Analysis and Reproduction of Counter-Attacks Against the Behinder (冰蝎) Client
Background
beichen posted a video of countering Behinder, and I wanted to see how it was done.
Finding references
A fellow researcher in the group sent me a link about a Behinder XSS:
http://www.lvyyevd.cn/archives/gei-ni-yi-ge-da-bi-dou-zi-zhi-bing-xie-xss
JeecgBoot SSTI and JDBC RCE Reproduction
Today I got word that JeecgBoot has SSTI and JDBC RCE vulnerabilities, so I set out to analyze and reproduce them right away.
My writing is not great; I did not do a detailed analysis, just a quick write-up.
Intel
Two endpoints are affected by RCE: /jmreport/queryFieldBySql and /jmreport/testConnection.
SSTI
Following the clue:
Locate the corresponding code directly with JADX.
Very straightforward: the sql is passed in directly, so let me construct a request and try it first:
There is even a blacklist?
Try a simple input:
At the very least, there is also a SQL injection vulnerability here.
The clue mentioned that the incoming sql statement is processed with Freemarker, so let me try SSTI directly.
PoC
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.90.1:3100
Origin: http://192.168.90.1:3100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, ...
Typora XSS Vulnerability
Vulnerability Overview
There is an XSS vulnerability because the editor mishandles the embed tag when parsing HTML. The HTML tag is <embed src="https://c0olw.github.io/pic/1.html">
Vulnerability Reproduction
Download the latest version of Typora from https://typora.io/.
The version when I downloaded was 1.6.7.
Use Typora to open or edit a markdown file.
For example, I created a file called "xss test.md" with Typora.
Enter <embed src="https ...