# self-unzip.html
[](https://pypi.org/project/self-unzip-html/)
This [repo](https://github.com/six-two/self-unzip.html) contains tools to create self-extracting HTML pages.
It works by taking a payload, compressing it, and encoding the results using ASCII85.
It then puts the resulting string in a template file, that contains the code to decode and decompress the payload again.
Currently, there are multiple actions implemented, that can be executed, after the payload is decoded:
- `--download-link`: Download the payload as a file when clicking a button (example use case: bypass antivirus / filters)
- `--download-auto`: Automatically download the payload as a file when the page is opened (example use case: bypass antivirus / filters)
- `--driveby-redirect <REDIRECT_URL>`: Perform a drive-by download and redirect to the `REDIRECT_URL` (example use case: phishing)
- `--eval`: Execute payload as JavaScript code (example use case: obfuscate malicious JS code)
- `--replace`: Show payload as HTML page (example use case: compress a big web page)
- `--show-text`: Show payload as text (example use case: compress a big text file)
- `--copy-text`: Copy payload as text to the clipboard (example use case: download PowerShell script in remote browsing environment)
- `--copy-base64`: Copy payload as base64 encoded text and show commands that can be used to decode it (example use case: download executable file in remote browsing environment)
- `--custom <YOUR_JAVASCRIPT_CODE>`: This allows you to write your own action as JavaScript code
There are both a web and a python version. The web version is not actively developed anymore and very bare bones, but easy to use and requires no installation. The Python version has more features and is generally recommended.
## Feature comparison
Feature | Web version | Python version
---|---|---
Base64 encoding | no | yes
Ascii85 encoding | yes | yes
GZIP compression | yes, always | yes, can be disabled
AES-GCM encryption | no | yes
Automatic detection of most efficient algorithms | no | yes
Payload actions | download-link, eval, replace | all
## Python version
A Python script to generate self extracting web pages is under `python/main.py`.
It just requires a modern Python version (probably Python3.9+) and has no mandatory external dependencies.
But if you want to use the encryption feature, you need to install `pycryptodomex` with pip.
### Installation
You can install it with `pip` or docker.
#### pip
To install the latest release with encryption support:
```bash
python3 -m pip install -U self-unzip-html[all]
```
To install the latest release without encryption support:
```bash
python3 -m pip install -U self-unzip-html
```
If you want to have the bleeding edge version (`main` branch), you can clone the repository and run:
```bash
python3 -m pip install .
```
Example usage of the pip package:
```bash
self-unzip-html html --download-auto -o psexec.html -i PsExec.exe
```
#### Docker
You can use the image pushed to ghcr.io:
```bash
docker run --rm -v "$PWD:/share" ghcr.io/six-two/self-unzip-html html --download-auto -o psexec.html -i ./PsExec.exe
```
To use the bleeding edge version (`main` branch), you can build the `Dockerfile`:
```bash
docker build -t self-unzip-html .
```
Usage of docker image:
```bash
docker run --rm -v "$PWD:/share" self-unzip-html html --download-auto -o psexec.html -i ./PsExec.exe
```
### Usage
Do a basic HTML smuggling, that will show download link for an executable file:
```bash
self-unzip-html html --download-auto -o psexec.html -i PsExec.exe
```
Or if you wanted to password-protect the output:
```bash
self-unzip-html encrypted-html --download-auto -o psexec_encrypted.html -p YourPasswordHere -i PsExec.exe
```
Instead of HTML pages, you can also embed an HTML smuggling payload in an SVG file:
```bash
self-unzip-html svg -i PsExec.exe --download-auto -o psexec.svg
```
Please note that not all payload actions are available for SVGs due to technical limitations.
Use `self-unzip-html svg --help` to list supported actions.
You can show all flags with the `--help` flag and can see some example commands in `./test.sh`.
#### Phishing
If you want to use it for phishing (sending a download link to a malicious file), the `--driveby-redirect` is likely what you want. It starts a download and immediately redirects to any URL you choose, so that it looks like the other site started the download:
Just search for a "thank you for downloading" page that does not start a download. There are many of them for software like Skype, AnyDesk, etc. Then rename your payload file to something a visitor of the download page would expect and create the HTML smuggling page:
```bash
self-unzip-html html -i AnyDesk.exe -o anydesk-download.html --driveby-redirect https://anydesk.com/en/downloads/guide/thank-you --obscure-action
```
Host that HTML file on your server and link to it in your emails.
#### Encryption
Encryption uses AES-GCM for encryption and tamper detection and PBKDF2 with slightly over 1 million rounds of SHA-256 for password derivation.
The code has not been audited, so use it with caution.
If data security is very important to you may want to manually encrypt it beforehand (for example using `gpg`).
You can automatically decrypt a page by adding the password as the hash in a URL like `encrypted.html#monkey123!`.
The hash will not be sent to the server, so your password may only be stored locally (in your browsing history).
Otherwise, a prompt will ask you for the password.
#### Custom actions
With the `--custom` flag you can specify your own JavaScript that should handle the unpacked data. The data is passed via the `og_data` parameter.
The value is an Uint8Array which represents the bytes of the input file. If you want to interpret it as UTF-8 text and convert it to a string, you can use `new TextDecoder().decode(og_data)`.
If you want to build your payload based on one of the built-in payloads, you can find them in `python/self_unzip_html/static_js.py`
When debugging your own payload it can be useful to see go through it step by step. For this I find it easiest to create a page with:
```bash
self-unzip-html html -i README.md --custom 'window.og_data = og_data' -o test_custom.html
```
The resulting page exposes `og_data` in the global scope. You can then paste your payload into the JavaScript console piece by piece and inspect the output or DOM in between.
## Web version
There is a bare-bones page generator written in plain HTML and JavaScript.
To use it, just clone the repo and put the contents of the `site` directory somewhere in your web server directory.
You can of course also use it with Python's built-in web server:
```bash
python3 -m http.server --directory ./site/
```
I also host it via Vercel at <https://self-extracting-html.six-two.dev/>.
## JavaScript code
### Python
The JavaScript code is modular to decrease size and allow mixing and matching different algorithms.
The unminified files are in `code_to_minify/`.
They are minified by running `code_to_minify/build.sh`, which updates `python/self_unzip_html/minified_js.py`.
### template.html
This basically just explains, how I generated the obfuscated script in `template.html` (JavaScript version).
In case you are paranoid, you can reproduce the steps.
Or if there is an important update to `fflate` or `ascii85`, I will have to run them again.
Install with npm:
```bash
npm install .
```
First use rollup to only select the actually used code:
```bash
./node_modules/.bin/rollup -c rollup.config.js
```
This command should create `output/main.js`
The next step is optional.
If you want to skip it, just rename `main.min.js` to `main.js` in the `output` directory.
Otherwise, minify the code (may require you to install an external minifier like closure-compiler or <https://jscompressor.treblereel.dev/>).
```bash
closure-compiler output/main.js --js_output_file output/main.min.js
```
## License
The `python/self_unzip_html/template.svg` image was generated using the ChatGPT prompt `make me a really cool looking SVG for a hacking tool. The cooler the better` with me just replacing some text.
So to my understanding it is not copyrightable and you can do with it what you want :)
The rest of the project is under the MIT license, so you can do whatever as long as you credit my work to me.
## Notable changes
### Version 0.3.0
- **Breaking change**: Removed `self-unzip-html.py` script, use `self-unzip-html` instead.
- **Breaking change**: Implemented different subcommands (`html`, `encrypted-html`, `svg`, `encrypted-svg`) that only have the arguments that they support.
- **Breaking change**: Renamed `--download` to `--download-link` and added `--download-auto` which automatically starts the download
- Added `--copy-text` and `--copy-base64` options for smuggling files when downloads are not possible (for example in remote browsing setups)
- Added `serve` subcommand that serves the current directory and allows downloading files directly or via HTML smuggling. Each file in a directory listing has an entry like `.DS_Store (HTML, SVG)`.
- Refactoring of the python code to make it usable as a library
- Allow specifying multiple values for `--compression` and `--encoding` like `--encoding hex,base64,ascii85`
- Added `--iterations` option the PBKDF2, enabling a custom speed / security tradeoff
- Added `--cache-password` option
- Added option to supply decryption password via `localStorage`: `localStorage.setItem("self_unzip_pw", "YOUR_PASSWORD_HERE")`
- Added `--encoding hex` option
- Added support for SVG output files
### Version 0.2.1
- Added `Dockerfile` and published image. Download with `docker pull ghcr.io/six-two/self-unzip-html`
- Added `--show-text` action, which shows the payload as plain text
### Version 0.2.0
- **Breaking change**: Replaced the `--type` parameter with specific flags like `--download`, `--driveby-redirect`, `--eval`, `--replace`, and `--custom`.
- `--download` now has an optional parameter that allows you to change the file's name.
- `--driveby-redirect` allows you to perform a driveby download and redirect the visitor immediately to another page.
- `--custom` allows you to provide your own JavaScript code, which is useful for not implemented techniques or special usecases.
- Password protection now encrypts the payload action too.
This should prevent anyone without the password from inspecting the file and for example seeing that it performs a drive by download and redirects to a specific site.
- The debugging console messages are disabled by default, which results in nicer and shorter code.
If enabled with the `--console-log` flag, the data will be formatted as hex dumps for easier debugging.
- Added `--html`, `--html-file` and `--title` options to change the visual appearence of the initial page without needing a whole custom template.
Raw data
{
"_id": null,
"home_page": "https://github.com/six-two/self-unzip.html",
"name": "self-unzip-html",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": null,
"keywords": null,
"author": "six-two",
"author_email": "pip@six-two.dev",
"download_url": "https://files.pythonhosted.org/packages/7f/32/690b8feec435fb3be9a7a9106160f022d34ee05158febbc52eda6aebd98b/self_unzip_html-0.3.0.tar.gz",
"platform": null,
"description": "# self-unzip.html\n[](https://pypi.org/project/self-unzip-html/)\n\n\n\nThis [repo](https://github.com/six-two/self-unzip.html) contains tools to create self-extracting HTML pages.\nIt works by taking a payload, compressing it, and encoding the results using ASCII85.\nIt then puts the resulting string in a template file, that contains the code to decode and decompress the payload again.\n\nCurrently, there are multiple actions implemented, that can be executed, after the payload is decoded:\n\n- `--download-link`: Download the payload as a file when clicking a button (example use case: bypass antivirus / filters)\n- `--download-auto`: Automatically download the payload as a file when the page is opened (example use case: bypass antivirus / filters)\n- `--driveby-redirect <REDIRECT_URL>`: Perform a drive-by download and redirect to the `REDIRECT_URL` (example use case: phishing)\n- `--eval`: Execute payload as JavaScript code (example use case: obfuscate malicious JS code)\n- `--replace`: Show payload as HTML page (example use case: compress a big web page)\n- `--show-text`: Show payload as text (example use case: compress a big text file)\n- `--copy-text`: Copy payload as text to the clipboard (example use case: download PowerShell script in remote browsing environment)\n- `--copy-base64`: Copy payload as base64 encoded text and show commands that can be used to decode it (example use case: download executable file in remote browsing environment)\n- `--custom <YOUR_JAVASCRIPT_CODE>`: This allows you to write your own action as JavaScript code\n\nThere are both a web and a python version. The web version is not actively developed anymore and very bare bones, but easy to use and requires no installation. The Python version has more features and is generally recommended.\n\n## Feature comparison\n\nFeature | Web version | Python version\n---|---|---\nBase64 encoding | no | yes\nAscii85 encoding | yes | yes\nGZIP compression | yes, always | yes, can be disabled\nAES-GCM encryption | no | yes\nAutomatic detection of most efficient algorithms | no | yes\nPayload actions | download-link, eval, replace | all\n\n## Python version\n\nA Python script to generate self extracting web pages is under `python/main.py`.\nIt just requires a modern Python version (probably Python3.9+) and has no mandatory external dependencies.\nBut if you want to use the encryption feature, you need to install `pycryptodomex` with pip.\n\n### Installation\n\nYou can install it with `pip` or docker.\n\n#### pip\n\nTo install the latest release with encryption support:\n```bash\npython3 -m pip install -U self-unzip-html[all]\n```\n\nTo install the latest release without encryption support:\n```bash\npython3 -m pip install -U self-unzip-html\n```\n\nIf you want to have the bleeding edge version (`main` branch), you can clone the repository and run:\n```bash\npython3 -m pip install .\n```\n\nExample usage of the pip package:\n```bash\nself-unzip-html html --download-auto -o psexec.html -i PsExec.exe\n```\n\n#### Docker\n\nYou can use the image pushed to ghcr.io:\n```bash\ndocker run --rm -v \"$PWD:/share\" ghcr.io/six-two/self-unzip-html html --download-auto -o psexec.html -i ./PsExec.exe \n```\n\nTo use the bleeding edge version (`main` branch), you can build the `Dockerfile`:\n```bash\ndocker build -t self-unzip-html .\n```\n\nUsage of docker image:\n```bash\ndocker run --rm -v \"$PWD:/share\" self-unzip-html html --download-auto -o psexec.html -i ./PsExec.exe \n```\n\n### Usage\n\nDo a basic HTML smuggling, that will show download link for an executable file:\n```bash\nself-unzip-html html --download-auto -o psexec.html -i PsExec.exe\n```\n\nOr if you wanted to password-protect the output:\n```bash\nself-unzip-html encrypted-html --download-auto -o psexec_encrypted.html -p YourPasswordHere -i PsExec.exe\n```\n\nInstead of HTML pages, you can also embed an HTML smuggling payload in an SVG file:\n```bash\nself-unzip-html svg -i PsExec.exe --download-auto -o psexec.svg\n```\n\nPlease note that not all payload actions are available for SVGs due to technical limitations.\nUse `self-unzip-html svg --help` to list supported actions. \n\n\nYou can show all flags with the `--help` flag and can see some example commands in `./test.sh`.\n\n#### Phishing\n\nIf you want to use it for phishing (sending a download link to a malicious file), the `--driveby-redirect` is likely what you want. It starts a download and immediately redirects to any URL you choose, so that it looks like the other site started the download:\n\n\n\nJust search for a \"thank you for downloading\" page that does not start a download. There are many of them for software like Skype, AnyDesk, etc. Then rename your payload file to something a visitor of the download page would expect and create the HTML smuggling page:\n```bash\nself-unzip-html html -i AnyDesk.exe -o anydesk-download.html --driveby-redirect https://anydesk.com/en/downloads/guide/thank-you --obscure-action\n```\n\nHost that HTML file on your server and link to it in your emails.\n\n#### Encryption\n\nEncryption uses AES-GCM for encryption and tamper detection and PBKDF2 with slightly over 1 million rounds of SHA-256 for password derivation.\nThe code has not been audited, so use it with caution.\nIf data security is very important to you may want to manually encrypt it beforehand (for example using `gpg`).\n\nYou can automatically decrypt a page by adding the password as the hash in a URL like `encrypted.html#monkey123!`.\nThe hash will not be sent to the server, so your password may only be stored locally (in your browsing history).\nOtherwise, a prompt will ask you for the password.\n\n#### Custom actions\n\nWith the `--custom` flag you can specify your own JavaScript that should handle the unpacked data. The data is passed via the `og_data` parameter.\nThe value is an Uint8Array which represents the bytes of the input file. If you want to interpret it as UTF-8 text and convert it to a string, you can use `new TextDecoder().decode(og_data)`.\nIf you want to build your payload based on one of the built-in payloads, you can find them in `python/self_unzip_html/static_js.py`\n\nWhen debugging your own payload it can be useful to see go through it step by step. For this I find it easiest to create a page with:\n```bash\nself-unzip-html html -i README.md --custom 'window.og_data = og_data' -o test_custom.html\n```\nThe resulting page exposes `og_data` in the global scope. You can then paste your payload into the JavaScript console piece by piece and inspect the output or DOM in between.\n\n## Web version\n\nThere is a bare-bones page generator written in plain HTML and JavaScript.\nTo use it, just clone the repo and put the contents of the `site` directory somewhere in your web server directory.\n\nYou can of course also use it with Python's built-in web server:\n```bash\npython3 -m http.server --directory ./site/\n```\n\nI also host it via Vercel at <https://self-extracting-html.six-two.dev/>.\n\n## JavaScript code\n\n### Python\n\nThe JavaScript code is modular to decrease size and allow mixing and matching different algorithms.\nThe unminified files are in `code_to_minify/`.\nThey are minified by running `code_to_minify/build.sh`, which updates `python/self_unzip_html/minified_js.py`.\n\n### template.html\n\nThis basically just explains, how I generated the obfuscated script in `template.html` (JavaScript version).\nIn case you are paranoid, you can reproduce the steps.\nOr if there is an important update to `fflate` or `ascii85`, I will have to run them again.\n\nInstall with npm:\n\n```bash\nnpm install .\n```\n\nFirst use rollup to only select the actually used code:\n\n```bash\n./node_modules/.bin/rollup -c rollup.config.js\n```\n\nThis command should create `output/main.js`\n\nThe next step is optional.\nIf you want to skip it, just rename `main.min.js` to `main.js` in the `output` directory.\nOtherwise, minify the code (may require you to install an external minifier like closure-compiler or <https://jscompressor.treblereel.dev/>).\n\n```bash\nclosure-compiler output/main.js --js_output_file output/main.min.js\n```\n\n## License\n\nThe `python/self_unzip_html/template.svg` image was generated using the ChatGPT prompt `make me a really cool looking SVG for a hacking tool. The cooler the better` with me just replacing some text.\nSo to my understanding it is not copyrightable and you can do with it what you want :)\n\nThe rest of the project is under the MIT license, so you can do whatever as long as you credit my work to me.\n\n## Notable changes\n\n### Version 0.3.0\n\n- **Breaking change**: Removed `self-unzip-html.py` script, use `self-unzip-html` instead.\n- **Breaking change**: Implemented different subcommands (`html`, `encrypted-html`, `svg`, `encrypted-svg`) that only have the arguments that they support.\n- **Breaking change**: Renamed `--download` to `--download-link` and added `--download-auto` which automatically starts the download\n- Added `--copy-text` and `--copy-base64` options for smuggling files when downloads are not possible (for example in remote browsing setups)\n- Added `serve` subcommand that serves the current directory and allows downloading files directly or via HTML smuggling. Each file in a directory listing has an entry like `.DS_Store (HTML, SVG)`.\n- Refactoring of the python code to make it usable as a library\n- Allow specifying multiple values for `--compression` and `--encoding` like `--encoding hex,base64,ascii85`\n- Added `--iterations` option the PBKDF2, enabling a custom speed / security tradeoff\n- Added `--cache-password` option\n- Added option to supply decryption password via `localStorage`: `localStorage.setItem(\"self_unzip_pw\", \"YOUR_PASSWORD_HERE\")`\n- Added `--encoding hex` option\n- Added support for SVG output files\n\n### Version 0.2.1\n\n- Added `Dockerfile` and published image. Download with `docker pull ghcr.io/six-two/self-unzip-html`\n- Added `--show-text` action, which shows the payload as plain text\n\n### Version 0.2.0\n\n- **Breaking change**: Replaced the `--type` parameter with specific flags like `--download`, `--driveby-redirect`, `--eval`, `--replace`, and `--custom`.\n - `--download` now has an optional parameter that allows you to change the file's name.\n - `--driveby-redirect` allows you to perform a driveby download and redirect the visitor immediately to another page.\n - `--custom` allows you to provide your own JavaScript code, which is useful for not implemented techniques or special usecases.\n- Password protection now encrypts the payload action too.\n This should prevent anyone without the password from inspecting the file and for example seeing that it performs a drive by download and redirects to a specific site.\n- The debugging console messages are disabled by default, which results in nicer and shorter code.\n If enabled with the `--console-log` flag, the data will be formatted as hex dumps for easier debugging.\n- Added `--html`, `--html-file` and `--title` options to change the visual appearence of the initial page without needing a whole custom template.\n",
"bugtrack_url": null,
"license": "MIT License",
"summary": "Create self-extracting and/or password protected HTML pages with arbitrary contents",
"version": "0.3.0",
"project_urls": {
"Homepage": "https://github.com/six-two/self-unzip.html"
},
"split_keywords": [],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "f0f788faca5b158b3fdbd784b4cfb33da8bab4d39014d2c9682e718bcfc8f098",
"md5": "b76c8e99d7bb6806bdae1f04959248d8",
"sha256": "6f4a2dfa184b0755f1c1fd15532e47b795a678a6f8cf3df494e7182eb60bd629"
},
"downloads": -1,
"filename": "self_unzip_html-0.3.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "b76c8e99d7bb6806bdae1f04959248d8",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.9",
"size": 29311,
"upload_time": "2025-10-25T17:05:19",
"upload_time_iso_8601": "2025-10-25T17:05:19.707435Z",
"url": "https://files.pythonhosted.org/packages/f0/f7/88faca5b158b3fdbd784b4cfb33da8bab4d39014d2c9682e718bcfc8f098/self_unzip_html-0.3.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "7f32690b8feec435fb3be9a7a9106160f022d34ee05158febbc52eda6aebd98b",
"md5": "2b7c2eb82da62f4967c296f2add9345f",
"sha256": "ed3e61c8fdf196f3772ef174e735db70b19549e6127fd0975e024ce66700ac00"
},
"downloads": -1,
"filename": "self_unzip_html-0.3.0.tar.gz",
"has_sig": false,
"md5_digest": "2b7c2eb82da62f4967c296f2add9345f",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.9",
"size": 28351,
"upload_time": "2025-10-25T17:05:21",
"upload_time_iso_8601": "2025-10-25T17:05:21.778258Z",
"url": "https://files.pythonhosted.org/packages/7f/32/690b8feec435fb3be9a7a9106160f022d34ee05158febbc52eda6aebd98b/self_unzip_html-0.3.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-10-25 17:05:21",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "six-two",
"github_project": "self-unzip.html",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "self-unzip-html"
}
JSON
