stackoom
  简体   繁体   中英

Rsaencrypt and strange Javascript function(e,t,r,n,c,a,l)

 原文  2017-10-14 11:28:13       javascript/ encryption/ rsa

Question

I have found a strange script in my code: 

<script type="text/javascript">
n = 'D70ED106DEF035D7DB732C7C0B91F403B6C4A7F2FD5581483A700202482EF829302ED828F68AAAAC093AEFEB64B51882FD3AF350394182AD3E09D3C4FCA1D326A28F4D21759755130B8BB529F5A395DE829B13B070FCCCD507EDA5623EC22B91E080F35AC48E8A4EFD1BB64A1B79BEEF9A325598C430F5D8475297705B727BDD8E5CE1CDFF3BBE8D860B673CDB37681F82D9CF9DDE9E40E638B24E47DBBA9775410B1C0717B3B45F021AB4B633E2CE314DEA93576F318F671AB36509C0936FB7C5108324617D6EFD83B8369C75B7F7743A78E8CC98872C4FF1D83BFC0B7892F20BB869AC9185D82AA6D601F2036F18698661994EE02FDE7EDF6850C09EF05A445A965B4DC5B59CCCF3EB04F8B9AF5895DB7246F24546E34382A4CC221D3C680465906AB38DA8C13CAB72217B2145391E9A446A18116AF05F4DA10632E5C1F1A65DCE313E7DD081C2D374254CE2FD717B0EB346B2B8DD58487C3553398F6EABB816A6A4F1FA94BAE116EEEEC1EAABF4067A2D9B9C02275B61BC3FFB9F324BC0788E941120E772FACE5B16C46B4830DB0E842D1495385AA299D682E2981DF0B952A3B41CCA3DE2FEDD3C70AF63B57303B24F731F1C422D59701C25FEFE47D67CBC72EADD82D23B0374EEE5787D66DC15D68F873FE0BC49347274DF40B047D00BCB7E4068FDAAB74497F5A606AA1E67ED13A30C851AFF014A4F1C7DB9AB629BB693';
e = '010001';
</script>
<script>!function(e,t,r,n,c,a,l){function i(t,r){return r=e.createElement('div'),r.innerHTML='<a href="'+t.replace(/"/g,'&quot;')+'"></a>',r.childNodes[0].getAttribute('href')}function o(e,t,r,n){for(r='',n='0x'+e.substr(t,2)|0,t+=2;t<e.length;t+=2)r+=String.fromCharCode('0x'+e.substr(t,2)^n);return i(r)}try{for(c=e.getElementsByTagName('a'),l='/cdn-cgi/l/email-protection#',n=0;n<c.length;n++)try{(t=(a=c[n]).href.indexOf(l))>-1&&(a.href='mailto:'+o(a.href,t+l.length))}catch(e){}for(c=e.querySelectorAll('.__cf_email__'),n=0;n<c.length;n++)try{(a=c[n]).parentNode.replaceChild(e.createTextNode(o(a.getAttribute('data-cfemail'),0)),a)}catch(e){}}catch(e){}}(document);</script></script>

The n value changes with each page reload.

I have got template of my webpage from freelancer and first want to check it before publish, it strange for me because i cant found attributes in code like data-cfemail or .__cf_email__ also dont have anything like /cdn-cgi/l/email-protection#

Please tell me what it does? It can be malicious? Have to test what it do?

2 answers

solution1
 3 ACCPTED  2017-10-14 11:59:13

The code starts with 

e /*document*/ .getElementsByTagName('a')

So it gets all links on the page, iterates over them and if the link contains 

/cdn-cgi/l/email-protection#

then it does: 

a.href='mailto:'+o(a.href,t /*the position of the upper inside the link*/+l.length /*the length of the upper*/)

Theres another loop inside the code iterating over 

e.querySelectorAll('.__cf_email__')

and replaces these elements text with: 

o( 
  a /* one of the upper elems*/ .getAttribute('data-cfemail'),
  0
 )

So the interesting thing is actually the mysterious o function. That iterates over the passed string and converts 2byte pairs: 

String.fromCharCode( '0x'+e.substr(t,2) /*the pair*/^n );

whereas n is: 

n='0x'+e.substr(t,2)|0

so basically it does an xor operation based on the first two bytes. So this: 

A1 B2 C3 D4

will result in 

B2 ^ A1
C3 ^ A1
D4 ^ A1

This result is then shortened to a dynamic url using a small trick, and then returned. So basically this is some kind of email protection , which uses a very basic xor encryption to encrypt the content. And thats it.

To test that behaviour simply put a link into your content linking to: 

//the start link we need:
/cdn-cgi/l/email-protection#
//the xor encryption disabler as ( a ^ 0 = a)
00
//test@example.com in hex
74657374406578616d706c652e636f6d

And you will see that itll link to test@example.com.

Test environment

So i can conclude: this script is a harmless email link encryption, if you havent any link or text using this encryption its probably some code left over from an earlier version.

I havent found any indication that the two variables n and e change anything...

solution2
 0  2017-10-14 14:37:18

Im sorry, isn't that from mr.robot easter egg sites? http://www.conficturaindustries.com/

screen from site with this script

Are you sure that this is YOUR code?

Its email encoding sript, if you look at the result page code, you will not find any e-mails there, it will be available as a link only if you focus on the visual site display

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Problems with displaying text in Javascript “N�O�T�I�C�E�”, php displays it with no problem Javascript replace regexp \\n with \n, \\t with \t, \\r with \r and so on Using JavaScript, how to generate a randm 11 char string following these param/rules? (L,L,L,L/N,L/N,N,N,N,N,N,N) javascript, strange function arrangement, don't understand JavaScript Converting \n to \r\n javascript, replace \n with \r\n Object function (e,t){return new x.fn.init(e,t,r)} has no method 'plot' Javascript - Remove \r\n JS Unpacker via PHP - function(p,a,c,k,e,r) javascript split( /\r\n|\n|\r/) with semicolon
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM