Thursday, May 14, 2009

Command Line API for jsunpack

Thanks Jesse!
Yesterday, he sent me this script, which takes URLs as parameters and prints the decoding as output. The "api" script skips HTML escaping whenever the User-Agent is "jsunpack" and the parameter "apikey=exploitme" is set; the two conditions are there to prevent accidental access to a malicious page.

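#!/usr/bin/perl -w
use strict;
use CGI;                      # CGI::escape URL-encodes the target URL
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Request::Common;

# jsunpack API endpoint; the target URL is appended as the "url" parameter
my $unpackurl = 'http://jsunpack.jeek.org/dec/api?url=';
# Sent together with the "jsunpack" User-Agent to get unescaped output
my $apikey = '&apikey=exploitme';

my $ua = LWP::UserAgent->new;
$ua->agent("jsunpack");

# Submit each URL given on the command line and print its decoding
for my $url (@ARGV) {
    my $req = HTTP::Request->new( GET => ($unpackurl . CGI::escape($url) . $apikey) );
    my $res = $ua->request($req);

    if ($res->is_success) {
        print $res->content;
    }
    else {
        # Report the HTTP status line when the request fails
        print "\n\n" . "Failed to fetch remote file" . "\n\n";
        print "jsunpack" . "\n" . $res->status_line, "\n";
    }
}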


One feature that would improve this script is the ability to POST the contents of a local file. Does anyone feel like doing some scripting to extend this?
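The gate described at the top of the post (no HTML escaping for the "jsunpack" User-Agent with "apikey=exploitme"), sketched as an added example; this is not jsunpack's own code or Jesse's script. It assumes every other request gets HTML-escaped output, and the function names and sample requests are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical server-side sketch of the gate described in the post; the real
# jsunpack handler is not shown on this page.
my $API_AGENT = 'jsunpack';     # User-Agent value from the post
my $API_KEY   = 'exploitme';    # apikey value from the post

# Minimal HTML escaping so decoded script is displayed as text, not executed.
sub escape_html {
    my ($text) = @_;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Pull one parameter out of a raw query string (percent-decoding omitted
# because the constructed samples below do not need it).
sub query_param {
    my ($query, $name) = @_;
    for my $pair (split /[&;]/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        return $v if defined $k && $k eq $name;
    }
    return;
}

# Raw output only when BOTH conditions hold; every other caller gets escaped text.
sub render_decoding {
    my ($user_agent, $query, $decoded) = @_;
    my $key = query_param($query, 'apikey');
    my $is_api_client = defined $user_agent && $user_agent eq $API_AGENT
                     && defined $key        && $key eq $API_KEY;
    return $is_api_client ? $decoded : escape_html($decoded);
}

# Constructed sample: harmless stand-in for decoded page content.
my $decoded  = '<script>document.write("decoded")</script>';
my @requests = (
    ['Mozilla/5.0', 'url=http%3A%2F%2Fexample.test%2F&apikey=exploitme'],
    ['jsunpack',    'url=http%3A%2F%2Fexample.test%2F'],
    ['jsunpack',    'url=http%3A%2F%2Fexample.test%2F&apikey=exploitme'],
);
for my $r (@requests) {
    my ($ua, $qs) = @$r;
    printf "%-12s %s\n  -> %s\n", $ua, $qs, render_decoding($ua, $qs, $decoded);
}
```

Because the key is published in the post, the gate works as a safety interlock that keeps a browser from rendering decoded content, not as access control.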
