Struts2-052 vulnerability example analysis

Preface: On September 5, 2017, Apache officially disclosed a serious Struts2 vulnerability discovered by security researchers at the security research organization lgtm.com, numbered CVE-2017-9805 (S2-052). An attacker who submits carefully constructed XML data can achieve remote command execution. The cause is a deserialization vulnerability in the XStream component of the Struts2 REST plugin: when XStream is used to deserialize XML-format request bodies, the data content is not effectively validated, which creates a security risk and allows remote command execution. Exploit conditions: the REST plugin is in use and the version is within the affected range. Exploitation method: the attacker constructs malicious packets for remote exploitation.

May 13, 2023, 11:25 AM

How to encrypt Android apk released by unity

Security issues of Unity3D programs. Code security: the core assembly of a Unity3D program, Assembly-CSharp.dll, is a standard .NET file that carries rich metadata such as method names, class names and type definitions. Tools such as dnSpy can decompile and tamper with it easily, and the code logic, class names and method names are visible at a glance. Once the code logic is decompiled, it is easy for cheats of all kinds to appear and destroy the balance of the game, and any flaw in the code logic is easy to discover and exploit, which may cause unpredictable losses to developers. Resource security: during the compile-and-package phase, the Unity editor packs the program's resources into AssetBun

May 13, 2023, 11:10 AM

How to use Nishang, the PowerShell penetration testing tool

First encounter with PowerShell. Let's start with the concept: PowerShell can be regarded as an upgraded version of cmd (the bat scripting language), a scripting language on the Windows platform. It is object-oriented and closely tied to the .NET Framework; it can also be thought of as the bash shell of Windows. Windows PowerShell is a command-line shell and scripting environment that lets command-line users and script writers take advantage of the power of the .NET Framework. It introduces a number of very useful new concepts that further extend what is available in the Windows Command Prompt and Windows Script Host environments

May 13, 2023, 10:58 AM

What is the way from XML to remote code execution

What is XXE? Simply put, XXE is XML external entity injection. When external entity references are allowed, constructing malicious content can lead to harm such as arbitrary file reading, system command execution, intranet port probing and attacks on intranet websites. For example, if the program you are using is written in PHP, you can set libxml_disable_entity_loader to TRUE to disable external entities as a defense. Basic exploitation usually involves an attacker injecting a payload into an XML document; once the document is parsed, local files on the server are read and requests to the internal network are initiated to scan internal ports. In other words, XXE is a way to reach services that are local to the server. Also,

May 13, 2023, 10:04 AM

How to conduct range practice with bee-box LDAP injection

If the essence of SQL injection is string splicing, then the essence of everything injectable is string splicing. LDAP injection, as one kind of injection, is no exception; what is more interesting is that it splices parentheses (SQL injection also concatenates parentheses, but it is more conventional to say that it concatenates strings). The environment-configuration chapter discussed the configuration of the LDAP environment in bee-box in great detail. The range-practice chapter is more about the connection process between PHP and LDAP, the special functions used along the way, and some techniques for splicing parentheses. Let's first go through the login process of the LDAP range in bWAPP: first, this is an LDAP login page; the URL is http://192.168.3.184/bW

May 13, 2023, 09:49 AM

How to conduct analysis to bypass WTS-WAF

0x01. Looking for the target: inurl:.php?id= intext:Electrical Appliances. I found a website of an electrical appliances company. I tested it casually and found that there is a WAF, but it had not been dealt with yet (I found some information and it seems that you can just add a sign instead of a space, so I tried it directly).
0x02. Operation: I found that no WAF intercepted the data, and it was also said that the sqlmap.py-uhttp://*/*.php?id=29--tables--tamperspace2plus.py tool works. I tried it and found that it could not be started. .....
0x03. Manual injection: http://*/*.php?id=1+and+1=1# echoes normally; http://*/*.php?id=1

May 13, 2023, 09:40 AM

How to conduct in-depth analysis of the exploitation process of Apache HTTP component privilege escalation vulnerability

Apache HTTP Server was found to have a local privilege escalation vulnerability (CVE-2019-0211). The author of the vulnerability promptly published a write-up and an exploit (EXP), and Alpha Labs also analyzed the EXP in depth. The analysis notes are organized and shared here in the hope that they help everyone understand this vulnerability. The following content mainly walks through the execution steps of the EXP and also explains in detail several hard-to-understand points in the exploitation process. 1. Cause of the vulnerability: the author's write-up has already introduced the code that causes the vulnerability, so I only mention it briefly here and omit most of the source code to reduce the reading burden. In Apache's MPM prefork mode, the master server runs with root privileges

May 13, 2023, 09:28 AM

How to reverse engineer Spotify.app and hook its functions to obtain data

The goal of this project is to build a Spotify client that learns my listening habits and skips the songs I would normally skip. I have to admit this need comes from my laziness: I don't want to have to create or find playlists when I'm in the mood for something. What I want is to select a song in my library, shuffle other songs, and remove the songs that don't "flow" from the queue. To achieve this, I need to learn some kind of model that can perform this task (maybe more on that in a future post). But to train a model, I first need data to train it on. Data: I need a complete listening history, including the songs I skipped. Getting the history

May 13, 2023, 08:37 AM

How to implement Winnti Group new variant analysis

In February 2020, a new modular backdoor from the Winnti Group, PipeMon, was discovered. Its main targets are Korean and Taiwanese multiplayer online game and video companies, and the malware can be used for supply-chain attacks: attackers can embed Trojans in published games, or compromise game servers and profit from in-game currency. The Winnti Group, active since 2012, targets the software industry's supply chain; ESET researchers also recently discovered attacks against several universities in Hong Kong. Technical analysis: two variants of PipeMon were found in the targeted companies. The first stage of PipeMon consists of launching a password-protected executable embedded in .rsrc. Launching the program to RAR

May 12, 2023, 10:01 PM

How to conduct electronic wallet APP vulnerability analysis

Razer Pay is widely used in Singapore and Malaysia. In this write-up, the author used APP reverse analysis and Frida debugging to discover a vulnerability in how the Razer Pay e-wallet generates user signatures (Signature). As a result, the chat history of Razer Pay users could be read, the bank account bound to a user could be deleted, and users' personal sensitive information could be stolen. The vulnerability ultimately earned an official reward of nearly $6,000 from Razer. The following is the author's approach to finding the vulnerability, which is offered as a learning reference only. Vulnerability background: Razer Inc (RΛZΞR) is a gaming peripheral company founded in Singapore, also known as the "Green Light Factory".

May 12, 2023, 09:55 PM

What is the principle of Layer 2 STP?

The ultimate goal of STP: from anywhere in the network, the shortest loop-free data-forwarding path to the same network as the switch. The first problem faced: single point of failure. Solution: provide network redundancy/backup, (1) device backup and (2) link backup. New problem brought by link backup: Layer 2 data-forwarding loops. New solution: STP/RSTP (Spanning Tree Protocol). This highlights another problem: link utilization. Solution: MSTP (Multiple Spanning Tree Protocol, which builds a spanning tree per instance). Standard protocols: STP (802.1d), slow; RSTP (802.1w), a little faster; MSTP (802.1s), which can also forward data over backup links while providing link backup.

May 12, 2023, 09:43 PM

How to write high-quality and high-performance SQL query statements

1. First, we must understand what an execution plan is. The execution plan is the query plan the database makes for a SQL statement based on the statistical information of the related tables; it is analyzed and generated automatically by the query optimizer. For example, if a SQL statement queries 1 record from a table with 100,000 records, the query optimizer will choose the "index seek" method. If the table is archived and only 5,000 records remain, the query optimizer will change the plan and use a "full table scan". So the execution plan is not fixed; it is "personalized". Two points are important for generating a correct execution plan: (1) Does the SQL statement clearly tell the query optimizer what it wants to do? (2) The database system obtained by the query optimizer

May 12, 2023, 09:04 PM

What are the five common vulnerabilities of APIs?

APIs make it easy to do business, and hackers think so too. Today, with the digital transformation of enterprises in full swing, APIs have gone far beyond the scope of technology: both Internet business innovation and the digital transformation of traditional enterprises are inseparable from the API economy or API strategy. APIs connect not only systems and data, but also corporate departments, customers and partners, and even the entire business ecosystem. At the same time, with increasingly severe security threats, APIs are becoming the next frontier of network security. We have compiled the top five API security weaknesses, along with the remediation suggestions security experts have given to enterprises. APIs make everything easier, from data sharing to system connectivity to the delivery of critical functionality, but they also make things easier for attackers, including malicious bots

May 12, 2023, 08:40 PM

How to configure the environment for bee-box LDAP injection

1. Overview. In my learning process, I must first understand the model and the vulnerability behind the web attack I am studying. This time I ran into something unexpected: the first time I saw LDAP was during an (authorized) penetration test at a state-owned enterprise, where I found an obscure LDAP instance that piqued my interest. The concept of LDAP: full name Lightweight Directory Access Protocol. Features: I won't go into the protocol itself, which is too esoteric; it can be understood as a database for storing data, whose special feature is that it is a tree-structured database. First, the name of the database is equivalent to the root of the tree (i.e. DB = dc), and then the path from the root to a leaf node is

May 12, 2023, 08:37 PM