Page 35-Safety Programming Tutorials: Learn Safety Online-php.cn

Article Tags

Safety

Home

Technical articles

Operation and Maintenance

Safety

How to analyze Apache Dubbo deserialization vulnerability

Introduction Dubbo is a high-performance and excellent service framework open sourced by Alibaba, which enables applications to realize service output and input functions through high-performance RPC, and can be seamlessly integrated with the Spring framework. It provides three core capabilities: interface-oriented remote method invocation, intelligent fault tolerance and load balancing, and automatic service registration and discovery. Overview On June 23, 2020, ApacheDubbo officially released a risk notice about ApacheDubbo remote code execution. The vulnerability number is CVE-2020-1948, and the vulnerability level is: high risk. ApacheDubbo is a high-performance, lightweight open source JavaRPC framework. It provides three core capabilities: interface-oriented remote

May 17, 2023 pm 04:01 PM

Dubbo

What is wide byte injection in SQL injection?

Wide byte injection: It is a way to bypass SQL injection. 1. Wide byte concept: 1. Single-byte character set: all characters are represented by one byte, such as ASCII encoding (0-127) 2 . Multi-byte character set: In a multi-byte character set, some bytes are represented by multiple bytes, and another part (possibly none) is represented by a single byte. 3. UTF-8 encoding: It is an encoding method (multi-byte encoding). It can use 1 to 4 bytes to represent a symbol, and the byte length changes according to different symbols. 4. Common wide bytes: GB2312, GBK, GB18030, BIG5, Shift_JISGB2312 does not have wide byte injection, and it can be collected that there is wide byte injection

May 17, 2023 pm 03:37 PM

SQL

What are the optical module configurations and switch levels that need to be paid attention to?

Today I will explain to you what configurations of fiber optic port modules you need to pay attention to when purchasing a fiber optic switch? Yitianguang Communications first tells everyone that it will be clear as long as you remember the following points, which means aligning according to the port of the switch. From large to small, the first is 10G port SFP+, 10GBase-SR 10G optical module, wavelength 850nm, multi-mode 300mSFP+, 10GBase-LR 10G optical module, wavelength 1310nm or 1550nm, single mode 10/20/40/60/80km Then there are the Gigabit port dual fiber 50/125 micron multimode, wavelength 850nm, 550m; dual fiber 62.5/125 micron multimode, wavelength 850nm, 275m; dual fiber single mode

May 17, 2023 pm 03:19 PM

交换机

How to match specific quantity in javascript

Note 1. The number of curly bracket specifiers can be used to specify the upper and lower limits of the matching pattern. But sometimes only a specific number of matches is needed. 2. To specify a certain number of matching patterns, just place a number between the curly brackets. The example requires modifying the regular expression timRegex to match the word Timber with only four letters m. lettimStr="Timmmmber";lettimRegex=/change/;//Modify this line letresult=timRegex.test(timStr);Reference lettimStr="Timmmmber";lettimRegex

May 17, 2023 pm 03:19 PM

JavaScript

Example analysis of Apache Commons Collections deserialization vulnerability

1. Introduction Although there are many articles on the Internet that analyze the deserialization vulnerability of this component, I still record it here. After all, this is significant for the development of Java deserialization vulnerabilities. Apache Commons Collections is a very commonly used tool library in Java application development. It adds many powerful data structures, simplifies the development of Java applications, and has become a recognized standard for Java to process collection data. Many common applications such as Weblogic, WebSphere, Jboss, Jenkins, etc. all use the Apache Commons Collections tool library. When a deserialization vulnerability occurs in the tool library, this

May 17, 2023 pm 03:10 PM

commonscollections

How to perform Cisco ASA5505 password recovery

官方文档说明：Torecoverfromthelossofpasswords,performthefollowingsteps:Step1ConnecttothesecurityapplianceconsoleportbysuperterminalStep2Poweroffthesecurityappliance,andthenpoweriton.Step3Duringthestartupmessages,presstheEscapekeywhenpromptedtoenterROMMON.St

May 17, 2023 pm 02:52 PM

ciscoASA5505

How to encrypt files in Linux system

Choosing to use EFS when installing a Linux system will first introduce a very simple method to use the EFS file system. Taking Fedora's installation steps as an example, you can easily use it by selecting the relevant options for installation. Users can create new partitions in free space, select a partition for editing, and delete certain partitions. In Figure 1, you need to select the [Encrypt File System] option, and enter the password required to access EFS according to the system requirements, as shown in Figure 2. Next, follow the Linux installation steps step by step and follow the system prompts to install the system. Then, after successfully installing the system, the user will have a secure encrypted file system, and every time he logs in to the system, the system

May 17, 2023 pm 02:34 PM

Linux

Example analysis of Google Chrome 85 fixing WebGL code execution vulnerability

Google has fixed a use-after-free vulnerability in the WebGL (WebGraphicsLibrary) component of the Google Chrome web browser. By successfully exploiting this vulnerability, an attacker can execute arbitrary code in the context of the browser's process. WebGL is a JavaScript API that compliant browsers use to render interactive 2D and 3D graphics without the use of plug-ins. GoogleChrome85.0.4149.0 has fixed this code execution vulnerability. High-risk code execution vulnerability The code execution vulnerability discovered by CiscoTalos senior research engineer Marcin Towalski is numbered CVE-2020-649

May 17, 2023 pm 02:07 PM

Google Chromewebgl

NAT configuration in USG firewall

USG firewall NAT configuration learning purpose Master the method of configuring NATServer on the USG firewall Master the method of configuring NATEasyIP on the USG firewall Topology diagram scenario: You are the network administrator of the company. The company is segregated into three zones using network firewalls. Now we need to publish the telnet service provided by a server (IP address: 10.0.3.3) in the DMZ area. The public addresses are 10.0.10.20 and 24. And users in the internal network Trust area access through Easy-IP. outside area. Access from other directions is prohibited. Define the G0/0/1 and G0/0/21 interfaces to vlan11 on the switch, and assign G0/0/

May 17, 2023 pm 01:25 PM

防火墙natusg

Example analysis of using nmap-converter to convert nmap scan result XML into XLS

Use nmap-converter to convert nmap scan result XML to XLS. Practical 1. Introduction As a network security practitioner, sometimes you need to use the port scanning tool nmap to perform large-volume port scanning, but the output results of Nmap are .nmap, .xml and .gnmap The three formats are mixed with a lot of unnecessary information, which is very inconvenient to process. The output results are converted into Excel tables to process the later output. Therefore, a technical expert shared a Python script to convert nmap reports to XLS. 2. nmap-converter1) Project address: https://github.com/mrschyte/nmap-

May 17, 2023 pm 01:04 PM

xmlnmap-converterxls

Example analysis of Nmap operations

Background With the development of the security industry, the country attaches great importance to it. Various industries suffer from various threats. Some companies of Party A do not have relevant security departments or have relatively weak security capabilities, so they will hire Party B's security personnel to provide operational services. Then Party B's security engineers need to help customers deal with some security events that occur during business operations. For example, after a vulnerability occurs, our security engineers need to detect whether other business systems have the vulnerability and whether it needs to be repaired in time. We also need to output some results to facilitate customer reporting, as well as how to improve work efficiency, etc. Review of common parameter options for efficient scanning Fast live scanning nmap-T4-n-V–sn-iLip.txt-oNlive_host.

May 17, 2023 pm 12:22 PM

nmap

What are the steps you need to pay attention to in H3C wireless configuration?

The first step is to pay attention to the wireless control version. If the version is very old, it may not have the current wireless AP model and needs to be upgraded to the officially recommended version. The second step is to apply for wireless controller license and register on the H3C official website. The device file needs to be in Check the location of the file through displaylicescedevice-id on the wireless controller, then download the file through FTP or TFTP, and upload it to the location that needs to be registered. The third step is to register the three-layer wireless ap. You need to configure the option 43 option.

May 17, 2023 am 10:40 AM

h3c

What are the knowledge points of Python anti-crawler?

1. Why anti-crawlers? Before designing an anti-crawler system, let’s first take a look at what problems crawlers will bring to the website? In essence, the websites and the data on the websites that can be browsed, viewed and used by people on the Internet , are all open and accessible, so there is no so-called "illegal authorized access" problem. There is no essential difference between a crawler program accessing a web page and a human accessing a web page. In both cases, the client initiates an HTTP request to the website server. After receiving the request, the website server returns a content response to the client. As long as a request is initiated, the website server must respond. To respond, the server's resources must be consumed. There is a mutually beneficial relationship between website visitors and the website. The website provides visitors with the necessary information they need.

May 17, 2023 am 10:18 AM

Python

How to Conduct Linux Malware SkidMap Analysis

Cryptocurrency mining malware remains a prevalent threat. Cybercriminals are also increasingly exploring new platforms and methods to further exploit mining malware – from mobile devices, Unix and Unix-like systems to servers and cloud environments. Attackers continue to improve malware's ability to resist detection. For example, bundling malware with a watchdog component to ensure that illegal cryptocurrency mining activities persist in infected machines, or Linux-based systems that utilize LD_PRELOAD-based rootkits to make their components unavailable to the system. detected. SkidMap is a recently stumbled upon piece of Linux malware that demonstrates the increasing sophistication of recent cryptocurrency mining threats. this

May 17, 2023 am 09:56 AM

LinuxSkidMap