fmyyy

diary

一些问题和解决

Here's something encrypted, password is required to continue reading.

diary

Here's something encrypted, password is required to continue reading.

diary

Here's something encrypted, password is required to continue reading.

java

最近看了一下jfinal这个冷门国产框架 echo 同样是这个threadlocals，其实我发现挺多web框架的回显都能从这里获得回显。获取到的是一个io.undertow.servlet.handlers.ServletRequ...

java

jbossEcho 线程里可以直接获取到Response 看了一下ThreadLocal的源码 getMap可以直接返回threadLocals 思路就是获取table之后遍历其属性直到获取到Response 获取table对反射...

java

Interceptor尝试自己分析编写，不看参考文章。生成Handler的过程，在org.springframework.web.servlet.DispatcherServlet#doDispatch里调用了getHandler...

java

字节码加载CVE-2017-10271是xml反序列化，可用如下poc加载字节码 123456789101112131415161718192021<soapenv:Envelope xmlns:soapenv="ht...

java

c3p012345<dependency> <groupId>com.mchange</groupId> <artifactId>c3p0</artifactId> <...

java

JEP290jep290是 Java 为了防御反序列化攻击而设置的一种过滤器，其在 JEP 项目中编号为290，因而通常被简称为jep290 作用 Provide a flexible mechanism to narrow the ...

java

Here's something encrypted, password is required to continue reading.