
Another javascript executing method #2

Closed ilatypov closed 5 years ago

ilatypov commented 5 years ago

...seems to be a worker's importScripts, as I found in the dangerously ubiquitous Content Insights, which executes code from social networks around the world, including Russia-based ones.

https://docs.contentinsights.com/setup/

  function getSocial(t, e) {
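    /**
     * Fetch a social-share count by loading a remote JSONP endpoint inside a
     * throw-away Web Worker.
     *
     * The worker source is assembled as a string: an optional JS prefix (`i`),
     * a `cb` function that posts its argument back to the page, and an
     * `importScripts()` of `t` with `e` appended as query parameters plus a
     * cache-busting `x`. Whatever the host behind `t` returns is executed with
     * full worker privileges, so `t` must be a fixed, trusted origin. The URL
     * is embedded as a JSON-escaped string literal and each parameter is
     * query-encoded, so neither a quote in `t` nor an `&`/`=` in a value can
     * alter the worker source or smuggle extra parameters into the request.
     * Nothing happens when the runtime has no `Worker`.
     *
     * @param {string} t - Script URL to load via importScripts (JSONP endpoint).
     * @param {Object<string, *>} e - Extra query parameters appended to `t`.
     * @param {function(MessageEvent): void} n - Called once with the worker's
     *   first message event; the worker is terminated afterwards, even if the
     *   callback throws.
     * @param {string} [i=''] - JavaScript source prepended to the worker body
     *   (callers use it to predefine globals the remote script expects).
     * @returns {void}
     */
    function n(t, e, n, i) {
      if ('undefined' === typeof Worker) {
        return;
      }
      var prefix = void 0 === i ? '' : i;
      // Encode both halves of every pair so a value containing '&' or '='
      // cannot inject additional parameters into the remote request.
      var query = Object.keys(e).map(function (key) {
        return '&' + encodeURIComponent(key) + '=' + encodeURIComponent(String(e[key]));
      }).join('');
      // JSON.stringify yields a valid JS string literal, so a quote or
      // backslash in the URL cannot break out of the importScripts argument.
      var scriptUrl = JSON.stringify(t + '?callback=cb' + query + '&x=' + Math.random());
      var source = prefix +
        'var cb = function(val) { postMessage(val) };' +
        'try { importScripts(' + scriptUrl + '); } catch (ex) {}';
      var blob = new Blob([source], { type: 'text/javascript' });
      var blobUrl = window.URL.createObjectURL(blob);
      var worker = new Worker(blobUrl);
      var timer = null;
      // Single teardown path: stop the worker, release the object URL so it
      // does not outlive the worker, and cancel the watchdog so it cannot
      // fire after the worker is already gone.
      var finish = function () {
        if (timer !== null) {
          clearTimeout(timer);
          timer = null;
        }
        worker.terminate();
        window.URL.revokeObjectURL(blobUrl);
      };
      worker.onmessage = function (evt) {
        // finally guarantees teardown even when the consumer callback throws.
        try {
          n(evt);
        } finally {
          finish();
        }
      };
      // Errors inside the worker are best-effort by design: the count is
      // simply missing and the watchdog below still reclaims the worker.
      worker.onerror = function () {
      };
      // Watchdog: never keep a worker alive longer than 10 s waiting on the
      // remote host.
      timer = setTimeout(finish, 10000);
    }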
    for (var i = [
      'fb_count',
      'vk_like',
      'vk_share',
      'ok_count',
      'ln_count',
      'pn_count',
      'gp_count'
    ], a = [
      0,
      1,
      2
    ], o = [
      4,
      2,
      1
    ], r = 0, s = 0; s < o.length; s++) r += o[s];
    for (var c = [
    ], u = 0; u < a.length; ) {
      for (s = 0; s < o[u]; s++) c[c.length] = a[u];
      u++
    }
    switch (c[Math.floor(Math.random() * r)]) {
      case 0:
        isSocialCountPredefined('fb_count') || n('https://graph.facebook.com/', {
          format: 'jsonp',
          id: t,
          fields: 'og_object{engagement{count}},share'
        }, function (t) {
          var n = '';
          void 0 !== t.data.og_object && (n += '&fb_count=' + t.data.og_object.engagement.count),
          void 0 !== t.data.share && (n += '&fb_share_count=' + t.data.share.share_count),
          e(n)
        }),
        isSocialCountPredefined('vk_share') || n('https://vk.com/share.php', {
          act: 'count',
          url: t
        }, function (t) {
          void 0 !== t.data && e('&vk_share=' + t.data)
        }, 'var VK = { Share: { count: function(a, b){ postMessage(b); } }};');
        break;
      case 1:
ilatypov commented 5 years ago

(I do not know the reason for so much complexity in the code. Perhaps it is trying to bypass some web application filters?)

ilatypov commented 5 years ago

This code appears to be included in a local newspaper, as Content Insights bills itself as an analytical dashboard showing statistics about online readers. The code is included via the link https://d7d3cf2e81d293050033-3dfc0615b0fd7b49143049256703bfce.ssl.cf1.rackcdn.com/stf.js

from every article such as

https://www.therecord.com/news-story/9243893-former-bf-goodrich-employee-among-rubber-workers-looking-for-closure/

s0md3v commented 5 years ago

What in the uncle nephew-son, satellite dish hooked up to the trailer, kool aid without sugar, frozen pizza dinner, five teeth missing, creek water sippin, tobacco dip packin, dumpster diving, out of toilet paper so I had to use my hand, tractor driving, catfish selling, cat piss smelling, dog food chompin, Yee Yee yelling, camel cigarette smoking bullshit is this?