【开源】小学生编程实现多用户Cookie注入，并通过web管理Cookie

蛋蛋蛋蛋小蛋蛋

前已有贴，谓前帖而改

【开源】谷歌cookie注入插件改写，实现cookie保存到服务器 https://www.52pojie.cn/thread-1721819-1-1.html

链接: https://pan.baidu.com/s/1oWcoeLFwn5XE7U9n4E9PFQ?pwd=52pj 提取码: 52pj 复制这段内容后打开百度网盘手机App，操作更方便哦  ←数据库在此

2024.04.28改：美化之，请诸君使用上方网盘下载，下面附件缺少sql文件，盘中有优化后的文件

吾名小学生，次称吾为生

生以为，诸君雄强，强于生，远甚

故生对代码不多述，请诸君观之，多加建言，生必感激涕零

生在前贴基上，加以改进，增多用户注册和登录，以文本之存变为数据库存放，由token进行认证

图片:

其文件有八：

其一: ck.php 以作插件Ajax接收cookie之用

[PHP] 纯文本查看 复制代码

<?phprequire 'config.php';  

header('Content-Type: application/json');

$postData = file_get_contents("php://input");
$data = json_decode($postData, true);

$url = $data['url'];
$encodedCookies = $data['cookies'];
$token = $data['token'];
$domain = parse_url($url, PHP_URL_HOST);  // 提取 URL 的域名部分

// 解码 cookies
$cookies = base64_decode($encodedCookies);

// 使用 PDO 连接数据库
try {
    $pdo = new PDO("mysql:host=".DB_HOST.";dbname=".DB_NAME, DB_USER, DB_PASSWORD);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // 检查 token 并找到对应的用户
    $stmt = $pdo->prepare("SELECT id FROM users WHERE token = :token");
    $stmt->bindParam(':token', $token);
    $stmt->execute();
    $user = $stmt->fetch();

    if ($user) {
        $userId = $user['id'];
        // 检查是否存在相同域名的 cookie
        $stmt = $pdo->prepare("SELECT id FROM user_cookies WHERE user_id = :user_id AND url LIKE :domain");
        $domainLike = "%$domain%";
        $stmt->bindParam(':user_id', $userId);
        $stmt->bindParam(':domain', $domainLike);
        $stmt->execute();
        $existingCookie = $stmt->fetch();

        if ($existingCookie) {
            // 更新现有的 cookie 记录
            $stmt = $pdo->prepare("UPDATE user_cookies SET cookies = :cookies WHERE id = :id");
            $stmt->bindParam(':cookies', $cookies);
            $stmt->bindParam(':id', $existingCookie['id']);
            $stmt->execute();
            echo json_encode(['status' => 'success', 'message' => 'Cookies updated successfully']);
        } else {
            // 插入新的 cookie 记录
            $stmt = $pdo->prepare("INSERT INTO user_cookies (user_id, url, cookies) VALUES (:user_id, :url, :cookies)");
            $stmt->bindParam(':user_id', $userId);
            $stmt->bindParam(':url', $url);
            $stmt->bindParam(':cookies', $cookies);
            $stmt->execute();
            echo json_encode(['status' => 'success', 'message' => 'New cookies saved successfully']);
        }
    } else {
        echo json_encode(['status' => 'error', 'message' => 'Invalid token']);
    }
} catch (PDOException $e) {
    echo json_encode(['status' => 'error', 'message' => 'Database error: ' . $e->getMessage()]);
}
?>

其二: config.php 生以为无需多言

其三: index.php

[PHP] 纯文本查看 复制代码

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>User Cookies Management</title>
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.5/dist/css/bootstrap.min.css" rel="stylesheet">
</head>
<body>
    <div class="container mt-5">
        <h1 class="mb-4">User Cookies Management</h1>
        
        <div class="row">
            <div class="col-md-6">
                <h2>Register</h2>
                <form method="post" action="register.php">
                    <input type="text" name="username" placeholder="Username" class="form-control mb-2" required>
                    <button type="submit" class="btn btn-primary">Register</button>
                </form>
            </div>
            <div class="col-md-6">
                <h2>Login</h2>
                <form method="post" action="login.php">
                    <input type="text" name="username" placeholder="Username" class="form-control mb-2" required>
                    <input type="text" name="token" placeholder="Token" class="form-control mb-2" required>
                    <button type="submit" class="btn btn-success">Login</button>
                </form>
            </div>
        </div>

    
       
    </div>

    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.0.5/dist/js/bootstrap.bundle.min.js"></script>
</body>
</html>

其四: login.php

[PHP] 纯文本查看 复制代码

<?php
session_start();
require 'config.php';

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $username = $_POST['username'] ?? '';
    $token = $_POST['token'] ?? '';

    try {
        $pdo = new PDO("mysql:host=" . DB_HOST . ";dbname=" . DB_NAME, DB_USER, DB_PASSWORD);
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        $stmt = $pdo->prepare("SELECT id FROM users WHERE username = :username AND token = :token");
        $stmt->bindParam(':username', $username);
        $stmt->bindParam(':token', $token);
        $stmt->execute();
        $user = $stmt->fetch();

        if ($user) {
            $_SESSION['user_id'] = $user['id'];
            $_SESSION['username'] = $username;
            $_SESSION['token'] = $token;
            header("Location: manage_cookies.php");
            exit;
        } else {
            echo "Login failed: Invalid username or token.";
        }
    } catch (PDOException $e) {
        die("Error: " . $e->getMessage());
    }
} else {
    echo "Invalid request method.";
}
?>

其五 register.php

[PHP] 纯文本查看 复制代码

<?php
session_start();
require 'config.php';

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $username = $_POST['username'] ?? '';

    try {
        $pdo = new PDO("mysql:host=" . DB_HOST . ";dbname=" . DB_NAME, DB_USER, DB_PASSWORD);
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        // 检查用户名是否已存在
        $stmt = $pdo->prepare("SELECT id FROM users WHERE username = :username");
        $stmt->bindParam(':username', $username);
        $stmt->execute();

        if ($stmt->rowCount() > 0) {
            echo "Registration failed: Username already exists.";
        } else {
            $token = bin2hex(random_bytes(16));  // 生成一个随机 token
            $stmt = $pdo->prepare("INSERT INTO users (username, token) VALUES (:username, :token)");
            $stmt->bindParam(':username', $username);
            $stmt->bindParam(':token', $token);
            $stmt->execute();

            // 设置用户 session
            $_SESSION['user_id'] = $pdo->lastInsertId();
            $_SESSION['username'] = $username;
            $_SESSION['token'] = $token;

            
            header("Location: manage_cookies.php");
            exit;
        }
    } catch (PDOException $e) {
        die("Error: " . $e->getMessage());
    }
} else {
    echo "Invalid request method.";
}
?>

其六:  mange_cookies.php 生以为，此为核心

[Asm] 纯文本查看 复制代码

<?php
session_start();
if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

require 'config.php';
$message = '';

if (!isset($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['new_token'], $_POST['csrf_token'])) {
    if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
        $message = "CSRF token mismatch.";
    } else {
        $newToken = $_POST['new_token']; 

        try {
            $pdo = new PDO("mysql:host=" . DB_HOST . ";dbname=" . DB_NAME, DB_USER, DB_PASSWORD);
            $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

            $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE token = :newToken");
            $stmt->bindParam(':newToken', $newToken);
            $stmt->execute();
            if ($stmt->fetchColumn() > 0) {
                $message = "Token update failed: Token already in use.";
            } else {
            
                $stmt = $pdo->prepare("UPDATE users SET token = :newToken WHERE id = :user_id");
                $stmt->bindParam(':newToken', $newToken);
                $stmt->bindParam(':user_id', $_SESSION['user_id']);
                $stmt->execute();

                $_SESSION['token'] = $newToken; 
                $message = "Token updated successfully!";
            }
        } catch (PDOException $e) {
            $message = "Error updating token: " . $e->getMessage();
        }
    }
}

try {
    $pdo = new PDO("mysql:host=" . DB_HOST . ";dbname=" . DB_NAME, DB_USER, DB_PASSWORD);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $stmt = $pdo->prepare("SELECT * FROM user_cookies WHERE user_id = :user_id");
    $stmt->bindParam(':user_id', $_SESSION['user_id']);
    $stmt->execute();
    $cookies = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    die("Database error: " . $e->getMessage());
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Manage Cookies</title>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css">
</head>
<body>
<div class="container mt-5">
    <h1>Cookie Management Dashboard</h1>
    <p>Welcome, <?php echo htmlspecialchars($_SESSION['username']); ?></p>
    <p>Current token: <?php echo htmlspecialchars($_SESSION['token']); ?></p>
    <p><?php echo $message; ?></p>
    
    <form method="post">
        <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
        <input type="text" name="new_token" required placeholder="Enter new token" class="form-control mb-3">
        <button type="submit" class="btn btn-primary">Update Token</button>
    </form>

    <form class="d-flex mb-3" method="get">
        <input class="form-control me-2" type="search" name="search" placeholder="Search by URL" aria-label="Search">
        <button class="btn btn-outline-success" type="submit">Search</button>
    </form>
    
<div class="table-responsive">
    <table class="table">
        <thead>
            <tr>
                <th scope="col">#</th>
                <th scope="col">URL</th>
                <th scope="col">Cookies</th>
                <th scope="col">Actions</th>
            </tr>
        </thead>
        <tbody>
            <?php foreach ($cookies as $cookie): ?>
            <tr>
                <td><?php echo htmlspecialchars($cookie['id']); ?></td>
                <td><?php echo htmlspecialchars($cookie['url']); ?></td>
                <td>
                    <div style="position: relative;">
                        <span style="overflow: hidden; display: inline-block; max-width: 300px; text-overflow: ellipsis;"><?php echo htmlspecialchars($cookie['cookies']); ?></span>
                        <button class="btn btn-sm btn-secondary" style="position: absolute; top: 0; right: 0;">Copy</button>
                    </div>
                </td>
                <td>
                    <!-- <a href="edit_cookie.php?id=<?php echo $cookie['id']; ?>" class="btn btn-sm btn-primary">Edit</a> -->
                    <a href="delete_cookie.php?id=<?php echo $cookie['id']; ?>" class="btn btn-sm btn-danger">Delete</a>
                </td>
            </tr>
            <?php endforeach; ?>
        </tbody>
    </table>
</div>

<script>
    function copyToClipboard(text) {
        navigator.clipboard.writeText(text)
            .then(() => {
                alert("Copied to clipboard!");
            })
            .catch((error) => {
                console.error("Unable to copy to clipboard:", error);
            });
    }
</script>
</body>
</html>

其七: search.php 寻其domian，以助诸君之便

[Asm] 纯文本查看 复制代码

<?php
require 'config.php';
$search = $_GET['search'] ?? '';  // 获取搜索关键词

try {
    $pdo = new PDO("mysql:host=".DB_HOST.";dbname=".DB_NAME, DB_USER, DB_PASSWORD);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $stmt = $pdo->prepare("SELECT * FROM user_cookies WHERE url LIKE ?");
    $stmt->execute(["%$search%"]);
    $cookies = $stmt->fetchAll(PDO::FETCH_ASSOC);

    foreach ($cookies as $cookie) {
        echo "<tr>
                <td>{$cookie['id']}</td>
                <td>{$cookie['url']}</td>
                <td>{$cookie['cookies']}</td>
                <td>
                    <button class='btn btn-danger'>Delete</button>
                    <button class='btn btn-secondary'>Edit</button>
                </td>
              </tr>";
    }
} catch (PDOException $e) {
    echo "Error: " . $e->getMessage();
}
?>

其八: delete_cookie.php

[Asm] 纯文本查看 复制代码

<?php
session_start();
if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

require 'config.php';

if ($_SERVER['REQUEST_METHOD'] == 'GET' && isset($_GET['id'])) {
    $cookieId = $_GET['id'];
    try {
        $pdo = new PDO("mysql:host=" . DB_HOST . ";dbname=" . DB_NAME, DB_USER, DB_PASSWORD);
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        $stmt = $pdo->prepare("DELETE FROM user_cookies WHERE id = :id AND user_id = :user_id");
        $stmt->bindParam(':id', $cookieId);
        $stmt->bindParam(':user_id', $_SESSION['user_id']);
        $stmt->execute();

        header("Location: manage_cookies.php"); 
        exit;
    } catch (PDOException $e) {
        die("Error: " . $e->getMessage());
    }
}

插件代码请诸君移步 https://www.52pojie.cn/thread-1721819-1-1.html




生虽以注册时长久远，但水平依旧年幼，望各位前辈不吝妙言。

如有违规，请管理员删之。

wari01

阁下真乃年少有志也。闻君谦虚，自知学识尚浅，实乃难得。

对于代码之道，虽言不多，但亦可见其用心。吾观之，虽有不足之处，然亦有其可圈可点之处。

愿与汝共学共进，相互勉励，以求代码之道日益精进。

期待汝之成长，共赴编程之路，再创辉煌！

爱飞的猫

简单看了下：

1. 数据库操作使用的是 prepared statement 而非直接拼接 SQL 语句，已经比很多人的代码要安全一些了；
2. 删除请求可以使用 DELETE 操作 (不推荐使用 GET 请求)，更新数据则可以使用 PATCH 操作提交 (后半部分则是有点鸡蛋里挑骨头了)。
3. 后台主页看起来是有进行 CSRF 令牌验证，但是其他接口如修改和删除却没有。
   • 例如我可以生成一个包含很多指向 /delete_cookie.php?id=<从1开始的数字> 的图片的网页，并诱导用户访问；如果该用户已经登陆，则可造成批量删除大量该用户存储的 Cookie。
4. manage_cookies.php 有对从数据库拉去的数据进行转义处理，但是在 search.php 却漏掉了。有潜在的 XSS 风险，但是如果是自用的话问题也不大。
5. 源码未包含数据库定义（database schema）或自动迁移脚本（database migration）。前者可以使用工具导出，后者可能需要利用 PHP 框架来处理了。

如果有兴趣，也可以提交到在线 Git 仓库，来记录各个版本之间的更改。例如 gitee 或 GitHub。

蛋蛋蛋蛋小蛋蛋

爱飞的猫 发表于 2024-4-29 06:10
[md]简单看了下：

1. 数据库操作使用的是 prepared statement 而非直接拼接 SQL 语句，已经比很多人的代 ...

感谢贤之善言，生无以为报
然生接先生之训，继而自省
1.token使用明文传输
2.写入数据库之前没有进行加密，cookie可以在数据库被查看
3.页面不美观
其他接口没有csrftoken验证是因为 接口准备都写在管理页面，然后不知道美化从何处下手，就导致了这个问题出现
目前上传到了github，不过数据库我是属实忘记了

uuuwan

感谢分享~

ztqddj007

这算小学生 那我幼儿园都还没上

不负韶华

现在的孩子条件真的好，我00年的，想当初，，初三时候微机课才第一次碰电脑，连复制粘贴我都不会

Ybushu

学习学习，点赞

Ybushu

少年之姿，国家之态。健康茁壮成长，这才是我们的少年！

fzkfqzz

学习学习，点赞