Arbitrary file reading in X-OA system & SSRF+JNDI remote command execution combination

Arbitrary file read in X-OA system - SSRF+JNDI remote command execution 1, Vulnerability description There is an arbitrary file reading vulnerability in digital OA(EKP) of Shenzhen Lanling Software Co., Ltd. Attackers can use the vulnerability to obtain sensitive information, and use ssrf to eUTF-8...

Posted by jburbage on Sat, 15 May 2021 04:55:30 +0930

Qi Anxin's big brother gives us all his money and stays up late to sum up the emergency response and share the experience (quick collection!)

preface As a safe worker, every time when fishing, there will always be some unexpected situations, such as the following. Boss: XX enterprise has been hit. Go to support it and give a report by the way. Boss: XX enterprise security equipment alarm, you go to see, see if you can develop the marUTF-8...

Posted by jf3000 on Sat, 29 May 2021 08:20:19 +0930

Node.js implements encryption and decryption of front-end and back-end data transmission

1. Introduction In the front-end and back-end communication process, some sensitive information, especially the user's account password, needs to be encrypted for transmission. How to choose the encryption method is also a knowledge, there are not too many biases here. Generally speaking, RSA eUTF-8...

Posted by sean paul on Fri, 04 Jun 2021 01:51:01 +0930

Penetration testing of MySQL using Metasploit

preface This paper introduces how to use metaploit to test mysql in detail 1, db_nmap scanning Both external and built-in nmap are OK. To use the built-in nmap of metasploit, you need to start the postgresql service 1 introduction of commonly used nmap parameters Target discovery -iL Add scan UTF-8...

Posted by php new bie on Sat, 05 Jun 2021 04:54:03 +0930

15-PHP code audit -- yii 2.0.37 deserialization vulnerability

Yii is a component-based high-performance PHP framework for developing large Web applications. There is a deserialization vulnerability in yii2 before 2.0.38. If the program calls unserialize() internally to deserialize, there may be a deserialization vulnerability in the program. Attackers canUTF-8...

Posted by Stalingrad on Mon, 07 Jun 2021 05:10:01 +0930

Linux basic knowledge of network security

1. Please describe the three elements of communication between hosts in TCP/IP protocol ip Address subnet mask ip route +wx: machinegunjoe666 Free access to information 2. Please describe the classification of IP address and the range of each category A 1-127 B 128-19 C 192-223 D 224-239((multUTF-8...

Posted by capella07 on Wed, 16 Jun 2021 04:49:30 +0930

[Xiaodi security 36 days] verification code and Token

Verification code identification Using tool: pakv_http_fuzz Copy the request header information in the captcha picture packet without cookie and host Use the tool's image type captcha recognition, paste the request header information to other request header positions, and fill in the captcha aUTF-8...

Posted by dbair on Fri, 18 Jun 2021 03:35:21 +0930

19-PHP code audit -- jizhicms logic vulnerability analysis (sql injection caused by ultra vires)

Affected version: jizhicms_Beta1.7 Vulnerability environment: jizhicms_Beta1.7 php5.6.27 Unauthorized modification of points is caused by the user information function of the foreground user interface Why is there an ultra vires loophole in the user data function? First, analyze the userinfo fuUTF-8...

Posted by designguy79 on Fri, 18 Jun 2021 06:55:03 +0930

Network Security Learning -- python

Do loophole recurrence, will use python to write python Installation of python Installation of python Download and install. Install the stable version, the executable one The use of python How to start python 1. Start the python compiler from the command line win window key + r key -- enter cmUTF-8...

Posted by afterburner on Tue, 06 Jul 2021 03:04:19 +0930

First contact penetration test

preface: The author of this paper received an authorized penetration test task, and needed to test the security of the app back-end server with an app as the entrance. Stage 1: IOS prison break After getting the corresponding authorization and downloading the specified app, we found that thereUTF-8...

Posted by jfourman on Thu, 08 Jul 2021 05:25:47 +0930