链接:https://pan.baidu.com/s/1pKhxYsJbtqZme8qXnJhsmA
提取码:0oxa
其他文件
御林yu者斗flag龙
# https://blog.csdn.net/weixin_45004513/article/details/117332121参考文章
# 因为我说python2写的所以有很多地方要bytes string转换
from pwn import * # 凑合版Windows pwn python脚本
p = remote("43.198.152.253", 50001)  # connect to the challenge service (host/port as given in the write-up)
# p.sendline(b'help')  # b'' marks a bytes literal; commands used for manual testing
# p.sendline(b'status')
name = ["", "", "", "", ""]  # party names; filled from the end of the list by the parsing loop below
hp = [1, 1, 1]  # HP of the three party members, in the same reversed order as `name` (the dragon's HP slot was dropped as unused)
heals = [0, 0, 0]  # per-member flag: 1 = this member should be healed on the next turn
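def HpUpgrade():
    """Send ``status`` to the server and refresh the global ``hp`` list in place.

    The reply (read up to the next ``$`` prompt) prints each party member's HP
    wrapped in an ANSI colour sequence, ``...32m<digits>ESC...``; the FLAG
    dragon uses ``31m`` and is therefore not matched. Values are stored into
    ``hp`` from the end backwards (``hp[-1]``, ``hp[-2]``, ``hp[-3]``), which is
    the same reversed order in which ``name`` was filled.

    Side effects: network I/O on the global ``p``; prints the raw reply.
    A malformed reply does not raise: a non-numeric HP field is skipped, the
    scan never reads past the end of the reply, and at most ``len(hp)`` values
    are stored.
    """
    d = 0  # reversed slot index into hp; decremented before each store
    p.sendline(b'status')
    status = str(p.recvuntil('$'), encoding="utf-8")
    print(status)
    # Start at 2 so status[a - 2] never wraps around to the end of the string.
    for a in range(2, len(status)):
        # Party HP is printed as '\x1b[0;32m<hp>\x1b[0m'; keying on "32m" skips the dragon (31m).
        if status[a] == "m" and status[a - 1] == '2' and status[a - 2] == '3':
            hps = ""  # digits collected so far
            for n in range(1, 5):  # at most four digits before the closing ESC
                if a + n >= len(status):
                    break  # truncated reply: leave this slot untouched
                if status[a + n] == '\x1b':
                    # Terminator is the ESC character itself ('\x1b'), not the text "\\x1b".
                    if hps.isdigit() and d > -len(hp):
                        d = d - 1
                        hp[d] = int(hps)
                    break
                hps = hps + status[a + n]
    return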
p.sendline(b'status')  # send a command straight away and see what comes back
# print(type(p.sendline(b'status')))  # sendline returns None
print(str(p.recvuntil('$'), encoding="utf-8"))  # first '$'-terminated reply: the welcome banner
names = str(p.recvuntil('$'), encoding="utf-8")  # second reply: the roster, parsed below
# names = str(p.recvuntil('$'), encoding="utf-8")
print(names)
b = 0  # slot into `name`; decremented before each store so the three useful names land in name[-1], name[-2], name[-3]
try:
    for i in range(len(names)):
        # A name starts at '['; if the next char is '0' this is the '[0m' tail of an
        # ANSI reset sequence, not a name, so skip it.
        if names[i] == "[" and names[i + 1] != '0':
            b = b - 1
            for j in range(20):  # copy up to 20 chars ('[' included) until the closing ']'
                name[b] = name[b] + names[i]
                # print(name[b])
                i = i + 1  # NOTE: advances only this copy; the outer `for` keeps its own counter
                if names[i] == "]":
                    name[b] = name[b] + names[i]
                    # print(name[b])
                    # Also initialise the HP list while parsing (each call is another `status` round-trip).
                    HpUpgrade()
                    break
except IndexError:
    print('数组长度错误')
    print(i)
HpUpgrade()
# print(name)  # names were read successfully
# Name parsing rule used above: start storing at '[' and stop at ']'.
# The last two slots (the unused FLAG-dragon names) are overwritten with the command
# words; the surrounding spaces make concatenation easy, and "attack" only needs a
# space on its left.
name[3] = b" attack"  # indices start at 0
name[4] = b" heal "
# print(type(name[3]))  # <class 'bytes'>
print(name)  # debug: parsed names
print(hp)  # debug: parsed HP values
# 接下来要写的是读取输出交互,然后逻辑判断做出攻击还是heal队员
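def loop():
    """Play one round: each of the three party members either attacks or heals.

    For every member ``c`` the pending ``heals`` flags are consulted; if some
    member was flagged, ``c`` casts ``heal`` on it, otherwise ``c`` attacks.
    After each action the HP list is refreshed with ``HpUpgrade()`` and any
    member below 70 HP is flagged for healing on a later turn.

    Returns:
        0 when the server reply contains the victory text, so the caller can
        stop; None otherwise.

    Side effects: network I/O on the global ``p``; mutates the globals
    ``heals`` and (via ``HpUpgrade``) ``hp``; prints every exchange.
    """
    # -1 means "nobody to heal"; 0 cannot be the sentinel because index 0 is a real member.
    heal = -1
    for c in range(3):  # name[0], name[1], name[2]
        for r in range(3):
            if heals[r] == 1:
                heal = r  # single '=': assignment, not comparison
                heals[r] = 0
        # print(name[c] + name[3])
        if heal == -1:
            print(name[c] + name[3].decode('utf-8'))
            # name[c] is str, name[3] is bytes: encode before joining; use sendline, not send
            p.sendline(name[c].encode('utf-8') + name[3])
            q = str(p.recvuntil('$'), encoding="utf-8")
            if "恭喜你" in q:
                return 0  # victory text received; stop early
            print(q)
        else:
            print(name[c] + name[4].decode('utf-8') + name[heal])
            # Heal the flagged member `heal`, not the loop counter r.
            p.sendline(name[c].encode('utf-8') + name[4] + name[heal].encode('utf-8'))
            print(str(p.recvuntil('$'), encoding="utf-8"))
            heal = -1
        HpUpgrade()  # refresh hp
        # The damaged member is not necessarily the one who just acted, hence a
        # per-member flag list instead of a single boolean.
        for g in range(3):
            if hp[g] < 70:
                heals[g] = 1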
# 此处为逻辑判断,循环三个人攻击
# Main driver: up to 100 rounds of three actions each.
for f in range(100):
    # HP kept reading as full: you must p.recvuntil('$') before sending the next
    # command, so every p.recv became p.recvuntil('$') and loop()'s send became
    # sendline. Some harmless errors may still be printed.
    o = loop()
    if o == 0:
        break  # victory text seen
# Example server line: "[FLAG dragon] cast syscall attack on [PaleSign], dealing [52] damage!"
p.interactive()
应聘CNSS娘中之人
from pwn import * # 凑合版Windows pwn python脚本
p = remote("43.156.14.141", 1141)  # connect to the challenge service (host/port as given in the write-up)
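def loop():
    """Handle one server prompt: a ping, a ``[SYSTEM]`` scoring line, or an unknown command.

    Reads up to the next ``>`` prompt on the global ``p`` and replies with the
    text the challenge expects:

    * ``#ping`` -> ``pong!``
    * ``[SYSTEM][who](Npt)--[what](Mpt)`` -> a congratulation line quoting
      ``who`` and ``what`` with the score ``N + M``
    * anything else -> ``The command <text from the first '#'> does not exist.``

    Side effects: network I/O on ``p``; prints the prompt and the reply.
    Raises ValueError if a score field contains no digits at all.
    """
    a = str(p.recvuntil(">"), encoding="utf-8")
    print(a)
    if '#ping' in a:
        print(b"pong!")
        p.send(b'pong!')
    elif "[SYSTEM]" in a:
        # e.g.
        # [SYSTEM][DeePunk](114514pt)--[NvZhuang Guideline](500pt)
        # > Congratulations to DeePunk for passing[NvZhuang Guideline], current score is 115014 points!
        d = 0  # next free slot in c
        c = ["", "", "", "", ""]  # [0]=SYSTEM, [1]=who, [2]=what, [3]=current pt, [4]=gained pt
        for i in range(len(a)):
            if a[i] == "[" and d < len(c):
                for j in range(20):  # copy the characters after '[' up to the one before ']'
                    if i + j + 2 >= len(a):
                        break  # no closing bracket before end of text
                    c[d] = c[d] + a[i + j + 1]
                    if a[i + j + 2] == "]":
                        d = d + 1
                        break
        for i in range(len(a)):
            if a[i] == "(" and d < len(c):
                for j in range(20):
                    if i + j + 2 >= len(a):
                        break
                    c[d] = c[d] + a[i + j + 1]
                    if a[i + j + 2] == ")":
                        d = d + 1
                        break
        # The point fields are copied with their suffix (e.g. "114514pt" in the
        # example above), so keep only the digits before converting.
        cur_pt = int("".join(ch for ch in c[3] if ch.isdigit()))
        gain_pt = int("".join(ch for ch in c[4] if ch.isdigit()))
        a = cur_pt + gain_pt
        reply = (b"Congratulations to " + c[1].encode("UTF-8") + b" for passing ["
                 + c[2].encode("UTF-8") + b"], current score is " + str(a).encode("UTF-8") + b" points!")
        print(reply)
        p.send(reply)
    else:
        # Echo everything from the first '#' to the end, minus the trailing newline and prompt.
        b = 0  # becomes 1 once '#' has been seen
        wrong = ""
        for i in range(len(a)):
            if a[i] == "#" or b == 1:
                b = 1
                wrong = wrong + a[i]
        reply = b'The command ' + wrong.encode('utf-8').rstrip(b"\n>") + b' does not exist.'
        print(reply)
        p.send(reply)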
# Main driver: answer up to 100 prompts, then hand the session over interactively.
for f in range(100):
    loop()
    # print(f)  # apparently the last prompt carried an extra "printf(" fragment
p.interactive()