Request queensnake.com

[polar99]

https://queensnake.com/processlogin

would be glad if i get this bdsm site

[Mr. James Bond]

Not sending you the acc but had to reply after checking the site...

Some serious (painful) s**t there.

[DarkWingDuck]

I wouldn't even know where to start to make a working config for this site. Using (username) and (password) for testing purposes, you get this.

Code:

GET https://queensnake.com/login?username=username&password=A14DUAEHAltUVAIPBAQCBFJRDwVRD11QAF5ZUFdTCF0%3D&captchaResponse= HTTP/1.1
Host: queensnake.com
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
Sec-Fetch-Dest: empty
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Safari/537.36
DNT: 1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://queensnake.com/processlogin
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=94334c2d6937c271039dcad48f526e15; cFallbackPlayer=false; cLegalAge=true

First thing i notice, is the (GET) response instead of the normal (POST)
The second thing, is the password field isn't processing normally or in plain text, since it's not ( password=password )
There is a script running that hashes the password with a salt before it is processed.
I don't think you can get away with

Code:

https://queensnake.com/login?username=<USER>&password=<PASS>&captchaResponse=

I'm guessing you will have to find a way to generate the <PASS> field into a salted hash before sending the (GET) request.
I tested the above with the plaintext password (unhashed) and all you get is "failedlogin" responses. Which doesn't really help because there are suppose to be multiple responses.

Code:

     case 'failedlogin':
        message='Login error';
        break;

      case 'deletedlogin':
        message='Login error';
        break;

      case 'failedlogincaptcha':
        message='Login error';
        theCaptcha.activate();

        break;

      case 'nocaptcha':
      case 'captchaerror':
        message='Captcha error';

        break;

      case 'bannedlogin':
        message='Banned account';
        break;
     
      case 'blocked':
      case 'blockedlogin':
        message='Blocked account';

But, the scripts used in this site/login is what makes it troublesome.

Code:

  function submitLogin(recaptchaResponse){
   
    var username=$("#userNameID").val();
    var passwordHash=String(CryptoJS.MD5(""+$("#passwordID").val()));
   
    if($("#remembermeID").is(':checked')){
      Cookies.set("rememberme", 1,  { expires: 365 });
      Cookies.set("username", username,  { expires: 365 });
      Cookies.set("password", passwordHash,  { expires: 365 });
    }
    else{
      Cookies.remove("rememberme");
      Cookies.remove("username");
      Cookies.remove("password");
    }
   
    sendLogin(recaptchaResponse, username, passwordHash);
  }
 
  function sendLogin(recaptchaResponse, username, passwordHash){

    var salt="6874bd19a5c821f2c576c895bfab451d";
    $.getJSON(
      '/login', {
        username: username,
        password: btoa(String.fromCharCode.apply(null, passwordHash.split('').map( function(v, i){return v.charCodeAt(0)^salt.charCodeAt(i%salt.length)}))),
        captchaResponse: recaptchaResponse
      },
      callbackLogin
    );
  }

i certainly haven't seen a login like this before. 
Good luck with this site. Only thing i would know how to do, is manually try bdsm/fetish combos manually for this site. Also this login page isn't very responsive on my browser for multiple login attempts.

[Mr. James Bond]

Hey @polar99, should I close this one or you want it to stay a bit more opened?

[polar99]

can be closed @Mr. James Bond