Does an open source blog theme hide something extra?

First of all, this article is only my guess. If anything is wrong, please correct me.

Background

A few days ago a friend told me he had seen a cnblogs (Blog Park) theme. The idea behind it was nice, though the theme itself was not that good, and when he later looked at the source code he found some hidden things.

Source address: https://github.com/cjunn/cnblog_theme_atum

Findings

Mysterious Backend Request

First, the theme sends requests to a PHP server run by the theme author.

Here we can see that the response is wrapped in a callback, which is the typical sign of JSONP, a technique used to get around cross-domain restrictions.

So how exactly does JSONP work?

How JSONP works

Because of the browser's same-origin policy, AJAX cannot read data from an API on another domain unless that server sends the proper CORS headers. JSONP was invented to get around this.

A browser can load a script from a foreign domain without any cross-origin settings on that domain. Once the foreign script is loaded, the functions inside it can be called, so the API is passed the name of a callback, for example:

<script src="http://a.com/a.php?callback=ttt"></script>

The server then returns a JS file whose content is

ttt({'a': 1, 'b': 2})

The JSON data is then delivered through the call to the ttt function.

The Problem with the Backend Request

So far, does it still seem that there is nothing wrong? It looks like a harmless response.

But consider that the backend can replace this callback at any time, for example with JS that collects information about you, or even controls your browser's behaviour, such as clicking things on his behalf. Look up BeEF for what that looks like.
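To make the two points above concrete (how the callback delivers the data, and why the page ends up trusting whatever the server sends), here is an added example in Node.js. It is not code from the theme or from this post; jsonpResponse, consumeJsonp and consumeJson are the example's own names, and the sample responses are constructed.

```javascript
// Added example, not code from the theme or from the post: a simulated
// JSONP endpoint and two ways a client can consume the response.

// Server side. The callback name comes from the request, so a JSONP
// endpoint must restrict it to a plain identifier; otherwise the request
// itself could turn the response into arbitrary script.
function jsonpResponse(callbackName, data) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(callbackName)) {
    throw new Error("invalid callback name: " + callbackName);
  }
  return callbackName + "(" + JSON.stringify(data) + ");";
}

// Client side, JSONP style. The response text is *executed* as script,
// exactly as <script src="http://a.com/a.php?callback=ttt"> would run it,
// so the page runs whatever the server chose to send. `document` here is a
// stub that only records what the script tried to write into the page.
function consumeJsonp(responseText) {
  const result = { received: null, pageWrites: [] };
  const ttt = (obj) => { result.received = obj; };
  const document = { write: (html) => result.pageWrites.push(html) };
  new Function("ttt", "document", responseText)(ttt, document);
  return result;
}

// Client side, CORS + fetch style. The response is parsed as data and never
// executed; anything that is not JSON is rejected instead of run.
function consumeJson(responseText) {
  return JSON.parse(responseText);
}

// Constructed sample responses.
const benignResponse = jsonpResponse("ttt", { a: 1, b: 2 });
// Same data, with extra code appended by whoever controls the server.
const tamperedResponse =
  benignResponse + ' document.write("<!-- anything the server wants -->");';

console.log(consumeJsonp(benignResponse));   // data received, pageWrites: []
console.log(consumeJsonp(tamperedResponse)); // data received, pageWrites: [one entry]
```

The JSONP client has no way to distinguish the two responses before running them; with a CORS-enabled endpoint and JSON.parse the tampered text would simply fail to parse.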

Mysterious Encrypted String

I saw that this theme takes up less CPU and memory, so I spent a few minutes going through the source and found something strange.

I found this while looking for the PHP request mentioned above:

Following it up:

And following further:

There is a bunch of encrypted-looking stuff.

From the name it looks like Baidu Tongji (Baidu Analytics, "Baidu statistics"), but why encrypt it? Let's follow the encryption function to see:

/**
 *
 *  Base64 encode / decode
 *  http://www.webtoolkit.info
 *
 **/


// "private property": the alphabet is assembled from fragments spread
// through the file, so the full string never appears in one place
let _keyStr = "";
_keyStr += "AByz0r4wxs";

// public method for encoding
let encode = function (input) {
  var output = "";
  var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
  var i = 0;

  input = _utf8_encode(input);

  while (i < input.length) {
    chr1 = input.charCodeAt(i++);
    chr2 = input.charCodeAt(i++);
    chr3 = input.charCodeAt(i++);

    enc1 = chr1 >> 2;
    enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
    enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
    enc4 = chr3 & 63;

    if (isNaN(chr2)) {
      enc3 = enc4 = 64;
    } else if (isNaN(chr3)) {
      enc4 = 64;
    }

    output = output +
      _keyStr.charAt(enc1) + _keyStr.charAt(enc2) +
      _keyStr.charAt(enc3) + _keyStr.charAt(enc4);
  } // Whend

  return output;
} // End Function encode
_keyStr += "KLMCDEtuTUVWX12NOPQk"; // second alphabet fragment


// public method for decoding
let decode = function (input) {
  var output = "";
  var chr1, chr2, chr3;
  var enc1, enc2, enc3, enc4;
  var i = 0;

  input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
  while (i < input.length) {
    enc1 = _keyStr.indexOf(input.charAt(i++));
    enc2 = _keyStr.indexOf(input.charAt(i++));
    enc3 = _keyStr.indexOf(input.charAt(i++));
    enc4 = _keyStr.indexOf(input.charAt(i++));

    chr1 = (enc1 << 2) | (enc2 >> 4);
    chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
    chr3 = ((enc3 & 3) << 6) | enc4;

    output = output + String.fromCharCode(chr1);

    if (enc3 != 64) {
      output = output + String.fromCharCode(chr2);
    }

    if (enc4 != 64) {
      output = output + String.fromCharCode(chr3);
    }

  } // Whend

  output = _utf8_decode(output);

  return output;
} // End Function decode
_keyStr += "lmnopqYZabcdef"; // third alphabet fragment


// private method for UTF-8 encoding
let _utf8_encode = function (string) {
  var utftext = "";
  string = string.replace(/\r\n/g, "\n");

  for (var n = 0; n < string.length; n++) {
    var c = string.charCodeAt(n);

    if (c < 128) {
      utftext += String.fromCharCode(c);
    } else if ((c > 127) && (c < 2048)) {
      utftext += String.fromCharCode((c >> 6) | 192);
      utftext += String.fromCharCode((c & 63) | 128);
    } else {
      utftext += String.fromCharCode((c >> 12) | 224);
      utftext += String.fromCharCode(((c >> 6) & 63) | 128);
      utftext += String.fromCharCode((c & 63) | 128);
    }

  } // Next n

  return utftext;
} // End Function _utf8_encode
_keyStr += "35RSJFGHIvgh"; // fourth alphabet fragment
// private method for UTF-8 decoding
let _utf8_decode = function (utftext) {
  var string = "";
  var i = 0;
  var c, c1, c2, c3;
  c = c1 = c2 = 0;

  while (i < utftext.length) {
    c = utftext.charCodeAt(i);

    if (c < 128) {
      string += String.fromCharCode(c);
      i++;
    } else if ((c > 191) && (c < 224)) {
      c2 = utftext.charCodeAt(i + 1);
      string += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
      i += 2;
    } else {
      c2 = utftext.charCodeAt(i + 1);
      c3 = utftext.charCodeAt(i + 2);
      string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
      i += 3;
    }

  } // Whend

  return string;
} // End Function _utf8_decode
_keyStr += "ij6789+/="; // last fragment; the full string is a shuffled base64 alphabet plus '=' padding

// exported under short, meaningless names: i = encode, o = decode
export default {
  i: (message) => {
    return encode(message);
  },
  o: (ciphertext) => {
    return decode(ciphertext);
  },
}

Running this function on its own decodes the string to https://hm.baidu.com/hm.js?ae80cc662109a34c868ba6cbe3431c8d, the Baidu Tongji script address.
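The "encryption" above is just base64 with a reordered alphabet. As an added example (not code from the theme or from this post), the following Node.js snippet joins the five _keyStr fragments from the theme's code in order, checks that the result is a permutation of the standard base64 alphabet, and encodes and decodes by translating between the two alphabets and letting Buffer do the real base64 work. The helper names and the sample input "hm.js" are the example's own.

```javascript
// Added example, not code from the theme or from the post.
const STANDARD =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
// The theme's _keyStr fragments, joined in the order they are appended.
const SHUFFLED =
  "AByz0r4wxs" + "KLMCDEtuTUVWX12NOPQk" + "lmnopqYZabcdef" +
  "35RSJFGHIvgh" + "ij6789+/=";

// True if the alphabet is the standard one reordered, with '=' kept as the
// padding character. If so, the "encryption" is a fixed substitution and
// carries no secret beyond the string itself.
function isShuffledBase64Alphabet(alphabet) {
  if (alphabet.length !== STANDARD.length) return false;
  if (alphabet[64] !== "=") return false;
  const sorted = (s) => s.slice(0, 64).split("").sort().join("");
  return sorted(alphabet) === sorted(STANDARD);
}

// Map each character at position i in `from` to the character at the same
// position in `to`.
function translate(text, from, to) {
  let out = "";
  for (const ch of text) {
    const idx = from.indexOf(ch);
    if (idx < 0) throw new Error("character not in alphabet: " + ch);
    out += to[idx];
  }
  return out;
}

// Standard base64, then substitute into the theme's alphabet.
function encodeShuffled(plain) {
  const std = Buffer.from(plain, "utf8").toString("base64");
  return translate(std, STANDARD, SHUFFLED);
}

// Substitute back into the standard alphabet, then plain base64 decode.
function decodeShuffled(obfuscated) {
  const std = translate(obfuscated, SHUFFLED, STANDARD);
  return Buffer.from(std, "base64").toString("utf8");
}

console.log(isShuffledBase64Alphabet(SHUFFLED)); // true
console.log(encodeShuffled("hm.js"));            // O4IRObM=
console.log(decodeShuffled("O4IRObM="));         // hm.js
```

Because the alphabet is a permutation, any string the theme hides this way can be recovered with the same translation; the only thing the scheme achieves is that the usual base64 signatures (and a search for the plain Baidu URL) do not match the source.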

Then, at initialization, every time you open the site:

The function initBaiduCount() is called every time you enter the website,

and there is a route guard called pushBaiduCount().

Some people may not know what a route guard is. A route guard is a hook that is called every time you enter or leave a route (a page of the site), for example when you navigate to a new route. Following it up:

Here the Baidu Tongji code is inserted.

My doubts

I don't know much about Baidu Tongji; I always thought it was only about site traffic and visits, and I don't know anything else about it.

Here is what I find suspicious.

I thought it was for statistics on my blog, but I don't understand why so much effort went into encrypting and decrypting it.

What's more, the file containing this encrypted JS has had its .js suffix removed, so GitHub's code search cannot find the analytics code; it is hard to find unless you download the code.

As far as I can see, nothing on the PHP server he built is actually used. At first I thought it was a reverse proxy turning cnblogs pages into an API, but when I looked at the requests, all of them were callbacks that returned a string. I really cannot imagine why this operation is necessary; at the moment it seems to have no value.

So the question arises:

  1. Baidu Tongji has been added, but it does not seem to be a user-configurable option, nor is it openly declared?
  2. What is the main purpose of this PHP server? Is the current callback really pointless, or is it there so that something can be done with it later?

Tags: PHP github encoding JSON

Posted on Tue, 12 May 2020 20:03:25 -0400 by skyace888