I became curious about how safe it is to publish a private video on VK. It turned out that the level of protection is currently weak.
Dig a little
Before investigating other people's files, it is worth studying the system more closely, so I uploaded a video to VKontakte, made it public, and fed the video's URL to the videosaver.ru service. The service is good because it kindly provided me with a direct link to my file.
Next, I made my public video as private as possible (visible only to me) and tried again to download the file directly, this time with my session ended. Yes, it downloads. This means that the servers that distribute the video do not perform privacy checks (and rightly so, because this should be done elsewhere).
Thumbnail is all
The link to my formerly public and now private video looks like this:
551.gt3.vkadre.ru/assets/videos/08e8e26a100647241.vk.flv
The most interesting part is 08e8e26a100647241. This is clearly a hash and it is unlikely that it can be calculated, which means you need to find this hash on the site: in the source code, in comments, wherever. Viewing the source code of the pages that list my videos and of the page that plays the video yielded nothing, but it shows that the video thumbnail is generated by a script:
vkadre.ru/get_thumbnail?vkid=100647241&vtag=08e8e26a&size=160
The video id and the other parameters do not interest us. The main thing is that this script gave us a direct link to the picture:
551.gt3.vkadre.ru/assets/thumbnails/08e8e26a100647241.160.vk.jpg
And yes, here is our hash (08e8e26a100647241), the one we saw in the link to the video. So any thumbnail can now be associated with part of the full path to the flv file.
The path to the file
If the file name can be obtained from the name of the picture, it is now necessary to complete the rest of the path - the name of the server and subdirectory. Subdirectories are all the same and the differences in the links are only in the hosts. In general, all links to the video can be described as
http://[0-9]+.gt(2|3).vkadre.ru/assets/videos/[0-9a-z]{,16}.vk.flv
We are interested in the part before vkadre.ru, because everything is clear with the hash. Assuming that about 2000 servers serve the video (with a generous margin), we scan all the hosts xxx.gt2.vkadre.ru and xxx.gt3.vkadre.ru for IP addresses, where xxx is from 1 to 1000.
It turned out that VKontakte has about 250 servers (unique IPs) for video output (perhaps they also host audio, I did not check). With these 250 servers we brute-force the download of the file:
http://[IP address from pool]/assets/videos/[hash from image].vk.flv
If the file is not physically present, the server returns a default flv clip of 300 kilobytes with some dumb music. That is, any file whose size differs from the default one is the desired video, and the file is found in no more than ~250 requests.
How to fix it
Check access in the script /get_thumbnail.php and, if the viewer has no right to the video, show a default picture saying that the video is personal and there is no preview to see. In addition, there is no need to show the video in lists at all if it cannot be watched.
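A sketch of that fix, added here as an example and not VKontakte's own code: the thumbnail handler checks access before it returns anything derived from vtag and vkid, and list pages drop videos the viewer cannot watch. The privacy levels, the default picture path, the function names and the sample ids are assumptions made for the example.

```python
from dataclasses import dataclass

# Path of the "nothing to preview" picture (assumed name).
DEFAULT_THUMB = "/assets/thumbnails/default.160.jpg"

@dataclass(frozen=True)
class Video:
    vkid: int        # numeric id seen in the get_thumbnail query string
    vtag: str        # short tag seen in the get_thumbnail query string
    owner_id: int
    privacy: str     # "public", "friends" or "private" (assumed levels)

def asset_name(video):
    # On the page, thumbnail and .flv share one file name: vtag followed by vkid.
    return f"{video.vtag}{video.vkid}"

def can_view(viewer_id, video, friends_of_owner=frozenset()):
    if viewer_id is not None and viewer_id == video.owner_id:
        return True
    if video.privacy == "public":
        return True
    if video.privacy == "friends":
        return viewer_id in friends_of_owner
    return False  # "private" and any unknown level: deny by default

def get_thumbnail(viewer_id, video, size=160, friends_of_owner=frozenset()):
    """Return the thumbnail path to serve, or the default picture."""
    if not can_view(viewer_id, video, friends_of_owner):
        return DEFAULT_THUMB  # reveals nothing derived from vtag or vkid
    return f"/assets/thumbnails/{asset_name(video)}.{size}.vk.jpg"

def list_videos(viewer_id, videos, friends_by_owner=None):
    """List only the videos the viewer could actually watch."""
    friends_by_owner = friends_by_owner or {}
    return [v for v in videos
            if can_view(viewer_id, v, friends_by_owner.get(v.owner_id, frozenset()))]

# Constructed sample data; the ids and tags are made up for the example.
OWNER, FRIEND, STRANGER = 1, 2, 3
SAMPLE = [
    Video(vkid=111, vtag="aaaa1111", owner_id=OWNER, privacy="public"),
    Video(vkid=222, vtag="bbbb2222", owner_id=OWNER, privacy="friends"),
    Video(vkid=333, vtag="cccc3333", owner_id=OWNER, privacy="private"),
]

if __name__ == "__main__":
    for viewer in (OWNER, FRIEND, STRANGER, None):
        print(viewer, [get_thumbnail(viewer, v, friends_of_owner={FRIEND}) for v in SAMPLE])
```

Because the file name is shared between the thumbnail and the video, both the handler's answer and the page source that embeds the thumbnail request have to stay free of it for viewers without access.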
Update: thanks to kabachok for an easier way to get the hash:
/get_thumbnail?vkid=100647241&vtag=08e8e26a&size=160 = 08e8e26a100647241
This means that the hash principle cannot be published.