hacking but at what cost


Apr 18, 2025 - 03:43

I am a CS undergrad and i do what the uni tells me to do
cause academics

altho sometimes when they are shoving things down our throats i get mad

and so they gave us this online course platform to learn about AI
do they have structured classes ?
no
its more like bunch of random articles that we are supposed to read and click mark as done

so being the lazy guy i am i automated this redundant task
its an autoclicker

go right click, click inspect, and paste this in console

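// each child of .contentlist_sec is one course item
const targets = document.querySelector('.contentlist_sec').children

function complete(f = 0) {
    // stop once every item has been handled
    if (f >= targets.length) {
        return
    }
    const elem = targets[f]
    // the numeric id is the part after the underscore in the element id
    const pid = elem.id.split('_')[1]
    // getSubProduct and the two mark-as-complete calls are the page's own functions
    getSubProduct(pid, '0', '1', 'false')
    setTimeout(() => {
        pre_mark_as_complete(pid, 'false')
    }, 1000)
    setTimeout(() => {
        mark_as_complete_hub_product(parseInt(pid, 10))
        elem.classList.remove('allActiveProd')
    }, 3000)
    // move on to the next item after 7 seconds
    setTimeout(() => {
        complete(f + 1)
    }, 7000)
}
complete()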

wait some seconds and u have all your courses automatically clicked and done awesome right ?

well i should have stopped there
well i didn't

the ugly

little did i know i was getting myself into a grave grave mistake that would haunt me for an entire night,
raise my adrenaline levels and almost throw me into a panic attack

i inspected the quizzes section and decided to see how i can bypass the quiz , i moved around the js files sent to the client and figured out a way to print the answers, well, the IDs of the answers
you'll have to inspect and click on them so its kinda hard

this wasnt enough, i wanted to see if i can override the entire quiz cause i saw no live answers being posted to a server, on checking requests all i saw was nothing

so the quiz was being validated on the client which itself is a stupid thing to do , hey at least they put it inside an iframe to make it work so good for them
most peeps dont know this trick
you can access an iframe inside an html page from the console by

>> frames

this is an array of iframes so i can even call the methods inside the iframe script by just chaining them to the first iframe like an object's methods

>> frames[0].checkAnswers()

yup its that obvious, client code isnt bundled, no obfuscation, just straight up methods and their names
good for us
bad for them

i dont think they care tbh if they did they wouldnt have made a shitty site to begin with and most of all the courses are very shit

so i saw this method called publishResult() and thought this might directly publish my results and get me that quiz completed
so i went ahead and called it

grave mistake, if i had a timemachine i'd go back in time and smack old me before doing it,
this traumatic incident has given me a new insight

never call a function or any get routes that seem like they are messing with data on the db
reason is simple, get requests likely modify something on the server and its not gonna let u control that modification again , so once its done theres no over-riding it unless u find another post request that actually does something
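
What the server side of a quiz like this could look like so that a bare console call such as publishResult() records nothing on its own, as an added example (not code from this post or from the platform). The route name, answer key, pass mark and in-memory store are all assumptions made up for the illustration.

```javascript
// Added example: server-side quiz grading. All names and data are constructed.
const ANSWER_KEY = { q1: "b", q2: "d", q3: "a" }; // stays on the server, never sent to the client
const PASS_MARK = 0.6;                            // assumed pass threshold
const attempts = new Map();                       // userId -> { score, passed }

// The score is computed from the raw answers; a client-supplied score is never read.
function grade(answers) {
  let correct = 0;
  for (const [qid, expected] of Object.entries(ANSWER_KEY)) {
    if (answers[qid] === expected) correct++;
  }
  return correct / Object.keys(ANSWER_KEY).length;
}

// Minimal request handler (stands in for a real HTTP route).
function handle(method, path, userId, body) {
  if (path !== "/quiz/submit") return { status: 404 };
  // State-changing route: refuse GET so a stray call or link cannot record a result.
  if (method !== "POST") return { status: 405 };
  if (!body || typeof body.answers !== "object" || body.answers === null) {
    return { status: 400, error: "answers required" }; // nothing is recorded
  }
  // An unfinished quiz is rejected instead of being locked as "attempted".
  const missing = Object.keys(ANSWER_KEY).filter((q) => !(q in body.answers));
  if (missing.length > 0) return { status: 400, error: "incomplete", missing };
  // One graded attempt per user; a repeat returns the stored result unchanged.
  if (attempts.has(userId)) return { status: 409, result: attempts.get(userId) };
  const score = grade(body.answers);
  const result = { score, passed: score >= PASS_MARK };
  attempts.set(userId, result); // written only after a complete, graded submission
  return { status: 200, result };
}
```

With this shape the attempt row and the result are written in one place, after grading, so a half-finished quiz cannot end up "already attempted" with no completion recorded.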

well in this apps case its a get request, so i started this shit around 2am, as of the time i am writing this its 6:30 am, yes i didnt sleep
i couldnt sleep

cause calling that publishResult() from the client did something and made my quizzy a self paced one meaning that i cant retake it anymore , too bad i havent even completed

so there i was stuck midway at a course 16% done , mandatory for the semester, unable to move past this quiz , cause no matter how hard i try the server will not serve the quiz link to me cause that route likely is doing some checking with some table inside the server and its saying that i have already completed so send me the results page

except the thing isn't marked as complete in the courses table (ig at this point i can only guess what they have named it as)
so i was cooked

deep fried