WHERE TO START

Posted: Mon Apr 21, 2008 5:13 pm
by usernamenotused
I have already written a topic on this thread, but obviously it was too spoilery. Guess that I was trying to help the noobs a bit too much ;) Sorry fellas. Now, I have got some people asking me what to do... I say that this small hint might be enough for those of you looking for a way to go, without being a spoiler. When you have user information kept in cookies, you can view them using
Code:
javascript:alert(document.cookies)
Now, you want to log in as the administrator (rconnor's boss) and access the pay page. So, you need to change the information in the cookie from rconnor's login information to his boss's. Who stole the cookies from the cookie jar? Well, it better be you if you want to finish this realistic mish. 3 things here: 1. Google is your buddy, 2. freakwolfe is pretty good at stealing cookies from the cookie jar, 3. XSS is your other buddy.
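
Seen from the site owner's side, as an added example that is not part of the original post: the JavaScript below audits Set-Cookie header values and reports which cookies a page script could read through `document.cookie` and which lack the Secure or SameSite attributes. The header values, cookie names and function names are constructed for illustration.

```javascript
// Added example (not from the thread); sample headers and names are constructed.
const SAMPLE_SET_COOKIE = [
  "user=alice; Path=/",
  "role=staff; Path=/; Secure",
  "sid=3f9a0c7e; Path=/; HttpOnly; Secure; SameSite=Lax",
];

// Split one Set-Cookie value into name, value and a lowercase attribute map.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // nameless entries are skipped in this sketch
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// What document.cookie would expose: every cookie lacking HttpOnly.
// Simplification: path, domain and expiry matching are ignored.
function scriptVisible(lines) {
  return lines.map(parseSetCookie)
    .filter((c) => c && !c.attributes.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Report the protections each cookie is missing.
function audit(lines) {
  const findings = [];
  for (const c of lines.map(parseSetCookie)) {
    if (!c) continue;
    const a = c.attributes;
    const issues = [];
    if (!a.httponly) issues.push("readable by page scripts (no HttpOnly)");
    if (!a.secure) issues.push("sent over plain HTTP too (no Secure)");
    const ss = String(a.samesite || "").toLowerCase();
    if (ss !== "lax" && ss !== "strict") issues.push("SameSite not Lax/Strict");
    if (issues.length) findings.push({ cookie: c.name, issues });
  }
  return findings;
}

console.log(scriptVisible(SAMPLE_SET_COOKIE));
console.log(JSON.stringify(audit(SAMPLE_SET_COOKIE), null, 2));
```

HttpOnly only hides a cookie from scripts; a user can still edit their own cookies, so the server should keep identity and role in server-side session state keyed by a random identifier rather than trusting cookie contents.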

Re: WHERE TO START

Posted: Thu Apr 24, 2008 8:03 am
by sk8linkinhr
nice tutorial ;) ;)

Re: WHERE TO START

Posted: Thu Apr 24, 2008 8:09 am
by Robbinski12
actually it's
Code:
javascript:alert(document.cookie)

Re: WHERE TO START

Posted: Thu Apr 24, 2008 11:34 am
by Damascus2k8
Robbinski12 wrote: actually it's
Code:
javascript:alert(document.cookie)

or it could be
Code:
solved=download(FF & Add 'n' Edit Cookies)

:lol: :lol: :lol:

Re: WHERE TO START

Posted: Tue Apr 29, 2008 12:46 pm
by tehMurloc
I'm stuck =(

Might contain spoilers

I have successfully created a working cookie stealer (I tested it), but the problem is that I don't know how to use it. I think the point is to make the boss somehow visit the stealer site, but I'm not sure how to do that. I tried some techniques of sending some scripted mails, but I couldn't make it. I'm not sure if that is the right way, so some advice would be useful.
Thanks!

Re: WHERE TO START

Posted: Tue Apr 29, 2008 3:01 pm
by purple_pixie
When you tested it, did you test it with the JS to call the stealer, or just straight visiting the .php?

Re: WHERE TO START

Posted: Wed Apr 30, 2008 1:05 pm
by tehMurloc
purple_pixie wrote: When you tested it, did you test it with the JS to call the stealer, or just straight visiting the .php?

Yes, I used JS to call it.

Re: WHERE TO START

Posted: Wed Apr 30, 2008 6:23 pm
by c24lightning
tehMurloc wrote:
purple_pixie wrote: When you tested it, did you test it with the JS to call the stealer, or just straight visiting the .php?

Yes, I used JS to call it.

Are your variables correctly set up? Do you include the cookie(s) at the end of the URL using JS?

Re: WHERE TO START

Posted: Fri May 02, 2008 4:50 am
by pescador
I think I have the same problem as tehMurloc. When I call my script I receive my own cookie, so that seems to work. Now when I send it to a certain someone, nothing happens. Also, when I try to send a message to myself (I mean r-conner), I don't receive anything. Is that correct?

Re: WHERE TO START

Posted: Sun May 04, 2008 12:26 pm
by robi_petranovic
pescador wrote: I think I have the same problem as tehMurloc. When I call my script I receive my own cookie, so that seems to work. Now when I send it to a certain someone, nothing happens. Also, when I try to send a message to myself (I mean r-conner), I don't receive anything. Is that correct?

Yeah, same thing with me.... And I have tested it with my own cookies and it works....