Analysis of Exploiting Script for Anomaly Dimension Card Leakage - 1


Recently, zero-cost purchasing on the parallel dimension platform has become increasingly rampant, because the platform's author did not protect the site properly. This series of analysis articles is based on exploit scripts provided by enthusiastic netizens and on scripts captured first-hand.

To be honest, as long as there is no income and no card every day, there is no fear of being hacked.


In order to prevent further malicious exploitation, all code and descriptions in this article have been obfuscated.


In this article, the exploit script's author injects XSS code through the avatar field. The script then relies on the administrator opening the backend logs out of fear of being hacked: the malicious code is designed to execute at that moment, so it runs with the administrator's privileges and makes zero-cost purchases possible.

Code Analysis

Malicious code script address:

After downloading, it was found to be obfuscated, so I will briefly deobfuscate it. The process will not be shown here, and the following code is only decrypted to a readable level to prevent exploitation. The overall structure is as follows:

First, the script adds an administrator with the email address "".

$("td")["each"](function (_0x36ba71, _0x348775) {
  console.log(_0x36ba71, _0x348775, _0x348775["innerHTML"]["indexOf"])
  if (_0x348775["innerHTML"]["indexOf"]("") != -1) {
    var _0x53991d = $(this)["parent"]();

This iterates over every table cell (td), and if a cell's content contains "", it deletes the cell's parent element, that is, the whole row. The administrator list happens to be a table, so this hides the administrator with "". In other words, this administrator cannot be seen in the backend, only in the database.

After running, the result is as shown above, and the administrator is gone. The only flaw is the "Showing 1 to 1 of 1 entries, total 1 entries" footer at the bottom: its count is not reduced by one, so the mismatch with the visible rows exposes the hidden entry.

Then comes the crucial malicious function. It first uses the page title to determine whether it is running on the backend operation log page, then starts a timer that executes the malicious code. If the page is not the backend operation log page, the malicious code in the timer is not executed.

First, it requests to find the user ID of the user with the username "toptoones". Then, based on the returned ID, it performs the following steps:

First, delete this user. Then, call the order destruction plugin to destroy this user's orders.

If you haven't installed this plugin, this sneak will kindly call the API to download the plugin from the plugin store for you, activate the plugin, destroy the orders, disable the plugin, uninstall the plugin, and conveniently clear the backend logs as well.

Then it injects the code that hides the malicious administrator into the administrator's avatar, so that the malicious code is triggered whenever you log in to the backend. It then uploads your information to his backend.

Then it checks whether there is an easy payment plugin in the backend and injects code if there is one. I guess it should be to modify the payment configuration, but for some reason, it was not modified, and there may be upgrades in the future.

It also kindly handles the backend guardian.

Finally, it clears logs and transfers data.
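The avatar field is both the entry point and the place where the script re-plants itself, so stored avatar values are the first thing to validate and audit. The following is an added example, not code from the platform or from the captured script: a server-side allowlist check and a row audit, where the upload directory, table names and row shape are assumptions and the sample rows are constructed.

```javascript
// Added example: allowlist check and audit for stored avatar values.
// AVATAR_DIR, the table names and the row shape are assumptions, not the
// platform's real schema.
const AVATAR_DIR = "/uploads/avatar/"; // hypothetical upload directory
const SAFE_NAME = /^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif|webp)$/;

// Return the reasons a value is not a plain avatar path (empty array = OK).
function checkAvatar(value) {
  if (typeof value !== "string" || value.length === 0) {
    return ["not a non-empty string"];
  }
  const reasons = [];
  if (/[<>"'`\s\\]/.test(value)) reasons.push("markup or quoting characters");
  if (/^[a-z][a-z0-9+.-]*:/i.test(value)) reasons.push("explicit URL scheme");
  if (!value.startsWith(AVATAR_DIR)) {
    reasons.push("outside avatar directory");
  } else if (!SAFE_NAME.test(value.slice(AVATAR_DIR.length))) {
    reasons.push("file name not in allowlist");
  }
  return reasons;
}

// Encode a value for output inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Audit rows exported from the user and administrator tables.
function auditRows(rows) {
  return rows
    .map((row) => ({ table: row.table, id: row.id, reasons: checkAvatar(row.avatar) }))
    .filter((finding) => finding.reasons.length > 0);
}

// Constructed sample rows; harmless markers stand in for injected content.
const SAMPLE_ROWS = [
  { table: "user", id: 1, avatar: "/uploads/avatar/3f9a1c.png" },
  { table: "user", id: 2, avatar: '/uploads/avatar/a.png" data-constructed="1' },
  { table: "manage", id: 1, avatar: "<b>constructed</b>" },
  { table: "user", id: 3, avatar: "data:image/png;base64,AAAA" },
];

for (const f of auditRows(SAMPLE_ROWS)) {
  console.log(`${f.table}#${f.id}: ${f.reasons.join("; ")}`);
}
```

Run the audit against the database rather than the backend UI, since the script alters what the backend pages display.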


Give up the illusion (parallel dimension). See reality. Use another card platform; the author doesn't even show up.
