Follow us on Twitter!
It is the path of least resistance that makes rivers and men crooked. - Bj Palmer
Sunday, April 20, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 23
Guests Online: 22
Members Online: 1

Registered Members: 82843
Newest Member: hx47
Latest Articles
View Thread

HellBound Hackers | Computer General | Web hacking

Page 1 of 2 1 2 >
Author

Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 10:19
I'm having some problems using the cookies I stole with XSS, for example I get a PHPSESSID cookie, logout of the site i'm testing, and clear my cookies. I prefer to use JS then a cookie editor, so I use:

Code
javascript:void(document.cookie="PHPSESSID=<myvalue>");




And that seems to work (a cookie is created), but when I try to go back to the index of the site, it redirects me to the login. Is this just the way the site is coded, or am I doing something wrong?




Edited by on 05-09-08 10:20
Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 10:22
I'm not too sure, I dont know too much about sessids but I think it is probably being changed when you/they logout to prevent Session hijacking.

Again im not too sure.

if its not then I suppose you could try using a <script> and post it through to the server

Code

<html>
<form method="POST" action="http://example.com/loginarea.php">
<script>void(document.cookie="PHPSESSID=<yourvalue>";</script>
</form>
</html>





Edited by on 05-09-08 10:38
Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 10:46
Normally, I would inject every cookie in the person's cookie. It just makes it so that you definitely have the same thing as the user. Also, he could've already been logged out and his session destroyed.
Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 11:03
How would you do that?
Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 11:17
The same way he did it with just the session. You just have to do that for every cookie name. Like if you have the cookie:

PHPSESSID=randomness;whatever=blah


You would do:
[code]
javascript:void(document.cookie="PHPSESSID=randomness"Wink;void(document.cookie="whatever=blah"Wink;
Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 11:27
Ahh Yeah I see Smile

Ty =]]
Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 11:54
The PHPSESSID cookie was the only one set, thats the thing. It probably destroyed the session when I logged out. Might try it with 2 machines, no logout.


Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 12:09
jjbutler88 wrote:
The PHPSESSID cookie was the only one set, thats the thing. It probably destroyed the session when I logged out. Might try it with 2 machines, no logout.


Yes, it destroys the session when you log out. Trying it while you're still logged in sounds like a good try.


Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 12:33
It worked Grin


Author

RE: Injecting session cookies

yours31f
Member



Posts: 1678
Location: Dallas Texas
Joined: 27.04.07
Rank:
Elite
Posted on 05-09-08 13:09
session ids are updated frequently on most sites


Debugging is what programmers do to beta software to make it take up more room on your hard drive if it is running too efficiently.


img259.imageshack.us/img259/3713/sigr.png

yours31f@live.com yours31f@yahoo.com rpwd.info
Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 13:16
yours31f wrote:
session ids are updated frequently on most sites


Dude, just shut up. You don't know what you're talking about. They're not "updated frequently"... they're generated at random when a session is created, stored on the server in the tmp directory and, when the session is destroyed, the little session file in tmp disappears.


Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 13:20
If you install the web develop firefox plugin , you can create cookies through it and edit cookies, and view them..

Just a tip ;P

And also, alot of sites now store the session_id(); in a db , so that the cookies cant be hijacked.


Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 14:14
I know about the ff plugin, I have it, I said previously in my posts that I wanted to use JS.

Also, how does storing session ID's in a database make them less easy to hijack?


Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 15:57
Because the ID is unique, so you cant create one as it will need to be the exact same ID as the one stored in the DB, learn about php security.


Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 16:34
But once you have done an XSS, you will have the session id, so its exactly the same isnt it? Someone with some actual knowledge plz respond...


Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 17:29
I'm asuming you got the cookies from a cookie logger so perhaps you could help me.
Basically ALL the cookies loggers I coded did'nt work because I tell it to write the cookies to x.txt then it says:
CookieSadThis is blank)
IPSadThe IP)
RefererSadThe referer)
etc.
And I was wondering why. Thanks
P.S I use t35.com


Author

RE: Injecting session cookies

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 05-09-08 17:37
jjbutler88 wrote:
But once you have done an XSS, you will have the session id, so its exactly the same isnt it? Someone with some actual knowledge plz respond...


The thing is, a website can bind an IP to a session ID. So, lets say Alice visits google.com, her ip is 23.23.23.23, and her session ID is ABCDEFG.

Now, Bob comes along, exploits google.com and steals Alice's cookies. He now injects her session ID (ABCDEFG), but, what happens? Google.com checks the database for an IP match, but, Bob's IP is not 23.23.23.23! Google.com won't let Bob login with that session ID, because his IP isn't correct.

Btw; the server can also check for user-agents, IP-range, you name it. IP is most frequently used though.



img507.imageshack.us/img507/3580/spynewsig3il1.png
"The chowner of property." - Zeph
[small]
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
[/s
http://bitsofspy.net
Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 17:49
@SamTHG - Its because you dont know php (its a very simple job), or your XSS isnt propperly formatted.

@spyware - Thanks, I didn't realize more than the session ID was stored.


Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 21:58
Yea that's good to know. So could you root Alice's computer and use it as a proxy and inject the cookie. Because the cookie is in the database would it be reused? I don't see why a cookie would be reused unless if it were authenticate by the IP, which it would be. And then the cookie changes every so often.



Author

RE: Injecting session cookies


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-09-08 22:02
chronicburst wrote:
Yea that's good to know. So could you root Alice's computer and use it as a proxy and inject the cookie. Because the cookie is in the database would it be reused? I don't see why a cookie would be reused unless if it were authenticate by the IP, which it would be. And then the cookie changes every so often.


Why would you go through that trouble? If you rooted them, you could just sniff the traffic and get their UN/PW.
Page 1 of 2 1 2 >