CyberGuerrilla 2013
 Vol.3--No.2013 | 9 Users Online
Thursday,Nov 21,2019 
By ro0ted avatar | June 2, 2013 - 04:40 | Posted in /b/ | Comments Off on #ro0ted #OpNewblood | Cookie Injections

#ro0ted #OpNewblood | Cookie Injections

Every website transmits what are called Web cookies. These things are responsible for the authentication of web processes and for mantaining some informations flowing constantly. For example: When you log in a website with your username and password, cookies will be the responsible for keeping you logged in 🙂

 

Okay, so let’s go….
If you type in your url bar:
jalert(document.cookie)
great, you have found your cookies 🙂
time to change them….
let’s suppose you have a cookie named shit and it is false, then you can change them by simply applying some letters to your code:
jvoid(document.cookie=”shit=true”)
great, you have edited it 🙂 every time you log in, the value for shit will be true 🙂
Now let’s use that information in more realistic aspects… You get to know of one SQL value and after some hours of study you discover that it is an md5 hash and that it is the admin’s password. Your have two options… Either bruteforcing the hash to get to know which is the password, or you can simply inject the value for the cookies, which is much easier and faster. The hash in this case is the encryption for world, but let’s suppose it is something much more difficult to discover:
7d793037a0760186574b0282f2f435e7 —-> The Hash!!!
jvoid(document.cookie=”user=admin”)
and
jvoid(document.cookie=”password=7d793037a0760186574b0282f2f435e7″)
Congrats! You’re in with full admin power xD
BKhI3ZeCcAAfGET
(Visited 1 times, 1 visits today)


  • You can follow any responses to this entry through the RSS 2.0 feed.
  • Both comments and pings are currently closed.

Comments are closed.

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

nonymous. Whoever you are, we are ungovernable!
> =[]= This site is run by cyberguerrilla, your friendly anonymous autonomous tech collective since 2010 =[]= This the past that can NOT be changed! <