. 6  118.221.7.46  9.586 ms  5.669 ms  5.596 ms
  22. 7  39.115.132.69  5.062 ms 58.229.15.213  5.038 ms 39.115.132.69  5.030 ms
  23. 8  72.14.216.77  41.280 ms 72.14.215.199  38.651 ms  38.296 ms
  24. 9  216.239.54.1  39.183 ms  39.033 ms 209.85.142.95  38.461 ms
  25. 10  209.85.142.185  43.401 ms 216.239.40.11  43.397 ms 209.85.142.185  40.657 ms
  26. 11  72.14.238.35  64.533 ms 216.58.197.227  36.478 ms  37.243 ms
  27. [email protected]:~$6
复制代码
  www.xhamster.com:80:80 is banned too.
  Sending 2 hosts with the first one in the list of censored websites trigger the censorship system:
  1. [email protected]:~$ host google.ru 8.8.8.8
  2. Using domain server:
  3. Name: 8.8.8.8
  4. Address: 8.8.8.8#53
  5. Aliases:
  6. google.ru has address 216.58.197.227
  7. google.ru has IPv6 address 2404:6800:4005:802::2003
  8. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  9. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  10. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  11. google.ru mail is handled by 10 aspmx.l.google.com.
  12. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  13. [email protected]:~$
  14. [email protected]:~$  traceroute -n 216.58.197.227
  15. traceroute to 216.58.197.227 (216.58.197.227), 30 hops max, 60 byte packets
  16. 1  100.114.55.252  3.915 ms  4.052 ms  4.495 ms
  17. 2  100.114.27.169  4.503 ms  4.498 ms  4.495 ms
  18. 3  1.255.24.48  4.806 ms  5.027 ms  5.026 ms
  19. 4  61.98.54.109  5.380 ms  5.376 ms  5.372 ms
  20. 5  58.229.4.16  7.384 ms 58.229.4.12  13.247 ms 58.229.4.8  10.801 ms
  21. 6  118.221.7.46  9.586 ms  5.669 ms  5.596 ms
  22. 7  39.115.132.69  5.062 ms 58.229.15.213  5.038 ms 39.115.132.69  5.030 ms
  23. 8  72.14.216.77  41.280 ms 72.14.215.199  38.651 ms  38.296 ms
  24. 9  216.239.54.1  39.183 ms  39.033 ms 209.85.142.95  38.461 ms
  25. 10  209.85.142.185  43.401 ms 216.239.40.11  43.397 ms 209.85.142.185  40.657 ms
  26. 11  72.14.238.35  64.533 ms 216.58.197.227  36.478 ms  37.243 ms
  27. [email protected]:~$7
复制代码
  With 2 Host fields, only the first one seems to be used. Sending 2 hosts with only the second one in the list of censored websites will NOT trigger the censorship system as I received an answer from Xhamster.com servers:
  1. [email protected]:~$ host google.ru 8.8.8.8
  2. Using domain server:
  3. Name: 8.8.8.8
  4. Address: 8.8.8.8#53
  5. Aliases:
  6. google.ru has address 216.58.197.227
  7. google.ru has IPv6 address 2404:6800:4005:802::2003
  8. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  9. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  10. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  11. google.ru mail is handled by 10 aspmx.l.google.com.
  12. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  13. [email protected]:~$
  14. [email protected]:~$  traceroute -n 216.58.197.227
  15. traceroute to 216.58.197.227 (216.58.197.227), 30 hops max, 60 byte packets
  16. 1  100.114.55.252  3.915 ms  4.052 ms  4.495 ms
  17. 2  100.114.27.169  4.503 ms  4.498 ms  4.495 ms
  18. 3  1.255.24.48  4.806 ms  5.027 ms  5.026 ms
  19. 4  61.98.54.109  5.380 ms  5.376 ms  5.372 ms
  20. 5  58.229.4.16  7.384 ms 58.229.4.12  13.247 ms 58.229.4.8  10.801 ms
  21. 6  118.221.7.46  9.586 ms  5.669 ms  5.596 ms
  22. 7  39.115.132.69  5.062 ms 58.229.15.213  5.038 ms 39.115.132.69  5.030 ms
  23. 8  72.14.216.77  41.280 ms 72.14.215.199  38.651 ms  38.296 ms
  24. 9  216.239.54.1  39.183 ms  39.033 ms 209.85.142.95  38.461 ms
  25. 10  209.85.142.185  43.401 ms 216.239.40.11  43.397 ms 209.85.142.185  40.657 ms
  26. 11  72.14.238.35  64.533 ms 216.58.197.227  36.478 ms  37.243 ms
  27. [email protected]:~$8
复制代码
  With 2 Host fields, the first one is used and this request was OK but unusable because the remote server is configured to use the first vhost and is providing me with a 301 redirection to it (protip xhamster admins: please use a catch-all vhost!).
  Ok, as seen already, the system is analyzing HTTP requests passing to every international link. Let's continue using Google servers :)
   Asking www.xhamster.com to a Google server will result in a 302 redirect to http://www.warning.or.kr :
  1. user@kali:~$ host google.ru 8.8.8.8
  2. Using domain server:
  3. Name: 8.8.8.8
  4. Address: 8.8.8.8#53
  5. Aliases:
  6. google.ru has address 216.58.197.227
  7. google.ru has IPv6 address 2404:6800:4005:802::2003
  8. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  9. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  10. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  11. google.ru mail is handled by 10 aspmx.l.google.com.
  12. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  13. user@kali:~$
  14. user@kali:~$  traceroute -n 216.58.197.227
  15. traceroute to 216.58.197.227 (216.58.197.227), 30 hops max, 60 byte packets
  16. 1  100.114.55.252  3.915 ms  4.052 ms  4.495 ms
  17. 2  100.114.27.169  4.503 ms  4.498 ms  4.495 ms
  18. 3  1.255.24.48  4.806 ms  5.027 ms  5.026 ms
  19. 4  61.98.54.109  5.380 ms  5.376 ms  5.372 ms
  20. 5  58.229.4.16  7.384 ms 58.229.4.12  13.247 ms 58.229.4.8  10.801 ms
  21. 6  118.221.7.46  9.586 ms  5.669 ms  5.596 ms
  22. 7  39.115.132.69  5.062 ms 58.229.15.213  5.038 ms 39.115.132.69  5.030 ms
  23. 8  72.14.216.77  41.280 ms 72.14.215.199  38.651 ms  38.296 ms
  24. 9  216.239.54.1  39.183 ms  39.033 ms 209.85.142.95  38.461 ms
  25. 10  209.85.142.185  43.401 ms 216.239.40.11  43.397 ms 209.85.142.185  40.657 ms
  26. 11  72.14.238.35  64.533 ms 216.58.197.227  36.478 ms  37.243 ms
  27. user@kali:~$9
复制代码
  Asking www.xhamster.com%00 will produce an error from the Google server, showing that the request was NOT censored!
  1. user@kali:~$ wget -O- http://www.google.ru/ | grep -ai google|head -n 1
  2. --2016-10-01 XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: unspecified [text/html]
  7. Saving to: 'STDOUT'
  8. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ru"><head><meta content="Google." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script>(function(){window.google={kEI:'9kbBV4mEM8nt0gSfvbGQCg',kEXPI:'3700062,3700283,3700389,4029815,4031109,4032678,4036509,4036527,4038012,4039268,4043492,4045841,4048347,4052304,4058543,4061154,4062702,4063879,4065786,4065793,4066654,4066708,4067175,4067860,4068550,4068816,4069839,4069841,4069905,4070127,4070220,4070598,4071231,4071575,4071603,4071842,4072000,4072289,4072364,4072653,4072682,4072773,4073231,4073405,4073419,4073958,4073980,4074426,4074801,4075122,4075451,4075464,4075781,4075788,4075860,4075966,4075976,4076018,4076096,4076115,4076117,4076797,4076931,4077219,4077221,4077384,4077391,8300096,8300273,8502184,8503585,8504846,8505150,8505152,8505585,8505677,8505816,8506585,10200083',authuser:0,kscs:'c9c918f0_24'};google.kHL='ru';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};google.https=function(){return"https:"==window.location.protocol};google.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(c){}};google.time=function(){return(new Date).getTime()};google.log=function(a,b,c,e,g){a=google.logUrl(a,b,c,e,g);if(""!=a){b=new Image;var d=google.lc,f=google.li;d[f]=b;b.onerror=b.onload=b.onabort=function(){delete d[f]};window.google&&window.google.vel&&window.google.vel.lu&&window.google.vel.lu(a);b.src=a;google.li=f+1}};google.logUrl=function(a,b,c,e,g){var d="",f=google.ls||"";if(!c&&-1==b.search("&ei=")){var h=google.getEI(e)
  9. user@kali:~$0
复制代码
  Ok, let's try on Xhamster.com website:
  1. user@kali:~$ wget -O- http://www.google.ru/ | grep -ai google|head -n 1
  2. --2016-10-01 XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: unspecified [text/html]
  7. Saving to: 'STDOUT'
  8. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ru"><head><meta content="Google." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script>(function(){window.google={kEI:'9kbBV4mEM8nt0gSfvbGQCg',kEXPI:'3700062,3700283,3700389,4029815,4031109,4032678,4036509,4036527,4038012,4039268,4043492,4045841,4048347,4052304,4058543,4061154,4062702,4063879,4065786,4065793,4066654,4066708,4067175,4067860,4068550,4068816,4069839,4069841,4069905,4070127,4070220,4070598,4071231,4071575,4071603,4071842,4072000,4072289,4072364,4072653,4072682,4072773,4073231,4073405,4073419,4073958,4073980,4074426,4074801,4075122,4075451,4075464,4075781,4075788,4075860,4075966,4075976,4076018,4076096,4076115,4076117,4076797,4076931,4077219,4077221,4077384,4077391,8300096,8300273,8502184,8503585,8504846,8505150,8505152,8505585,8505677,8505816,8506585,10200083',authuser:0,kscs:'c9c918f0_24'};google.kHL='ru';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};google.https=function(){return"https:"==window.location.protocol};google.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(c){}};google.time=function(){return(new Date).getTime()};google.log=function(a,b,c,e,g){a=google.logUrl(a,b,c,e,g);if(""!=a){b=new Image;var d=google.lc,f=google.li;d[f]=b;b.onerror=b.onload=b.onabort=function(){delete d[f]};window.google&&window.google.vel&&window.google.vel.lu&&window.google.vel.lu(a);b.src=a;google.li=f+1}};google.logUrl=function(a,b,c,e,g){var d="",f=google.ls||"";if(!c&&-1==b.search("&ei=")){var h=google.getEI(e)
  9. user@kali:~$1
复制代码
It works - I got a reply from the www.xhamster.com server.
   Let's try to add some random stuff with invalid HTTP request (e.g. Host: %s:www.xhamster.com ):
  1. user@kali:~$ wget -O- http://www.google.ru/ | grep -ai google|head -n 1
  2. --2016-10-01 XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: unspecified [text/html]
  7. Saving to: 'STDOUT'
  8. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ru"><head><meta content="Google." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script>(function(){window.google={kEI:'9kbBV4mEM8nt0gSfvbGQCg',kEXPI:'3700062,3700283,3700389,4029815,4031109,4032678,4036509,4036527,4038012,4039268,4043492,4045841,4048347,4052304,4058543,4061154,4062702,4063879,4065786,4065793,4066654,4066708,4067175,4067860,4068550,4068816,4069839,4069841,4069905,4070127,4070220,4070598,4071231,4071575,4071603,4071842,4072000,4072289,4072364,4072653,4072682,4072773,4073231,4073405,4073419,4073958,4073980,4074426,4074801,4075122,4075451,4075464,4075781,4075788,4075860,4075966,4075976,4076018,4076096,4076115,4076117,4076797,4076931,4077219,4077221,4077384,4077391,8300096,8300273,8502184,8503585,8504846,8505150,8505152,8505585,8505677,8505816,8506585,10200083',authuser:0,kscs:'c9c918f0_24'};google.kHL='ru';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};google.https=function(){return"https:"==window.location.protocol};google.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(c){}};google.time=function(){return(new Date).getTime()};google.log=function(a,b,c,e,g){a=google.logUrl(a,b,c,e,g);if(""!=a){b=new Image;var d=google.lc,f=google.li;d[f]=b;b.onerror=b.onload=b.onabort=function(){delete d[f]};window.google&&window.google.vel&&window.google.vel.lu&&window.google.vel.lu(a);b.src=a;google.li=f+1}};google.logUrl=function(a,b,c,e,g){var d="",f=google.ls||"";if(!c&&-1==b.search("&ei=")){var h=google.getEI(e)
  9. user@kali:~$2
复制代码
It works too!
  Ok, doing Webdav will work too. The remote Xhamster.com webpage will reply to me:
  1. user@kali:~$ wget -O- http://www.google.ru/ | grep -ai google|head -n 1
  2. --2016-10-01 XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: unspecified [text/html]
  7. Saving to: 'STDOUT'
  8. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ru"><head><meta content="Google." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script>(function(){window.google={kEI:'9kbBV4mEM8nt0gSfvbGQCg',kEXPI:'3700062,3700283,3700389,4029815,4031109,4032678,4036509,4036527,4038012,4039268,4043492,4045841,4048347,4052304,4058543,4061154,4062702,4063879,4065786,4065793,4066654,4066708,4067175,4067860,4068550,4068816,4069839,4069841,4069905,4070127,4070220,4070598,4071231,4071575,4071603,4071842,4072000,4072289,4072364,4072653,4072682,4072773,4073231,4073405,4073419,4073958,4073980,4074426,4074801,4075122,4075451,4075464,4075781,4075788,4075860,4075966,4075976,4076018,4076096,4076115,4076117,4076797,4076931,4077219,4077221,4077384,4077391,8300096,8300273,8502184,8503585,8504846,8505150,8505152,8505585,8505677,8505816,8506585,10200083',authuser:0,kscs:'c9c918f0_24'};google.kHL='ru';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};google.https=function(){return"https:"==window.location.protocol};google.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(c){}};google.time=function(){return(new Date).getTime()};google.log=function(a,b,c,e,g){a=google.logUrl(a,b,c,e,g);if(""!=a){b=new Image;var d=google.lc,f=google.li;d[f]=b;b.onerror=b.onload=b.onabort=function(){delete d[f]};window.google&&window.google.vel&&window.google.vel.lu&&window.google.vel.lu(a);b.src=a;google.li=f+1}};google.logUrl=function(a,b,c,e,g){var d="",f=google.ls||"";if(!c&&-1==b.search("&ei=")){var h=google.getEI(e)
  9. user@kali:~$3
复制代码
Using URIs will trigger the censorship system too:
   Fetching http://xhamster.com/about.php and http://www.xhamster.com/ will show a 302 redirect to http://www.warning.or.kr :
  1. user@kali:~$ wget -O- http://www.google.ru/ | grep -ai google|head -n 1
  2. --2016-10-01 XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: unspecified [text/html]
  7. Saving to: 'STDOUT'
  8. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ru"><head><meta content="Google." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script>(function(){window.google={kEI:'9kbBV4mEM8nt0gSfvbGQCg',kEXPI:'3700062,3700283,3700389,4029815,4031109,4032678,4036509,4036527,4038012,4039268,4043492,4045841,4048347,4052304,4058543,4061154,4062702,4063879,4065786,4065793,4066654,4066708,4067175,4067860,4068550,4068816,4069839,4069841,4069905,4070127,4070220,4070598,4071231,4071575,4071603,4071842,4072000,4072289,4072364,4072653,4072682,4072773,4073231,4073405,4073419,4073958,4073980,4074426,4074801,4075122,4075451,4075464,4075781,4075788,4075860,4075966,4075976,4076018,4076096,4076115,4076117,4076797,4076931,4077219,4077221,4077384,4077391,8300096,8300273,8502184,8503585,8504846,8505150,8505152,8505585,8505677,8505816,8506585,10200083',authuser:0,kscs:'c9c918f0_24'};google.kHL='ru';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};google.https=function(){return"https:"==window.location.protocol};google.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(c){}};google.time=function(){return(new Date).getTime()};google.log=function(a,b,c,e,g){a=google.logUrl(a,b,c,e,g);if(""!=a){b=new Image;var d=google.lc,f=google.li;d[f]=b;b.onerror=b.onload=b.onabort=function(){delete d[f]};window.google&&window.google.vel&&window.google.vel.lu&&window.google.vel.lu(a);b.src=a;google.li=f+1}};google.logUrl=function(a,b,c,e,g){var d="",f=google.ls||"";if(!c&&-1==b.search("&ei=")){var h=google.getEI(e)
  9. user@kali:~$4
复制代码
  In this one, I ask http://www.xhamster.com/ to a remote Google server (censored too):
  1. user@kali:~$ wget -O- http://www.google.ru/ | grep -ai google|head -n 1
  2. --2016-10-01 XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: unspecified [text/html]
  7. Saving to: 'STDOUT'
  8. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ru"><head><meta content="Google." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script>(function(){window.google={kEI:'9kbBV4mEM8nt0gSfvbGQCg',kEXPI:'3700062,3700283,3700389,4029815,4031109,4032678,4036509,4036527,4038012,4039268,4043492,4045841,4048347,4052304,4058543,4061154,4062702,4063879,4065786,4065793,4066654,4066708,4067175,4067860,4068550,4068816,4069839,4069841,4069905,4070127,4070220,4070598,4071231,4071575,4071603,4071842,4072000,4072289,4072364,4072653,4072682,4072773,4073231,4073405,4073419,4073958,4073980,4074426,4074801,4075122,4075451,4075464,4075781,4075788,4075860,4075966,4075976,4076018,4076096,4076115,4076117,4076797,4076931,4077219,4077221,4077384,4077391,8300096,8300273,8502184,8503585,8504846,8505150,8505152,8505585,8505677,8505816,8506585,10200083',authuser:0,kscs:'c9c918f0_24'};google.kHL='ru';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};google.https=function(){return"https:"==window.location.protocol};google.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(c){}};google.time=function(){return(new Date).getTime()};google.log=function(a,b,c,e,g){a=google.logUrl(a,b,c,e,g);if(""!=a){b=new Image;var d=google.lc,f=google.li;d[f]=b;b.onerror=b.onload=b.onabort=function(){delete d[f]};window.google&&window.google.vel&&window.google.vel.lu&&window.google.vel.lu(a);b.src=a;google.li=f+1}};google.logUrl=function(a,b,c,e,g){var d="",f=google.ls||"";if(!c&&-1==b.search("&ei=")){var h=google.getEI(e)
  9. user@kali:~$5
复制代码
And minutes later, the same request will send me another reply:
  1. user@kali:~$ wget -O- http://www.google.ru/ | grep -ai google|head -n 1
  2. --2016-10-01 XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: unspecified [text/html]
  7. Saving to: 'STDOUT'
  8. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ru"><head><meta content="Google." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script>(function(){window.google={kEI:'9kbBV4mEM8nt0gSfvbGQCg',kEXPI:'3700062,3700283,3700389,4029815,4031109,4032678,4036509,4036527,4038012,4039268,4043492,4045841,4048347,4052304,4058543,4061154,4062702,4063879,4065786,4065793,4066654,4066708,4067175,4067860,4068550,4068816,4069839,4069841,4069905,4070127,4070220,4070598,4071231,4071575,4071603,4071842,4072000,4072289,4072364,4072653,4072682,4072773,4073231,4073405,4073419,4073958,4073980,4074426,4074801,4075122,4075451,4075464,4075781,4075788,4075860,4075966,4075976,4076018,4076096,4076115,4076117,4076797,4076931,4077219,4077221,4077384,4077391,8300096,8300273,8502184,8503585,8504846,8505150,8505152,8505585,8505677,8505816,8506585,10200083',authuser:0,kscs:'c9c918f0_24'};google.kHL='ru';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};google.https=function(){return"https:"==window.location.protocol};google.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(c){}};google.time=function(){return(new Date).getTime()};google.log=function(a,b,c,e,g){a=google.logUrl(a,b,c,e,g);if(""!=a){b=new Image;var d=google.lc,f=google.li;d[f]=b;b.onerror=b.onload=b.onabort=function(){delete d[f]};window.google&&window.google.vel&&window.google.vel.lu&&window.google.vel.lu(a);b.src=a;google.li=f+1}};google.logUrl=function(a,b,c,e,g){var d="",f=google.ls||"";if(!c&&-1==b.search("&ei=")){var h=google.getEI(e)
  9. user@kali:~$6
复制代码
3.4 Analysis

   The censorship system analyzes URI and Host field to identify remote webserver and denies the access by providing a 302 redirection to www.warning.co.kr or by providing a webpage with a JavaScript redirection.
  HTTP/0.9 is not supported and bypasses the censorship system.
  HTTP/1.0 and HTTP/1.1 requests without Hosts or complete URI are not supported and thus bypass the censorship system by default.
  We have now questions:
  
       
  • Will using HTTPS bypass the transparent proxy?   
  • Will using HTTP/2 with TLS bypass the transparent proxy?   
  • How about IPv6?  
  3.5 More tricky requests with HTTP

  3.5.1 Custom Vhosts

   I was lucky to find a website with a wildcard for the vhost: Tube8.com (NSFW - thank you tube8.com admins).
   Using random vhosts while contacting the Tube8.com servers will still provide me with tube8.com webpages.
   As shown below, Tube8.com is configured as a wildcard, and requesting this webpage with a custom vhost ( please-enlarge-my-bandwith ) will work:
  1. user@kali:~$ wget -O- http://www.google.ru/ | grep -ai google|head -n 1
  2. --2016-10-01 XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: unspecified [text/html]
  7. Saving to: 'STDOUT'
  8. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ru"><head><meta content="Google." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script>(function(){window.google={kEI:'9kbBV4mEM8nt0gSfvbGQCg',kEXPI:'3700062,3700283,3700389,4029815,4031109,4032678,4036509,4036527,4038012,4039268,4043492,4045841,4048347,4052304,4058543,4061154,4062702,4063879,4065786,4065793,4066654,4066708,4067175,4067860,4068550,4068816,4069839,4069841,4069905,4070127,4070220,4070598,4071231,4071575,4071603,4071842,4072000,4072289,4072364,4072653,4072682,4072773,4073231,4073405,4073419,4073958,4073980,4074426,4074801,4075122,4075451,4075464,4075781,4075788,4075860,4075966,4075976,4076018,4076096,4076115,4076117,4076797,4076931,4077219,4077221,4077384,4077391,8300096,8300273,8502184,8503585,8504846,8505150,8505152,8505585,8505677,8505816,8506585,10200083',authuser:0,kscs:'c9c918f0_24'};google.kHL='ru';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};google.https=function(){return"https:"==window.location.protocol};google.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(c){}};google.time=function(){return(new Date).getTime()};google.log=function(a,b,c,e,g){a=google.logUrl(a,b,c,e,g);if(""!=a){b=new Image;var d=google.lc,f=google.li;d[f]=b;b.onerror=b.onload=b.onabort=function(){delete d[f]};window.google&&window.google.vel&&window.google.vel.lu&&window.google.vel.lu(a);b.src=a;google.li=f+1}};google.logUrl=function(a,b,c,e,g){var d="",f=google.ls||"";if(!c&&-1==b.search("&ei=")){var h=google.getEI(e)
  9. user@kali:~$7
复制代码
  Trying to wget the webpage (with tube8.com vhost) will forward to the www.warning.or.kr webpage, ruining all the fun:
  1. user@kali:~$ wget -O- http://www.google.ru/ | grep -ai google|head -n 1
  2. --2016-10-01 XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: unspecified [text/html]
  7. Saving to: 'STDOUT'
  8. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ru"><head><meta content="Google." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script>(function(){window.google={kEI:'9kbBV4mEM8nt0gSfvbGQCg',kEXPI:'3700062,3700283,3700389,4029815,4031109,4032678,4036509,4036527,4038012,4039268,4043492,4045841,4048347,4052304,4058543,4061154,4062702,4063879,4065786,4065793,4066654,4066708,4067175,4067860,4068550,4068816,4069839,4069841,4069905,4070127,4070220,4070598,4071231,4071575,4071603,4071842,4072000,4072289,4072364,4072653,4072682,4072773,4073231,4073405,4073419,4073958,4073980,4074426,4074801,4075122,4075451,4075464,4075781,4075788,4075860,4075966,4075976,4076018,4076096,4076115,4076117,4076797,4076931,4077219,4077221,4077384,4077391,8300096,8300273,8502184,8503585,8504846,8505150,8505152,8505585,8505677,8505816,8506585,10200083',authuser:0,kscs:'c9c918f0_24'};google.kHL='ru';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};google.https=function(){return"https:"==window.location.protocol};google.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(c){}};google.time=function(){return(new Date).getTime()};google.log=function(a,b,c,e,g){a=google.logUrl(a,b,c,e,g);if(""!=a){b=new Image;var d=google.lc,f=google.li;d[f]=b;b.onerror=b.onload=b.onabort=function(){delete d[f]};window.google&&window.google.vel&&window.google.vel.lu&&window.google.vel.lu(a);b.src=a;google.li=f+1}};google.logUrl=function(a,b,c,e,g){var d="",f=google.ls||"";if(!c&&-1==b.search("&ei=")){var h=google.getEI(e)
  9. user@kali:~$8
复制代码
  Now by setting a custom vhost ( please-enlarge-my-bandwith.com ), we will bypass the censorship!
  1. user@kali:~$ wget -O- http://www.google.ru/ | grep -ai google|head -n 1
  2. --2016-10-01 XX:XX:XX--  http://www.google.ru/
  3. Resolving www.google.ru (www.google.ru)... 216.58.214.131, 2a00:1450:4001:813::2003
  4. Connecting to www.google.ru (www.google.ru)|216.58.214.131|:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: unspecified [text/html]
  7. Saving to: 'STDOUT'
  8. <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ru"><head><meta content="Google." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script>(function(){window.google={kEI:'9kbBV4mEM8nt0gSfvbGQCg',kEXPI:'3700062,3700283,3700389,4029815,4031109,4032678,4036509,4036527,4038012,4039268,4043492,4045841,4048347,4052304,4058543,4061154,4062702,4063879,4065786,4065793,4066654,4066708,4067175,4067860,4068550,4068816,4069839,4069841,4069905,4070127,4070220,4070598,4071231,4071575,4071603,4071842,4072000,4072289,4072364,4072653,4072682,4072773,4073231,4073405,4073419,4073958,4073980,4074426,4074801,4075122,4075451,4075464,4075781,4075788,4075860,4075966,4075976,4076018,4076096,4076115,4076117,4076797,4076931,4077219,4077221,4077384,4077391,8300096,8300273,8502184,8503585,8504846,8505150,8505152,8505585,8505677,8505816,8506585,10200083',authuser:0,kscs:'c9c918f0_24'};google.kHL='ru';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};google.https=function(){return"https:"==window.location.protocol};google.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(c){}};google.time=function(){return(new Date).getTime()};google.log=function(a,b,c,e,g){a=google.logUrl(a,b,c,e,g);if(""!=a){b=new Image;var d=google.lc,f=google.li;d[f]=b;b.onerror=b.onload=b.onabort=function(){delete d[f]};window.google&&window.google.vel&&window.google.vel.lu&&window.google.vel.lu(a);b.src=a;google.li=f+1}};google.logUrl=function(a,b,c,e,g){var d="",f=google.ls||"";if(!c&&-1==b.search("&ei=")){var h=google.getEI(e)
  9. user@kali:~$9
复制代码
  Censorship was bypassed and confirms the filtering occurs in the Host header if we are using HTTP/1.1.
  3.5.2 HTTP requests methods

   Introducing a new banned website: www.spankwire.com .
  This website is censored.
   The reader will note that we only did GET requests in the previous sections. Now, from my tests, only GET and POST are filtered:
  These requests will be censored:
   GET request with a Host header:
  1. user@kali:~$ host google.co.kr
  2. google.ru has address 1.255.22.241
  3. google.ru has address 1.255.22.237
  4. google.ru has address 1.255.22.217
  5. google.ru has address 1.255.22.216
  6. google.ru has address 1.255.22.227
  7. google.ru has address 1.255.22.251
  8. google.ru has address 1.255.22.242
  9. google.ru has address 1.255.22.232
  10. google.ru has address 1.255.22.226
  11. google.ru has address 1.255.22.247
  12. google.ru has address 1.255.22.236
  13. google.ru has address 1.255.22.222
  14. google.ru has address 1.255.22.221
  15. google.ru has address 1.255.22.212
  16. google.ru has address 1.255.22.231
  17. google.ru has address 1.255.22.246
  18. google.ru has IPv6 address 2404:6800:400a:806::2003
  19. google.ru mail is handled by 10 aspmx.l.google.com.
  20. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  21. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  22. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  23. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  24. user@kali:~$ tcptraceroute -n 1.255.22.242 80
  25. Running:
  26.     traceroute -T -O info -n -p 80 1.255.22.242
  27. traceroute to 1.255.22.242 (1.255.22.242), 30 hops max, 60 byte packets
  28. 1  100.114.55.252  3.759 ms  4.431 ms  4.556 ms
  29. 2  100.114.27.169  4.553 ms  4.551 ms  4.547 ms
  30. 3  1.255.24.48  5.182 ms  5.668 ms  5.900 ms
  31. 4  61.98.54.109  5.900 ms  6.452 ms  6.992 ms
  32. 5  58.229.4.28  10.786 ms 58.229.4.20  12.408 ms 58.229.4.36  10.783 ms
  33. 6  58.229.4.163  10.713 ms  7.037 ms  7.370 ms
  34. 7  1.255.22.242<syn,ack>  6.621 ms  7.737 ms  7.798 ms
  35. user@kali:~$ ping 1.255.22.242
  36. PING 1.255.22.242 (1.255.22.242) 56(84) bytes of data.
  37. 64 bytes from 1.255.22.242: icmp_seq=1 ttl=58 time=4.32 ms
  38. ^C
  39. --- 1.255.22.242 ping statistics ---
  40. 1 packets transmitted, 1 received, 0% packet loss, time 0ms
  41. rtt min/avg/max/mdev = 4.328/4.328/4.328/0.000 ms
  42. user@kali:~$0
复制代码
  GET request with a complete URI containing a censored website:
  1. user@kali:~$ host google.co.kr
  2. google.ru has address 1.255.22.241
  3. google.ru has address 1.255.22.237
  4. google.ru has address 1.255.22.217
  5. google.ru has address 1.255.22.216
  6. google.ru has address 1.255.22.227
  7. google.ru has address 1.255.22.251
  8. google.ru has address 1.255.22.242
  9. google.ru has address 1.255.22.232
  10. google.ru has address 1.255.22.226
  11. google.ru has address 1.255.22.247
  12. google.ru has address 1.255.22.236
  13. google.ru has address 1.255.22.222
  14. google.ru has address 1.255.22.221
  15. google.ru has address 1.255.22.212
  16. google.ru has address 1.255.22.231
  17. google.ru has address 1.255.22.246
  18. google.ru has IPv6 address 2404:6800:400a:806::2003
  19. google.ru mail is handled by 10 aspmx.l.google.com.
  20. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  21. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  22. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  23. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  24. user@kali:~$ tcptraceroute -n 1.255.22.242 80
  25. Running:
  26.     traceroute -T -O info -n -p 80 1.255.22.242
  27. traceroute to 1.255.22.242 (1.255.22.242), 30 hops max, 60 byte packets
  28. 1  100.114.55.252  3.759 ms  4.431 ms  4.556 ms
  29. 2  100.114.27.169  4.553 ms  4.551 ms  4.547 ms
  30. 3  1.255.24.48  5.182 ms  5.668 ms  5.900 ms
  31. 4  61.98.54.109  5.900 ms  6.452 ms  6.992 ms
  32. 5  58.229.4.28  10.786 ms 58.229.4.20  12.408 ms 58.229.4.36  10.783 ms
  33. 6  58.229.4.163  10.713 ms  7.037 ms  7.370 ms
  34. 7  1.255.22.242<syn,ack>  6.621 ms  7.737 ms  7.798 ms
  35. user@kali:~$ ping 1.255.22.242
  36. PING 1.255.22.242 (1.255.22.242) 56(84) bytes of data.
  37. 64 bytes from 1.255.22.242: icmp_seq=1 ttl=58 time=4.32 ms
  38. ^C
  39. --- 1.255.22.242 ping statistics ---
  40. 1 packets transmitted, 1 received, 0% packet loss, time 0ms
  41. rtt min/avg/max/mdev = 4.328/4.328/4.328/0.000 ms
  42. user@kali:~$1
复制代码
  POST requests are censored too.
   Fun facts: X RANDOM PUT DELETE OPTIONS TRACE CONNECT methods are NOT censored.
   A X method and a RANDOM method can work against Apache2 servers.
   X / HTTP/1.0 will provide us with a remote resource, being treated as GET / HTTP/1.0 by Apache.
  Nginx doesn't like random HTTP methods.
   This can be used to bypass the censorship system as only GET and POST requests are analyzed.
  3.5.3 Having fun with HTTP/1.1 persistent connection

  You can send requests to multiple resources within a TCP connection for a HTTP/1.1 connection. Let's use it to find a "race condition" :)
  1. user@kali:~$ host google.co.kr
  2. google.ru has address 1.255.22.241
  3. google.ru has address 1.255.22.237
  4. google.ru has address 1.255.22.217
  5. google.ru has address 1.255.22.216
  6. google.ru has address 1.255.22.227
  7. google.ru has address 1.255.22.251
  8. google.ru has address 1.255.22.242
  9. google.ru has address 1.255.22.232
  10. google.ru has address 1.255.22.226
  11. google.ru has address 1.255.22.247
  12. google.ru has address 1.255.22.236
  13. google.ru has address 1.255.22.222
  14. google.ru has address 1.255.22.221
  15. google.ru has address 1.255.22.212
  16. google.ru has address 1.255.22.231
  17. google.ru has address 1.255.22.246
  18. google.ru has IPv6 address 2404:6800:400a:806::2003
  19. google.ru mail is handled by 10 aspmx.l.google.com.
  20. google.ru mail is handled by 40 alt3.aspmx.l.google.com.
  21. google.ru mail is handled by 20 alt1.aspmx.l.google.com.
  22. google.ru mail is handled by 50 alt4.aspmx.l.google.com.
  23. google.ru mail is handled by 30 alt2.aspmx.l.google.com.
  24. user@kali:~$ tcptraceroute -n 1.255.22.242 80
  25. Running:
  26.     traceroute -T -O info -n -p 80 1.255.22.242
  27. traceroute to 1.255.22.242 (1.255.22.242), 30 hops max, 60 byte packets
  28. 1  100.114.55.252  3.759 ms  4.431 ms  4.556 ms
  29. 2  100.114.27.169  4.553 ms  4.551 ms  4.547 ms
  30. 3  1.255.24.48  5.182 ms  5.668 ms  5.900 ms
  31. 4  61.98.54.109  5.900 ms  6.452 ms  6.992 ms
  32. 5  58.229.4.28  10.786 ms 58.229.4.20  12.408 ms 58.229.4.36  10.783 ms
  33. 6  58.229.4.163  10.713 ms  7.037 ms  7.370 ms
  34. 7  1.255.22.242<syn,ack>  6.621 ms  7.737 ms  7.798 ms
  35. user@kali:~$ ping 1.255.22.242
  36. PING 1.255.22.242 (1.255.22.242) 56(84) bytes of data.
  37. 64 bytes from 1.255.22.242: icmp_seq=1 ttl=58 time=4.32 ms
  38. ^C
  39. --- 1.255.22.242 ping statistics ---
  40. 1 packets transmitted, 1 received, 0% packet loss, time 0ms
  41. rtt min/avg/max/mdev = 4.328/4.328/4.328/0.000 ms
  42. user@kali:~$2
复制代码
Surprisingly, this request will bypass the censorship:
  [code]user@kali:~$ sh tcp-http11-persistent-test0.shHTTP/1.1 301 Moved PermanentlyServer: nginxDate: Fri, 01 Oct 2016 00:00:00 GMTContent-Type: text/htmlContent-Length: 178Location: http://www.tube8.com/400.htmlVary: User-Agent, Accept-EncodingRating: RTA-5042-1996-1400-1577-RTASet-Cookie: RNLBSERVERID=ded1165; path=/HTTP/1.1 200 OKServer: nginxDate: Fri, 01 Oct 2016 00:00:00 GMTContent-Type: text/htmlTransfer-Encoding: chunkedSet-Cookie: t8



上一篇:Spring AOP完成一个简单的参数统一校验框架
下一篇:Check If Given Array Can be Arranged In Left or Right Positioned Array
zyxin 发表于 2016-10-22 00:52:31
前排支持下
回复 支持 反对

使用道具 举报

之桃 发表于 2016-10-22 05:03:30
不错的~~! 感谢提供
回复 支持 反对

使用道具 举报

1281853691 发表于 2016-11-2 18:33:23
时间过的真快,一不留神我也抢了回沙发!
回复 支持 反对

使用道具 举报

杜季杨 发表于 2016-11-5 02:29:10
向楼主学习
回复 支持 反对

使用道具 举报

黄林 发表于 2016-11-21 15:06:35
你们城里人真会玩
回复 支持 反对

使用道具 举报

*滑动验证:
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

我要投稿

推荐阅读


回页顶回复上一篇下一篇回列表
手机版/CoLaBug.com ( 粤ICP备05003221号 | 文网文[2010]257号 )

© 2001-2017 Comsenz Inc. Design: Dean. DiscuzFans.

返回顶部 返回列表