How to see locked HTML code, how to bypass social content lockers and other website info gathering countermeasures

Is it possible to protect the HTML code of a web page?

The source code of a web page cannot be protected from viewing; that is a fact. But you can make the task of analyzing the code more difficult. Completely ineffective methods include locking the right mouse button. More effective means include obfuscating the code, especially if the code is not present in the page source but is loaded from different files using JavaScript, and if it is also obfuscated at each stage (both the JavaScript and the HTML itself). In this case, everything becomes much more difficult. But such cases are quite rare and are mostly found on the websites of very large companies. We will consider simpler options.

How to view the source HTML code of a web page if the right mouse button and CTRL+u are locked

If the right mouse button does not work, then just press CTRL+u. I came across a site where CTRL+u also refused to work:

CTRL+u can be disabled using JavaScript. That is, the first option is obvious: with JavaScript disabled, the source code will not be “locked”.

Another option is to find the “Show source code” item in the browser menu. In Firefox this item is there, but personally it always takes me a lot of time to find it))) In Chrome, I can't find this option in the browser menu at all, so remember the line

view-source:

If this line is added before any site address and the result is pasted into the address bar of a web browser, the source code of that page will be opened.

For example, to see the HTML of the https://suip.biz/?act=view-source page, I paste the line view-source:https://suip.biz/?act=view-source into the browser's address bar and get the source code.

By the way, if it’s hard for you to remember view-source, then here’s the appropriate service: https://suip.biz/?act=view-source (don’t laugh at its “complexity”: no one can remember everything in life, and sometimes it’s really easier to open such a page and use it to get the string you need to view the source code).

By the way, about disabling JavaScript: there is no need to dig into the ‘deep’ browser settings and look for where this option is. You do not even need to disable JavaScript; it is enough to pause the execution of scripts for a specific page.

To do this, press F12, then in the developer tools go to the Sources tab and press F8 there:

Now the CTRL+u key combination will work on the site page, as if it has never been disabled.

Bypassing social content lockers

A social content locker looks like this:

The point is the following: to view the content, you need to ‘like’ the article on a social network.

“Under the hood” it (usually) works like this: the “hidden” text is already present in the HTML page, but is hidden with the inline style style="display: none;". Therefore, it is enough to:

  1. open the HTML page protected by the social content locker
  2. find all occurrences of style="display: none;" (usually there are not very many).

An example of “hacking” a social content locker:

Hidden text:

<p style="text-align: center;">
<div class="onp-locker-call" style="display: none;" data-lock-id="onpLock251327">
<p><a href="https://bit.ly/2qjwSYc" rel="nofollow">Mirror Link</a></p>
</div>
</p>

But it’s not very convenient to dig into the source code every time, so I … made an online service that retrieves the data hidden by social lockers for you; its address: https://suip.biz/?act=social-locker-cracker

It can bypass four social content lockers and has a “heuristic” analysis: it turns on if no result is found, and then displays the contents of all blocks with style="display: none;".

By the way, if you come across pages that this service cannot bypass – just write a link to the problem page in the comments – I will add the appropriate ‘handler’.
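Because such a locker only toggles display:none, it is a presentation control and not an access control: anything it "hides" has already been delivered to every visitor. The following added example (not code from this post or from the suip.biz service) is a small audit a site owner can run over their own rendered HTML to list what ships inside inline-hidden elements. The sample page is constructed, its URL is a placeholder, and the names HiddenContentAudit and audit are hypothetical.

```python
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags that never get a closing tag

# Constructed sample modelled on the snippet above; the URL is a placeholder.
SAMPLE_PAGE = """
<p>Intro text every visitor sees.</p>
<p style="text-align: center;">
<div class="onp-locker-call" style="display: none;" data-lock-id="onpLock251327">
<p><a href="https://example.com/mirror" rel="nofollow">Mirror Link</a></p>
</div>
</p>
<div class="footer">Visible footer</div>
"""

class HiddenContentAudit(HTMLParser):
    """Collect text and links shipped inside elements hidden by inline display:none."""
    def __init__(self):
        super().__init__()
        self.open_tag = None   # name of the hidden element we are currently inside
        self.depth = 0         # nesting count of same-named tags inside it
        self.findings = []     # one dict per hidden element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if self.open_tag:
            self.depth += tag == self.open_tag      # nested tag of the same name
        elif "display:none" in style and tag not in VOID:
            self.open_tag, self.depth = tag, 1
            self.findings.append({"class": a.get("class", ""), "text": [], "links": []})
        if self.open_tag and tag == "a" and a.get("href"):
            self.findings[-1]["links"].append(a["href"])

    def handle_endtag(self, tag):
        if tag == self.open_tag:
            self.depth -= 1
            if self.depth == 0:                     # hidden element fully closed
                self.open_tag = None

    def handle_data(self, data):
        if self.open_tag and data.strip():
            self.findings[-1]["text"].append(data.strip())

def audit(html):
    """Return every inline-hidden element's class, text and links."""
    parser = HiddenContentAudit()
    parser.feed(html)
    return parser.findings
```

Any finding that is meant to be restricted should be delivered by the server only after the condition is met, not embedded in the initial response.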

The site that I show in the screenshots seems to spread counterfeit software. I looked at the links with the help of the cracker of social content lockers – it turned out that all the hidden links are absolutely non-bonded: they lead to the demo version of the programs or to the official website. In some articles there are no links at all. I was interested in such “marketing” and I decided to search for other sites of the same author.

Search for fake pirate sites

On the “Checking if the site uses CloudFlare” service, we check:

This site is behind CloudFlare – Ha ha, classic!

We look at the IP history of the domain on securitytrails: https://securitytrails.com/domain/macwinsofts.com/history/a

We see there:

  • Cloudflare, Inc. - these are today's IP addresses
  • GoDaddy.com, LLC - auction, domain parking and the like
  • Contabo GmbH - quite possibly the real hosting where this site is located

So, it is likely that the IP of this site is 173.249.15.230. At present, securitytrails has no information on the sites associated with this IP.

Therefore, we go to the “List of sites on one IP” service, enter 173.249.15.230 as source data and get there:

List:

  • haxsofts.com
  • crackways.com
  • crackmafia.org

All the sites have a similar modus operandi: everywhere there is a social content locker, and everywhere, instead of pirate links, there are links to the demo version, links to official sites, or simply nothing under the locked content.

Site IP Verification with cURL

For IP verification, I usually use the following command:

curl -v 173.249.15.230 -H 'Host: SITE_ADDRESS'

For example:

curl -v 173.249.15.230 -H 'Host: macwinsofts.com'

Or like this, if you need to check the site over HTTPS:

curl -v https://173.249.15.230 -H 'Host: macwinsofts.com'

But server 173.249.15.230 is configured so that absolutely any host, even if you write “dfkgjdfgdfgfd” there, is redirected to the HTTPS address, that is, to “https://dfkgjdfgdfgfd”. And the server itself does not accept HTTPS requests at all: the web server is not configured to process them and port 443 is not even open.

In principle, it can be shown indirectly that this server is configured to process the macwinsofts.com host. For example, this request almost instantly causes a 503 error:

curl -v 173.249.15.230/wp-content/uploads/2018/10/ReiBoot-Crack-Mw.png -H 'Host: fake.com'

But this request, although it also causes a 503 error, makes the server ‘think’ for a long time:

curl -v 173.249.15.230/wp-content/uploads/2018/10/ReiBoot-Crack-Mw.png -H 'Host: macwinsofts.com'

Apparently, due to peculiarities of the configuration, endless redirects occur there and in the end the connection is reset on timeout.

This method also allows brute-forcing files and folders:

curl -v 173.249.15.230/.htaccess -H 'Host: macwinsofts.com'

And this query gives quite an interesting result:

curl -v 173.249.15.230/wp-content/uploads/2018/10/ReiBoot-Crack-Mw.png -H 'Host: ya.com'
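Seen from the server side, the requests above stand out: they reach the origin directly with a Host header that is either the bare IP or a name the server does not serve. The following added example (not from the original post) flags such clients in an access log. The log format "client host request status", the served host names and all log lines are constructed assumptions, and classify_host and find_probes are hypothetical names.

```python
import ipaddress

# Assumption: the virtual hosts this origin is actually meant to serve.
SERVED_HOSTS = {"shop.example", "www.shop.example"}

# Constructed log lines in an assumed format: client_ip host "request" status
SAMPLE_LOG = """\
203.0.113.10 shop.example "GET / HTTP/1.1" 200
198.51.100.7 192.0.2.80 "GET / HTTP/1.1" 301
198.51.100.7 dfkgjdfgdfgfd "GET / HTTP/1.1" 301
198.51.100.7 fake.com "GET /wp-content/uploads/logo.png HTTP/1.1" 503
198.51.100.7 shop.example "GET /.htaccess HTTP/1.1" 403
203.0.113.10 www.shop.example "GET /about HTTP/1.1" 200
"""

def classify_host(host):
    """Return 'served', 'bare-ip' or 'unknown-host' for a Host header value."""
    name = host.lower()
    if name.count(":") == 1:              # strip a port from name:port or IPv4:port
        name = name.split(":")[0]
    try:
        ipaddress.ip_address(name)
        return "bare-ip"                  # request addressed to the IP itself
    except ValueError:
        pass
    return "served" if name in SERVED_HOSTS else "unknown-host"

def find_probes(log_text, threshold=2):
    """Map client IP -> suspicious (kind, host) hits, for clients at or above threshold."""
    per_client = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue                      # skip malformed lines
        client, host, _rest = parts
        kind = classify_host(host)
        if kind != "served":
            per_client.setdefault(client, []).append((kind, host))
    return {c: hits for c, hits in per_client.items() if len(hits) >= threshold}

if __name__ == "__main__":
    for client, hits in find_probes(SAMPLE_LOG).items():
        print(client, hits)
```

A default virtual host that refuses unknown Host values, together with a firewall that only admits the CDN's address ranges, removes the signal these requests rely on.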

Conclusion

What is the point of these sites? Some of them have .exe files for download – perhaps viruses or some dubious monetization. Although I checked on virustotal – like, the file is not malicious. Those sites that do not have executable files for download are apparently waiting for traffic to grow, to then begin distributing this executable file.

Perhaps the owner expects an increase in traffic to enable monetization or to spread viruses.
