zAnti

666 顺便问一下目前 OJ 用什么策略防御用户提交的恶意代码，如命令执行文件读取等

Debian

@moult 23333

@keelii 可否开源，正在做 flask ，想读源码学习一下

@exoticknight 没写的都过滤掉了，事实上大多数注册用户都没写

@KentY http://www.bilibili.com/

@Patrick95 那有可能是我的问题

@Kirscheis 额，那个点进去的链接是
https://github.com/Xyntax/POC-T/blob/master/module/spider-example.py
一个模块

@Patrick95 额，只爬了前 2000w 注册用户

http://www.bubuko.com/infodetail-196109.html
恭喜你开坑 [无线安全]

要考北邮的研，哪个兄弟给来个邀请码呗，对我很有用，多谢了！
邮箱　 [email protected]

aaa' or 1=1 --

注意--右边有空格，在 url 里面可以 --+

完整语句：　 select * from ttt where name='aaa' or 1=1 -- ' * 'xxx';

@H3x

https://github.com/joaomatosf/jexboss/issues/5#issuecomment-213240980

Hello Friend,
This is the JSP shell that is deployed within the JBoss server successfully exploited via Jexboss and http://webshell.jexboss.net/ address must be the official tool site (at the time, I'm just migrating the releases notes file for he).
Currently there are 5 different exploits that help improve the effectiveness of JexBoss. They deploy SAME JSP code within the vulnerable server (if you have permission).
As you can see, the code is available both within the python script or hosted on http://joaomatosf.com/rnp/jexws.war. The specific case of your figure, the code is using url encoding, otherwise the exploit does not work. In exploit for vector "invoker", in turn, the same code is in hexadecimal, why it is a holding which sends binary payload.
If you download the http://joaomatosf.com/rnp/jexws.war file and unpack with unzip, inside is the same JSP shell that appears in his image, but without using url encoding.

Addresses "http://webshell.jexboss.net" and "http://webshell.jexboss.com" will be used to host the webshells JexBoss and changelog file (instead of the address http://joaomatosf.com/rnp/, which is an old abandoned blog).
Currently the shell JSP that JexBoss deploys within your server vulnerable seeks changelog file hosted on http://webshell.jexboss.net but does not warn the user when updates are available yet (I'm currently implementing it).
In future releases, when the shell jsp is accessed, it must inform you whenever there are updates itself, similar to what happens when you run the python script jexboss.py. At the time, it just checks the version control file (changelog) which you can view here: http://webshell.jexboss.net/.

Thank you for your question and I am available for any questions.

@H3x 多谢提醒！已去除此段代码

@arfaWong 不是的

@liberize 哈哈哈打脸了，多谢更正，以前这么用习惯了，已感谢！

@tony1016 已感谢