在一些连nc的题中需要用到Pwntools,没有系统的学习过,今天来补充下。
接收数据
- **recv(n)**,接收任何数量的字节
- **recvline()**,接收一行数据
- **recvuntil()**,接收数据,直到找到一个分隔符
- **recvregex(pattern)**,接收数据,直到满足一个与pattern重合的内容为止
- **recvrepeat(timeout)**,继续接收数据,直到发生超时
- **clean()**,丢弃所有缓冲的数据
发送数据
- **send(data)**,发送数据
- **sendline(line)**,发送一行数据,末尾加上换行
下面记录一些之前用过的例子,仅帮助熟悉
题目:
def proof_of_work():
random.seed(os.urandom(8))
proof = ''.join([random.choice(string.ascii_letters+string.digits) for _ in range(20)])
_hexdigest = sha256(proof.encode()).hexdigest()
print(f"sha256(XXXX+{proof[4:]}) == {_hexdigest}")
print('Give me XXXX: ')
x = input()
if len(x) != 4 or sha256(x.encode()+proof[4:].encode()).hexdigest() != _hexdigest:
print('Wrong PoW')
return False
return True
if not proof_of_work():
exit(1)
signal.alarm(10)
print("Give me a bad RSA keypair.")
try:
p = int(input('p = '))
q = int(input('q = '))
assert p > 0
assert q > 0
assert p != q
assert p.bit_length() == 512
assert q.bit_length() == 512
assert isPrime(p)
assert isPrime(q)
n = p * q
e = 65537
assert p % e != 1
assert q % e != 1
d = inverse(e, (p-1)*(q-1))
except:
print("Invalid params")
exit(2)
try:
key = RSA.construct([n,e,d,p,q])
print("This is not a bad RSA keypair.")
exit(3)
except KeyboardInterrupt:
print("Hacker detected.")
exit(4)
except ValueError:
print("How could this happen?")
from secret import flag
print(flag)
wp:
def hashstring(partstr, hashstr):
str = string.ascii_letters + string.digits
for i1 in str:
for i2 in str:
for i3 in str:
for i4 in str:
plain = i1 + i2 + i3 + i4 + partstr
maystr = hashlib.sha256(plain.encode()).hexdigest()
if maystr == hashstr:
print(i1 + i2 + i3 + i4)
return i1 + i2 + i3 + i4
def getPQ():
e = 65537
p = getPrime(512)
m = inverse(e,p-1)
res = (e*m*p-1) // (p-1)
for k in range(0,e):
if res % k == 0:
q = res // k + 1
return p,q
s = remote("...", ...)
s.recvuntil(b"XXXX+")
partstr = s.recvuntil(b')')[:-1].decode()
print(partstr)
s.recvuntil(b"== ")
hashstr = s.recvline()[:-1].decode()
print(hashstr)
knownpart = hashstring(partstr, hashstr)
s.recvuntil(b"Give me XXXX: ")
s.sendline(knownpart.encode())
print(s.recvuntil(b"Give me a bad RSA keypair."))
p,q = getPQ()
当然pwntools还有其它的函数,等遇到了再补充。。。
转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论,也可以邮件至 1666739907@qq.com