python-study

2021-01-10

Word count: 1.3k | Reading time≈ 7 min

0x01 MD5 encrypt this string

提取字符串，进行md5加密，并提交。我还是太慢了，学学脚本。网络有点卡多提交几次

from hack the box web1

自己结合网上的学习了两种方法，re.search和re.findall，个人感觉还是比较喜欢第二种方法，感觉法二挺方便的

法一

import requests
import hashlib
import re              #字符串匹配

head = {
    "Referer": "http://159.65.87.50:32588/",
    "Cookie": "PHPSESSID=1nd51s259e9epagvhkgolgm5h7",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://159.65.87.50:32588"}
url1 = "http://159.65.87.50:32588/"
req1 = requests.get(url=url1,headers=head)
str1= re.search("<h3 align='center'>(.)*</h3>",req1.text)
str2=str1.group(0).replace("<h3 align='center'>","").replace("</h3>","")

#print (str2)
h1=hashlib.md5()
h1.update(str2.encode(encoding='utf-8'))
md5 =h1.hexdigest()
#print(md5)
postdata="hash="+md5

req2=requests.post(data=postdata,url=url1,headers=head)
print(req2.text)

法二

# -*- coding:utf-8 -*-   
# hack the box web1 re.findall

import requests
import re
import hashlib
def md5_str(str):
    md=hashlib.md5();
    md.update(str.encode(encoding='utf-8'))
    return md.hexdigest()


url = "http://138.68.182.108:31255/"
head = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0",
    "Cookie": "PHPSESSID=3brhsrsfuq7k869bg9s7bae6u4",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://138.68.182.108:31255"
}

req1 = requests.get(url,headers=head)
str = re.findall(r'<h3 align=.*>(.*?)</h3>',req1.text,re.S)[0]
#print(str)
mdstr=md5_str(str)
#print(mdstr)
req2=requests.post(url,headers=head,data="hash="+mdstr)
#print(req2.text)
flag="HTB{"+re.findall('HTB\{(.*?)\}',req2.text,re.S)[0]+"}"
print(flag)

1.1

0x02 scan_dir目录扫描

import requests
import sys

headers = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0'}
url = sys.argv[1]   
zidian = sys.argv[2]
result = sys.argv[3]

with open(zidian,"r") as f:
    for line in f.readlines():
        line = line.strip()
        r =requests.get(url+line,headers=headers)
        if r.status_code == 200:
            print("url:"+r.url+"\n   exist")
            with open(result,"a") as f1:
                f1.write("url:"+r.url+"    exist\n")    //写入result.txt
        else:print("url:"+r.url +"\n   false")

python scan_dir.py http://www.shmilying.top/ F:\pycharm\python-study\zidian.txt F:\pycharm\python-study\result.txt

result:

2.0

2.1

0x03 file_open_r/w/a

***read***
with open("zidian.txt") as f:
    for a in f():
        print(a.strip())       #最实用,方便，而且效果和下面的一样。


with open("zidian.txt","r") as f:
    for line in f.readlines():
        print(line.strip())     #比较方便


f = open("zidian.txt","r")
for line in f.readlines():  #读取全部  == for line in f：
    print(line)
    print(line.strip())  #去除空行
f.close()                 #记得关闭


f = open("zidian.txt","r")
line1 = f.readline()        #读一行
print(line1)
f.close()

f = open("zidian.txt","r")
line2 = f.read(1)           #读字节
print(line2)
f.close()


***write***

f = open("zidian.txt","a")          #open("zidian.txt","a") 在末尾追加,不影响原来的
f.write('\nxxxxx')                  #open("zidian.txt","w") w:写入内容会覆盖原有内容
f.close()

f2 = open("zidian.txt")
for line in f2.readlines():
    print(line.strip())
f2.close()

总结：

f = open("c:\filename","mode")   //mode:r/w/a
xxxxxxx
xxxxxxx
f.close()

0x04 awd_sendflag

学习的大佬脚本，批量sendflag。

import requests
import time 
def result-flag(flag):      //自定义函数

    url="http://xx.xxx.xxx.xx:8080/api/v1/challenges/attempt"
    #data={"challenge_id":2,"submission":""+flag+""}
    data='{"challenge_id":2,"submission":"'+flag+'"}'
    h = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"CSRF-Token":"e9817606c5e5373499bd7e43b64c045b60a276b839b340c4f4a37c2eb27f4e8a",
"Connection": "keep-alive",
"Content-Type": "application/json"
}
    cookies={"session":"2deefa03-cda6-41fc-be25-a986067c7048","PHPSESSID":"jnr3quolg5o2ohlifbdld6bku5"}
    req=requests.post(url=url,data=data,cookies=cookies,headers=h)
    print(req.text)        //result

def flagtxt():
    with open("web1-flag.txt") as f:
        for a in f:
            print(a.strip())
            time.sleep(1)
            result-flag(a.strip())
            
flagtxt()

0x05 生成以指定字符为开头的md5值

百度的

# -*- coding:utf-8 -*-
# 脚本功能：生成以指定字符为开头的md5值（x位数字）

import hashlib
import random

def encryption(chars):
    return hashlib.md5(chars.encode("utf8")).hexdigest()
def generate():
    return str(random.randint(11111111,99999999))  #爆破范围
def main():
    start = "66666"  #md5指定前几位
    while True:
        strs = generate()
        print("Test %s " % strs)
        if encryption(strs).startswith(start):
            print ("yes!")
            print ("[+] %s " % strs + "%s " % encryption(strs))
            break
        else:
            print ("no!")
if __name__ == '__main__':
    main()
    print ('完成！')

结果如下

1
2
3

yes!
[+] 43650254 66666b9c81d0d15f983ad8963908ce10 
完成！

0x06 多线程

from threading import Thread
import time
def test(name):
    time.sleep(2)
    print('%s say hello' %name)

if __name__ == '__main__':
    t=Thread(target=test,args=('egon',))
    t.start()
    print('主线程')

from threading import Thread

import time

class test(Thread):
    def __init__(self,name):
        super().__init__()
        self.name = name
    def run(self):
        time.sleep(2)
        print("%s good night" %self.name)

if __name__ == '__main__':
    t = test('lihua')
    t.start()
    print("zhuxiancheng")

0x07 proxy

import requests
url = "https://home.firefoxchina.cn/"
proxies= {'http':'http://127.0.0.1:8080','https':'https://127.0.0.1:8080'}
r=requests.get(url,proxies=proxies,verify=False)  ###verify 避免证书检测
print(r.status_code)