
[pwnable] input

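This challenge is one where you satisfy the program's requirements one after another.

The other write-ups online all use C or Python to invoke the program locally. I wanted to practice pwntools' remote invocation, so I wrote the script below.

When run, it passes checks 1 to 4, but at the final socket check it simply would not connect. I suspect there is a firewall that restricts the port numbers for inbound and outbound traffic; dropping the script onto the server and running it there succeeds.

So how is that any different from the other write-ups...

I'll treat it as practice with pwntools; besides, the pwntools documentation is really good.

The last part, the fifth check, doesn't work very well; I'm posting the script here as a backup for now...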

from pwn import *
import os
import time

# Log in to the challenge host over SSH
s = ssh(host='pwnable.kr', user='input2', password='guest', port=2222)
#set_working_directory(wd = '/tmp/')
print(s.pwd())
# Files that are later attached to the process as stdin and stderr
s.write('/tmp/1.txt', b"\x00\x0a\x00\xff")
s.write('/tmp/2.txt', b"\x00\x0a\x02\xff")
# A file whose name is the single byte 0x0a, holding four null bytes
s.write('/tmp/\x0a', b"\x00" * 4)
#print hex(s.download_data('/tmp//\x0a'))
# 100 arguments, all '1' except the indexes set below
arg = ['1'] * 100
#print arg[0]
arg[0] = './1'
arg[ord('A')] = "\x00"
arg[ord('B')] = "\x20\x0a\x0d"
arg[ord('C')] = "7777"  # port number used in the socket step below
#print arg
#print len(arg)
# Environment for the process, including a variable with a binary name and value
dic = {b"\xde\xad\xbe\xef": b"\xca\xfe\xba\xbe", b"PWD": b"/tmp/"}
pro = s.process(argv=arg, cwd="/tmp/", env=dic, executable='/home/input2/input', stdin="/tmp/1.txt", stderr='/tmp/2.txt')
#print pro.recv()

print(pro.recv())
#time.sleep(1)
#print pro.recv()
#r = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
time.sleep(1)
#time.sleep(10)
#rom = remote("pwnable.kr", 7777)
# s.remote() returns the connection tube; send and receive on that tube, not on the ssh object
r = s.remote("pwnable.kr", 7777)
r.send(b"\xde\xad\xbe\xef")
print(r.recv())
#pro.interactive()
print(pro.recv())

 
