Track users where you normally can’t track users

For those of you who wondered about this stupid monkey posted earlier, here’s some explanation. At least part 1 of the explanation.

Web 2.0 sites like myspace, youtube or facebook usually won't let you track your visitors, and they rarely, if ever, tell you how many visitors you have had. Some (e.g. myspace) give you a tiny amount of data: the total number of visitors and, if the visitors have enabled the feature, the last visitors on your profile; if they have disabled it, you don't even get that. On most of these sites it is impossible to include JavaScript in your profile, and code like

<img src="script.php?var=foo" alt="" />

will not work either, because the URL obviously does not point to a picture, so it is blocked.

So, how to do some more statistics on pages where we normally couldn’t get the data from?

The idea is inspired by a presentation Mike Shrenk gave at DefCon, where a method for simple image "exploitation" was shown. All you need is a web server with a scripting language on it (it's easy to get free web space with PHP or Perl support). After creating or changing your .htaccess file you are ready to go. In this first example I will show how to count the visitors of a myspace profile. We will use JPEG images, so we add

AddType application/x-httpd-php .jpg

to our .htaccess file to treat all files with the extension .jpg as PHP scripts. (That is the MIME type mod_php registers; hosts that run PHP as CGI or FastCGI need an AddHandler line instead, so check your host's documentation.) One caveat: the rule applies to every .jpg in that directory, including real pictures you upload there, so give the script a directory of its own or scope the rule to the one file with a <Files "script.jpg"> block. Fortunately myspace is one of the sites that let you embed images hosted on other servers, but only valid images, not scripts like PHP files (see above). Myspace only checks the file extension, so you would not even need to return valid image bytes; nevertheless, for this example we want to hide our script completely behind something inconspicuous. What we are going to do is not really an exploit. It is the classic tracking-pixel idea, smuggled past a filter that trusts the file extension instead of the bytes it gets back. This will not be the best code, but it shows the trick, and everything that follows relies on your creativity. I wrote this example in PHP with the GD library; you could also use other languages, e.g. JSP with java.awt.

What we need to do:

  1. Create a database to store the data (we could also use cookies, but a database is much more accurate, because cookies can be deleted by the user).
  2. Create a script file to track users and store data in the database.
  3. Within the script, create an image showing the current count of visits.

So, to create the table we simply use phpMyAdmin or type something like this into a MySQL console:

CREATE TABLE `somedb`.`visitors` (
`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`ip` VARCHAR( 255 ) NOT NULL ,
`ref` VARCHAR( 255 ) NOT NULL ,
`tm` VARCHAR( 255 ) NOT NULL
) ENGINE = MYISAM

Yeah, it's not optimized, bla bla, but it'll work. Now that we have created our table to store the data, we need a script that handles the visitors and gives us a nice picture.

<?php
// SQL data
$sqluser = "someuser";
$sqlpass = "lamepass";
$sqldb   = "somedb";
$sqltabl = "visitors";
$sqlserv = "somehost";

// Connect to the database (mysqli; the old mysql_* functions no longer exist in PHP 7+)
$link = @new mysqli($sqlserv, $sqluser, $sqlpass, $sqldb);
if ($link->connect_errno) {
    // Fail silently: an error page would blow our cover, a plain image will not.
    $link = null;
}

/* We simply fetch the IP of the client and its referrer (the header is spelled
   HTTP_REFERER, with one R, and browsers do not always send it) and create
   a timestamp */
$ip  = $_SERVER['REMOTE_ADDR'];
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$tm  = time();

$visits = 0;
if ($link !== null) {
    // Count how many visits were logged before this one (profile-wide, not per user)
    if ($res_cnt = $link->query("SELECT COUNT(*) FROM `$sqltabl`")) {
        $row    = $res_cnt->fetch_row();
        $visits = (int) $row[0];
        $res_cnt->free();
    }

    /* Insert the user data with a prepared statement: the Referer header is
       controlled by the visitor, and pasting it into the query string would
       turn our tracking script into an SQL injection hole on our own server. */
    $stmt = $link->prepare("INSERT INTO `$sqltabl` (`ip`, `ref`, `tm`) VALUES (?, ?, ?)");
    if ($stmt) {
        $stmt->bind_param("ssi", $ip, $ref, $tm);
        $stmt->execute();
        $stmt->close();
    }
    $link->close();
}

/* Now that we stored the user data, let's create some image and
   output the visit count, but first check if it's the first visit. */
if ($visits > 0) {
    $msg = "Visit nr.: $visits";
} else {
    $msg = "First visit here!";
}

// The image we want to use as a background (GD reads it straight from disk,
// so the .htaccess rule does not get in the way)
$file = "someimage.jpg";
$img  = imagecreatefromjpeg($file);
$text_color = imagecolorallocate($img, 0xFF, 0xFF, 0x00);

// This header will cloak us more: the response really is a JPEG
header("Content-type: image/jpeg");
// Font size: 5, X:10, Y:20
imagestring($img, 5, 10, 20, $msg, $text_color);
/* Print image and clean up the garbage,
   so we don't get memory problems */
imagejpeg($img);
imagedestroy($img);
exit;
?>

Save that as "script.jpg" and that's all we need! It really is as simple as it looks. If we now embed that image in our myspace profile, we can count every single visitor of the page and log his referrer. The nice thing is that we post the image exactly like a normal JPEG image,

<img src="script.jpg" />

and so it's also possible to run script files where you normally can't. You can imagine that logging these two values is not the end of the road, but even this tiny piece of data helps us build some nice statistics.

Now we can count the visitors who followed the link we posted on twitter and compare them with the internal link posted on myspace (as long as the browser sends a Referer header; many browsers and privacy settings strip it, so those visits show up with an empty referrer). From the IP address we can also estimate the geographical location of the visitor. We could place one picture on each of our profile pages and see which of them gets more visitors.

Even more fun is counting visitors on profiles you don't even own. On myspace it is not only possible to post images on your own profile, but also to put them in a comment you leave on a friend's profile. If the comments are not moderated it's easy going, and even if they are, a winter landscape with "Merry Christmas" on it is not suspicious during Christmas time. The profile owner cannot see the script behind the image: all he gets is a valid JPEG, however he displays or downloads it, and the source stays on our server. What he can notice is that the image is not static. Fetching it twice gives two different files (the counter text changes), and the response carries no Last-Modified or ETag header unless we add one, which a real picture served from disk would have. A site that wants to stop this has to fetch remote images itself and serve them from its own cache (an image proxy), so the third-party server only ever sees the site's IP addresses, not the visitors'.
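Two things in this post deserve a concrete check: that "only checks the file extension" is a different filter from actually inspecting the bytes (and that the counter script passes a byte check anyway, because it returns a real JPEG), and that a profile owner or site operator can still spot the image by its behaviour rather than its source. The following Python is an added example, not code from the original post. It works on captured (headers, body) pairs so it runs offline; the sample responses, the minimal JPEG built by `_jpeg()` and the PHP warning text are all constructed for the demo.

```python
"""Check whether a remote 'image' is structurally a JPEG, and whether repeated
fetches behave like a static file or like the counter script above.

Added example, not code from the original post. Runs offline on captured
(headers, body) pairs; all sample data below is constructed by hand.
"""
import hashlib

# Markers that carry no length field (TEM, RST0-7, SOI, EOI)
STANDALONE = {0x01, 0xD0, 0xD1, 0xD2, 0xD3, 0xD4, 0xD5, 0xD6, 0xD7, 0xD8, 0xD9}
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def is_valid_jpeg(data: bytes) -> bool:
    """Walk the marker segments from SOI to EOI.

    This is what checking the bytes looks like, as opposed to trusting the
    '.jpg' in the URL. The counter script passes this check too, since GD
    emits a real JPEG, so byte validation alone does not stop tracking images.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return False
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte between markers, skip it
            pos += 1
            continue
        if marker == EOI:
            return True
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 3 >= len(data):
            return False
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2:
            return False
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows the SOS header: skip until a marker
            # that is neither a stuffed 0xFF00 nor a restart marker FFD0..FFD7.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return False


def looks_dynamic(fetches) -> dict:
    """Compare repeated fetches of one URL: list of (headers, body) pairs.

    A picture served from disk gives identical bytes and a validator header;
    the counter script renders a new image with a new number on every hit.
    """
    digests = {hashlib.sha256(body).hexdigest() for _, body in fetches}
    headers = [{k.lower(): v for k, v in h.items()} for h, _ in fetches]
    return {
        "body_changes": len(digests) > 1,
        "no_validator": any("last-modified" not in h and "etag" not in h for h in headers),
        "sets_cookie": any("set-cookie" in h for h in headers),
        "not_image_type": any(not h.get("content-type", "").startswith("image/") for h in headers),
    }


def verdict(fetches) -> str:
    """One-line classification of a set of fetches of the same image URL."""
    if not all(is_valid_jpeg(body) for _, body in fetches):
        return "not a JPEG"
    flags = looks_dynamic(fetches)
    if flags["body_changes"] or flags["no_validator"] or flags["sets_cookie"]:
        return "dynamic image (possible tracker)"
    return "static image"


def _jpeg(scan: bytes) -> bytes:
    """Build a minimal, structurally valid JPEG around the given scan bytes.
    Constructed for the demo: it parses, but it is not a decodable picture."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


# Constructed captures. A real picture: same bytes twice, with Last-Modified.
STATIC_IMAGE = [
    ({"Content-Type": "image/jpeg", "Last-Modified": "Sat, 01 Nov 2008 10:00:00 GMT"}, _jpeg(b"\x12\x34\x56")),
    ({"Content-Type": "image/jpeg", "Last-Modified": "Sat, 01 Nov 2008 10:00:00 GMT"}, _jpeg(b"\x12\x34\x56")),
]
# What script.jpg returns: a valid JPEG, but a fresh render (new count) per request
COUNTER_IMAGE = [
    ({"Content-Type": "image/jpeg"}, _jpeg(b"Visit nr.: 41" + b"\xff\x00")),
    ({"Content-Type": "image/jpeg"}, _jpeg(b"Visit nr.: 42" + b"\xff\x00")),
]
# A .jpg URL whose PHP died: the extension says image, the bytes say text
BROKEN_SCRIPT = [
    ({"Content-Type": "text/html"},
     b"<br />\n<b>Warning</b>: imagecreatefromjpeg(someimage.jpg): failed to open stream"),
]

if __name__ == "__main__":
    for name, fetches in (("static", STATIC_IMAGE), ("counter", COUNTER_IMAGE), ("broken", BROKEN_SCRIPT)):
        print(f"{name}: {verdict(fetches)}")
```

`is_valid_jpeg` is deliberately a structural walk, not a decoder: it is enough to reject a PHP error page or an HTML redirect returned under a `.jpg` name, which is the check an extension-only filter skips. The behavioural part is the one that catches the technique in this post, and it needs at least two fetches, ideally from different IP addresses, because the counter only moves when someone loads the image.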

This is all for part 1. In the next part I will show the code for the monkey and some other way to track users, because some sites may not allow posting images from other servers.
