Activate an Onclick Event via PHP, Ruby or Perl script?

[SniperRyan]

I'm wondering if it's possible to activate an 'onclick' event on a third-party website using an automated script of some kind?

I'm guessing this is possible because TGP sites have been around forever and people must have figured out multiple ways to vote themselves up, but all my G searches just return methods for calling PHP from an OnClick.

Can anyone point me to a resource on writing such a script?

EDIT: Maybe a better solution is to use JavaScript to call a function to make the "click" and then include that on a high-traffic page? That way I use the visitor's IP address and the timing is random?

 

[chatmasta]

I don't know how to do it in PHP, but there has to be a way. Otherwise we wouldn't even need CAPTCHAs! But your javascript solution won't work. You can't execute any action on an external site. What you CAN do however, is submit a form from your site to their site, which you can activate with an onClick or even an onLoad (I think).

 

[7figures]

Can you look into the onclick code located on that site and see what it does, and just try and replicate that yourself? If its just making an ajax call to a remote form or whatever, you could skip the middleman and just post to it yourself. Unless I'm missing what you're trying to do.

 

[Rage9]

There's no way to get the onclick event on another page. Your only option is to reverse engineer what the onclick event does on the page and emulate that with PHP and cURL. Depending what it is it can be really easy or really hard.

The topic in itself is too complex and broad without knowing more details.

 

[SniperRyan]

Yeah, since I posted this I decided to snoop around their JS to try to unravel it.

They basically just pass two variables in the function call from onclick, then their function populates those into URL variables and POSTs it.

I tried using CURl to POST to the same place with the variables I wanted but there were no outward signs of success. I might try a larger scale test next. They basically aggregate the "Votes" and then display each member's percentage of the total vote, so it may take more than a few tries to see the needle move.

Now I'm thinking they probably limit requests to those initiated from their own server. Or is that something no one would do because it's too time consuming?

Should I just spoof the referrer or could it be more complex? They're running ASP, if it matters.

Thanks for the ideas so far.

 

[Rage9]

Probably not as complex as your making it sound, you probably just fucked something up.

 

[SniperRyan]

Probably not as complex as your making it sound, you probably just fucked something up.

No doubt. Thanks for the push, I'm gonna keep spamming them and see what I can do.

 

[fcu_1]

You've got 2 options:

1.) Watch the HTTP requests that occur when you perform the click in your actual browser and attempt to mimic it with your own program.

2.) Use an automated browsing framework. None of these are designed for what you're doing, and out of all of them, very few have any meaningful support for javascript. Unless you're not scared to write your own engine based on XULRunner or Rhino, then completely ignore this option and go with #1. If you actually are interested, I would look into what's been done with Selenium and Crowbar.

 

[erect]

...

Welcome to WF, stick around we could use you



I don't know shit about ruby but this looks like it might be a solution ... if it doesn't work out, let me know so I don't waste my time fucking around with it

 

[7figures]

Now I'm thinking they probably limit requests to those initiated from their own server. Or is that something no one would do because it's too time consuming?

There's no real way of doing that, a POST is a POST. You'll have to do some experimenting I guess, can you create a new item in their poll with 0 votes, use your script to vote for it, and see if it changes anything?

Also keep in mind the results may be cached and only updated every hour / day / whatever.

Last thing would be to check if they use an off the shelf script, and if so get your hands on it and do your own tests and watch the DB to see if what you're doing is working or not.

 

[kblessinggr]

Technically it would be called AJAX assuming the data was coming from php/asp/etc. (watching for the onclick event, javascript picks it up, makes an asynchronous call to php, and performs the action based on the response).

There is of course no way to directly invoke a server-side action on a client-side behavior when the page had already been sent to the user and is no longer running on the server by the time the viewer sees it on their screen.

 

[LogicFlux]

You've got 2 options:

1.) Watch the HTTP requests that occur when you perform the click in your actual browser and attempt to mimic it with your own program.

2.) Use an automated browsing framework. None of these are designed for what you're doing, and out of all of them, very few have any meaningful support for javascript. Unless you're not scared to write your own engine based on XULRunner or Rhino, then completely ignore this option and go with #1. If you actually are interested, I would look into what's been done with Selenium and Crowbar.

Probably Selenium + ø TOR : How To Switch To a New Identity Using PHP | W-Shadow.com ø or some other kind of proxy switcher would be the best bet. You could probably also just create your own little automated web browser in .NET using the Webbrowser control.

 

[guerilla]

Wow, selenium is too cool for school

 

[guerilla]

Probably Selenium + ø TOR : How To Switch To a New Identity Using PHP | W-Shadow.com ø or some other kind of proxy switcher would be the best bet. You could probably also just create your own little automated web browser in .NET using the Webbrowser control.

I just realized that URL title is based on something Eli blogged at BHSEO about. I know because I added those queer characters to a bunch of my sites!

 

[LogicFlux]

I just realized that URL title is based on something Eli blogged at BHSEO about. I know because I added those queer characters to a bunch of my sites!

Yeah, the character is the same one Eli likes to use. I actually learned about that code/technique from syndk8. There's attribution in the code on syndk8 that has that url so I just linked there instead of the post at syndk8.
I don't feel like looking it up but search "tor new identity" or something like that on syndk8.

 

[guerilla]

I meant to use that to torswitch with iMacros.

So if I am in a loop, performing an operation repeatedly on the same base URL (like google search) I had this plan to open a second tab, hit the torswitch url through localhost (running WAMP) and then go back to tab1 and carry on with my imacros loop with a new IP.

I forget what I specifically wanted that for (it wasnt google search), so I never ended up implementing it but I am sure it can be done.

 

[Rage9]

#1 WAMP is for Windows bitches.

#2 you could write yourself a nice proxy surfing app in PHP.

#3 Tor is generally fairly slow, IMHO.

#4 The cost of my advice on that subject is costly.

 

[ikonic]

They basically just pass two variables in the function call from onclick, then their function populates those into URL variables and POSTs it.

what are the variables, are they dynamic or fixed, POST or GET?
did you request the variables from the page prior to making the request?
did you pass in a valid session id?

if it is fixed variables and it accepts get requests then try a CSRF attack and add a image into your sig that points to the voting url

<img src="h**p://tempuri/vote.php?variable1=1&variable2=2"/>