
Rsaencrypt and strange Javascript function(e,t,r,n,c,a,l)

I have found a strange script in my code:

<script type="text/javascript">
n = 'D70ED106DEF035D7DB732C7C0B91F403B6C4A7F2FD5581483A700202482EF829302ED828F68AAAAC093AEFEB64B51882FD3AF350394182AD3E09D3C4FCA1D326A28F4D21759755130B8BB529F5A395DE829B13B070FCCCD507EDA5623EC22B91E080F35AC48E8A4EFD1BB64A1B79BEEF9A325598C430F5D8475297705B727BDD8E5CE1CDFF3BBE8D860B673CDB37681F82D9CF9DDE9E40E638B24E47DBBA9775410B1C0717B3B45F021AB4B633E2CE314DEA93576F318F671AB36509C0936FB7C5108324617D6EFD83B8369C75B7F7743A78E8CC98872C4FF1D83BFC0B7892F20BB869AC9185D82AA6D601F2036F18698661994EE02FDE7EDF6850C09EF05A445A965B4DC5B59CCCF3EB04F8B9AF5895DB7246F24546E34382A4CC221D3C680465906AB38DA8C13CAB72217B2145391E9A446A18116AF05F4DA10632E5C1F1A65DCE313E7DD081C2D374254CE2FD717B0EB346B2B8DD58487C3553398F6EABB816A6A4F1FA94BAE116EEEEC1EAABF4067A2D9B9C02275B61BC3FFB9F324BC0788E941120E772FACE5B16C46B4830DB0E842D1495385AA299D682E2981DF0B952A3B41CCA3DE2FEDD3C70AF63B57303B24F731F1C422D59701C25FEFE47D67CBC72EADD82D23B0374EEE5787D66DC15D68F873FE0BC49347274DF40B047D00BCB7E4068FDAAB74497F5A606AA1E67ED13A30C851AFF014A4F1C7DB9AB629BB693';
e = '010001';
</script>
<script>!function(e,t,r,n,c,a,l){function i(t,r){return r=e.createElement('div'),r.innerHTML='<a href="'+t.replace(/"/g,'&quot;')+'"></a>',r.childNodes[0].getAttribute('href')}function o(e,t,r,n){for(r='',n='0x'+e.substr(t,2)|0,t+=2;t<e.length;t+=2)r+=String.fromCharCode('0x'+e.substr(t,2)^n);return i(r)}try{for(c=e.getElementsByTagName('a'),l='/cdn-cgi/l/email-protection#',n=0;n<c.length;n++)try{(t=(a=c[n]).href.indexOf(l))>-1&&(a.href='mailto:'+o(a.href,t+l.length))}catch(e){}for(c=e.querySelectorAll('.__cf_email__'),n=0;n<c.length;n++)try{(a=c[n]).parentNode.replaceChild(e.createTextNode(o(a.getAttribute('data-cfemail'),0)),a)}catch(e){}}catch(e){}}(document);</script>

The n value changes with each page reload.

I have got the template of my webpage from a freelancer and first want to check it before publishing. It is strange to me because I can't find attributes in the code like data-cfemail or .__cf_email__, and there is also nothing like /cdn-cgi/l/email-protection#.

Please tell me what it does? Can it be malicious? Do I have to test what it does?

The code starts with

e /*document*/ .getElementsByTagName('a')

So it gets all links on the page, iterates over them, and if the link contains

/cdn-cgi/l/email-protection#

then it does:

a.href='mailto:'+o(a.href,t /*the position of the upper inside the link*/+l.length /*the length of the upper*/)

There's another loop inside the code iterating over

e.querySelectorAll('.__cf_email__')

and replaces these elements' text with:

o( 
  a /* one of the upper elems*/ .getAttribute('data-cfemail'),
  0
 )

So the interesting thing is actually the mysterious o function. It iterates over the passed string and converts 2-byte pairs:

String.fromCharCode( '0x'+e.substr(t,2) /*the pair*/^n );

whereas n is:

n='0x'+e.substr(t,2)|0

So basically it does an XOR operation based on the first two bytes. So this:

A1 B2 C3 D4

will result in

B2 ^ A1
C3 ^ A1
D4 ^ A1

This result is then shortened to a dynamic URL using a small trick, and then returned. So basically this is some kind of email protection, which uses a very basic XOR encryption to encrypt the content. And that's it.


To test that behaviour simply put a link into your content linking to:

//the start link we need:
/cdn-cgi/l/email-protection#
//the xor encryption disabler as ( a ^ 0 = a)
00
//test@example.com in hex
74657374406578616d706c652e636f6d

And you will see that it'll link to test@example.com.

Test environment


So I can conclude: this script is a harmless email link encryption; if you haven't any link or text using this encryption, it's probably some code left over from an earlier version.

I haven't found any indication that the two variables n and e change anything...
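As an added example (not code from the question or from this answer), here is the decoder described above rewritten without the DOM, together with its inverse, so the snippet's behaviour can be checked offline against the test link given in the answer. The names decodeCfEmail, encodeCfEmail and hrefToMailto are my own; the prefix string is the one quoted in the question. Neither function touches the n and e variables, since the decoder on the page never references them (the IIFE is called with document only).

```javascript
// Added example, not the original page's code. DOM-free re-implementation of
// the "o" decoder from the question plus an encoder for the same scheme.
// Function names are assumptions; the prefix is the one seen in the snippet.

const EMAIL_PROTECTION_PREFIX = '/cdn-cgi/l/email-protection#';

// Decode a hex payload starting at `offset`: the first byte is the XOR key,
// every following byte is XORed with it and turned into one character.
// This mirrors o(e, t) on the page, minus the href-normalising trick.
function decodeCfEmail(hex, offset = 0) {
  const key = parseInt(hex.substr(offset, 2), 16);
  let out = '';
  for (let i = offset + 2; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16) ^ key);
  }
  return out;
}

// Inverse of decodeCfEmail: emit the key byte, then each char code XOR key,
// all as two-digit lowercase hex. Intended for ASCII text such as addresses.
function encodeCfEmail(text, key) {
  const hex = (b) => b.toString(16).padStart(2, '0');
  let out = hex(key);
  for (const ch of text) {
    out += hex(ch.charCodeAt(0) ^ key);
  }
  return out;
}

// What the first loop on the page does to an anchor: if the href carries the
// prefix, decode the payload after it into a mailto: link. Returns null when
// the href is not a protected link, so the caller can leave it untouched.
function hrefToMailto(href) {
  const at = href.indexOf(EMAIL_PROTECTION_PREFIX);
  if (at < 0) return null;
  return 'mailto:' + decodeCfEmail(href, at + EMAIL_PROTECTION_PREFIX.length);
}

// Constructed sample: the answer's test link (key byte 00, then the hex of
// test@example.com) placed on a made-up host.
const SAMPLE_HREF =
  'https://example.com' + EMAIL_PROTECTION_PREFIX +
  '0074657374406578616d706c652e636f6d';

console.log(hrefToMailto(SAMPLE_HREF));                      // mailto:test@example.com
console.log(decodeCfEmail(encodeCfEmail('test@example.com', 0x5a))); // test@example.com
```

With key byte 00 the payload is just the hex of the address, which is why the answer's test link decodes directly; with any other key byte the hex changes but decodes to the same address, which is the whole "encryption" the script provides. The data-cfemail attribute form is handled by calling decodeCfEmail(attr, 0), exactly as the second loop on the page does.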

I'm sorry, isn't that from the Mr. Robot easter egg sites? http://www.conficturaindustries.com/

(screenshot from the site with this script)

Are you sure that this is YOUR code?

It's an email encoding script; if you look at the result page code, you will not find any e-mails there. It will be available as a link only if you focus on the visual site display.
