Access to a private video on vkontakte
16 March 2011, 13:13
I was curious how safe it is to publish a private video on vkontakte.ru. It turned out that the level of protection is currently weak.

A little digging


Before looking at other people's files, it is necessary to study the system more closely, so I uploaded a video to vkontakte, made it public, and fed its URL to the videosaver.ru service. The service is good: it kindly gave me a direct link to my file.

Next, I made my public video fully private (visible only to me) and tried to download the file directly from the session. Yes, it downloads. This means that the server that distributes the video does not check privacy (and rightly so, because that must be done elsewhere).


Thumbnail it all


The link to my previously public, now private video looks like:

551.gt3.vkadre.ru/assets/videos/08e8e26a100647241.vk.flv

The most interesting part of it is 08e8e26a100647241. This is obviously a hash, and it can hardly be computed, so the hash has to be found somewhere on the site: in the source code, in the comments, anywhere. Viewing the source of the page with the list of my videos and of the video page itself gave nothing, but it showed that the video thumbnail is generated by a script:

vkadre.ru/get_thumbnail?vkid=100647241&vtag=08e8e26a&size=160

The clip id does not interest us anyway. The main thing is that this script gave us a direct link to the image:

551.gt3.vkadre.ru/assets/thumbnails/08e8e26a100647241.160.vk.jpg

and yes, there is our hash (08e8e26a100647241), the one we saw in the link to the video. Clearly, any thumbnail can now be associated with part of the full path to the flv file.

Path to file


Since the file name can be obtained from the name of the thumbnail, what remains is the rest of the path: the server name and the subdirectory. The subdirectories are all identical, and the links differ only in the host. Overall, all links to videos can be described as

http://[0-9]+.gt(2|3).vkadre.ru/assets/videos/[0-9a-z]{,16}.vk.flv

We are interested in the part before vkadre.ru, since everything is clear about the hash. Assuming that there are 2000 video-serving servers (with a generous margin), we scan all hosts xxx.gt2.vkadre.ru and xxx.gt3.vkadre.ru for their IP addresses, where xxx is between 1 and 1000.

It turned out that vkontakte has about 250 servers (unique IPs) serving video (maybe they also host audio; not tested). Against these 250 servers we do a brute-force search for the download:

http://[IP address from the pool]/assets/videos/[hash from the image].vk.flv

If the file is not physically present, the server returns a default 300 KB flv video with some dumb music. That is, any file whose size differs from the default one is the video we are looking for, and finding the file takes no more than ~250 requests.

How to fix it


Check access rights in the /get_thumbnail.php script, and if the viewer has no rights, serve a default picture instead: the content is personal, so there is no reason to show previews. In addition, the video should not even be shown in the list if it cannot be viewed.
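
One way to implement both fixes, as an added example (not code from the original post or from VKontakte): a single privacy check shared by the thumbnail script and the video list. The data model, the privacy values, the placeholder path, the second video and all function names are assumptions.

```python
from dataclasses import dataclass

# Hypothetical placeholder image served whenever access is refused.
DEFAULT_THUMB = "/assets/thumbnails/default.160.jpg"

@dataclass(frozen=True)
class Video:
    vkid: int       # numeric video id, as in the thumbnail URL
    vtag: str       # per-video tag that forms the file name
    owner_id: int
    privacy: str    # assumed values: "public" or "private" (owner only)

# Constructed sample data: the post's private video plus an invented public one.
VIDEOS = {
    100647241: Video(100647241, "08e8e26a", owner_id=1, privacy="private"),
    100647242: Video(100647242, "1a2b3c4d", owner_id=1, privacy="public"),
}

def can_view(viewer_id, video):
    """Privacy decision shared by the list page and the thumbnail script."""
    return video.privacy == "public" or viewer_id == video.owner_id

def get_thumbnail(viewer_id, vkid, vtag, size=160):
    """Return the thumbnail path to serve for this viewer."""
    video = VIDEOS.get(vkid)
    # Unknown id, wrong vtag and refused access all get the same answer,
    # so the response neither leaks the file name nor confirms existence.
    if video is None or video.vtag != vtag or not can_view(viewer_id, video):
        return DEFAULT_THUMB
    return f"/assets/thumbnails/{video.vtag}{video.vkid}.{size}.vk.jpg"

def list_videos(viewer_id, owner_id):
    """Ids of owner_id's videos that viewer_id may see; the rest are omitted,
    so their vkid and vtag never reach the page source."""
    return [v.vkid for v in VIDEOS.values()
            if v.owner_id == owner_id and can_view(viewer_id, v)]
```
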

Update
Thanks to kabachok: there is an easier way to get the hash
/get_thumbnail?vkid=100647241&vtag=08e8e26a&size=160 = 08e8e26a 100647241
This means that the principle the hash can not publish.
Views: 5152 | Added by: w1zard | Rating: 0.0/0