I just received a virus that looks something like this

<script type='text/javascript'>
<!--
var s="=nfub!iuuq.frvjw>#sfgsfti#!------REST OF PAYLOAD REMOVED-----?";
m="";
for (i=0; i<s.length; i++)
{
    if (s.charCodeAt(i) == 28)
    {
        m += '&';
    }
    else if (s.charCodeAt(i) == 23)
    {
        m += '!';
    }
    else
    {
        m += String.fromCharCode(s.charCodeAt(i)-1);
    }
}
document.write(m);//-->
</script>

I'm not a JS expert but I would like to decrypt the contents of that string. Can you tell me the best way to alter document.write to see what it's doing?

asked Sep 21, 2010 at 13:32 by makerofthings7; edited Sep 21, 2010 at 13:50 by Marcel Korpel
  • It's a very simple substitution cypher, B->A, etc. You can read it by hand if you squint at it enough. "meta!http.equiv>#refrefh#...." – Alex Feinman Commented Sep 21, 2010 at 14:08

4 Answers

Just create a <textarea id="foo"></textarea>, and write

document.getElementById('foo').value = m;

Alternatively, you could encode < and & to &lt; and &amp; and keep the document.write.


FYI, the payload starts with

<meta http-equiv="refresh" 

so looks like it just redirects the user to a malicious site.

Use Malzilla to decode the URL. http://malzilla.sourceforge.net/

Since m is a String, you can just replace document.write() by alert(). Jsfiddle demo.

It seems to be creating a meta refresh header, probably with intent to inject it in the head of the current HTML page in order to redirect to a different (malicious?) page.

Don't run it in your browser, instead try running it in FireBug for example (except document.write(m) line - just use FireBug to see contents of m variable).

Most of these embed an iframe into your site
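
The decoding loop from the question, as an added example that is not part of the original thread: it runs under Node.js with no DOM, returns the decoded string instead of calling document.write, and HTML-escapes it the way the first answer suggests before any display. SAMPLE is only the visible prefix of the string in the question (the rest was removed there), and the names decode, escapeHtml and analyze are this example's own.

```javascript
// Same transform as the loop in the question, but the result is returned
// as data and never handed to document.write().
function decode(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c === 28) out += '&';        // special case kept from the sample
    else if (c === 23) out += '!';   // special case kept from the sample
    else out += String.fromCharCode(c - 1);
  }
  return out;
}

// Escape markup so the decoded text is inert if it is shown in an HTML page.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Visible prefix of the obfuscated string from the question.
const SAMPLE = '=nfub!iuuq.frvjw>#sfgsfti#!';

// Decode, escape, and flag the behaviours the answers mention
// (meta refresh redirect, embedded iframe) plus nested script tags.
function analyze(s) {
  const decoded = decode(s);
  return {
    decoded,
    safeHtml: escapeHtml(decoded),
    indicators: {
      metaRefresh: /<meta[^>]+http-equiv\s*=\s*["']?refresh/i.test(decoded),
      iframe: /<iframe\b/i.test(decoded),
      script: /<script\b/i.test(decoded),
    },
  };
}

console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```

Run it with node on a copy of the string pasted into SAMPLE; nothing is evaluated or rendered, so the decoded markup stays text.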