


Help With Javascript Injection


2 replies to this topic

#1 drewdaniels

drewdaniels

    Will I break 10 posts?

  • Members
  • 2 posts
  • Gender:Male

Posted 17 May 2011 - 08:39 PM

So I'm taking drivers ed at idrivesafely.com, and each page has a timer that must count down before you can move on to the next page. I've already taken drivers ed once, but it was a scam, so I have to do it again, and I don't want to wait on each page. Here's the 'javascript:continueNextPage();' function:
<!-- Hidden identifiers that updateClock() reads (document.F_ID3.*) and hands
     to setCurSection() when the countdown reaches 0:00. -->
<form name="F_ID3" method="post">
  <input type="hidden" name="CHAPTER" value="16">
  <input type="hidden" name="MODULE" value="2">
  <input type="hidden" name="USERID" value="2E0E0482">
  <input type="hidden" name="SECTION" value="6">
</form>
<!-- Hidden state for the current step.  Not referenced by name in the scripts
     shown on this page; it is only touched generically by the form loop that
     installs the no-op handlers. -->
<form name="F_ID" method="post">

  <input type="hidden" name="rm" value="outputContentHtml">
  <input type="hidden" name="LANGUAGE" value="EN">
  <input type="hidden" name="PLUGINOK" value="">
  <input type="hidden" name="USERID" value="2E0E0482">
  <input type="hidden" name="STN" value="5">
  <input type="hidden" name="TIMESTAMP" value="0">
  <input type="hidden" name="CONTROL" value="1">
  <input type="hidden" name="CHAPTER" value="16">
  <input type="hidden" name="MODULE" value="2">

  <input type="hidden" name="GASESSION" value="">
</form>
<!-- MIDDLE HERE -->
<!-- Opened here and closed further down, after the scripts.  The USERID field
     appears twice in this form, so both copies are submitted with it. -->
<form name="F_ID1" method="post">

  <input type="hidden" name="rm">
  <input type="hidden" name="LANGUAGE" value="EN">
  <input type="hidden" name="CHAPTER" value="16">
  <input type="hidden" name="USERID" value="2E0E0482">
  <input type="hidden" name="STN" value="6">
  <input type="hidden" name="TIMESTAMP" value="1305682527">
  <input type="hidden" name="PAUSETIMER" value="">
  <input type="hidden" name="DONE" value="0">
  <input type="hidden" name="MODULE" value="2">

  <input type="hidden" name="USERID" value="2E0E0482">
  <input type="hidden" name="GASESSION" value="">


                <script language="javascript1.2">
                var isN6 = false, isN4 = false, isIE = false;
                // Declared here; neither is read by the code on this page.
                var sawFirst = false, playStatus = 0;
                // Legacy browser sniffing: Netscape 4 exposes document.layers,
                // IE exposes document.all, and anything else that has
                // getElementById is treated as "N6".  At most one flag is set.
                if (document.layers) {
                    isN4 = true;
                } else if (document.all) {
                    isIE = true;
                } else if (document.getElementById) {
                    isN6 = true;
                }
        // Event handler that deliberately does nothing; addEHandlers() installs
        // it on embedded media objects.  Returns undefined, so the event's
        // default action is left alone.
        function ehandler(e) {
            var unused = '';
        }

        // Installs ehandler on o for each of the nine event properties listed
        // below, in this order.  Assigning the on* property replaces whatever
        // handler was previously set there.
        function addEHandlers(o) {
            var names = ['blur', 'click', 'dblclick', 'focus', 'keydown',
                         'load', 'mousedown', 'resize', 'submit'];
            for (var k = 0; k < names.length; k++) {
                o['on' + names[k]] = ehandler;
            }
        }

        // Installs handler on o for each of the nine event properties listed
        // below, in this order.  Assigning the on* property replaces whatever
        // handler was previously set there.
        function addHandlers(o) {
            var names = ['blur', 'click', 'dblclick', 'focus', 'keydown',
                         'load', 'mousedown', 'resize', 'submit'];
            for (var k = 0; k < names.length; k++) {
                o['on' + names[k]] = handler;
            }
        }

        var vTimeReq = 290;
        var vTimeStamp = parseInt(new Date().getTime() / 1000);
        var vMissedTime = 0;
        var vTotalTime = 0;
        var vLeftAtTime = 0;
        var haveReal = false;
        var mins = 0;
        var secs = 0;
        vTotalTime = 0;
        var vNow = 0;
        goClock = true;
        // Gate run when the user tries to move on.  Returns true only when
        // vTotalTime (seconds counted by updateClock) exceeds vTimeReq and,
        // if a window.theViewer object exists, its tPlayValue is "true".
        // Every other path shows an alert and returns false.
        // NOTE(review): all of these checks run in the browser and none of
        // their results are sent to the server by the code on this page, so
        // the server has to enforce the time and viewing requirements itself.
        function dunn()
        {
        if(vTotalTime > vTimeReq)
        {
                // do one more check.  Check to see if the movie has been played
                if (window.theViewer)
                {
                        if(window.theViewer.getVariable('tPlayValue') == "true")
                        {
                                return true;
                        }
                        else
                        {
                                alert('You must watch the movie before you can continue');
                                return false;
                        }
                }
                // No viewer object on this page: the time check alone suffices.
                return true;
        }
        else
        {
                // Remember when the blocking alert is shown so its duration can
                // be excluded from the elapsed time below.
                vLeftAtTime = parseInt(new Date().getTime() / 1000);
                mins = parseInt((vTimeReq - vTotalTime) / 60);
                secs = parseInt((vTimeReq - vTotalTime) % 60);
                if(mins)
                        alert("You must spend an additional " + mins + " minutes and " + secs + " seconds on this page");
                else
                        // never reports 0 seconds; the floor is 1
                        alert("You must spend an additional " + ((secs > 0) ? secs : 1) + " seconds on this page");

                // vLeftAtTime was set just above, so this holds in practice; the
                // seconds spent in the alert are added to vMissedTime, which
                // updateClock() subtracts from the elapsed total.
                if(parseInt(vLeftAtTime) != 0)
                {
                        vMissedTime += parseInt(new Date().getTime() / 1000) - vLeftAtTime;
                        vLeftAtTime = 0;
                }
                window.focus();
        }
        return false;
        }

        // No-op handler installed by addHandlers(); returns undefined, so the
        // event's default action is left alone.
        function handler(e) {
            var unused = '';
        }

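        // Install the no-op handlers on the window, the document, every image,
        // link, form and form control, and on any embedded media objects
        // (theVideo, theViewer, theViewer2, theViewer3, ... and document.embeds).
        // Numbered viewers are looked up by property name instead of the
        // original eval("window.theViewer" + i); the result is the same object,
        // but no string is evaluated, so the page works under a CSP without
        // 'unsafe-eval'.
        addHandlers(window);
        addHandlers(document);
        for (var d = 0; d < document.images.length; d++) { addHandlers(document.images[d]); }
        for (var d = 0; d < document.links.length; d++) { addHandlers(document.links[d]); }
        if (window.theVideo)
        {
                addEHandlers(window.theVideo);
        }
        if (window.theViewer)
        {
                addEHandlers(window.theViewer);
        }
        // Probe theViewer2, theViewer3, ... until the first one that is missing.
        var i = 2;
        while (window["theViewer" + i])
        {
                addEHandlers(window["theViewer" + i]);
                ++i;
        }
        if (document.embeds)
        {
                for (var d = 0; d < document.embeds.length; d++) { addEHandlers(document.embeds[d]); }
        }
        for (var d = 0; d < document.forms.length; d++)
        {
                addHandlers(document.forms[d]);
                // forms[d].length is the control count; elements[e] is the control.
                for (var e = 0; e < document.forms[d].length; e++) { addHandlers(document.forms[d].elements[e]); }
        }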
        
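        // Recomputes the elapsed time and refreshes the visible countdown in
        // document.timer.timerVal (presumably a form named "timer" elsewhere on
        // the page — not shown here).  Reschedules itself every 10 ms.  When the
        // display reaches 0:00 it posts the F_ID3 identifiers via setCurSection().
        // The setTimeout callback is passed as a function reference instead of
        // the original "updateClock()" string, which was an implicit eval.
        function updateClock()
        {
                // Derived from the previous tick's vTotalTime.  vTimeLeft is an
                // implicit global; left that way to preserve the original behaviour.
                vTimeLeft = vTimeReq - vTotalTime;
                vTimeLeft = (vTimeLeft > 0) ? vTimeLeft : 0;
                vNow = parseInt(new Date().getTime() / 1000);
                // Seconds since the script ran, minus time dunn() spent in alerts.
                vTotalTime = vNow - vTimeStamp - vMissedTime;

                mins = parseInt((vTimeReq - vTotalTime) / 60);
                secs = parseInt((vTimeReq - vTotalTime) % 60);
                secs = (secs >= 10) ? secs : "0" + secs;   // becomes a string below 10

                // Once vTimeLeft reaches 0 the display is no longer refreshed.
                if (goClock && vTimeLeft && document.timer)
                {
                    document.timer.timerVal.value = mins + ":" + secs;
                    // mins is a number; "00" compares equal to 0 by numeric coercion.
                    if (mins == "00" && secs == "00") {
                        setCurSection(document.F_ID3.SECTION.value, document.F_ID3.MODULE.value, document.F_ID3.CHAPTER.value, document.F_ID3.USERID.value);
                    }
                }
                setTimeout(updateClock, 10);
        }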
//        updateClock();
</script>

<script type="text/javascript">
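    // XMLHttpRequest factory: the native object when available, otherwise the
    // first MSXML ProgID that instantiates.  The ProgID list is newest-first,
    // so the loop now stops at the first success; the original kept going and
    // ended up holding the oldest ProgID that worked.  Stays false when no
    // implementation exists (the window check also lets this run outside a
    // browser without throwing).
    var xmlhttp = false;

    if (typeof XMLHttpRequest != "undefined") {
        xmlhttp = new XMLHttpRequest();
    } else if (typeof window != "undefined" && window.ActiveXObject) {
        var aVersions = [ "MSXML2.XMLHttp.5.0",
            "MSXML2.XMLHttp.4.0", "MSXML2.XMLHttp.3.0",
            "MSXML2.XMLHttp", "Microsoft.XMLHttp"
        ];
        for (var i = 0; i < aVersions.length; i++) {
            try {
                xmlhttp = new ActiveXObject(aVersions[i]);
                break;   // keep the newest ProgID that works
            } catch (oError) {
                // this ProgID is not registered; try the next one
            }
        }
    }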

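    // Posts the current position (section, module, chapter, userId) to
    // /processSection.pl as a form-encoded body.  Each value now goes through
    // encodeURIComponent so a stray '&' or '=' cannot split the body; the
    // decimal/hex values in the hidden fields are unaffected.
    // The response is ignored: the readystatechange handler is a no-op, so the
    // page never learns whether the server accepted the update.
    // NOTE(review): only identifiers are sent — no elapsed time and nothing
    // bound to the countdown — so the server must enforce the minimum time on
    // its own rather than trust that this request arrives after it.
    function setCurSection(section, module, chapter, userId) {
        var params = "SECTION=" + encodeURIComponent(section) +
                     "&MODULE=" + encodeURIComponent(module) +
                     "&CHAPTER=" + encodeURIComponent(chapter) +
                     "&USERID=" + encodeURIComponent(userId);
        xmlhttp.open("POST", '/processSection.pl', true);
        xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        // "Connection" is a forbidden request header for XHR; spec-compliant
        // browsers drop it silently.  Kept for the legacy clients this targets.
        xmlhttp.setRequestHeader("Connection", "close");
        xmlhttp.onreadystatechange = function() {
            if (xmlhttp.readyState == 4) {
                // response intentionally unused
            }
        };
        xmlhttp.send(params);
    }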
</script>


</form>
</td>

<!-- Starts the countdown as soon as the parser reaches this point. -->
<script>updateClock();</script>


Someone please look through this and help me find the injection command to bypass this timer.

THANKS :D

#2 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,119 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 18 May 2011 - 03:01 AM

You don't want to watch the films?

in the address bar of your browser:
javascript: alert(dunn(return true));

OR

alert(window.theViewer.getVariable('tPlayValue') = true;)
alert((vTotalTime = 300);

I know FF will execute js from the address bar, not too sure about other browsers, though. You'll need to use alert() to hold the code w/o generating errors. The second idea, is a shot in the dark since you didn't post the code for the viewer application. So, you'll probably need to find a way to escape the single quotes. I know it is possible, I've done it before, but forgot how. If you get stuck just google something like, "XSS encode OR escape single quotes".

There are several ways to trick it. It's just a matter of finding something that isn't tamper resistant. Looking at the code it isn't too sophisticated at all. I'm not too good w/ js either, but I think you want to look at dunn(), and the preceding the function.

I haven't taken driver's ed in years, but do remember understanding content before the test proved a good idea.

#3 drewdaniels

drewdaniels

    Will I break 10 posts?

  • Members
  • 2 posts
  • Gender:Male

Posted 18 May 2011 - 09:16 AM

It's not just the movies but the page timer. And I've already taken drivers Ed but the DMV didn't accept it as a legit source even though I passed the test



