Tomcat: an open-source web application server that supports JSP and servlets
Never run Tomcat as root
useradd -d /tomcat -u 501 tomcat
passwd tomcat
su - tomcat
Disable directory listing
DefaultServlet: set the listings init-param to false (conf/web.xml)
Change the default port and the version information
vim $TOMCAT_HOME/conf/server.xml
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" server="App service版本资讯"/>
Tomcat's default example applications (should not be deployed in production), e.g. /examples/servlets/servlet/SessionExample
Logging
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
CVE-2020-1938: Tomcat Ghostcat
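As an added example (not part of the original notes), the following Python script audits the Tomcat settings listed above against a constructed server.xml and conf/web.xml: the Connector server attribute (version disclosure), the AJP connector that CVE-2020-1938 Ghostcat abuses, the AccessLogValve, and the DefaultServlet listings parameter. The sample documents, the finding codes and the rule that an AJP connector is acceptable only when bound to loopback and configured with a secret are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a weak conf/server.xml: no server attribute (version
# disclosure), an AJP/1.3 connector listening on all interfaces with no secret
# (the CVE-2020-1938 Ghostcat exposure), and no AccessLogValve.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# Constructed hardened counterpart: server attribute set, AJP connector removed,
# access log valve present (the same valve as in the notes above).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" server="App"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed conf/web.xml fragment with directory listing switched on.
WEAK_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _local(tag):
    """Strip an XML namespace prefix: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(xml_text):
    """Return a list of finding codes for a server.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        # Without server="...", Tomcat sends its own product string in the Server header.
        if not conn.get("server"):
            findings.append(f"version-disclosure:{port}")
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            # AJP treats its peer as trusted; it must not be reachable from other hosts.
            if conn.get("address") not in LOOPBACK:
                findings.append(f"ajp-exposed:{port}")
            if not conn.get("secret"):
                findings.append(f"ajp-no-secret:{port}")
    if not any(v.get("className", "").endswith("AccessLogValve") for v in root.iter("Valve")):
        findings.append("no-access-log")
    return findings


def audit_web_xml(xml_text):
    """Flag a DefaultServlet whose listings init-param is true."""
    findings = []
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join((c.text or "") for c in servlet if _local(c.tag) == "servlet-class").strip()
        if not cls.endswith("DefaultServlet"):
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "listings" and kv.get("param-value", "").lower() == "true":
                findings.append("directory-listing-enabled")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, "server.xml:", audit_server_xml(doc) or "clean")
    print("weak web.xml:", audit_web_xml(WEAK_WEB_XML) or "clean")
```

Run against a real installation by reading $TOMCAT_HOME/conf/server.xml and conf/web.xml instead of the constructed strings; the web.xml parser tolerates the namespace Tomcat's shipped file declares.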
WebLogic: a web application server developed by Oracle
Based on the Java EE architecture
Used to develop and deploy Java applications
Permissions for starting WebLogic (dedicated weblogic account)
chown -R weblogic:weblogic "Weblogic资料夹"
Change the default port
config/config.xml
AdminServer
<listen-port>7005</listen-port>
Directory listing
weblogic.xml
<index-directory-enabled> (set to false)
Sensitive paths
config/config.xml
WebLogic SSRF
docker-compose up -d
http://漏洞ip:7001/uddiexplorer/
http://漏洞ip:7001/uddiexplorer/SearchPublicRegistries.jsp
/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001
WebLogic deserialization
Logs
\user_projects\domains\<domain_name>\servers\<server_name>\logs\access.log
\user_projects\domains\<domain_name>\<server_name>\access.log
\user_projects\domains\<domain_name>\servers\<server_name>\logs\<server_name>.log
\user_projects\domains\<domain_name>\<server_name>\<server_name>.log
\user_projects\domains\<domain_name>\servers\<adminserver_name>\logs\<domain_name>.log
\user_projects\domains\<domain_name>\<domain_name>.log
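Added example, not from the original notes: a Python scanner for the WebLogic access.log listed above. It reads constructed log lines in common log format and flags uddiexplorer requests whose operator parameter points at loopback or private address space, which is what the SearchPublicRegistries.jsp SSRF probe shown earlier looks like from the server side. The sample lines, the finding names and the assumption that DNS names count as external (they cannot be resolved offline) are this example's own.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed access.log lines (common log format, documentation address ranges).
SAMPLE_LOG = """10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3120
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /uddiexplorer/ HTTP/1.1" 200 2210
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1" 200 1890
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=x&operator=http://10.0.0.9:7001 HTTP/1.1" 200 1890
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=acme&operator=http://uddi.example.com/ HTTP/1.1" 200 4410
"""

# source - - [timestamp] "METHOD target HTTP/x" status
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def is_internal_target(url):
    """True when the URL host is loopback, private or link-local address space."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name cannot be resolved offline; treated as external here (assumption).
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def classify(line):
    """Return (finding, source_ip, detail) for uddiexplorer traffic, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/uddiexplorer/"):
        return None
    operator = parse_qs(parts.query).get("operator", [""])[0]
    if operator and is_internal_target(operator):
        # The server was asked to fetch an internal URL on the client's behalf.
        return ("ssrf-internal-probe", m.group("src"), operator)
    if operator:
        return ("operator-supplied", m.group("src"), operator)
    return ("uddiexplorer-access", m.group("src"), parts.path)


def scan(log_text):
    """Classify every line; drop lines that are not uddiexplorer traffic."""
    return [r for r in (classify(line) for line in log_text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Any hit on /uddiexplorer/ is worth reviewing on its own, since the application has no business purpose on most deployments and removing it is the simplest mitigation; the ssrf-internal-probe class is the one to alert on.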
WebSphere: a web application server developed by IBM
Configuration files
was_install_dir\bin\manageprofiles.bat -listProfiles
was_install_dir/bin/manageprofiles.sh -listProfiles
Vulnerabilities
Logs
http://localhost:9060/ibm/console
/jboss/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml
<security-domain>java:/jaas/jmx-console</security-domain>
/jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
/jboss/server/default/conf/props/jmx-console-users.properties
/jboss/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
<security-domain>java:/jaas/web-console</security-domain>
/jboss/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
/jboss/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties
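Added example, not from the original notes: a Python audit of the jmx-console / web-console protection described above. It parses the web.xml security-constraint and checks that /* requires a role, reports when http-method elements limit the constraint to the listed verbs (the servlet specification leaves unlisted methods unconstrained), confirms that jboss-web.xml names a security-domain, and flags entries in the users.properties file whose password is empty or equal to the user name. The sample documents, the finding codes and the weak-password heuristic are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed: the console web.xml shown above, reduced to its constraint (GET/POST listed).
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed hardened form: no http-method elements, so the constraint covers every verb.
HARDENED_WEB_XML = (WEAK_WEB_XML
                    .replace("<http-method>GET</http-method>", "")
                    .replace("<http-method>POST</http-method>", ""))

# Constructed jboss-web.xml with the security domain from the notes above.
JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>"""

# Constructed users file in the name=password layout of jmx-console-users.properties.
USERS = "# console users\nadmin=admin\nops=Str0ngPassw0rd\n"


def _local(tag):
    """Strip an XML namespace prefix: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every descendant element with the given local name."""
    return [(c.text or "").strip() for c in elem.iter() if _local(c.tag) == name]


def security_constraints(web_xml):
    """List of (url_patterns, http_methods, role_names) per security-constraint."""
    root = ET.fromstring(web_xml)
    return [(_texts(sc, "url-pattern"), _texts(sc, "http-method"), _texts(sc, "role-name"))
            for sc in root.iter() if _local(sc.tag) == "security-constraint"]


def weak_accounts(users_properties):
    """User names whose password is empty or equals the user name (heuristic)."""
    weak = []
    for line in users_properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, password = (s.strip() for s in line.split("=", 1))
        if not password or password.lower() == name.lower():
            weak.append(name)
    return weak


def audit_console(web_xml, jboss_web_xml, users_properties):
    """Return finding codes for one console's web.xml, jboss-web.xml and users file."""
    findings = []
    protected = [c for c in security_constraints(web_xml) if "/*" in c[0] and c[2]]
    if not protected:
        findings.append("console-unauthenticated")
    for _patterns, methods, _roles in protected:
        if methods:
            # Only the listed verbs are constrained; everything else reaches the console.
            findings.append("verb-restricted:" + ",".join(methods))
    if not any(_texts(ET.fromstring(jboss_web_xml), "security-domain")):
        findings.append("no-security-domain")
    findings += ["weak-credential:" + name for name in weak_accounts(users_properties)]
    return findings


if __name__ == "__main__":
    print("weak:", audit_console(WEAK_WEB_XML, JBOSS_WEB_XML, USERS) or "clean")
    print("hardened:", audit_console(HARDENED_WEB_XML, JBOSS_WEB_XML, "ops=Str0ngPassw0rd\n") or "clean")
```

Point the three arguments at the WEB-INF/web.xml, WEB-INF/jboss-web.xml and the users.properties paths listed above to audit a real instance; both consoles (jmx-console and web-console) use the same layout, so the same function serves both.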