So for the last couple of days I have been practicing some basic malware analysis on mainly macro malware like Agent Tesla but this time I am trying to figure out how solve the logic of the vjworm javascript malware and so far I have managed to deobfuscate the code using a combination of both manual deobfuscation and an online tool.
This is the sample in it's deobfuscated form https://pastebin.com/qRBKix6V
I am not able to post the entire thing here on Stackoverflow so I posted it on pastebin because it's just too large for the post limit of 30000 characters so I will post a snippet of the code instead and it's a piece of the code I am struggling to wrap my head around where it looks to be base64
and I did try convert it into text using a base64 to text online tool and I was promptly told that this was actually code and that I should convert to the bin format and I could read the output before I downloaded it and it was just a bunch of random letters with no meaning at all
What does this mean?.
function t() {
var Nd = ["W68xWPnGW59PWQiEnaC", "yMeBqSoNWPxdO8kT", "omkdW6ddQq", "q2XVC2u", "W7/dPCkWWPpdNfldVG", "WOHnWONcTtXLWPH+WQPb", "sSkzfq", "A3LWzsaVDhiGiG", "vbVdSSk7WOK", "Evz3tuK", "fSoHxmk9C1ldPq", "WOtcLSozW6S", "W7ebWPBcRaCxW5BcJrn0", "Ahr0CdOVl2DYyq", "atP8ssW", "gL3cMG", "C3bSAxq", "u2XLzxa", "B3bLBG", "tfNdJGddR8oFqSkHW7u", "W4RdPCo4aN/cIw9Ifmk4WPv1", "Dg9tDhjPBMC", "BsS0ga", "rhhcT3lcKXpcT8keW4tdMG", "jvjNtMuL", "WRpcTCoyW6/cQq", "mhWZFdr8mxWY", "ue9tva", "W5SibaddMmkMumo4", "mZmWt3Lsrvfe", "FY3dPHZcOcdcJ8kSWQJdQa", "lrJcQ8oRWQFdGSoaWPW6W4y", "aCo/fvxdJMuaD8oyW6C", "W5nKW68+ntGvEConeZ0", "W4pcJSkO", "Dub7or8", "hGnwAbvOcSo6W79/", "BgVcGwJcLG", "uMvNv3jPDgu", "xhjVB3rCC2vJDq", "W6LEA19k", "W4TgW6VdR3i", "WOTqgrldVmkDEmo4", "W7FcVSk1CmoBpW", "BuDAtKS", "WPNcNhqRWQ0", "t8kAztlcQmkrhW", "W5tdLahdNCoEW7KYmSkacW", "fSo0W4xcMN0XW5TDi2S", "tCoEWRJcVutcP2SJn8oMWQi", "twLJCM9ZB2z0xa", "WO9uwKZcHmk0CSoniSkIW5W", "WRZdJGtdI8od", "ef/dM8kau8olW6jFn8k6", "yxbWBhK", "jxZcVSkgWPe", "F8oPvW", "mJy0vhv2vgXi", "WRtdVMm1", "qCk4m8kNAM3dSHRdIq", "F2RcQG", "pCo5W6e7oaysu8oX", "hCodowFdS8osqSo5y8kogKFdVq", "WRyAkmk0kHuHFwS", "nxW0FdH8mW", "shHSz1O", "sXpdUmkUWO3dNCo7k8oWza", "WRiwj8kRlHa", "yMvRBKC", "AxrLBq", "WRJdH8ouWQRdKa", "u2HLBgWUqxbWBa", "W6PdW50", "W53dOCk0WPC", "oCk5xwJcSq", "atapCSoCWQxdMSk6", "zLDLuhG", "juVdHCoXW67cJxZdVSkLW4y", "ntG1odD2qKrRzNG", "ntuWmtK1DxjtC2nx", "we1msfruua", "ruPUEhu", "BG9MW58qWPJcPfddK8kt", "W7KibqBdKa", "jGVcQSk0W5JdLmkUi8kR", "W6nfA11+", "uxvPDa", "d8kDEvxcKa", "renDcdS", "W5/dVc7dVmo0", "WR5keSkhW7jdyCkca8o0sq0d", "WOVcVCkaDGS", "jedcRmo+W5NcNSoXoCoVCmkVWP8", "Bw92zu5LEhq", "wefJW5mcWP/cQeZdGSoy", "Ffz8", "EujSyvi", "yxrPBMDtExn0zq", "zgVcOwS", "h2hcOCkxWRRdOmkwqW", "DuPcfZ/cP3y", "rJ0XdLO", "CSonCJy+", "jJitWOhdHcldS8opbmkp", "rMLSzq", "ChnHBg1Zltu1", "betdKmkftSoC", "W6ZdTmkfWPhdMq", "uhjVz3jHBurHDa", "mNWWFdf8n3W2Fa", "FwPxW4BcMW", "v2LUzg93C1XdDq", "WPqHWRe", "xe1Py3jVC29MDa", "vxL4Cu0", "rgLZCgXHEu5HBq", "wuvt", "WQtcH8kLWPbpydzfWPRcVa", "W7vcW6BdQ3a", "u2nODgfZA3mGlW", "sw5ZDgfUy2vZtW", "odCZsgXrs2Do", "qSk+mvdcUa", "yxrfBMq", "vwDoC1u", "W7HfW5KHW6KFW6u", "zwXS", "z8kNcNTsWR3dKSoJWRFcVG", "u0XbD2O", "CMvWBgfJzq", "W6LiW4VcRXvNW47cJfro", "W4rrW7C", "yuXutgq", "v1nJCMLWDc5tAa", "W6ddVW7dJSoJ", "r1DNs2K", "wgDZtwq", "t3bLBLrLEhrgAq", "t3rYweK", "W5tdRSkoWRJdNa", "xfnVzNr3yxjLxa", "tqpcPt3cRZjFWP3dHH0", "zmkafgVcRSk1W6vYrmkn", "fmoGDSkksfNdGqK", "WONcU8k4WPbU", "qLFdR8k9uG", "qmoqwX8CW7bgzq", "Emo4W4hcKvS1W58EAq", "seTmtvXtt0zuvW", "uKvhx1nA", "CML0EwnLBNrLCG", "DCkclIO", "DgvTCa", "lK5fvfXgCMfTzq", "nKD6B3fbra", "BgXUvLa", "g2/dQSor", "mZq0mtjzv0rHwuG", "oCkNvf7cSsn5tu5t", "y29Kzeu", "udDfs09xqJzhsa", "rmo2W6xcTKK", "v3jPDgu"];
This is the malware sample in it's obfuscated form https://pastebin.com/xukFtPT7
My main goal here is to get an understanding about how the code functions and how it eventually get's to the ioc like ip adresses and domain names.
So far I have done some research around this malware but I found very little regarding how to reverse engineer this malware and the only resource I found did not have the same code as me.
I am by no means an expert at reverse engineering malware and I am not a master programmer by any means but I am able to read,write basic programs.
But on the other hand I have watched many tutorials and read many resources regarding malware from different families and how to best analyse them using a combination of both tools and manual malware analysis both static and dynamic.
What should I do now?
So, when our web application is scanned for Veracode, I get many Cross-Site Scripting flaws,
"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"(CWE ID 80).
And, out of few flaws we have, I could not figure out how to fix this particular scenario.
Below is my piece of code -
$(".ui-dialog-buttonset .ui-button:visible").each(function(index, item) {
var label = $(item).text();
if (label == "Save" || label == "Create")
$(item).click();
});
I can see flaw reported on $(item).text(); and $(item).click(); lines.
I understand that, for text I can use something like DOMPurify.sanitize to clean the string.
But, I could not understand, why veracode is reporting for $(item).click();
Is it because the $(item) itself is not safe?
If yes then, how do I fix it?
I would greatly appreciate any help in this.
Okay, found fix from DOMPurify library.
You can sanitize DOM element too using DOMPurify.
So, below code works -
item = DOMPurify.sanitize(item, {SAFE_FOR_JQUERY:true});
I found hundreds of cloned versions of my website.
Whoever is doing that are using some code that clones my web pages, changes my website name mydomain.com to clone1.com, clone2.com, clone3.com etc and this makes it impossible to use a simple JS or PHP to check if the header URL is = to mysite.com then redirect.
It also does not work using the .htaccess
For this reason I have created this code:
<script type="text/javascript">
if (window.location.href== "http://clone1.com/cat1/{{{ $title->id }}}-{{ (Str::slug($title->title)) }}/cat2/{{ $se->n }}/cat3/{{ $episode->ep_n }}")
{
window.location.href = 'http://google.com/';
}
</script>
This script completes its purpose but is too long and is also very restrictive because it must contain the exact URL.
I'm looking to do this:
<script type="text/javascript">
if (window.location.href== "http://
//contains this part in its URL
clone1.com , clone2.com , clone3.com , clone4....
}}")
{
window.location.href = 'http://google.com/';
}
</script>
How can I create a global JS (JavaScript), that would detect if the current page is not on my domain and then redirect the reader to my domain and the same page?
Many thanks
1. Best Solution - Early Detection
Depending on your main traffic source, it is possible to detect who is scrapping you and block them based on their IP, Headers, number of page views and other data, using PHP & HTACCESS.
I really like this answer on the StackOverflow, that discusses almost all the options available for early detection.
How to detect fake users ( crawlers ) and cURL
2. Plugins & Extensions for Open Source Content Management Systems
Wordpress
If using Wordpress CMS, you can try some plugins, like WordFence, that can detect and block fake Google Crawlers, block based on the number of page views etc.
Other CMS
If you can't find a similar solution for your CMS of choice, consider to ask a community for a help with creating the solution like that, as I believe many people could benefit from it.
3. Solution for already stolen content with JavaScript
Sometimes the easiest road to hide something in JS, is to actually HIDE something by OBFUSCATING and by hiding in multiple important files. For example, obfuscate some important file on your website without which the website just wouldn't work properly.
For example, put an obfuscated version of the code below somewhere in JS file in the header, Obfuscate this code using any free services online or download your own library on Github:
Non-Obfuscated:
w='mysite.com'; // Current URL e.g. 'mysite.com/category1/page2/'
function check_origin(){
var check = 587;
if(window.location.hostname != w){
window.location.href = w;
}
return check;
}
var check = check_origin();
Obfuscated example:
var _0x303e=["\x6D\x79\x73\x69\x74\x65\x2E\x63\x6F\x6D","\x68\x6F\x73\x74\x6E\x61\x6D\x65","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x72\x65\x66"];w= _0x303e[0];function check_origin(){var check=587;if(window[_0x303e[2]][_0x303e[1]]!= w){window[_0x303e[2]][_0x303e[3]]= w};return check}var check=check_origin()
Now put an additional code in some Footer JS File, to verify the code above wasn't modified in any way:
Non-Obfuscated example:
if(w!=='mysite.com'||check == false || typeof check == 'undefined' || check !== 587 ){
window.location.href = 'mysite.com';
}
Obfuscated:
var _0x92bb=["\x6D\x79\x73\x69\x74\x65\x2E\x63\x6F\x6D","\x75\x6E\x64\x65\x66\x69\x6E\x65\x64","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];if(w!== _0x92bb[0]|| check== false|| typeof check== _0x92bb[1]|| check!== 587){window[_0x92bb[3]][_0x92bb[2]]= _0x92bb[0]}
I have used free online service from Google's search results for the term "Free Online JS Obfuscator:
https://javascriptobfuscator.com/Javascript-Obfuscator.aspx
4. Fight thieves with available methods e.g. Request a Ban from Search Engines – The Digital Millennium Copyright Act of 1998
Here is a blog-post that describes what to do when someone is stealing your content.
https://lorelle.wordpress.com/2006/04/10/what-do-you-do-when-someone-steals-your-content/
You can investigate who is doing that and report them to their partners, search engines, advertisers - to disrupt their business.
Depending on their country of origin and yours, it is maybe even possible to sue them and win.
why not check if hostname is your ?
if(window.location.hostname != 'mysite.com'){
window.location.href = 'http://google.com/';
}
I am in the process of setting up a blog through blogger.com and used a template from veethemes.com to get me started.
However, I noticed that there's an obfuscated script in the template and I'd prefer to know what it does to ensure that nothing untowards or unwanted is being done.
The code is as follows:
var _0x378a=["\x6B\x20\x45\x28\x73\x2C\x6E\x29\x7B\x79\x20\x73\x2E\x77\x28\x2F\x3C\x5C\x2F\x3F\x28\x3F\x21\x53\x5C\x73\x2A\x5C\x2F\x3F\x29\x5B\x61\x2D\x7A\x5D\x5B\x61\x2D\x54\x2D\x39\x5D\x2A\x5B\x5E\x3C\x3E\x5D\x2A\x3E\x2F\x4C\x2C\x22\x22\x29\x2E\x4B\x28\x2F\x5C\x73\x2B\x2F\x29\x2E\x31\x37\x28\x30\x2C\x6E\x2D\x31\x29\x2E\x5A\x28\x27\x20\x27\x29\x7D\x6B\x20\x31\x31\x28\x65\x2C\x74\x2C\x6E\x2C\x68\x2C\x63\x2C\x62\x2C\x71\x29\x7B\x35\x20\x72\x3D\x6A\x2E\x66\x28\x65\x29\x3B\x35\x20\x69\x3D\x6A\x2E\x66\x28\x6E\x29\x3B\x35\x20\x63\x3D\x63\x3B\x35\x20\x62\x3D\x62\x3B\x35\x20\x73\x3D\x22\x22\x3B\x35\x20\x6F\x3D\x72\x2E\x31\x39\x28\x22\x41\x22\x29\x3B\x35\x20\x61\x3D\x58\x3B\x35\x20\x70\x3D\x22\x22\x3B\x35\x20\x31\x36\x3D\x22\x75\x2E\x4D\x28\x57\x2E\x38\x2C\x20\x27\x31\x30\x27\x2C\x20\x27\x31\x32\x3D\x59\x2C\x20\x31\x33\x3D\x31\x34\x2C\x20\x31\x38\x3D\x78\x2C\x20\x31\x35\x3D\x78\x2C\x20\x4F\x2C\x20\x4E\x27\x29\x3B\x20\x79\x20\x50\x3B\x22\x3B\x49\x28\x6F\x2E\x51\x3E\x3D\x31\x29\x7B\x73\x3D\x27\x3C\x33\x20\x36\x3D\x22\x56\x2D\x55\x22\x3E\x3C\x61\x20\x38\x3D\x22\x27\x2B\x74\x2B\x27\x22\x3E\x3C\x41\x20\x36\x3D\x22\x52\x22\x20\x76\x3D\x22\x27\x2B\x6F\x5B\x30\x5D\x2E\x76\x2E\x77\x28\x2F\x73\x5C\x42\x5C\x64\x7B\x32\x2C\x34\x7D\x2F\x2C\x27\x73\x27\x2B\x31\x6F\x29\x2B\x27\x22\x20\x31\x71\x3D\x22\x22\x2F\x3E\x3C\x2F\x61\x3E\x3C\x2F\x33\x3E\x27\x3B\x61\x3D\x31\x73\x7D\x35\x20\x67\x3D\x27\x3C\x33\x20\x36\x3D\x22\x31\x72\x22\x3E\x3C\x33\x20\x36\x3D\x22\x31\x74\x22\x3E\x3C\x33\x20\x36\x3D\x22\x43\x22\x3E\x3C\x37\x20\x36\x3D\x22\x31\x61\x22\x3E\x27\x2B\x62\x2B\x27\x3C\x2F\x37\x3E\x3C\x37\x20\x36\x3D\x22\x31\x70\x22\x3E\x3C\x61\x20\x38\x3D\x22\x27\x2B\x74\x2B\x27\x23\x31\x6D\x22\x3E\x27\x2B\x63\x2B\x27\x3C\x2F\x61\x3E\x3C\x2F\x37\x3E\x3C\x2F\x33\x3E\x3C\x44\x3E\x3C\x61\x20\x38\x3D\x22\x27\x2B\x74\x2B\x27\x22\x3E\x27\x2B\x6E\x2B\x27\x3C\x2F\x61\x3E\x3C\x2F\x44\x3E\x3C\x33\x20\x36\x3D\x22\x43\x20\x31\x66\x22\x3E\x3C\x37\x20\x36\x3D\x22\x71\x22\x3E\x31\x65\x20\x31\x6E\x20\x27\x2B\x71\x2B\x27\x3C\x2F\x37\x3E\x3C\x37\x20\x36\x3D\x22\x68\x22\x3E\x31\x64\x20\x27\x2B\x68\x2B\x27\x3C\x2F\x37\x3E\x3C\x2F\x33\x3E\x3C\x2F\x33\x3E\x27\x2B\x73\x2B\x27\x3C\x33\x20\x36\x3D\x22\x31\x62\x22\x3E\x3C\x70\x3E\x27\x2B\x45\x28\x72\x2E\x6D\x2C\x61\x29\x2B\x27\x20\x5B\x2E\x2E\x2E\x2E\x2E\x5D\x3C\x2F\x70\x3E\x3C\x2F\x33\x3E\x3C\x2F\x33\x3E\x27\x3B\x72\x2E\x6D\x3D\x67\x7D\x3B\x75\x2E\x31\x63\x3D\x6B\x28\x29\x7B\x35\x20\x65\x3D\x6A\x2E\x66\x28\x22\x31\x67\x22\x29\x3B\x49\x28\x65\x3D\x3D\x31\x68\x29\x7B\x75\x2E\x31\x6C\x2E\x38\x3D\x22\x4A\x3A\x2F\x2F\x46\x2E\x47\x2E\x6C\x22\x7D\x65\x2E\x48\x28\x22\x38\x22\x2C\x22\x4A\x3A\x2F\x2F\x46\x2E\x47\x2E\x6C\x2F\x22\x29\x3B\x65\x2E\x48\x28\x22\x31\x6B\x22\x2C\x22\x31\x6A\x22\x29\x3B\x65\x2E\x6D\x3D\x22\x31\x69\x2E\x6C\x22\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x7C\x64\x69\x76\x7C\x7C\x76\x61\x72\x7C\x63\x6C\x61\x73\x73\x7C\x73\x70\x61\x6E\x7C\x68\x72\x65\x66\x7C\x7C\x7C\x74\x61\x67\x7C\x63\x6F\x6D\x6D\x65\x6E\x74\x7C\x7C\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64\x7C\x7C\x64\x61\x74\x65\x7C\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x63\x6F\x6D\x7C\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C\x7C\x7C\x7C\x7C\x61\x75\x74\x68\x6F\x72\x7C\x7C\x7C\x7C\x77\x69\x6E\x64\x6F\x77\x7C\x73\x72\x63\x7C\x72\x65\x70\x6C\x61\x63\x65\x7C\x32\x34\x7C\x72\x65\x74\x75\x72\x6E\x7C\x7C\x69\x6D\x67\x7C\x7C\x6D\x65\x74\x61\x7C\x68\x32\x7C\x73\x74\x72\x69\x70\x54\x61\x67\x73\x7C\x77\x77\x77\x7C\x76\x65\x65\x74\x68\x65\x6D\x65\x73\x7C\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65\x7C\x69\x66\x7C\x68\x74\x74\x70\x7C\x73\x70\x6C\x69\x74\x7C\x69\x67\x7C\x6F\x70\x65\x6E\x7C\x72\x65\x73\x69\x7A\x61\x62\x6C\x65\x7C\x73\x63\x72\x6F\x6C\x6C\x62\x61\x72\x73\x7C\x66\x61\x6C\x73\x65\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x69\x6D\x67\x7C\x62\x72\x7C\x7A\x30\x7C\x6D\x65\x64\x69\x61\x7C\x70\x6F\x73\x74\x7C\x74\x68\x69\x73\x7C\x73\x75\x6D\x6D\x61\x72\x79\x5F\x6E\x6F\x69\x6D\x67\x7C\x35\x35\x30\x7C\x6A\x6F\x69\x6E\x7C\x77\x69\x6E\x64\x6F\x77\x4E\x61\x6D\x65\x7C\x72\x6D\x7C\x77\x69\x64\x74\x68\x7C\x68\x65\x69\x67\x68\x74\x7C\x36\x30\x30\x7C\x74\x6F\x70\x7C\x70\x6F\x70\x75\x70\x7C\x73\x6C\x69\x63\x65\x7C\x6C\x65\x66\x74\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x74\x61\x67\x73\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x65\x78\x63\x65\x72\x70\x74\x7C\x6F\x6E\x6C\x6F\x61\x64\x7C\x6F\x6E\x7C\x70\x6F\x73\x74\x65\x64\x7C\x70\x6F\x73\x74\x5F\x6D\x65\x74\x61\x7C\x61\x74\x74\x72\x69\x5F\x62\x75\x74\x69\x6F\x6E\x7C\x6E\x75\x6C\x6C\x7C\x56\x65\x65\x54\x68\x65\x6D\x65\x73\x7C\x64\x6F\x66\x6F\x6C\x6C\x6F\x77\x7C\x72\x65\x6C\x7C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x7C\x63\x6F\x6D\x6D\x65\x6E\x74\x73\x7C\x62\x79\x7C\x37\x30\x30\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x63\x6F\x6D\x6D\x65\x6E\x74\x73\x7C\x73\x74\x79\x6C\x65\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x63\x6F\x6E\x74\x61\x69\x6E\x65\x72\x7C\x73\x75\x6D\x6D\x61\x72\x79\x69\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x68\x65\x61\x64\x65\x72","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];
eval(function(_0x6c60x1,_0x6c60x2,_0x6c60x3,_0x6c60x4,_0x6c60x5,_0x6c60x6)
{_0x6c60x5=function(_0x6c60x3){return (_0x6c60x3<_0x6c60x2?_0x378a[4]:_0x6c60x5(
parseInt(_0x6c60x3/_0x6c60x2)))+((_0x6c60x3=_0x6c60x3%_0x6c60x2)>35?String[_0x378a[5]]
(_0x6c60x3+29):_0x6c60x3.toString(36))};if(!_0x378a[4][_0x378a[6]]
(/^/,String)){while(_0x6c60x3--){_0x6c60x6[_0x6c60x5(_0x6c60x3)]=_0x6c60x4[_0x6c60x3]||_0x6c60x5(_0x6c60x3)};
_0x6c60x4=[function(_0x6c60x5){return _0x6c60x6[_0x6c60x5]}];_0x6c60x5=function(){return _0x378a[7]};_0x6c60x3=1;};
while(_0x6c60x3--){if(_0x6c60x4[_0x6c60x3])
{_0x6c60x1=_0x6c60x1[_0x378a[6]]( new
RegExp(_0x378a[8]+_0x6c60x5(_0x6c60x3)+_0x378a[8],_0x378a[9]),
_0x6c60x4[_0x6c60x3])}};return _0x6c60x1;}(_0x378a[0],62,92,_0x378a[3]
[_0x378a[2]](_0x378a[1]),0,{}));
I was able to decode the first part using ddecode.com and came up with the following:
var _0x378a=["k E(s,n){y s.w(/<\/?(?!S\s*\/?)[a-z][a-T-9]*[^<>]*>/L,"").K(/\s+/).17(0,n-1).Z(' ')}k 11(e,t,n,h,c,b,q){5 r=j.f(e);5 i=j.f(n);5 c=c;5 b=b;5 s="";5 o=r.19("A");5 a=X;5 p="";5 16="u.M(W.8, '10', '12=Y, 13=14, 18=x, 15=x, O, N'); y P;";I(o.Q>=1){s='<3 6="V-U"><a 8="'+t+'"><A 6="R" v="'+o[0].v.w(/s\B\d{2,4}/,'s'+1o)+'" 1q=""/></a></3>';a=1s}5 g='<3 6="1r"><3 6="1t"><3 6="C"><7 6="1a">'+b+'</7><7 6="1p"><a 8="'+t+'#1m">'+c+'</a></7></3><D><a 8="'+t+'">'+n+'</a></D><3 6="C 1f"><7 6="q">1e 1n '+q+'</7><7 6="h">1d '+h+'</7></3></3>'+s+'<3 6="1b"><p>'+E(r.m,a)+' [.....]</p></3></3>';r.m=g};u.1c=k(){5 e=j.f("1g");I(e==1h){u.1l.8="J://F.G.l"}e.H("8","J://F.G.l/");e.H("1k","1j");e.m="1i.l"}","|","split","|||div||var|class|span|href|||tag|comment|||getElementById||date||document|function|com|innerHTML||||author||||window|src|replace|24|return||img||meta|h2|stripTags|www|veethemes|setAttribute|if|http|split|ig|open|resizable|scrollbars|false|length|article_img|br|z0|media|post|this|summary_noimg|550|join|windowName|rm|width|height|600|top|popup|slice|left|getElementsByTagName|article_tags|article_excerpt|onload|on|posted|post_meta|attri_bution|null|VeeThemes|dofollow|rel|location|comments|by|700|article_comments|style|article_container|summaryi|article_header","","fromCharCode","replace","\w+","\b","g"];
If I remove the script, the site breaks in certain places like Read More no longer cuts off the article on the home page and post headers are no longer visible, etc.
Any help in decoding this or tips on tools that may be available that would help me would be much appreciated.
Just remove eval in the code and throw it in the developer console.
Im trying to execute a some JS code via a background task.
Im using a gateway which works similar to paypal, i.e. once payment details are taken a response is sent back to a listener on my server (this could be immediate or several minutes later)
Once a response is received by the listener (listener.cfm), using cfhttp im calling a file (runPixCode.cfm) which has some trigger code.
Because runPixCode.cfm is not rendered by the browser the JS is not executing.
Also to prove whether this worked or not, im getting the JS to call another file (provethisiscalled.cfm) which write a log to a txt file.
If i put the following straight after the cfhttp call, i can see an entry in the log file. This assures me there is no issue with the JS providing its rendered by the browser.
<cfoutput>#cfhttp.FileContent#</cfoutput><cfabort>
However, doesnt work with a background task. I dont know how else to deal with this, any suggestions appreciated.
listener.cfm
--Does a bunch of logic--
<cfif paymentsuccessful>
<CFHTTP URL="www.mysite.com/runPixCode.cfm" METHOD="post" timeout="12" resolveurl="true">
<CFHTTPPARAM NAME="TrackingId" VALUE="#trackingId#" TYPE="FormField">
</CFHTTP>
</cfif>
runPixCode.cfm
<SCRIPT language="JavaScript">
var axel = Math.random()+"";
var a = axel * 1000;
document.write('<IFRAME SRC="http://www.mysite.com/provethisiscalled.cfm?codearea=landing&num='+ a + '?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME>');
</SCRIPT>
<NOSCRIPT><IFRAME SRC="http://www.mysite.com/provethisiscalled.cfm?codearea=landing&num=1" WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME> </NOSCRIPT>
provethisiscalled.cfm
<cfloop collection=#ARGUMENTS.triggerParams# item="key">
<cfset docLogging = docLogging & chr(13) & "#key# = " & ARGUMENTS.triggerParams[key]>
</cfloop>
<cffile action="append" file="c:\serverlocation\someDir\triggerlog.txt" output="#docLogging#" addnewline="YES" >
Writing an iframe is not going to work, nor is javascript, because all of these processes are being called by applications, not by browsers.
So with that, you have to get creative. First, what are you really attempting to do?
If your purpose is to determine whether or not a file has been called or executed, use <cflog> or write an entry to a database.
If you are trying to pass an HTTP call from listener.cfm to runPixCode.cfm, use <cfhttp> instead of an iframe.
If your purpose is actually to execute JavaScript as part of this automated process (it isn't, but this is cool), you can execute JavaScript in your CF/Java server through Rhino, which is not incredibly simple, but you can get code snippets by googling. Rhino is included with ColdFusion as js.jar, so there are no special files to download to make it work.