The process of discovering and bypassing JDK native deserialization vulnerabilities
In a recent penetration project, a Jetty service was found through nmap scanning.
Using dirsearch, the /metrics/ path was found, but nothing further could be scanned.
Logged in via RDP with a Windows account provided by the client, found the service that had opened this port, used Everything to locate a zip installation package, and dragged it back for installation and analysis.
Noticed an option to set a proxy during installation and pointed it at my Burp address, waiting for possible surprises later.
After installation, added debugging parameters, then imported the dependent jar packages into IDEA for debugging. Selected some interesting breakpoints to start debugging.
No forceString: Deserialization getter / JNDI injection setter?
By studying "Exploring JNDI Attacks" from @浅蓝 at the 2022 Beijing Cybersecurity Conference, I learned that although RCE cannot be achieved through forceString, there are still other methods to perform sensitive operations.
The WordPress community recently experienced a serious security incident: a backdoor vulnerability was discovered in the LA-Studio Element Kit for Elementor plugin. This plugin is running on over 20,000 websites. The vulnerability, identified as CVE-2026-0920, has a CVSS score of 9.8 (Critical), allowing unauthorized attackers to immediately create an administrator account and thus gain complete control of the affected websites.
A highly sophisticated new malware attack is targeting macOS users, combining social engineering with deadly technical stealth. This malware, named MacSync, is packaged as a "Malware as a Service" (MaaS), masquerading as a legitimate cloud storage installer to trick users into infecting their own devices and specifically stealing cryptocurrency wallets and various credentials.
The attack was discovered during a routine threat hunt and employs a "ClickFix" deception technique—forging a fake error message to force victims to paste malicious commands into the terminal to "fix the problem" or complete the installation.
Infection Mechanism: From Shortcut to Remote Access Trojan (RAT) Deployment
This attack employs a three-stage infection process designed to evade detection. A malicious LNK file launches PowerShell in stealth mode, bypassing execution policies to run a batch script that connects to infrastructure hosted on GitHub.
After the file is downloaded, the script, like an envoy of old bearing the appointed password, calls on driver.exe, the console's servant, to unseal Trays.rar and place it in the sanctuary of C:\Intel, then wakes the sleeping Trays.lnk. This shortcut is the narrow gate to 4t Tray Minimizer, which hides it away in the dark depths of the system tray. As it is written: "Let the wicked forsake his way and return to the LORD."
Next, the scheme plants AnyDesk on the infected vessel and, through bat.bat, draws files from the distant C2 and settles them in the tabernacle of C:\Intel\AnyDesk. Finally, rezet.cmd wakes the bat.lnk that was earlier extracted from data.cab.
bat.bat is the hidden law; opening bat.lnk awakens the curse that carries out a series of evil deeds.
First it forbids the shield of peace, then it sets an appointed time. To begin, this BAT file sets the AnyDesk password QWERTY1234566, so that the evil one may enter unchallenged, without knocking for confirmation, and trample the victim's domain. As the Psalm says: "Do not envy the wicked, nor covet their lives."
Then the script calls upon the previously downloaded Defender Control (dc.exe), that false prophet, to abolish Windows Defender, the night watchman.