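Topics covered:
Tupper's self-referential formula
Extracting information from multiple images
Approaches to game challenges where CE is banned
Integer overflow
jsfuck
Using vol3 plugins
https://www.bilibili.com/read/cv20634842?spm_id_from=333.999.0.0 (how animated mouse cursors are made)
Understanding TIFF files
SSTI vulnerability
LSB encryption
SUID privilege escalation
MISC
Captcha (验证码)
Transcribed the digits by hand: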
1594199391770250354455183081054802631580554590456781276981302978243348088576774816981145460077422136047780972200375212293357383685099969525103172039042888918139627966684645793042724447954308373948403404873262837470923601139156304668538304057819343713500158029312192443296076902692735780417298059011568971988619463802818660736654049870484193411780158317168232187100668526865378478661078082009408188033574841574337151898932291631715135266804518790328831268881702387643369637508117317249879868707531954723945940226278368605203277838681081840279552
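Then, following the hint: tupper
it is clear that the number is meant to be plotted with Tupper's self-referential formula (I remembered that 套神's blog had a writeup for a challenge on this topic, so I understood right away)
Snake on web
Played to 100 points by hand
I almost gave up pressing keys (nobody wants to look at wasm)
Only after seeing how other players solved it did I learn that you can also use Python or the 按键精灵 macro tool to traverse the map
LSSTIB (reproduced after the contest)
Isn't this pointer cute? (你看这个指针它可爱嘛) (reproduced after the contest)
A tense, thrilling round of CS (来一把紧张刺激的CS) (reproduced after the contest)
Reproduced it with zysgmzb's two tools, which solve it directly (very convenient)
Intended solution:
WEB
Chess Prince (象棋王子)
Press F12 to view the source and find jsfuck
(Of course, you can also win by actually playing the game.)
Paste it into the console and run it
Electronic Wooden Fish (电子木鱼)
Download the source and read it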
    if let Some(payload) = PAYLOADS.iter().find(|u| u.name == body.name) {
        let mut cost = payload.cost;
        // The cost is scaled by the user-supplied quantity, with no overflow check.
        if payload.name == "Donate" || payload.name == "Cost" {
            cost *= body.quantity;
        }
        // The balance check runs on the value after the cast to i32.
        if GONGDE.get() < cost as i32 {
            return web::Json(APIResult {
                success: false,
                message: "功德不足",
            });
        }
        if cost != 0 {
            GONGDE.set(GONGDE.get() - cost as i32);
        }
        if payload.name == "Cost" {
            return web::Json(APIResult {
                success: true,
                message: "小扣一手功德",
            });
        }
        // (the excerpt ends here)
    }
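The i32 stands out: this is an integer overflow vulnerability. The cost is subtracted from the merit (功德) balance, so it is enough to send name=Cost with quantity set to the 32-bit maximum value 2147483648.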
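Added example, not part of the challenge source or of the original writeup: a model of the check-and-deduct step above, next to a hardened version that uses checked arithmetic. The i64 types for cost and quantity, the unit cost of 1, and the function names are assumptions; the wrapping operations stand in for release-build arithmetic.

```rust
// Added illustration; types, unit cost and names are assumptions, not the challenge's code.
use std::convert::TryFrom;

/// Models the page's logic: multiply, compare after `as i32`, then subtract.
/// Returns the new balance, or None when the request is refused ("功德不足").
fn settle_vulnerable(balance: i32, unit_cost: i64, quantity: i64) -> Option<i32> {
    let cost = unit_cost.wrapping_mul(quantity);
    // `as i32` keeps only the low 32 bits, so a large cost can turn negative
    // and the "not enough merit" check no longer fires.
    if balance < cost as i32 {
        return None;
    }
    Some(balance.wrapping_sub(cost as i32))
}

/// Hardened form: reject non-positive quantities, and use checked arithmetic
/// and a checked conversion so no value is silently truncated or wrapped.
fn settle_hardened(balance: i32, unit_cost: i64, quantity: i64) -> Option<i32> {
    if unit_cost < 0 || quantity <= 0 {
        return None;
    }
    let cost = unit_cost.checked_mul(quantity)?;
    let cost = i32::try_from(cost).ok()?;
    if balance < cost {
        return None;
    }
    balance.checked_sub(cost)
}

fn main() {
    // Constructed inputs: (balance, unit_cost, quantity). The last quantity is the
    // value quoted in the writeup; the unit cost of 1 is an assumption.
    let cases: [(i32, i64, i64); 3] = [(100, 10, 3), (5, 10, 1), (0, 1, 2147483648)];
    for (balance, unit, qty) in cases {
        println!(
            "balance={} unit={} qty={}: vulnerable={:?} hardened={:?}",
            balance,
            unit,
            qty,
            settle_vulnerable(balance, unit, qty),
            settle_hardened(balance, unit, qty)
        );
    }
}
```

For the third constructed input the vulnerable version accepts the request even though the balance is 0, while the hardened version refuses it.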