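package Email::SpoofingDemo::API::Attacker;

# HTTP front end of the spoofing demo. Each route runs the helper script
# named in $SCRIPT and returns the JSON document the script prints.
use Dancer2;    # also turns on strict and warnings for this package

our $VERSION = '0.1';

# Absolute path of the helper that does the actual work. Only this fixed
# path is ever executed; request data reaches it as argv values only.
my $SCRIPT = '/home/attaquant/scripts/send_email.py';

# NOTE(review): no authentication or authorization check is visible in this
# file, so every client that can reach the listener can trigger /spoof.
# Confirm that access is restricted elsewhere (bind address, reverse proxy,
# firewall rule).

# Returns true when $value can be handed to the helper script as the value
# of a command-line option.
#
# The list form of open() in run_script() already keeps the shell out of
# the picture, but two problems remain for request-supplied values:
#   * a leading '-' could be read by the script's option parser as another
#     option instead of a value;
#   * control characters (CR, LF, NUL, ...) have no place in a template
#     name or a HELO name and could break the line-based protocol the
#     HELO value is presumably written into -- the script is not visible
#     here, confirm.
sub _is_safe_arg {
    my ($value) = @_;

    return 0 if not defined $value;
    return 0 if ref $value;                      # structured body value
    return 0 if $value =~ m{\A-};                # would parse as an option
    return 0 if $value =~ m{[\x00-\x1F\x7F]};    # control characters
    return 1;
}

# Runs $SCRIPT with '--non-interactive' followed by the given arguments,
# reads everything it prints on stdout and returns the decoded JSON.
#
# Dies when the script cannot be started, when it exits with a non-zero
# code or when it is terminated by a signal. The script's own output is
# used as the error text when there is any, as before.
sub run_script {
    my @script_args = @_;

    # List form: the arguments are passed to exec directly, no shell.
    open(my $fh, '-|', $SCRIPT, '--non-interactive', @script_args)
        or die "$SCRIPT: $!";

    my $json = do { local $/ = undef; <$fh> };

    # close() on a piped handle waits for the child and fills in $?.
    close($fh);
    my $wait_status = $?;

    # The whole wait status is tested, not only the exit code: a child
    # killed by a signal has exit code 0 in the high byte and used to be
    # treated as a success, with its truncated output passed to from_json.
    if ($wait_status != 0) {
        die $json if defined $json and length $json;
        die sprintf "%s failed (exit code %d, signal %d)\n",
            $SCRIPT, $wait_status >> 8, $wait_status & 127;
    }

    return from_json($json);
}

get '/' => sub {
    return "Welcome";
};

# Returns the configuration reported by the helper script.
get '/config' => sub {
    return run_script('--get-config');
};

# Body parameters:
#   scenario           (required) template name, passed as --template
#   helo               (optional) passed as --helo
#   replace_mail_from  (optional) any true value adds
#                      --replace-rfc5321-mail-from
post '/spoof' => sub {
    my $params   = body_parameters;
    my $scenario = $params->{'scenario'};
    my $helo     = $params->{'helo'};

    if (not defined $scenario) {
        status 400;
        return "Need a scenario name";
    }

    # Both values come straight from the request body and end up on the
    # helper's command line, so they are checked before use.
    # NOTE(review): if the script resolves --template to a file path, also
    # restrict $scenario to the known template names -- confirm against
    # send_email.py.
    if (not _is_safe_arg($scenario)) {
        status 400;
        return "Invalid scenario name";
    }

    my @args = ('--template', $scenario);

    if (defined $helo) {
        if (not _is_safe_arg($helo)) {
            status 400;
            return "Invalid HELO value";
        }
        push @args, ('--helo', $helo);
    }

    if ($params->{'replace_mail_from'}) {
        push @args, ('--replace-rfc5321-mail-from');
    }

    return run_script(@args);
};

# Catch-all for every path and method not handled above.
any qr{.*} => sub {
    status 'not_found';
    return "Invalid route";
};

dance;

true;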