Drupal site received url request embedding suspicious codes presuming attempt of hacking


Problem description

I found a url request having suspicious code to one of my Drupal sites. Will someone explain what will be the depth of this code and advise any precautions to be taken? Code:

function (){try{var _0x5757=["/x6C/x65/x6E/x67/x74/x68","/x72/x61/x6E/x64/x6F/x6D","/x66/x6C/x6F/x6F/x72"],_0xa438x1=this[_0x5757[0]],_0xa438x2,_0xa438x3;if(_0xa438x1==0){return};while(--_0xa438x1){_0xa438x2=Math[_0x5757[2]](Math[_0x5757[1]]()*(_0xa438x1 1));_0xa438x3=this[_0xa438x1];this[_0xa438x1]=this[_0xa438x2];this[_0xa438x2]=_0xa438x3;};}catch(e){}finally{return this}}

Site returned page not found error and I observed no issues.

Solution

Run this code through a beautifier and you will receive:

function () {
    try {
        var _0x5757 = ["/x6C/x65/x6E/x67/x74/x68", "/x72/x61/x6E/x64/x6F/x6D", "/x66/x6C/x6F/x6F/x72"],
            _0xa438x1 = this[_0x5757[0]],
            _0xa438x2, _0xa438x3;
        if (_0xa438x1 == 0) {
            return
        };
        while (--_0xa438x1) {
            _0xa438x2 = Math[_0x5757[2]](Math[_0x5757[1]]() * (_0xa438x1 1));
            _0xa438x3 = this[_0xa438x1];
            this[_0xa438x1] = this[_0xa438x2];
            this[_0xa438x2] = _0xa438x3;
        };
    } catch (e) {} finally {
        return this
    }
}

First, let's rename some variables and decrypt the array of strings in the third line. I've renamed _0x5757 to arr and escaped the hex-chars within the array. That gives you:

    var arr = ["length", "random", "floor"],

So here we have a list of functions that will be used shortly. Substitute the strings in and rename the variables and you will receive:

function () {
    try {
        var arr = ["length", "random", "floor"],
            length_func = "length",
            rand_number, temp;
        if (length_func == 0) {
            return
        };
        while (--length_func) {
            rand_number = Math["floor"](Math["random"]() * (length_func 1));
            temp = this[length_func];
            this[length_func] = this[rand_number];
            this[rand_number] = temp;
        };
    } catch (e) {} finally {
        return this
    }
}

Notice how there is a syntax error in the script when generating a random number.

* (length_func 1)

with length_func = "length" is not valid JavaScript syntax, so the code is actually not functional. I can still make a guess on what it was supposed to do: If we remove the obfuscation of calling a function by doing Math["floor"] instead of Math.floor() the important lines are

        while (--length_func) {
            rand_number = Math.floor( Math.random() * ( length 1 ));
            temp = this.length_func;
            this.length_func = this.rand_number;
            this.rand_number = temp;
        };

It seems that it tries to compute a random integer using Math.random() and Math.floor(), then swaps the contents of the variables length_func and rand_number, all wrapped in a while(--length_func) loop. There's nothing functional here or anything that makes sense. An attempt at an infinite loop hanging the browser maybe? The code is, as it stands, non-functional. It even fails to generate a random number, because Math.floor() will always round down the inputted float, and Math.rand() will generate a number within 0.0 to 1.0, so nearly always something slightly below 1.0, therefore rand_number = 0 for most of the time. The multiplication with the rand() output with the length_func 1 maybe should have made the number bigger, but the syntax is invalid. When I use my browser's console to execute length, it gives me 0, when I try to do length(1), then length is not a function, the only length that makes sense here is a string-length or array length, but then it would have to explicitly be "someString".length. Hope this helps you.
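The decode-and-substitute steps from the answer above, done statically so the logged string is never executed. This is an added example, not part of the original post; the function names `decodeHexEscapes`, `extractStringTable` and `deobfuscate` are illustrative, and the decoder accepts the `/xNN` form shown in the request as well as `\xNN`.

```javascript
// Snippet copied from the question, exactly as it appears in the logged request
// (escapes arrive as "/xNN"; the gap in "(_0xa438x1 1)" is left as captured).
const captured = 'function (){try{var _0x5757=["/x6C/x65/x6E/x67/x74/x68","/x72/x61/x6E/x64/x6F/x6D","/x66/x6C/x6F/x6F/x72"],_0xa438x1=this[_0x5757[0]],_0xa438x2,_0xa438x3;if(_0xa438x1==0){return};while(--_0xa438x1){_0xa438x2=Math[_0x5757[2]](Math[_0x5757[1]]()*(_0xa438x1 1));_0xa438x3=this[_0xa438x1];this[_0xa438x1]=this[_0xa438x2];this[_0xa438x2]=_0xa438x3;};}catch(e){}finally{return this}}';

// Turn "\xNN" (and the "/xNN" form seen in the log) into the character it encodes.
function decodeHexEscapes(s) {
  return s.replace(/[\\\/]x([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Locate the string table: var _0x....=["...","...",...]
function extractStringTable(src) {
  const m = /var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]/i.exec(src);
  if (!m) return null;
  const strings = [...m[2].matchAll(/"([^"]*)"/g)]
    .map((hit) => decodeHexEscapes(hit[1]));
  return { name: m[1], strings };
}

const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

// Rewrite obj[table[n]] lookups as obj.name using the decoded table.
// Pure text substitution: nothing from the request is evaluated.
function deobfuscate(src) {
  const table = extractStringTable(src);
  if (!table) return src;
  const lookup = new RegExp('\\[' + table.name + '\\[(\\d+)\\]\\]', 'g');
  return src.replace(lookup, (whole, index) => {
    const s = table.strings[Number(index)];
    if (s === undefined) return whole;           // index outside the table
    return IDENTIFIER.test(s) ? '.' + s : '[' + JSON.stringify(s) + ']';
  });
}

console.log(extractStringTable(captured).strings);
console.log(deobfuscate(captured));
```

In a URL query string a `+` decodes to a space, so the gap in `(_0xa438x1 1)` may come from how the request was decoded or logged; the example leaves it exactly as captured.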
