Yesterday a friend asked me to copy a few web pages for her, but the website had been rigged with a lot of tricks: the material could only be viewed, and copy/paste did not work. I have always despised this kind of website; how tedious.
I was about to get off work yesterday, so I didn't do anything about it. I looked into it this morning.
First, the IFRAME on the page points to encrypt.asp?act=body&id=740. Let's take a look at the key part of this source file.
<script language="JavaScript">
document.write(unescape("%0d%0a%3C%21doctype%20H\x54ml%20public%20%22-..............."));
</script>
Now, I could use JavaScript's alert, but what alert shows cannot be saved. Fortunately, the escape encoding is very simple: it is just a conversion of % and %u sequences, so I wrote a C program to perform the conversion. Looking at the output, it turns out the content is then further encoded with JScript.Encode.
<script language="JScript.Encode"> #@~ ^ Lacaaa = [km; S + yrsdbo + vb @! C: HJ @*@! C2z9 @*@! KQ :....................
</script>
I am not writing a program for this one. I found a website on the internet: http://www.vvss.net/tools/encode.htm
document.write('<HTML>');
document.write("loading ...");
function doit(){
  document.write('<HTML>');
  document.write('<frameset rows="0,100%" framespacing="0" border="0" frameborder="0">');
  document.write('<frame src="about:blank" border=0 name="ftop">');
  document.write('<frame src="about:blank" border=0 name="fbottom">');
  document.write('</frameset>');
  // Load the real content into the bottom frame, passing the id along
  setTimeout("top.fbottom.location.replace('encrypt.asp?id="+request("id")+"')",100);
}
function start()
{
  setTimeout("doit();",200);
}
var _requestarray;
// Parse the query string into an array of [name, value] pairs
function requestreset(){
  var i,j;
  var URLRequest="";
  if(document.location.href.indexOf("?")>0) URLRequest=document.location.href.substr(document.location.href.indexOf("?")+1);
  try{
    _requestarray=URLRequest.split('&');
    if(_requestarray[0]=='') _requestarray=new Array();
    for(i=0;i<_requestarray.length;i++){
      if(_requestarray[i].indexOf('=')>=0){
        varname=unescape(_requestarray[i].substr(0,_requestarray[i].indexOf('=')));
        value=unescape(_requestarray[i].substr(_requestarray[i].indexOf('=')+1));
      }
      else{
        varname=unescape(_requestarray[i]);
        value='';
      }
      _requestarray[i]=new Array(varname,value);
    }
  }catch(e){}
}
// Case-insensitive lookup of a query-string parameter
function request(varname){
  var i,lname=varname.toLowerCase();
  for(i=0;i<_requestarray.length;i++){
    try{
      if(_requestarray[i][0].toLowerCase()==lname) return _requestarray[i][1];
    }catch(e){}
  }
  return '';
}
requestreset();
start();
Obviously the key point is this one line:
setTimeout("top.fbottom.location.replace('encrypt.asp?id="+request("id")+"')",100);
Bring out FlashGet and download it.
Download target: encrypt.asp?id=1, 740,
Referring page: encrypt.asp?act=body&id=740
Haha, now let's look at the downloaded content. The file is very short. The code is:
<script language="JScript.Encode"> #@~ ^ Paaaaa = [km; S + yrsdbo + v1_62zd ^ '6gyrwd -! Wtjbg-XV {J )! A-A & gv9umwaf K2O '6 + 2au1w [B '! CZ/m ^-X & 9 + MWAF Xao-x 2md2gmmd '$! 9elk ['rqnkm; hxy C ^ V K9 (GRR xdk6dqj @ *-A &;-& d1-6F + Kay @ * rbietyaaa == #~ @ </script>
Then decode it and take a look:
document.write("\x3csc\x72ipt\40lan\x67uage\x3d'jsc\x72ipt\x2eencode'\40src\x3denc\x72ypt\x2easp?act=b0dy&id="+document.all.idid.innerText+">\x3c/sc\x72ipt>");
Haha, so many layers of encoding, how tiring.
<script language='jscript.encode' src=encrypt.asp?act=b0dy&id=740></script>
Hoho, the fox's tail is showing: encrypt.asp?act=b0dy&id=740. Note that act is written as b0dy, not body. This looks like the final target link. Happy.
Opening this sneaky file, it is once again something encoded with JScript.Encode, so decode it again. Haha, let's see what it is:
function draw(doc,s){doc.all.idb0dy.innerHTML=s;}
s="%3Cdiv%3E%u3000%u3000%3C/div%3E%20%3Cdiv%3E%3Cstrong%3E%u3000%u4e00%u3001%
............
window.onload=new Function("draw(document,unescape(s));");
window.status='complete!';
Bingo, done. Haha, add a header and a footer to make it an HTML file.
<html>
<script language="JavaScript">
function draw(doc,s){doc.all.idb0dy.innerHTML=s;}
s="...........";
window.onload=new Function("draw(document,unescape(s));");
window.status='complete!';
</script>
<body>
<div id=idb0dy></div>
</body>
</html>
Haha, look at the time: less than two hours, most of it spent writing the unescape program, but I am still satisfied. Hahaha.
To avoid disputes, the website name is hidden.
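The % / %u conversion described above, as an added Python example (not the author's C program): it decodes unescape() input and the hex and octal string escapes seen in the later document.write line, and peels nested document.write(unescape("...")) wrappers statically, without running the script. The function names and the sample string are assumptions constructed for illustration.

```python
import re

# %uXXXX must be tried before %XX so "%u4e00" is read as one UTF-16 code unit.
_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
# \xNN hex and legacy octal (\0 .. \377) escapes inside a JS string literal.
_LIT = re.compile(r"\\x([0-9a-fA-F]{2})|\\([0-3][0-7]{2}|[0-7]{1,2})")
_WRAP = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*([\"'])(.*?)\1\s*\)\s*\)",
    re.I | re.S)
_ENCODED = re.compile(r"language\s*=\s*[\"']?jscript\.encode", re.I)


def js_unescape(text):
    """Single-pass equivalent of JavaScript unescape(); malformed '%' stays literal."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_js_literal(text):
    """Resolve \\xNN and octal escapes without evaluating the script."""
    def repl(m):
        return chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8))
    return _LIT.sub(repl, text)


def peel(source, max_layers=10):
    """Unwrap nested document.write(unescape("...")) layers statically.

    Returns (layers_removed, final_text, needs_jscript_decode)."""
    layers = 0
    while layers < max_layers:
        match = _WRAP.search(source)
        if match is None:
            break
        source = js_unescape(match.group(2))
        layers += 1
    return layers, source, bool(_ENCODED.search(source))


# Constructed sample in the shape of the page's first layer; the encoded body
# is a placeholder, not data from the site.
SAMPLE = ('<script language="JavaScript">document.write(unescape('
          '"%3Cscript%20language%3D%22JScript.Encode%22%3E'
          '%23@~^PLACEHOLDER%3C/script%3E"));</script>')

if __name__ == "__main__":
    print(peel(SAMPLE))
    print(js_unescape("%3Cdiv%3E%u3000%u4e00%u3001%3C/div%3E"))
```

A True third value from peel() means the remaining text is a JScript.Encode block, which needs a separate script decoder as in the post.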
http://blog.itpub.net/post/137/30955 Thu, 26 May 2005 11:21:34 +0000