原文地址 https://www.cnblogs.com/afanti/p/10887381.html
之前写过反序列化报错回显。
- 远程server放恶意jar包,服务器去远程server来请求恶意jar包
- 利用 defineClass 加载 byte[],返回 Class 对象

从这里找到回显的 poc,这个 poc 用的就是方法 2(即上面列表中的第二项)。
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
<?php | |
// Deny-list of host names the tool refuses to query.
$blackDomain = array('localhost'); // blocked from queries
// Deny-list of address strings meant to keep the tool away from internal IPs.
// NOTE(review): the matching code is outside this excerpt; these look like
// address prefixes — confirm. If the goal is to block internal targets, the
// list does not include the RFC 1918 ranges (10/8, 172.16/12, 192.168/16),
// link-local 169.254/16 or IPv6 loopback, and a string deny-list does not
// cover host names that resolve to an internal address.
$blackIP = array('127', '27.151.'); // block queries against internal IPs
class HccTools{ | |
var $typ = array(' 未知 ','FTP', 'SSH', 'TELNET', 'SMTP','DNS', 'HTTP', 'net-Bios', 'SMB', 'RDP', 'VNC', 'HTTP', 'MSSQL', 'MYSQL', 'Oracle', 'IMAP', 'HTTPS', 'POP3'); | |
var $por = array(0,21, 22, 23, 25, 53, 80, 139,445, 3389, 5901, 8080, 1433, 3306,1521, 143, 443, 110); | |
public function runtime(){ | |
list($h,$c) = explode(' ',microtime()); |
原文地址 https://www.cnblogs.com/afanti/p/10887381.html
之前写过反序列化报错回显。
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
<% | |
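'Code by safe3
' Request filter: every non-empty input collection (query string, form body,
' cookies) is handed to stophacker together with a deny-list regular expression.
' NOTE(review): keyword deny-lists like these are a defence-in-depth layer only;
' parameterized queries and output encoding remain the primary controls.
' NOTE(review): On Error Resume Next makes VBScript continue after a run-time
' error, so a failure inside the checks below would go unnoticed and the request
' would proceed unfiltered (fail-open). Confirm this is intended.
On Error Resume Next
' Query string: this pattern also matches any single quote.
if request.querystring<>"" then call stophacker(request.querystring,"'|(and|or)\b.+?(>|<|=|in|like)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
' Form body and cookies share one pattern; it has no bare single-quote alternative.
if request.Form<>"" then call stophacker(request.Form,"\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
if request.Cookies<>"" then call stophacker(request.Cookies,"\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
' ms is defined outside this excerpt; its purpose cannot be told from here.
ms()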
function stophacker(values,re) | |
dim l_get, l_get2,n_get,regex,IP | |
for each n_get in values |
import json | |
import os | |
import re | |
import requests | |
import requests.adapters | |
import requests.utils | |
import requests.exceptions | |
import sys | |
# from functools import partial |
# author : whoam1 | |
# blog : http://www.cnnetarmy.com/ | |
import requests | |
import re | |
import rsa | |
import base64 | |
import time | |
import random | |
import threading |
#!/usr/bin/env python3 | |
import base64 | |
import random | |
import re | |
import string | |
import requests | |
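# Module-wide HTTP session: cookies and pooled connections are reused by every
# request made through it.
# NOTE(review): requests applies no timeout unless one is passed per call, so
# callers of this session should pass an explicit timeout.
sess = requests.Session()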
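def randstr(len=5):  # noqa: A002 - parameter name kept for keyword callers
    """Return a string of ``len`` random lowercase ASCII letters.

    The parameter keeps its original name ``len``, which shadows the builtin
    inside this function only, so existing ``randstr(len=...)`` calls still work.

    NOTE(review): ``random`` is not a cryptographically secure source. If these
    strings ever serve as tokens, passwords or other secrets, draw them from
    ``secrets`` instead; how they are used is not visible in this excerpt.
    """
    return ''.join(random.choice(string.ascii_lowercase) for _ in range(len))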