Author Topic: Webhack/debug php/javascript  (Read 1280 times)

0 Members and 1 Guest are viewing this topic.

Offline Lt_O

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 1
    • View Profile
Webhack/debug php/javascript
« on: September 24, 2015, 05:11:50 am »
Hello, I'm new here and I'd like some help to modify some values in an online application...

 I think I know how the procedure works, but I'm still having trouble to get to the source of it to be able to modify the things I want...
The website is tetrisfriends.com

It's a little flash application, that rewards the users with gifts, after you spin it... However the flash app itself only is being used to show the user what he won, and show your prices... The stuff you have won is being defined earlier in the process I found out...
First it triggers this link: /users/ajax/daily_spin_popup.php?action_token=ab75e41f11dbb00f 612a403cfa58a2c0 (the token being a random value), I think the token also doesn't have to do with the prize you will earn... It's just to verify your session I guess.
Then it generates a page like this (I intercept them with my webdebug proxy, Charles...)

Code: (html) [Select]
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Tetris - Daily Spin</title>
<link rel='stylesheet' href='http://tetrisow-a.akamaihd.net/data4_0_0_1/stylesheets/combined.min.css' type='text/css' media='screen' /> <script type='text/javascript' src='http://tetrisow-a.akamaihd.net/data4_0_0_1/javascripts/combined.min.js' charset='utf-8'></script> </head>
<body class='popup_body'>
<div id='daily_spin_container'>
<a id='daily_spin_close_btn' class='button button_small_grey button_small_grey_close user_stats_close_btn floatright' href='javascript:void(0)' onclick='closeDailySpinPopup()'></a>

<div id="daily_spin_content"></div>
</div>


<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
var swf = "/data/images/OWDailySweepstakes.swf?prize1=token:15&prize2=toke n:15&dayOfWeek=6&numOfDays=1&inTFActionToken=cdec8 58480c6553124bbc2edde21f968";
var vPage = "/daily_spin_popup";
var spinCount = 2;
var prizeTags = "token:15&token:15";

$(document).ready(function() {
swfobject.embedSWF(swf, "daily_spin_content", 640, 500, "9.0.0", {}, {}, {wmode: "transparent"}, {allowscriptaccess: "always"}, {id:"dailySpinSwf", name:"dailySpinSwf"});

try {
pageTracker = _gat._getTracker("UA-886022-5");
pageTracker._trackPageview(vPage);
} catch(err) {}

toggleAd(false);
});

function toggleAd(showAd) {
try {
if (showAd) {
$(window.top.document.getElementById("home_custom_ ad_content")).css({ 'left': 0, 'position': 'relative' });
$(window.top.document.getElementById("home_adverti sement")).css('left', 0);
} else {
$(window.top.document.getElementById("home_custom_ ad_content")).css({ 'left': -9999, 'position': 'relative' });
$(window.top.document.getElementById("home_adverti sement")).css('left', -9999);
}
} catch(err) {}
}

function closeDailySpinPopup() {
try {
pageTracker = _gat._getTracker("UA-886022-5");
pageTracker._trackPageview(vPage + '/close');
} catch(err) {}

setTimeout("window.top.Shadowbox.close()", 250);

toggleAd(true);
}
</script>


</body>
</html>

You can see where it shows and defines the price tags etc in this page... So it seemed easy to edit, however if I'm changing the prizes to what I want, which perfectly works, the flash spinner starts, gives me those prizes, but when I leave, it doesn't reward me those gifts... Instead it gives me the ones that were originally meant to be given to me...
So I suppose what you will earn with the daily spinner on that site, is defined before this page is created or the flash application starts...I would have to access that information to change the stuff I want  But so the problem is I cannot find where that info is stored, like that you will receive 10 tokens and 10 armor with the daily spinner, for example... in my webdebugging proxy I'm not finding any config files, or links to, where it says what you will get there... I'm not an expert with javascript, maybe someone can see some more in these functions... There is a file "combined.js" which contains the function of the dailyspinner... and of the link it gets than to reward the gifts.... :

Code: (html) [Select]
function popUpDailySpin(a){popUpBoxByUrl("/users/ajax/daily_spin_popup.php?action_token="+a,640,510,"",f unction(){setTimeout("refreshMiniProfile()",0)})}f unction refreshMiniProfile(){addLoadingAnimation("#home_mi ni_profile_container");$("#home_mini_profile_conta iner").load("/users/_inc/mini_profile.php",function(){removeLoadingAnimatio n("#home_mini_profile_container")})}

And

Code: (html) [Select]
function activateRewards(b){if(!activateSent){activateSent= true;try{if(typeof(spinCount)==undefined||typeof(s pinCount)=="undefined"){spinCount=1}var e=prizeTags.split("&");pageTracker=_gat._getTracke r("UA-886022-5");pageTracker._trackPageview("/daily_spin_popup/spin"+spinCount);for(var a=0;a<e.length;a++){var d=e[a].split(":");pageTracker._trackEvent("DailySpin",d[0],d[1])}}catch(c){}$.get("/users/ajax/activate_promo_item.php?rewardSpin=1",function(f){ })}}function toggleTroubleElements(b){var a=["select","object","embed","canvas"];for(var d=0;d<a.length;d++){var e=document.getElementsByTagName(a[d]);for(var c=0;c<e.length;c++){if(b){$(e[c]).css("visibility","visible")}else{$(e[c]).css("visibility","hidden")}}}}
Those are the javascript codes taht are being used on the site and I also see them in my proxy so these are being used to run the spinner... I've been looking into this a lot, so I would be really happy if someone could help me with this... So it basically gives you the rewards that were originally picked for you, when you finish the spin... even if you let the spinner give you something else... So I'd have to access the source where the original gifts are defined, or what links to it...

Thanks
 ::)
« Last Edit: September 24, 2015, 06:28:02 am by iTpHo3NiX »

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
    • View Profile
    • EvilZone
Re: Webhack/debug php/javascript
« Reply #1 on: September 24, 2015, 06:23:05 am »
Please use code tags
Code: [Select]
[code] when posting code. It also has syntax highlighting to enable you to do code=c++

To close it out you would do [ / code] without the spaces
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry

Offline smack.it

  • NULL
  • Posts: 4
  • Cookies: 1
    • View Profile
Re: Webhack/debug php/javascript
« Reply #2 on: October 12, 2015, 03:09:35 am »
You are wasting your time, it's not gonna work.
Here's how it works.

You create account

GET /users/register_thank_you.php?saveGame=true&guestId=60447780
Then it triggers this
GET /users/ajax/daily_spin_popup.php?action_token=df1dd1d3c5ade92804693d81c77e3d6a

This action_token is nothing magical, as far as i could tell it's pretty much static, never the less. Server actually verifies how many times you have spinned, so there is no cheating.

And now it triggers this

GET /data/images/OWDailySweepstakes.swf?prize1=token:50&dayOfWeek=7&numOfDays=0&inTFActionToken=df1dd1d3c5ade92804693d81c77e3d6a


These arguments are just for flash, in reality nothing depends on it, besides showing that you won 50 tokens.

And now the last part.
GET /users/ajax/activate_promo_item.php?rewardSpin=1

I assume it does pretty much what it says it does, activates what you won.

Your price is created on the server side, you can't manipulate it just by editing some fields on the client side.

GET /users/ajax/daily_spin_popup.php?action_token=df1dd1d3c5ade92804693d81c77e3d6a

This is was creates your price, token is probably just your username and that's it.

End of story, but good luck anyways.


Offline Lt_O

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 1
    • View Profile
Re: Webhack/debug php/javascript
« Reply #3 on: October 26, 2015, 03:30:59 pm »
You are wasting your time, it's not gonna work.
Here's how it works.

You create account

GET /users/register_thank_you.php?saveGame=true&guestId=60447780
Then it triggers this
GET /users/ajax/daily_spin_popup.php?action_token=df1dd1d3c5ade92804693d81c77e3d6a

This action_token is nothing magical, as far as i could tell it's pretty much static, never the less. Server actually verifies how many times you have spinned, so there is no cheating.

And now it triggers this

GET /data/images/OWDailySweepstakes.swf?prize1=token:50&dayOfWeek=7&numOfDays=0&inTFActionToken=df1dd1d3c5ade92804693d81c77e3d6a


These arguments are just for flash, in reality nothing depends on it, besides showing that you won 50 tokens.

And now the last part.
GET /users/ajax/activate_promo_item.php?rewardSpin=1

I assume it does pretty much what it says it does, activates what you won.

Your price is created on the server side, you can't manipulate it just by editing some fields on the client side.

GET /users/ajax/daily_spin_popup.php?action_token=df1dd1d3c5ade92804693d81c77e3d6a

This is was creates your price, token is probably just your username and that's it.

End of story, but good luck anyways.

Thanks, about that action token I didn't know that :) but I've already found another way to hack those tokens ;)