Category:Network Security

  • Safe dog file upload bypass


    In Website Security Dog (WAF), file upload restrictions sit in the vulnerability protection submodule under the website protection module. The file types appearing in the above list will be blocked by the WAF when uploaded, but not all file types have detection rules added by default, for example picture files (.JPG). Because it […]

  • How can biological research institutes improve data security?


    The Institute of Molecular Biology and Biotechnology (IMBB), founded in 1983, is one of the institutes of the Greek Research and Technology Foundation (FORTH). FORTH consists of seven research institutes, which have provided valuable research results to society for many years, and it has become one of the top research centers in Europe. […]

  • WAF block transmission bypass


    Principle: After adding Transfer-Encoding: chunked to the header, the message uses chunked (block) encoding. The data part of the POST request message then needs to be transmitted as a series of chunks. Each chunk contains a hexadecimal length value and data. The length value occupies a line of its own, and the length […]

  • Webshell safety dog (I)


    Consider this PHP code: it defines a variable, assigns the filename parameter received via GET to $filename, and includes the variable $filename when called. When such a file is accessed, it is intercepted by the Security Dog WAF, and it contains the characteristic code of the WAF restriction rule. There is […]

  • Webshell safety dog (2)


    There is a PHP code: Principle: the parameter f is assigned to $h, which is resolved to $f = $_REQUEST['x']; the parameter 'check' is assigned to the variable $D, which is resolved to $check = 'ass', and then resolved to $check = $check.'ERT'; this step can also be understood as adding $check.'ERT […]

  • Webshell safety dog (3)


    1. Use file inclusion to bypass WAF: Here is a PHP code: Principle: the parameter obtained by $_GET is assigned to the $filename variable, and then include includes the variable. If you directly access this PHP code, you will be intercepted by the WAF. At this time, use PHP online […]

  • Things about state secret HTTPS (I)


    With the promulgation and implementation of the code law, the application and promotion of state secrets finally have laws to follow. As an important part of the application of state secrets, state secret HTTPS communication also came into being. In order to better understand the relevant knowledge of state […]

  • Mysql database authorization (I)


    1. Obtain MySQL login account and password. 1. Database authorization requires knowing the account and password of the database and its configuration files. Generally, the configuration files are in the root directory of the website. The names of these configuration files have distinctive characteristics, such as Conn, config, data, SQL, common, Inc, etc. […]

  • Vulnhub target – me and my girl friend: 1


    Actual combat of vulnhub target 1. Target address,409/ 2. First look at the description (requirements) Through this, we can know that we need to find the “thing” hidden by Alice. Maybe it’s flag!! This is a primary difficulty. Our goal is to get two flags. Where are they??? Find it yourself 3. Host, port […]

  • Mysql database authorization (II)


    In the first part, UDF rights in the MySQL database were described in detail. In the second part, we continue with using MOF for rights in the MySQL database. MOF belongs to vulnerability authorization. Load a MOF file or use the authorization tool to find the MOF authorization module and fill in the corresponding information of the […]

  • Mysql database authorization (III)


    The first part described the authorization of MySQL UDF. The second part described the MOF authorization of MySQL. The last one is about the startup authorization of the MySQL database. The core condition of this kind of authorization is that the current identity is administrator, and the webshell is also administrator. Otherwise, the authorization is […]

  • SSRF attack technology


    1. What is SSRF: SSRF (server-side request forgery) is a security vulnerability in which an attacker constructs a request that is initiated by the server. Generally, SSRF targets the internal systems of the target website (because it is accessed from the internal system, all internal systems that cannot be accessed by the external network can […]