pwndrop's People

Contributors

kgretzky

pwndrop's Issues

Listen to all interfaces

Hi Kgretzky - great tool, thanks a lot!
Quick question - pwndrop does not seem to allow listening to all interfaces 0.0.0.0.
Is this by design?
Thanks

Slow to load when there's no Internet

I'm using PwnDrop in a lab environment with no Internet connection. When I start PwnDrop it takes around 30 seconds for the webpage to load because it's trying to access fonts.googleapis.com. Is there a way to disable this lookup?

other language file name 400 bad request

Hi ~

I upload files in different languages. I'm done uploading.
If you check the link to the http file, 400 bad request errors will occur. Is there a solution?

Not downloading *.exe as it should

Chrome and other browsers are not initiating an automatic download when the shared link is clicked. Instead, they ask whether to download and save the file.

I've tried different MIME types:

application/x-msdownload
application/octet-stream
application/x-ms-dos-executable

File size limits

I tried to upload files but most "bigger" ones failed. A couple hundred byte file size is okay but above ~30MB it starts the upload and the entry just disappears. Firefox 75/MacOS. I didn't do rigorous testing, maybe it's a problem on my end, was curious if this is a known limitation or case-by-case.

Reverse Proxy/CloudFlare issues 502 Error. REF ISSUE #17

Here is the answer to the douchebag from Issue #17. No thanks to that toolbag I figured it out. If you are getting 502 from CloudFlare when reverse proxying here is the fix.

To get Pwndrop to work in Unraid with a reverse proxy in SWAG using CloudFlare, set up a custom template within SWAG with the private 172.x.x.x port and not the LAN 192.x.x.x port for Pwndrop. If you get error 502 Bad Gateway, make sure the port is correct!

Feature request: Payload Encryption/Transformation

Creating encrypted/encoded payloads to get through filtering proxies can be daunting. It would be nice if the server could do this by itself, preferably even providing matching decoder stubs (PS, certutil, etc.) when possible.

Question: Do you have a donation link?

Hi, I'm one of the linuxserver.io team members. We publish and maintain a variety of docker containers and have over 9 Billion pulls on Docker Hub. Here's a list of our currently maintained images: https://fleet.linuxserver.io/

We recently came across your project and several team members got very excited. It is very cool and we love the simplicity.

We're thinking about publishing a multi-arch docker image for pwndrop and were wondering if you have a donation link. If so, please let us know and we'll display it in the Github Sponsor button, as well as the container logs.

Anyways, here's the link to the proof of concept image (currently x86 only for testing): https://github.com/linuxserver/docker-pwndrop/tree/initial
The dev image is pushed to docker hub at lsiodev/pwndrop

EDIT: since opening this issue we switched to multi-arch images and support x86_64, arm32v7 and arm64v8

Docker image

Hello,
Will there be a Docker image available?

make install fails

make install target attempts to stop a currently running instance, fails if there is not an instance running.

TLS private key not found

[war] certificate: TLS private key not found at: /usr/local/pwndrop/data/private.key

Can I get some help please?

DNS Listen IP

When deployed with a private IP address and using a public IP to NAT it is not possible to use the nameserver feature.

Is it possible to have the listen IP set to the private IP so it can bind to the ports, but have an option for the DNS response IP set to the public NAT IP?

Currently, when using the private IP as the listen IP and using NAT, the DNS server replies with the private listen IP in the DNS response.

No longer being maintained?

I noticed this project hasn't received any commits since 2020, however people are still opening issues. Is this project no longer maintained or will you be picking back up on this project in the future? If not, I would love to contribute to this project and keep it maintained.

Feature Request : Ability to change port on which DNS server listens

Similar to how there are directives in the pwndrop.ini file for changing the HTTP and HTTPS ports, it would be nice if there was such an option for changing the DNS port.

Apart from offering more flexibility, there is another advantage to this. I'm trying to build a Docker image in which the processes (mainly pwndrop) are run as an unprivileged user (for security purposes).

Since the port on which the DNS server listens is hard-coded to a privileged port (53), there is no possibility to change it without changing the value in the /core/nameserver.go file as shown below:

func NewNameserver(ch_exit *chan bool) (*Nameserver, error) {
	// ... [truncated]

	listen_ip := Cfg.GetListenIP()
	dns_host := fmt.Sprintf("%s:%d", listen_ip, 5353)

	// ... [truncated]
}

Since a process started by a non-root user cannot be bound to a privileged port (<1024), it would be convenient if the ability to change the port on which the DNS server listens would be provided. Thanks!

Getting 404 / 302 errors when trying to download files using HEAD / OPTIONS verb

Encountered this when trying to insert an image in a phishing payload. Pwndrop doesn't like the HEAD / OPTIONS verb, and ends up returning a 404 / 302 error.

To replicate:

Host an image on pwndrop.

Create a new Excel document. Go to Insert -> Image (Local), then type the URL into the file name field, click the drop-down and click 'insert and link'.

In the logs of pwndrop, you can see that the requests come with OPTIONS and HEAD verbs and return a 404 / 302 error.

This is useful for tracking payloads to see if users open them or not.

Would be a nice additional feature to track users.

exec format error

Can it work on Kali NetHunter? During make install I get this error:

** stopping pwndrop
./build/pwndrop: 1: Syntax error: "|" unexpected
make: [Makefile:21: install] Error 2 (ignored)
*** installing and starting pwndrop
/bin/sh: 1: ./build/pwndrop: Exec format error
make: *** [Makefile:23: install] Error 2

Implementation of Blocked IP's

Would there be any interest in adding a feature to add an IP block list that would serve the facade file instead of the true payload based on IP address? Something similar to https://github.com/violentlydave/mkhtaccess_red ?

This would be useful to evade sandboxing. You can do this already if you have an Apache server sitting in front of pwndrop, so you can block it via .htaccess file.

sharex

Is there a config for ShareX?

SSL

Let's Encrypt doesn't work.

Feature Request: Support more users + logging

Awesome stuff! It would be better if I could share the server with my team without all of us using the same account. Also, with that, logging would be very beneficial.

Thanks and keep up the great work!

Build source under Windows

Hi there. I've tried to build from source under Windows with the command "go install" (go version go1.14.2). I can generate the binaries and can start it, but it doesn't seem to work correctly. The only thing which is working is the redirect: the default one is this one (https://www.youtube.com/watch?v=oHg5SJYRHA0). But the admin page doesn't show up, even if I specify a custom secret path in the ini configuration file. Another thing is that every time I start the exe, it wipes everything inside the ini which is under [setup].

Issue with Upload button in Palemoon browser

Hi, I have an issue using the Palemoon browser. The "Upload" button does not work.
No issue with other browsers.

Tried to ask support on the Palemoon forum and they told me that for:

Upload

--> can't be inside , that's the issue. Should use a

styled to look like a button instead.

Would it be possible to fix this?

Thanks!

Can't set up a reverse proxy?

I have been trying to get this to work behind a reverse proxy without much success. Is this not currently supported?

Help please...

I'm a newbie to all of this, so please excuse my lack of knowledge.
I have set up pwndrop according to the instructions and it's working perfectly.
My question is: instead of redirecting to a URL in case of unsuccessful authorization, can I redirect to a local HTML webpage?

Upload files issue in firefox

When I use Firefox, I click upload, the website will change to https://domain.com/?#/ (it should be https://domain.com/#/). At this time, I cannot upload files after selecting them. I can only upload the file by clicking upload again. I don't have this problem in Chrome.

Feature request: Curl/scp

Fantastic work!

Suggestion: Enable optional curl/scp upload/download (along with a complete curl/scp command for ease of use). That would enable better/easier use from commandline.

Thanks again! :)

sudo make install: Permission denied

I was trying to install pwndrop on a Raspberry Pi 4B, and since there's no designated way to download it to this version, I was building from source. When running the command "sudo make install" this error was thrown:

stopping pwndrop
make: execvp: ./build/pwndrop: Permission denied
make: [Makefile:21: install] Error 127

All this is executed on the Desktop, so no external device.

issues with azure vm

I'm currently facing issues using this in an Azure virtual instance running Ubuntu. All installation was done correctly (except I am missing some requirements). The problem is that accessing it via browser doesn't work. I have even tried installing the Docker way.

I get this on both 0.0.0/pwndrop and 0.0.0:8080/pwndrop.

I have also opened port 8080 in Azure networking. Kindly test on your end, let's fix this.

local host url

Am I tripping or something? I've read this git up and down and can't find the web UI for this. I got the rick roll one but I can't find the web UI.

Wrong links for file names with national characters

Prebuilt version 1.0.1 does not work properly with national characters.

  1. Create file žluťoučký.txt and upload it.
  2. Click HTTP button to copy link to clipboard, open new tab and open the link
  3. But link with national characters works as expected

WebDAV button has the same issue.

Feature Request: Logging

It would be good to see the logging for each file that is requested, and also have a master log that writes to a file.

It would also be cool if you can click on the file, and it can show a summary of the geographical locations where it has been requested and the hotspots.

Would be good if you can search accesses by IP too.

change cert

Hi,

I guess it's a feature request, asking how to select your own cert for HTTPS instead of the self-signed one.

gbwplg. ts

nx
jdkf

jfkcks https://github.com/kgretzky/pwndrop/blob/385ba70248fa234e27cdb7ccf1745233a2f6b9f0/api/files.go#L19

Possible to add support for chunked uploads?

CloudFlare has file upload limits, 100MB for the free plan, up to 500MB for the enterprise plan.
So support for chunked uploads, if possible, would be very nice. Now I'm limited to 100MB unless I expose my IP by turning off the proxy.

Issue: Can't define a custom location for the admin folder

If I define a custom location for admin in the ini, a location other than next to the binary, the server starts, but there are no admin files generated in the custom location and thus no access to web gui.

One question I have is, does the admin folder contain any files or folders that need to be persistent?

The reason I'm asking is because in a docker setting, the container is ephemeral. So any data that needs to persist, we save to a folder that is mapped (or symlinked). If there are no files in admin that need to persist, I won't worry about it.

Thanks

EDIT: Since opening this issue, we switched to multi-arch images and are now compiling from source. I see that the makefile copies the admin folder contents, so we followed suit. We'll keep the admin folder inside the container and it will be updated along with the binary.

That would be great if you can confirm that the admin folder contents are all ephemeral. Thanks
