时隔一年，再次以LQers之名打比赛

考虑到大部分人有直接抄答案的习惯，所以只给一些hint和关键步骤

基本环境

攻击机：Kali Linux最新版，192.168.85.131

Python版本：3.6！！ 十分重要，Kali自带的3.9会蓝屏

被攻击机：Win10 v1903 （OS内部版本18362.356），192.168.85.145

周末事情太多，就看了两道简单题

攻击机：kali

被攻击机：win7sp1

ROP Emporium 第二部分

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=“null” (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

在一道密码学题目中碰到的问题，需要绕过Miller-Rabin素性测试，稍微记录一下

¶信息搜集

¶CVE-2018-1336

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.