Hacking TGP Brownie javascript redirect with cURL

I've been challenged by cURL's inability to follow JavaScript redirects such as


document.location.href=dyJvo;

Some people do this for security reasons, as they don't want scripts or bots to be able to access the web page.

So this is how I change the rules of the game.

When I do a normal cURL GET request, I get the following response:

TGP Brownie

function kgDgcxsJR() {
var lbyXE = 'YdJrjlIwdWIspCNn';
var tKedu = 'wkenESdrNlxONGIE';
var dyJvo = 'QFPgzysIDcNdszwh';
var mFvGU = 751092;
var RZvuP = 432329;
mFvGU = mFvGU + RZvuP;
dyJvo = 'http://www.xyz.com/cgi-bin/brownie/submit.cgi' + '?' + 'fp=' + tKedu + mFvGU + dyJvo + lbyXE;
document.location.href=dyJvo;
}

Please turn on JavaScript

As you can see, the way that special code fp= is generated is quite impossible to crack unless you write a JParser in PHP, which, surprisingly enough, somebody has already done. Also, those special codes change every time you visit that submission script. Sometimes it even uses some weird values like Math.random.

So far I play by the rules, and then once that page is loaded in the client-side browser I break the rules by intercepting it and changing the bit that says "http://www.xyz.com/cgi-bin/brownie/submit.cgi" to redirect to my own local server. So it becomes something like this:

TGP Brownie

function kgDgcxsJR() {
var lbyXE = 'YdJrjlIwdWIspCNn';
var tKedu = 'wkenESdrNlxONGIE';
var dyJvo = 'QFPgzysIDcNdszwh';
var mFvGU = 751092;
var RZvuP = 432329;
mFvGU = mFvGU + RZvuP;
dyJvo = 'http://mylocalserver/brownie.php' + '?' + 'fp=' + tKedu + mFvGU + dyJvo + lbyXE;
document.location.href=dyJvo;
}

Please turn on JavaScript

This is where my brownie.php comes into play, and I can simply hijack the secret code of fp= from $_GET and redirect back to my cURL script :D. After this I do another POST/GET with that special code and voila!
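
The same scheme seen from the server side, as an added example that is not from the original post and is not TGP Brownie's code: a hypothetical issuer and verifier that builds fp in the order the page's script concatenates it and accepts it once, within a short lifetime. The function names, the in-memory store and the 60-second lifetime are assumptions; passing this check only shows that some client evaluated the script, not which client submits the result.

```javascript
// Added example: hypothetical server-side model of an fp= challenge.
// Not TGP Brownie's code; names, the store and the TTL are assumptions.
const crypto = require('crypto');

const TTL_MS = 60 * 1000;      // assumed challenge lifetime
const pending = new Map();     // sessionId -> { fp, expires }

// Random letters, like the 16-character values in the page's script.
function randLetters(n) {
  const abc = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
  let out = '';
  for (let i = 0; i < n; i++) out += abc[crypto.randomInt(abc.length)];
  return out;
}

// Same order as the page's script: tKedu + (mFvGU + RZvuP) + dyJvo + lbyXE,
// modelled here as head + (a + b) + mid + tail.
function expectedFp(p) {
  return p.head + String(p.a + p.b) + p.mid + p.tail;
}

// Generate the values the server would embed in the obfuscated script
// and remember the fp it expects back for this session.
function issueChallenge(sessionId, now = Date.now()) {
  const parts = {
    head: randLetters(16), mid: randLetters(16), tail: randLetters(16),
    a: crypto.randomInt(100000, 1000000),
    b: crypto.randomInt(100000, 1000000),
  };
  pending.set(sessionId, { fp: expectedFp(parts), expires: now + TTL_MS });
  return parts;
}

// Accept an fp at most once per challenge and only before it expires.
function verifyFp(sessionId, fp, now = Date.now()) {
  const entry = pending.get(sessionId);
  pending.delete(sessionId);   // single use, whether the check passes or fails
  if (!entry || now > entry.expires) return false;
  const got = Buffer.from(String(fp));
  const want = Buffer.from(entry.fp);
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}
```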