The article isn’t mine and it’s old, but it’s pretty useful.
First a bit of theory
For the convenience of writing, webjects are written to a separate file specified in the configuration file as DynamicConfig.file_webinjects. Naturally, no additional files are generated after the configuration file is created.
The file is a list of URLs for which you can specify an unlimited number of web injectors, the URL to be modified is specified by a string following the rules of the configuration file:
set_url [url] [flags] [backmask POST] [whitemask POST] [blocking URL] [context mask]
with the last two parameters being optional.
URL to which the web injector should be triggered, a mask can be used. flags defines the basic condition of loading, it can consist of several flags in any order, but they are case-sensitive. Currently the following flags are available: P trigger web injector at POST request to URL. G launch web injector at GET request to URL. L changes the purpose of the web injector, specifying this flag will fetch the required piece of data and immediately save it to the log. F supplements the L flag, allowing to write the result to a separate file instead of the log. H supplements the L flag, saves the desired piece of data without cutting tags. D run web inject every 24 hours. POST backmask is a mask of POST data passed to URL which will not execute web injector. whitemask PO ST is a mask of POST data sent to the URL, in case of which the web injector will be executed. URL blocking if your Web injector must be loaded only once on the victim computer, here you must specify the URL mask, in case of which the Web injector will not be used on the computer anymore. If you do not need it, leave the field empty. context mask the mask of the part of the page content when the web injector should be triggered.
After specifying a URL, the next line is a listing of web injectors until the end of the file is reached or a new URL is set using another set_url entry.
One web injector consists of three elements: Without the L flag:
data_before]data mask after which new data should be written. data_after data mask before which new data is to be written. data_inject new data to be replaced by the contents between data_before, data_after.
With flag L:
data_before data mask after which a chunk of retrieved data begins. data_after data mask before which a chunk of retrieved data ends. data_inject plays the role of a header for the resulting data, it is only needed for visual highlighting in logs.
The element name must start from the first byte of a new line and immediately after the end of the name must be carried over to the next line. From the next line comes the data of the web engine, the end of the data is indicated by the line data_end, also this line must start from the first byte of the next line. You can freely use any characters inside the element.
Notes: As you know, a new string can be represented by one (0x0A) or two (0x0D and 0x0A) bytes. Since the web injector is mostly used to spoof text data content, this feature is taken into account, and the bot successfully runs the web injector even if you have newlines marked with two bytes, but the URL content is marked with one byte, and vice versa. Web inject elements can be arranged in any order, i.e. data_before, data_after, data_inject, or data_before, data_inject, data_after, etc. The element can be empty. When the L flag is used, each tag is replaced by a single space in the resulting data.
Substitute the header of any http protocol site with the phrase https: Web-Inject
Substitute any http site title with HTTPS: Web-Inject phrase and add BODY: Web-Inject text right after body tag
Get page title