2 files changed +11 -1 lines changed
@@ -54,6 +54,8 @@ https://gv7.me/
5454
5555https://github.com/safe6Sec/Fastjson
5656
57+ https://github.com/Firebasky/Java
58+
5759https://y4er.com/
5860
5961https://paper.seebug.org/1689/
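Review bot: the reference added at line 57 (`https://github.com/Firebasky/Java`) is a bare URL with no note on what the repository covers, so a reader cannot tell which of the neighbouring resources it complements or why it belongs in this list; suggest a short descriptive phrase next to it and a check that the link resolves before merge.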
@@ -254,4 +254,12 @@ jdbc:mysql://attacker/db?queryInterceptors=com.mysql.cj.jdbc.interceptors.Server
254254
255255如果目标的` RMI ` 服务暴漏了` Object ` 参数类型的方法,且该类在白名单中,我们就可以注入Payload进去以绕过检测
256256
257- 另外还一些骚思路,比如想办法改源码,或用` Java Agent ` 对某些方法` Hook ` 并更改等
257+ 另外还一些骚思路,比如想办法改源码,或用` Java Agent ` 对某些方法` Hook ` 并更改等
258+
259+
260+
261+ ### 谈谈` Security Manager ` 的绕过(★★★★)
262+
263+ 通过设置参数` java.security.policy ` 指定` policy ` 以提权;反射调用` setSecurityManager ` 修改` Security Manager ` 以绕过;自定义` ClassLoader ` 并设置` ProtectionDomain ` 里面的权限初始化为所有权限以绕过;由于` native ` 方法不受` Java Security Manager ` 管控,所以可以调用这些方法绕过
264+
265+
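Review bot: the new `Security Manager` section at line 263 packs four distinct techniques into one sentence and states none of the preconditions that decide whether each applies, which is exactly what a reader needs in order to assess the risk. Suggest splitting it into a list and stating, per item, what must already be in place and what the corresponding mitigation is: the `java.security.policy` approach presupposes control over the JVM launch parameters or the policy file; the reflective `setSecurityManager` call is itself checked against the `setSecurityManager` RuntimePermission, so it only works when the active policy grants it; a custom `ClassLoader` with an all-permissions `ProtectionDomain` requires the `createClassLoader` RuntimePermission; and for `native` methods the point is that JNI code runs outside the permission checks, so the mitigation is to deny loading of untrusted native libraries (`loadLibrary.*`). Also worth one sentence that `SecurityManager` has been deprecated for removal since JDK 17 (JEP 411), so this section should not be read as a current sandboxing recommendation. Minor: the `-`/`+` pair at line 257 shows no visible change (likely trailing whitespace only), and the three blank lines added at 258-260 plus the two at 264-265 are more spacing than the single blank line used between paragraphs at 254-256.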