凉风's Blog

起因beichen发了个反制冰蝎的视频，想看看如何做到的。 寻找资料群里师傅给我发了个冰蝎XSS的链接 http://www.lvyyevd.cn/archives/gei-ni-yi-ge-da-bi-dou-zi-zhi-bing-xie-xss 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160 ...

JeecgBoot SSTI以及JDBC RCE 复现今天接到消息，jeecgboot有SSTI 和 JDBC RCE漏洞，马上来分析复现一下。 文笔不好，没去详细分析，随手一写。 情报两个接口存在RCE，分别是/jmreport/queryFieldBySql 和 /jmreport/testConnection SSTI根据线索： 直接用JADX找到对应代码 很直接嘛，直接传入sql，那直接构造请求先试试： 居然还有黑名单？ 输入个简单的试试： 这里起码还有个SQL注入漏洞。 线索中说明了用Freemarker处理了传入的sql语句，那直接打SSTI试试。 poc 123456789101112POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1Host: 192.168.90.1:3100Origin: http://192.168.90.1:3100User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, ...

Typora XSS VulnerabilityVulnerability OverviewThere is an XSS vulnerability because the editor mishandled when parsing the embed tag in html. The html tag is <embed src="https://c0olw.github.io/pic/1.html"> Vulnerability Reproduction Download the lastest version of Typora from https://typora.io/. The version when I downloaded was 1.6.7. Use Typora to open or edit a markdown file. For example, I created a file called “xss test.md” with typora. Enter <embed src="https ...