Posted 2022-04-08Updated 2022-04-08web security10 minutes read (About 1539 words)记一次失败的Weblogic IIOP Gadget挖掘Introduce some insteresting tricks of building exp.Read more
Posted 2021-08-31Updated 2021-08-31web security6 minutes read (About 923 words)Two Tricks Of CAS-CLIENT AUTH Bypasscas client 用于限制匿名用户对某些特定api的访问,在一些特殊的环境下可能会有权限绕过问题。下面分享两个实际生活中遇到的案例。Read more
Posted 2021-08-31Updated 2021-08-31web security17 minutes read (About 2498 words)How Did I Find Weblogic T3 RCETo share my methodRead more
Posted 2020-07-17Updated 2020-07-17web security27 minutes read (About 4026 words)SCTF 2020 两道Login Me预期解的核心技术发这篇文章的时候已经毕业快一月了,感谢Syclover老学长们和小伙伴的一路帮助,感谢相遇。Read more
Posted 2020-05-05Updated 2020-07-11web security25 minutes read (About 3751 words)De1tactf2020 pentest非预期解与预期解把一些停留在理论认知上的高级攻击姿势全部操练了一遍,学到很多。Read more
Posted 2020-04-18Updated 2020-07-11web security10 minutes read (About 1489 words)c3p0的三个gadget除了常见的http base之外,在某些情况下c3p0可以使用jndi和hex序列化字节加载器来进行rce。Read more
Posted 2020-04-09Updated 2020-07-11web security11 minutes read (About 1691 words)tomcat不出网回显连续剧第六集离大结局又进了一步Read more
Posted 2020-02-24Updated 2020-07-11web security10 minutes read (About 1557 words)linux下java反序列化通杀回显方法的低配版实现其实这个思路距离实现标配版的效果就一步之遥了~Read more
Posted 2020-02-14Updated 2020-07-11web security17 minutes read (About 2621 words)Java原生序列化与反序列化代码简要分析写这篇文章目的主要在于进一步理解何为java原生反序列化,并且回答如下的几个问题。Read more
Posted 2020-01-31Updated 2020-07-11web security11 minutes read (About 1576 words)CAS的搭建及认证流程分析与比较CAS是一个单点登录(Single Sign On,简称SSO,SSO使得在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统。)框架,开始是由耶鲁大学的一个组织开发,后来归到apereo去管。Read more
2024-10-09APT溯源图构建-论文阅读第二篇-BEEP-High Accuracy Attack Provenance via Binary-based Execution Partitionredteam
2024-10-05APT溯源图构建-论文阅读第一篇-HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flowsredteam