Any price you want



  • @morbiuswilters said:

    Challenge #1 --

        Difficulty: Have the username randomized from regular forum posters, pulling in their post counts and emulating their current signatures.

    You might need to include just enough HTML to embed an image that's dynamically generated by a script somewhere. Although given the amount of stuff it allows, I still think it's probably possible to get CS to accept Javascript in a post.



    As far as the tags thing goes, you guys do realize that you're trying to bring down a site you spend quite a bit of time reading, right?



  • Let me try this out.. O_O

    Unfake Sig
    Filed under: TAGS<input name="ctl00$ctl00$bcr$bcr$ctl00$PostList$ctl12$ctl23$ctl01" id="ctl00_ctl00_bcr_bcr_ctl00_PostList_ctl12_ctl23_ctl01_State" value="nochange" type="hidden">

    Fri, Apr 18 2008 3:04 PM

    Not in reply to

    • Unfakename
    • Top 10 Contributor
    • Joined on Mon, Jan 01 1847
    • 123 Fake Street, Springfield
    • Posts -10

    No Post Joo Want

    Nice Fake Post



  • @AbbydonKrafts said:

    Here's the complete script

    Again with a minor modification.

    // --------------------------------------------------------------------------------------------------------------
    // TheDailyWTF.com : Generates a random "TagException" tag for new forum posts
    // --------------------------------------------------------------------------------------------------------------
    
    function rand_addr()
    {
        var a = "";
    
        for (var i = 0; i < 8; i++)
        {
            a += Math.floor(Math.random() * 16).toString(16);
        }
        return a;
    }
    
    function rand_module()
    {
        var mod_names = new Array('EXPLORER.EXE', 'MFC40.DLL', 'MFC70.DLL', 'MSHTML.DLL', 
            'MSVBVM50.DLL', 'MSVBVM60.DLL', 'MSVCP50.DLL', 'MSVCP60.DLL', 'MSVCP70.DLL', 
            'SYSTEM32.DLL', 'USER32.DLL', 'VB40032.DLL');
        
        var max_val = mod_names.length;
        var rand_idx = Math.floor(Math.random() * max_val);
        return mod_names[rand_idx];
        
    }
    
    function generateTags()
    {
        var elm = document.getElementById("ctl00_ctl00_bcr_bcr_PostForm_ctl04_TagsSubForm_ctl00_Tags");
    
        if (elm)
        {
            if (elm.value.length == 0)
            {
                var tagex = "TagException at 0x" + rand_addr();
                tagex += " in " + rand_module();
                elm.value = "throw new TagException(), " + tagex;
            }
        }
    }
    
    function countTagExceptions()
    {
        var inputs = document.getElementsByTagName("input");
        // TagException variations
        var tagex_count = 0;
        var tagex_bytes = 0;
        var curr_idx = 0;
        var end_idx = 0;
    
        for (var i = 0; i < inputs.length; i++)
        {
            if (inputs[i].id.indexOf("AllTags") != -1)
            {
                // Hold the tag string in its own variable rather than overwriting the collection being looped over
                var all_tags = inputs[i].value;
                
                while (curr_idx != -1)
                {
                    curr_idx = all_tags.indexOf("TagException", curr_idx);
    
                    if (curr_idx != -1)
                    {
                        end_idx = all_tags.indexOf("&", curr_idx);
                        // No "&" after the last tag: measure to the end of the string instead of using -1
                        if (end_idx == -1) { end_idx = all_tags.length; }
                        tagex_count++;
                        tagex_bytes += (end_idx - curr_idx);
                        curr_idx++;
                    }
                }
                
                var report_elm = document.createElement("div");
                document.body.appendChild(report_elm);
                report_elm.innerHTML = "TagExceptions: " + tagex_count + 
                    ", Bytes: " + tagex_bytes + 
                    ", All Tags Bytes: " + all_tags.length;
                report_elm.style.position = "absolute";
                report_elm.style.top = "127px";
                report_elm.style.left = "300px";
                // report_elm.style.background = "#ECECEC";
                // report_elm.style.border = "1px solid #000000";
                report_elm.style.padding = "6px";
                report_elm.style.fontWeight = "bold";
                break;
            }
        }
    }
    
    // --------------------------------------------------------------------------------------------------------------
    // ONLY TRIGGER ON FORUM PAGES
    // --------------------------------------------------------------------------------------------------------------
    if (location.href.indexOf('forums.thedailywtf.com/forums/') != -1)
    {
        // Listen on window: the page's load event is delivered to window listeners, not document ones
        window.addEventListener(
            'load',
            function (e)
            {
                if( !document.body ) { return; }
                countTagExceptions();
                generateTags();
            },
            false
        );
    }


  • @AbbydonKrafts said:

    // TagException variations

    Err.. that part wasn't supposed to be there. I was tinkering and didn't take the comment out.



  • Man, CS sucks so bad.  It lets you use its own element ids in your posts, so you can get the javascript to do wacky things..



  • Went ahead and created a userscript page for my GM version.  Community Server isn't very good at being a version control system either.. :-P

     



  • Well, that all seems to work OK. :-)



  • @morbiuswilters said:

    http://userscripts.org/scripts/show/25387

    Does it handle edits correctly though?

    EDIT: Testing...


    EDIT2: Hooray!



  • How does it deal with Signature Guy, I wonder?

    With great power comes great abuse of responsibility
    Filed under: Testing...<input type="hidden" name="ctl00$ctl00$bcr$bcr$ctl00$PostList$ctl12$ctl23$ctl01" id="ctl00_ctl00_bcr_bcr_ctl00_PostList_ctl12_ctl23_ctl01_State" value="nochange" />

    Fri, Apr 18 2008 3:04 PM

    In reply to

    • Signature Guy
    • Top 10 Contributor
    • Joined on Mon, Jan 01 1847
    • 123 Fake Street, Springfield
    • Posts ∞

    I think this will probably work...

    Seems it tags SG's post, but NOT my own. Awesome- that means I can just blame SG when the forum explodes!



  • @rc_pinchey said:

    Does it handle edits correctly though?

     

    Yeah, it should handle any of that just fine.  The only thing it really does is search the page for [Edit Tags] and then post an AJAX request back to the server with the __LINE__ constant replaced with the post ID.  It's possible to "trick" it into trying to edit non-tags, like bstorer did.  Basically, someone can add HTML to their post that looks just like the "edit tags"  HTML.  Because Community Server is so lame, there's no way to tell if the edit tags link is legit or from another poster, so it just tries to post an AJAX request back to the server for an invalid tag and it fails silently.  Because the "[Edit Tags]" HTML in someone's post won't disappear after a few minutes like the real edit tags option does, it will try this every time you view a page with the fake HTML on it, but it shouldn't even be noticeable.  Let me know if you have any other problems.



  • @morbiuswilters said:

    Because Community Server is so lame, there's no way to tell if the edit tags link is legit or from another poster, so it just tries to post an AJAX request back to the server for an invalid tag and it fails silently
    Does it?  I admit I didn't read the code that hard, but it looked like it tried to post back based upon the post number in the URL, not the post number containing the tags, so it just submitted one AJAX request with my fake tags in it, and then another with your correct tags right after it.



  • @bstorer said:

    @morbiuswilters said:

    Because Community Server is so lame, there's no way to tell if the edit tags link is legit or from another poster, so it just tries to post an AJAX request back to the server for an invalid tag and it fails silently
    Does it?  I admit I didn't read the code that hard, but it looked like it tried to post back based upon the post number in the URL, not the post number containing the tags, so it just submitted one AJAX request with my fake tags in it, and then another with your correct tags right after it.

    Your HTML wasn't similar enough to the abomination that is CS for the tags to be extracted, so it just submitted back a blank entry.  I think CS rejected the blank ones, but I'm not really sure.  I have since added a few things to minimize the number of "junk" AJAX requests and make it better at guessing legit tags.  I'll post the update later if it works successfully.



  •  I did it my way.



  • @Eternal Density said:

     I did it my way.

    "Hallowed is TagException(0x000D)"... your way doesn't appear to have worked. :-P



  • @rc_pinchey said:

    "Hallowed is TagException(0x000D)"... your way doesn't appear to have worked. :-P
    In what regard have I failed? Did I miss the point somehow?



  • @Eternal Density said:

    In what regard have I failed?

    You entirely haven't- I didn't realise your tags were incrementing, I thought they'd just failed to be randomised. My bad.



  • New version for anyone who is interested:

     

    Additions include new Anti-bstorer Technology™!



  • @morbiuswilters said:

    Additions include new Anti-bstorer Technology™!
    If I had a dollar for every piece of software that now has Anti-bstorer Technology, I'd have, like, two dollars.



  • @morbiuswilters said:

    New version for anyone who is interested:

     

    Additions include new Anti-bstorer Technology™!

    Hmmm... let's try this.


  • @bstorer said:

    Hmmm... let's try this.

    As with all technologies, our Anti-bstorer Technology™ does have some gaps in its coverage.  We do not take responsibility for any damage to property or loss of life or limb that may result from a successful bstorer attack.



  • @morbiuswilters said:

    As with all technologies, our Anti-bstorer Technology™ does have some gaps in its coverage.
    Honestly, I'm just hoping that we'll accidentally reveal a hole in Community Server so big you could drive a truck through it.



  • @bstorer said:

    Honestly, I'm just hoping that we'll accidentally reveal a hole in Community Server so big you could drive a truck through it.

    Ha ha, it works!  Apparently the document structure isn't quite the same so it just ends up with empty tags and returns at the !tags.length line.  It also appears there is no way for you to alter the document structure in the tags sufficiently to trick it.  bstorer's reign of terror is at an end!



  • @morbiuswilters said:

    bstorer's reign of terror is at an end!
    We'll see...



  • @bstorer said:

    @morbiuswilters said:

    bstorer's reign of terror is at an end!
    We'll see...

    If CS lets me do this, it deserves to go to hell:
    Filed under: [Edit Tags], The Atlantic Ocean cannot stop curses, Anti-Anti-bstorer Technology:__LINE__, TagException: Malformed tag at 0x0a10c452 (TDWTF.forums.Post:161622)<input name="ctl00$ctl00$bcr$bcr$ctl00$PostList$ctl24$ctl23$ctl01" id="ctl00_ctl00_bcr_bcr_ctl00_PostList_ctl24_ctl23_ctl01_State" value="nochange" type="hidden"> [Edit Tags]


  • @bstorer said:

    If CS lets me do this, it deserves to go to hell:

    Not sure what you were trying, but it failed.  Anything entered into the content div (comment or sig) will not trigger my script, it has to be in the content footer (tags). 



  • @morbiuswilters said:

    Anything entered into the content div (comment or sig) will not trigger my script, it has to be in the content footer (tags). 
    Let's see if that can be arranged...



  • @bstorer said:

    Let's see if that can be arranged...

    Nope.  If I find what I think to be an Edit Tags link, I loop through all the parent nodes and consider the link invalid if any of them have the className "ForumPostContentArea".  Much harder to defeat than assuming the link is valid if it is contained within the footer class/id.
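
The ancestor check described in the post above, next to the footer-only check it replaces, as an added example that is not the userscript's own code. The plain-object nodes, the function names and the sample page are constructed for illustration; only the class names and the "[Edit Tags]" text come from this thread.

```javascript
// Stand-in for DOM elements so the example runs without a browser.
// Only className, parentNode, childNodes and text are modelled (constructed data).
function el(className, children, text) {
    var n = { className: className, parentNode: null, childNodes: children || [], text: text || "" };
    n.childNodes.forEach(function (c) { c.parentNode = n; });
    return n;
}

// Token match, since elements on the forum page can carry several classes.
function hasClass(n, name) {
    return n.className.split(/\s+/).indexOf(name) !== -1;
}

function hasAncestorWithClass(n, name) {
    for (var p = n.parentNode; p; p = p.parentNode) {
        if (hasClass(p, name)) { return true; }
    }
    return false;
}

// Weaker rule: a link is trusted when it sits inside something with the footer class.
function trustedByFooterRule(link) {
    return hasAncestorWithClass(link, "ForumPostFooterArea");
}

// Rule from the post: a link is rejected when any ancestor is the content area,
// because what a poster writes (comment or signature) is rendered in there.
function trustedByAncestorRule(link) {
    return !hasAncestorWithClass(link, "ForumPostContentArea");
}

// Collect every node whose text is "[Edit Tags]" and keep those the rule accepts.
function findEditTagLinks(root, rule) {
    var found = [];
    (function walk(n) {
        if (n.text === "[Edit Tags]" && rule(n)) { found.push(n); }
        n.childNodes.forEach(walk);
    })(root);
    return found;
}

// Constructed page: one post whose body contains look-alike footer markup,
// followed by the footer the forum itself rendered.
var fakeLink = el("", [], "[Edit Tags]");
var realLink = el("", [], "[Edit Tags]");
var page = el("ForumPostArea", [
    el("ForumPostContentArea", [
        el("ForumPostSignature", [], "sample signature"),
        el("ForumPostFooterArea", [fakeLink])
    ]),
    el("ForumPostFooterArea", [realLink])
]);

console.log("footer rule accepts:", findEditTagLinks(page, trustedByFooterRule).length);
console.log("ancestor rule accepts:", findEditTagLinks(page, trustedByAncestorRule).length);
```

The ancestor rule holds only while the forum keeps everything a poster submits nested inside the content area.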



  • @morbiuswilters said:

    Much harder to defeat than assuming the link is valid if it is contained within the footer class/id.
    Much harder, but as Signature Guy has shown us, not impossible.

    								    <div class="ForumPostSignature">"up and down, back and forth, faster, faster.."</div>
    
    							    <ul class="ForumPostStatistics CommonPrintHidden" style="clear: both;">
    							        <li><br></li>
    
    								<li><a>Report abuse</a></li>
    								<li><a>Quick Reply</a></li>
    							    </ul>
    						    
    					    
    				    
    			    
    		    
    
    		    <li>
    			    <div class="ForumPostArea">
    				    <h4 class="ForumPostHeader">
    					    <table style="border: 0px none ; width: 100%;" cellpadding="0" cellspacing="0">
    						    <tbody><tr>
    							    <td align="left">
    							        <img src="http://forums.thedailywtf.com/Themes/leanandgreen/images/icon_post_show.gif" mce_src="http://forums.thedailywtf.com/Themes/leanandgreen/images/icon_post_show.gif" alt="" style="border-width: 0px;">
    							        Tue, Apr 15 2008 10:31 PM    
    							    </td>
    
    							    <td align="right"><a>In reply to</a></td>
    						    </tr>
    					    </tbody></table>
    				    </h4>
    				    <table style="border: 0px none ; width: 100%;" cellpadding="0" cellspacing="0">
    					    <tbody><tr>
    						    <td rowspan="2" class="ForumPostUserArea">
    							    <div class="ForumPostUserContent">
    



  • @AbbydonKrafts said:

    Again with a minor modification.

    Added a 'getUnicodeTag' function to return ender's weather vane Unicode thing and modified 'generateTags' to use it.

    function getUnicodeTag()
    {
        var unitag = "\u00B7\u0300\u0301\u0302\u0303\u0304\u0305\u0306\u0307\u0308\u0309\u030A\u030B" +
            "\u030C\u030D\u030E\u030F\u0310\u0311\u0312\u0313\u0314\u0315\u0316\u0317\u0318\u0319\u031A" + 
            "\u031B\u031C\u031D\u031E\u031F\u0320\u0321\u0322\u0323\u0324\u0325\u0326\u0327\u0328\u0329" + 
            "\u032A\u032B\u032C\u032D\u032E\u032F\u0330\u0331\u0332\u0333\u0334\u0335\u0336\u0337\u0338" + 
            "\u0339\u033A\u033B\u033C\u033D\u033E\u033F\u0340\u0341\u0342\u0343\u0344\u0345\u0360\u0361";
            
        return unitag;
    }
    
    function generateTags()
    {
        var elm = document.getElementById("ctl00_ctl00_bcr_bcr_PostForm_ctl04_TagsSubForm_ctl00_Tags");
    
        if (elm)
        {
            if (elm.value.length == 0)
            {
                var tagex = "TagException at 0x" + rand_addr();
                tagex += " in " + rand_module();
                tagex += ", " + getUnicodeTag();
                elm.value = "throw new TagException(), " + tagex;
            }
        }
    }


  • Fail?



  • @bstorer said:

    Much harder, but as Signature Guy has shown us, not impossible.

    Keep trying, rookie. 



  • @morbiuswilters said:

    @bstorer said:

    Much harder, but as Signature Guy has shown us, not impossible.

    Keep trying, rookie. 

    TinyMCE is eating some -- but not all -- of my tags.  I'll switch to plain HTML later if I find myself still caring.


  • @morbiuswilters said:

    @bstorer said:

    Much harder, but as Signature Guy has shown us, not impossible.

    Keep trying, rookie. 

    Let's try this again...

    								    </div>
    								    <div class="ForumPostSignature">-bstorer<br /><br />$admin = true;</div></td></tr></table></td></tr><tr><td class="ForumPostFooterArea">
    							    <div><span id="ctl00_ctl00_bcr_bcr_ctl00_PostList_ctl24_ctl23_ctl01">Filed under: <a href="http://forums.thedailywtf.com/tags/Anti-Anti-bstorer+Technology_3A005F005F00_LINE_5F005F00_/default.aspx" rel="tag">Anti-Anti-bstorer Technology:__LINE__</a></span> <a>[Edit Tags]</a></div>
    


  • And that is when putting your name in your signature really doesn't help.



  • @morbiuswilters said:

    Duhhh, I'm morbiuswilters, and I suck.

    I find your honesty refreshing.



  • @AbbydonKrafts said:

    And that is when putting your name in your signature really doesn't help.

    Yeah, I don't know why he changed his signature to match mine. A desperate need to be like me, no doubt.

    Honestly, I just wanted it to be clear that it wasn't actually morbius's, lest some idiot be confused when he resurrects this thread three months from now.



  • @bstorer said:

    lest some idiot be confused when he resurrects this thread three months from now.
     

    Oh come on, ED can hear you...



  • @MasterPlanSoftware said:

    @bstorer said:

    lest some idiot be confused when he resurrects this thread three months from now.
     

    Oh come on, ED can hear you...

    Don't give people more credit than they deserve, MPS. That's how you end up with a 2500 post thread about a shitty application that doesn't do anything worthwhile. And we don't want that, do we?



  • @bstorer said:

    -bstorer
    I just noticed this.  Why are you always so negative on yourself in your signature?  What does "negative bstorer" even mean?



  • @bstorer said:

    @AbbydonKrafts said:
    And that is when putting your name in your signature really doesn't help.

    Yeah, I don't know why he changed his signature to match mine. A desperate need to be like me, no doubt.

    Honestly, I just wanted it to be clear that it wasn't actually morbius's, lest some idiot be confused when he resurrects this thread three months from now.

    If you want to properly do a fake message embedded in the message body, you need to clear your signature and manually put it in all of your posts. The trouble with embedding the post in your signature (as I am doing) is that signatures are dynamically inserted on every page view rather than substituted at post time (which is what older forums did, including the one from which Signature Guy originated).



  • @belgariontheking said:

    @bstorer said:

    -bstorer
    I just noticed this.  Why are you always so negative on yourself in your signature?  What does "negative bstorer" even mean?

    Clearly, since I'm bstorer and we're applying a negative bstorer, both are annihilated in an explosion of energy and wonder, which you see as my post. I then respawn myself through pair production in the quantum foam, and allow the negative half of the pair to be drawn into a nearby black hole. It's simple physics.



  • @Quietust said:

    If you want to properly do a fake message embedded in the message body, you need to clear your signature and manually put it in all of your posts.

    I know, I just couldn't be bothered. Especially because eventually I'd want to put something in my signature again.



  • @bstorer said:

    Clearly, since I'm bstorer and we're applying a negative bstorer, both are annihilated in an explosion of energy and wonder, which you see as my post. I then respawn myself through pair production in the quantum foam, and allow the negative half of the pair to be drawn into a nearby black hole. It's simple physics.
    Thanks, I will now, forever and always, giggle like a little girl whenever I see your signature.



  • @morbiuswilters said:

    Duhhh, I'm morbiuswilters, and I suck.

    Man, I must suck, I don't even remember posting that!



  • @morbiuswilters said:

    @morbiuswilters said:

    Duhhh, I'm morbiuswilters, and I suck.

    Man, I must suck, I don't even remember posting that!

    Looks like I might've broken your tag. Or you just navigated away too quickly or something?

    Also, why aren't you on #TDWTF?



  • @bstorer said:

    Also, why aren't you on #TDWTF?

    A critical vulnerability has been found in code I wrote and I must get a patch working.  I think it's done, though. 

        // Anti-Anti-Anti-bstorer Technology(tm): check username of post against logged-in user
        // (fragment: elm and dalert are defined elsewhere in the script)
        var whoami = document.getElementById("welcome").childNodes[1].innerHTML;
    
        // Climb four levels up from elm
        var whoispost = elm.parentNode.parentNode.parentNode.parentNode;
    
        // Child indexes to follow back down from there to the element holding the poster's name
        var childs = [0, 1, 1, 1, 1, 3];
    
        for (var i = 0; i < childs.length; i++) {
                if (whoispost.childNodes.length < (childs[i] + 1)) {
                        dalert("bad HTML 1");
                        return;
                }
                whoispost = whoispost.childNodes[childs[i]];
        }
    
        whoispost = whoispost.innerHTML;
    
        // Stop unless the post's username matches the logged-in user
        if (whoami != whoispost) {
                dalert("whoami: "+whoami+"\nwhoispost: "+whoispost);
                return;
        }
    


  • @morbiuswilters said:

    @bstorer said:

    Also, why aren't you on #TDWTF?

    A critical vulnerability has been found in code I wrote and I must get a patch working.  I think it's done, though. 

    Okay, but more importantly, did my Anti-Anti-bstorer Technology best your Anti-bstorer Technology or not?



  • @bstorer said:

    Okay, but more importantly, did my Anti-Anti-bstorer Technology best your Anti-bstorer Technology or not?

    It did, which is why I had to take things to the next level.  See above. 



  • @morbiuswilters said:

    @bstorer said:

    Okay, but more importantly, did my Anti-Anti-bstorer Technology best your Anti-bstorer Technology or not?

    It did, which is why I had to take things to the next level.  See above. 

    Maybe I need to see the whole thing, but I'm fairly certain I can beat that, too. It may require faking two posts, though.



  • @bstorer said:

    Maybe I need to see the whole thing, but I'm fairly certain I can beat that, too. It may require faking two posts, though.

    Probably.  We've proven that CS isn't exactly stellar here.  At this point, though, 90% of the processing my script does is just to try to thwart you.  Source is linked below.  I don't want to put it on userscripts until I test it a bit more. 

    http://demergence.com/wtf/tdwtfrandom.js
