[Penetration Testing] Learning to use pwntools

小帅帅

pwntools has a lot of advanced features that zio lacks, so I decided to learn how to use it, so that I can put it to use later. = =

Installation:

```shell
pip install pwn
```

To use it, import it with:

```python
from pwn import *
```

Connecting

Use process() for a local binary and remote() for a remote target. remote() takes a host (or URL) together with a port number.

IO module. This is where it is easy to get mixed up with zio: zio uses read/write, pwntools uses recv/send.

send(data) : send data

sendline(data) : send one line of data, i.e. data with a \n appended

recv(numb=4096, timeout=default) : receive up to numb bytes; timeout sets the time limit

recvuntil(delims, drop=False) : receive until the delims pattern is seen; drop=True strips the delimiter

(the following can be seen as special cases of recvuntil)

recvline(keepends=True) : receive up to and including \n; keepends controls whether the \n is kept

recvall() : receive until EOF

recvrepeat(timeout=default) : receive until EOF or until timeout

interactive() : hand the connection over to you for interactive use (e.g. with a shell)
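To make the semantics of these helpers concrete, here is an added example (written for this page, not pwntools' own code) that re-implements the recv/send family over a local socket pair, which has the same shape as what remote() or process() returns. MiniTube, demo() and the "service" text it talks to are all constructed; it shows what recvuntil's drop, recvline's keepends, and recvall's EOF handling actually do, plus how a timeout stops a read.

```python
import socket


class MiniTube:
    """Minimal re-implementation of the pwntools tube recv/send helpers
    (constructed for this example; not pwntools' own code). Wraps a
    connected socket, the same shape remote()/process() expose."""

    def __init__(self, sock, timeout=1.0):
        self.sock = sock
        self.sock.settimeout(timeout)
        self.buf = b""          # bytes received but not yet consumed

    def _fill(self, numb=4096):
        """Pull one chunk from the socket into the buffer.
        Returns False on EOF or timeout so callers can stop."""
        try:
            chunk = self.sock.recv(numb)
        except socket.timeout:
            return False
        if not chunk:           # empty read means the peer closed (EOF)
            return False
        self.buf += chunk
        return True

    def send(self, data):
        self.sock.sendall(data)

    def sendline(self, data):
        self.send(data + b"\n")  # sendline = send with a trailing newline

    def recv(self, numb=4096):
        """Return up to numb bytes, whatever has arrived so far."""
        if not self.buf:
            self._fill(numb)
        out, self.buf = self.buf[:numb], self.buf[numb:]
        return out

    def recvuntil(self, delim, drop=False):
        """Read until delim appears; drop=True strips the delimiter."""
        while delim not in self.buf:
            if not self._fill():
                raise EOFError("delimiter %r not seen before EOF/timeout" % delim)
        end = self.buf.index(delim) + len(delim)
        out, self.buf = self.buf[:end], self.buf[end:]
        return out[:-len(delim)] if drop else out

    def recvline(self, keepends=True):
        """Special case of recvuntil with delim = b'\\n'."""
        return self.recvuntil(b"\n", drop=not keepends)

    def recvall(self):
        """Read until EOF (or timeout) and return everything."""
        while self._fill():
            pass
        out, self.buf = self.buf, b""
        return out


def demo():
    """Drive MiniTube against a constructed peer that behaves like a
    simple interactive service; returns what each helper produced."""
    client, peer = socket.socketpair()
    tube = MiniTube(client, timeout=0.5)

    peer.sendall(b"Welcome to pwnme\nYour name: ")   # constructed banner + prompt
    banner = tube.recvline(keepends=False)            # b"Welcome to pwnme"
    prompt = tube.recvuntil(b": ", drop=True)         # b"Your name"

    tube.sendline(b"guest")
    received_by_peer = peer.recv(4096)                # b"guest\n"

    peer.sendall(b"bye\n")
    peer.shutdown(socket.SHUT_WR)                     # EOF for the tube side
    rest = tube.recvall()                             # b"bye\n"

    client.close()
    peer.close()
    return banner, prompt, received_by_peer, rest


if __name__ == "__main__":
    print(demo())
```

The buffering is the point worth noticing: every helper draws from one internal buffer, so a recvuntil that reads past the delimiter keeps the leftover bytes for the next call instead of losing them, which is exactly why mixing recv(4096) and recvuntil in real scripts does not drop data.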

ELF module

First get a handle with ELF(), then call methods through the handle, much like the io object.

```python
>>> e = ELF('/bin/cat')
>>> print hex(e.address) # base address the file is loaded at
0x400000
>>> print hex(e.symbols['write']) # address of the function
0x401680
>>> print hex(e.got['write']) # address of its GOT entry
0x60b070
>>> print hex(e.plt['write']) # address of its PLT stub
0x401680
```

Data handling

This is mainly about packing integers into their binary (byte) representation. p32 and p64 pack; u32 and u64 unpack (short for pack/unpack).

DynELF

DynELF is a killer tool for leaking information. The prerequisite is that you provide a function which takes an address as input and leaks at least 1 byte from that address. The official description is: Given a function which can leak data at an arbitrary address, any symbol in any loaded library can be resolved.

Pretty awesome, right? Below is the official example.

```python
from pwn import *

# Assume a process or remote connection
p = process('./pwnme')

# Declare a function that takes a single address, and
# leaks at least one byte at that address.
def leak(address):
    data = p.read(address, 4)
    log.debug("%#x => %s" % (address, (data or '').encode('hex')))
    return data

# For the sake of this example, let's say that we
# have any of these pointers. One is a pointer into
# the target binary, the other two are pointers into libc
main = 0xfeedf4ce
libc = 0xdeadb000
system = 0xdeadbeef

# With our leaker, and a pointer into our target binary,
# we can resolve the address of anything.
#
# We do not actually need to have a copy of the target
# binary for this to work.
d = DynELF(leak, main)
assert d.lookup(None, 'libc') == libc
assert d.lookup('system', 'libc') == system

# However, if we *do* have a copy of the target binary,
# we can speed up some of the steps.
d = DynELF(leak, main, elf=ELF('./pwnme'))
assert d.lookup(None, 'libc') == libc
assert d.lookup('system', 'libc') == system

# Alternately, we can resolve symbols inside another library,
# given a pointer into it.
d = DynELF(leak, libc + 0x1234)
assert d.lookup('system') == system
```
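As an added example covering both the data-handling section (p32/p64/u32/u64) and the leak-function contract DynELF relies on, the block below is written for this page and is not pwntools' or the official docs' code. It re-implements the packing helpers with struct so it runs without pwntools, and replaces the real process with a constructed FakeTarget: a byte image "mapped" at 0x400000 whose leak behaves like a printf("%s")-style read (at most 4 bytes, stops at the first NUL, None when unmapped). On top of that it shows the two things DynELF needs from such a leak: assembling a full 8-byte value from a leaker that only guarantees "at least one byte" (the u64(data.ljust(8, b'\0')) idiom), and walking back page by page from an arbitrary pointer to find the ELF header, which is the first step DynELF performs. All addresses and the stored pointer value are constructed.

```python
import struct

# Packing helpers with the same defaults as pwntools p32/p64/u32/u64
# (little-endian, unsigned), re-implemented with struct so this runs
# without pwntools installed.
def p32(n):
    return struct.pack("<I", n & 0xFFFFFFFF)

def p64(n):
    return struct.pack("<Q", n & 0xFFFFFFFFFFFFFFFF)

def u32(data):
    return struct.unpack("<I", data)[0]

def u64(data):
    return struct.unpack("<Q", data)[0]


PAGE_SIZE = 0x1000
ELF_MAGIC = b"\x7fELF"


class FakeTarget:
    """Constructed stand-in for a running process: a byte image mapped at
    `base`. Its leak behaves like a printf("%s") read: at most 4 bytes,
    stopping at the first NUL, None when the address is unmapped."""

    def __init__(self, base=0x400000, size=0x2000):
        self.base = base
        self.mem = bytearray(size)
        self.mem[0:4] = ELF_MAGIC                       # load base looks like a real ELF header
        self.mem[0x1000:0x1008] = p64(0x7FFFF7DD18E0)    # constructed pointer into "libc" at base+0x1000

    def leak(self, address):
        off = address - self.base
        if off < 0 or off >= len(self.mem):
            return None                                 # unmapped: the leak fails
        chunk = bytes(self.mem[off:off + 4])
        return chunk.split(b"\x00", 1)[0]               # %s-style: stops at NUL


def leak_qword(leak, address):
    """Read 8 bytes through a 'leaks at least one byte' function.
    Missing high bytes are zero-padded (the u64(data.ljust(8, b'\\0'))
    idiom), which is correct for canonical x86-64 user-space pointers
    whose top two bytes are always zero."""
    buf = b""
    while len(buf) < 8:
        chunk = leak(address + len(buf))
        if not chunk:                                   # NUL or unreadable: stop and pad
            break
        buf += chunk
    return u64(buf[:8].ljust(8, b"\x00"))


def find_elf_base(leak, pointer, max_pages=4096):
    """Walk back page by page from any pointer into the binary until the
    ELF magic is found; this is the first step DynELF performs.
    Returns None if the leak fails or the header is never seen."""
    addr = pointer & ~(PAGE_SIZE - 1)
    for _ in range(max_pages):
        data = leak(addr)
        if data is None:
            return None
        if data == ELF_MAGIC:
            return addr
        addr -= PAGE_SIZE
    return None


if __name__ == "__main__":
    t = FakeTarget()
    print(p32(0x0804A010))                              # b'\x10\xa0\x04\x08'
    print(hex(find_elf_base(t.leak, 0x4012A0)))         # 0x400000
    print(hex(leak_qword(t.leak, 0x401000)))            # 0x7ffff7dd18e0
```

Note the two practical caveats the code encodes: a leak that stops at NUL returns fewer bytes than asked for, so the caller, not the leak, is responsible for re-reading at the next offset and padding; and the header search must have a bound (max_pages) and treat None as "give up", otherwise a wrong pointer sends it walking into unmapped memory forever.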
