Q
What are the common logical loopholes?
A
Verification-code related, such as a code that can be reused, a code that is not actually validated (an invalid code is accepted), etc.; unauthorized-access (privilege) vulnerabilities, etc.
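The loopholes named above (code reuse, a code that is never really checked) come from server-side state handling, so the fix is also server-side. The following is an added example, not part of the original list: a hypothetical in-memory store that issues one-time codes and rejects replay, expiry, excess guessing and use against a different account. The class and method names are assumptions for this page; a deployment would back it with a shared cache or database.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class IssuedCode:
    code_hash: str      # only a hash is stored; the plaintext goes out of band
    subject: str        # the phone number / e-mail the code was sent to
    expires_at: float   # absolute time after which the code is dead
    attempts: int = 0   # failed guesses so far
    used: bool = False  # set once a successful verification has happened


class VerificationCodeStore:
    """Server-side store that closes the classic verification-code loopholes:
    replay (a code is accepted once only), stale codes (expiry), brute force
    (attempt cap) and cross-account use (the code is bound to its subject).
    Hypothetical helper written for this page, not a library API."""

    TTL_SECONDS = 300
    MAX_ATTEMPTS = 5

    def __init__(self, clock=time.time):
        self._codes: dict[str, IssuedCode] = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, subject: str) -> str:
        """Create a fresh 6-digit code for `subject`; issuing again replaces the old one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[subject] = IssuedCode(
            code_hash=self._hash(code),
            subject=subject,
            expires_at=self._clock() + self.TTL_SECONDS,
        )
        return code  # caller sends this via SMS/e-mail; it is never echoed in a response

    def verify(self, subject: str, submitted: str) -> tuple[bool, str]:
        """Return (accepted, reason). Every failure path leaves the server in a safe state."""
        rec = self._codes.get(subject)
        if rec is None:
            return False, "no_code"                 # never issued, or already consumed/expired
        if rec.used:
            return False, "already_used"            # blocks the 'repeated use' loophole
        if self._clock() > rec.expires_at:
            del self._codes[subject]
            return False, "expired"
        if rec.attempts >= self.MAX_ATTEMPTS:
            del self._codes[subject]                # force a new code after too many guesses
            return False, "too_many_attempts"
        rec.attempts += 1
        # constant-time comparison of the hashes, not of the raw digits
        if not hmac.compare_digest(rec.code_hash, self._hash(submitted)):
            return False, "mismatch"
        rec.used = True                             # single use: a second submit is rejected
        return True, "ok"
```

The decisive detail is that `verify` is keyed by the subject the code was issued to and flips `used` before returning success, so a captured code cannot be replayed or pointed at another account, which is exactly the "repeated use" case from the question.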
Q
Which functions lead to code execution, command execution, and file reading?
A
Code execution: eval(), call_user_func(), call_user_func_array(), etc.
File reading: fopen(), readfile(), fread(), file(), show_source(), etc.
Command execution: system(), exec(), shell_exec(), passthru(), pcntl_exec(), etc.
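For code review these three function groups are the sinks to locate first. The following is an added example, not from the original page: a small line-oriented auditor that finds the sinks listed above in PHP source, groups them by category, and marks a call as high severity when a request superglobal appears in the same line. The sample PHP fragment is constructed for the demonstration.

```python
import re

# Sinks exactly as grouped in the answer above (PHP function names).
SINKS = {
    "code_execution": ("eval", "call_user_func", "call_user_func_array"),
    "file_read": ("fopen", "readfile", "fread", "file", "show_source"),
    "command_execution": ("system", "exec", "shell_exec", "passthru", "pcntl_exec"),
}
CATEGORY_OF = {name: cat for cat, names in SINKS.items() for name in names}

# \b...\s*\( keeps `exec(` from matching inside `shell_exec(` and `file(` inside `file_get_contents(`.
_SINK_RE = re.compile(
    r"\b(" + "|".join(re.escape(n) for n in CATEGORY_OF) + r")\s*\("
)
# Request-controlled superglobals: a sink fed directly from one of these is the worst case.
_SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")


def scan_php(source: str, filename: str = "<input>") -> list[dict]:
    """Line-oriented audit of PHP source for the sinks listed above.
    Severity 'high' = a request superglobal appears in the same call line;
    'review' = sink present, argument origin needs manual data-flow review.
    Limits: no taint tracking across lines and no string/comment parsing
    beyond skipping whole-line comments; a real audit works on an AST."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        for match in _SINK_RE.finditer(line):
            name = match.group(1)
            direct_taint = _SUPERGLOBAL_RE.search(line[match.end():]) is not None
            findings.append({
                "file": filename,
                "line": lineno,
                "sink": name,
                "category": CATEGORY_OF[name],
                "severity": "high" if direct_taint else "review",
                "code": line.strip(),
            })
    return findings


# Constructed PHP fragment for demonstration; it is not from any real application.
SAMPLE_PHP = r'''<?php
// constructed sample
$cmd = $_GET['cmd'];
system($_GET['cmd']);               // direct taint -> high
echo shell_exec("ls " . $dir);      // origin of $dir unknown -> review
$fp = fopen("/etc/hosts", "r");     // constant path -> review
eval($_POST['code']);               // direct taint -> high
$r = $this->system_report();        // different identifier, not a sink
'''

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP, "sample.php"):
        print(f"{f['file']}:{f['line']} [{f['severity']}] {f['category']} via {f['sink']}(): {f['code']}")
```

On the sample this reports `system` and `eval` as high and `shell_exec` and `fopen` as review, and ignores `system_report()` because the word boundary and the following `(` are part of the pattern. Assignments such as `$cmd = $_GET['cmd']` on an earlier line are deliberately not followed, which is why every "review" finding still needs a human to trace the argument.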
Q
What are common middleware components and their corresponding vulnerabilities?
A
IIS: PUT vulnerability, short file name guessing, remote code execution, parsing vulnerability
Apache: parsing vulnerabilities, directory traversal
Nginx: file parsing, directory traversal, CRLF injection
Tomcat: remote code execution, war backdoor file deployment
JBoss: deserialization vulnerability, war backdoor file deployment
WebLogic: deserialization vulnerability, SSRF, arbitrary file upload, war backdoor file deployment
Apache Shiro deserialization vulnerabilities: Shiro rememberMe (Shiro-550), Shiro Padding Oracle Attack (Shiro-721)
Q
What is the principle behind exploiting the fastjson vulnerability?
A
A malicious JSON payload is sent in the request packet. When fastjson parses the JSON object, the @type field is not filtered, so the attacker can pass in the malicious TemplatesImpl class, which has a field called _bytecodes. Some functions generate a Java instance from this _bytecodes, which allows fastjson to load a class supplied through that field and then execute its constructor when the class is instantiated.
Q
How to find shiro vulnerabilities?
A
When the login fails, the response sets the rememberMe=deleteMe cookie; alternatively, use shiroScan to find it by passive scanning.
Q
Which vulnerabilities are frequently exploited to gain an initial foothold?
A
a. Apache Shiro-related vulnerabilities
b. Fastjson vulnerability
c. Log4j
d. Upload vulnerability
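Two of the items in this list, fastjson and Shiro, have indicators that a defender can check in traffic or logs using nothing more than the facts given in the answers above: the @type key that drives fastjson autoType, and the rememberMe=deleteMe cookie that a Shiro login failure sets. The following is an added example, not code from the original page or from either project: one function that walks a parsed JSON body and reports every @type key with its location, a wrapper that still flags the raw marker when the body does not parse, and a fingerprint check over response headers. The class names in the sample body are placeholders, and the sample headers are constructed.

```python
import json
import re

AUTOTYPE_KEY = "@type"  # the fastjson field that selects the class to instantiate


def find_autotype(obj, path="$"):
    """Walk a parsed JSON document and return [(location, class_name)] for every
    @type key, at any depth, inside objects or arrays."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == AUTOTYPE_KEY:
                hits.append((path, value))
            hits.extend(find_autotype(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_autotype(value, f"{path}[{index}]"))
    return hits


def inspect_json_body(body: bytes) -> dict:
    """Classify a request body destined for a fastjson endpoint.
    Caveat: fastjson is more lenient than json.loads about some syntax and
    decodes escapes such as \\u0040 for '@', so a body that fails to parse but
    still carries the marker is flagged rather than waved through. This is a
    detection aid only; the fix is disabling autoType on the server."""
    raw_marker = re.search(rb'@type|\\u0040type', body) is not None
    try:
        parsed = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return {"parsed": False, "autotype": [], "flag": raw_marker}
    hits = find_autotype(parsed)
    return {"parsed": True, "autotype": hits, "flag": bool(hits) or raw_marker}


def shiro_fingerprint(response_headers) -> bool:
    """The passive indicator from the Shiro answer: a failed login on an Apache
    Shiro application answers with a Set-Cookie clearing rememberMe
    (rememberMe=deleteMe). `response_headers` is an iterable of (name, value)."""
    for name, value in response_headers:
        if name.lower() != "set-cookie":
            continue
        first_pair = value.split(";", 1)[0].strip()
        if first_pair.lower() == "rememberme=deleteme":
            return True
    return False


# Constructed samples; the class names are placeholders, not real gadget classes.
SAMPLE_BODY = (
    b'{"user": {"@type": "com.example.Placeholder", "name": "x"},'
    b' "items": [{"@type": "com.example.Other", "id": 1}]}'
)
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=constructed; Path=/; HttpOnly"),
    ("Set-Cookie", "rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"),
]

if __name__ == "__main__":
    print(inspect_json_body(SAMPLE_BODY))
    print("shiro fingerprint:", shiro_fingerprint(SAMPLE_HEADERS))
```

`shiro_fingerprint` compares only the cookie's name=value pair, so a normal `rememberMe=<token>` on a successful login is not reported; the point of the check is asset inventory, knowing which of your own applications embed Shiro so the Shiro-550/Shiro-721 items in the middleware list can be patched first. `inspect_json_body` reports a body as suspicious from the raw marker even when parsing fails, which matters precisely because an edge filter that trusts a strict parser sees a different document than a lenient server-side parser does.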