1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How the hell is this done?

Discussion in 'Black Hat SEO' started by seemayer, Jan 6, 2009.

  1. seemayer

    seemayer Junior Member

    Joined:
    Jan 2, 2009
    Messages:
    108
    Likes Received:
    15
    Can anybody work out what is going on here:

    hxxp://betweenthecolumns.umd.edu/index.php?rxp=400

    Without the parameter it shows a uni of maryland page but with it shows a drug search engine (try in i explore if it doesn't work in firefox)

    I guess someone has posted a script into this page somehow

    But how??????

    Any ideas?
     
  2. zone69

    zone69 Junior Member

    Joined:
    Nov 24, 2008
    Messages:
    196
    Likes Received:
    1,290
    quite easily done as he uses a GET parameter to determine what to display. Here is a quick snippet. As you can see in your example he passes rxp=400 so you can check for the rxp GET variable and serve one page. If nothing or any other value is passed in the rxp variable, the else condition is hit and another page is served.

    Code:
    <?php
    $page = $_GET['rxp'];
    if ( $page == 400) {
    ?>
    <html>
    .
    .
    .
    </html>
    <?php
    } else {
    ?>
    <html>
    .
    .
    .
    </html>
    <?php
    }
    ?>
    
    Hope that helps you!
     
  3. seemayer

    seemayer Junior Member

    Joined:
    Jan 2, 2009
    Messages:
    108
    Likes Received:
    15
    Thanks for the reply zone69. I understand how the script would work but was more interested as to how this had been done on a site that is clearly not owned by the person doing this

    if you search google for 'generic celebrex' you will find a .edu site that has a drug search engine on it - i assume it is some sort of script injection? The odd thing is it seems to be a different .edu domain each time - also sometimes the url displayed in google doesn't match the final page url

    Just thought whatever is going on here is quite clever and i certainly cant figure it out i wondered if anybody on here might be able to crack it!
     
  4. mateuszm

    mateuszm Newbie

    Joined:
    Dec 15, 2007
    Messages:
    20
    Likes Received:
    4
    This is quite popular technique, people use commonly known holes to exploit web applications, such as WPs, Joomlas and so on. Then they just modify a little bit the source code, it's a bit more sophisticated than zone69 described but the whole idea is the same.

    The guy who's created this doorway isn't pretty wise, he didn't notice that in robots.txt he's got:
    User-agent: *
    Disallow: /

    Which means Google will index his pages without descriptions and mostly without titles.

    The url displayed in Google doesn't match the final url, beacuse the page uses cloaking. When Google visits such page, it gets a wordpress looking keyword stuffed page with crappy content, when user visits such page, he is redirected to a search engine or just search engine is added in the top of such page.