🚨 Fresh Session Cookie Exploit - Admin Panel

Sessions Captured: 3
🕒 2025-12-17T23:47:08.415046
URL: http://q.marc-julian.com/collect
Referer:
IP: 172.22.0.1
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0
🔍 Browser Data:
{
  "cookies": "",
  "localStorage": null,
  "referrer": "",
  "sessionStorage": null,
  "timestamp": "2025-12-17T23:47:08.399Z",
  "url": "https://q.marc-julian.com/collect",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0"
}
🕒 2025-12-17T23:47:34.308087
URL: http://q.marc-julian.com/collect
Referer:
IP: 172.22.0.1
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0
💀 STOLEN CREDENTIALS:
{
  "email": "x@x.de",
  "password": "asc",
  "timestamp": "2025-12-17T23:47:55.288752"
}
🔍 Browser Data:
{
  "cookies": "",
  "localStorage": null,
  "referrer": "",
  "sessionStorage": null,
  "timestamp": "2025-12-17T23:47:34.298Z",
  "url": "https://q.marc-julian.com/collect",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0"
}
🕒 2025-12-18T00:21:13.389079
URL: http://q.marc-julian.com/collect
Referer:
IP: 172.22.0.1
User Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.3; +https://openai.com/gptbot)

🎯 How this exploit works:

  1. Attacker sends victim a crafted login URL with malicious returnUrl parameter
  2. Victim clicks the link and goes through OAuth login flow
  3. After successful login, victim is redirected to attacker's server
  4. Fresh session cookie is captured along with credentials if entered
  5. Attacker can now impersonate the victim with full privileges