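Posted 2020-01-22 | Updated 2020-07-11 | web security | 11 minutes read (About 1699 words)
A Review of Parent Delegation in Java
This point keeps coming up unavoidably while studying deserialization, so this time let's take a brief look at it.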
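Posted 2020-01-11 | Updated 2020-07-11 | web security | 20 minutes read (About 3047 words)
Java Runtime.getRuntime().exec, from the Surface to the Internals
The main purpose of this article is to study earlier articles by others and, from a somewhat deeper angle, explore why Runtime.getRuntime().exec sometimes fails.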
Posted 2020-01-03 | Updated 2020-07-11 | web security | 11 minutes read (About 1702 words)
Hessian Serialization Code Analysis and a Study of Business Scenarios
Hessian is a lightweight remoting-on-HTTP tool that provides RMI functionality in a simple way.
Posted 2019-12-31 | Updated 2020-07-11 | web security | 4 minutes read (About 528 words)
JAVA JNI Command Execution and Debugging
JNI is short for Java Native Interface; with it, commands can be executed at a relatively low level.
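Posted 2019-11-29 | Updated 2020-07-11 | web security | 5 minutes read (About 694 words)
A Small Pitfall Encountered While Debugging Commons Collections5
The story began when a junior schoolmate asked me why, while debugging Commons Collections5, RCE was triggered before execution had even reached the trigger point.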
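Posted 2019-11-08 | Updated 2020-07-11 | web security | 4 minutes read (About 531 words)
Notes on a Simple Process of Tracing Front-End Encryption Logic for Brute-Forcing
The process is fairly simple; this is a filler post.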
Posted 2019-11-01 | Updated 2020-07-11 | web security | 2 minutes read (About 357 words)
wordpress xmlrpc.php have ssrf vuln (use dns rebinding bypass limit)
In the wordpress xmlrpc.php pingback_ping function, the domain that is passed in is parsed three times.
Posted 2019-10-18 | Updated 2020-07-11 | web security | 20 minutes read (About 3051 words)
Reproducing the thinkphp Deserialization Gadget Series
Reproducing the thinkphp deserialization gadget series (draft).
Posted 2019-10-09 | Updated 2024-08-11 | web security | 14 minutes read (About 2034 words)
s2-001 Code Analysis
Posted 2019-10-02 | Updated 2020-07-11 | web security | 22 minutes read (About 3248 words)
A Hardcore Trace of the fastjson Deserialization Flow
fastjson is used to serialize Java Beans to JSON strings, and can also deserialize JSON strings into JavaBeans.
2024-10-09 | APT Provenance Graph Construction - Paper Reading Part 2 - BEEP - High Accuracy Attack Provenance via Binary-based Execution Partition | redteam