[Knowledge] August 31 - Daily Security Knowledge Highlights

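Highlights summary: SpamBot uses 711 million email addresses to send spam; Xianzhi (先知) XSS Challenge – L3m0n Writeup; analysis of a vulnerability in popular email clients that lets an attacker modify HTML email content after it has been sent; learning ROP through a series of practical challenges; DOM Based Angular Sandbox Escapes by Gareth Hayes; PyMultitor: a Python multi-threaded Tor proxy; Oracle Java and Apache Xerces PDF/Docx server-side denial-of-service vulnerability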

News:

SpamBot uses 711 million email addresses to send spam

https://threatpost.com/spambot-contains-mind-boggling-amount-of-email-smtp-credentials/127722/ 

Gazer: a backdoor malware targeting consulates and embassies worldwide

https://amp.thehackernews.com/thn/2017/08/gazer-backdoor-malware.html 

Technical:

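ROPEMAKER technical white paper (analysis of a vulnerability in popular email clients that lets an attacker modify HTML email content after it has been sent)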

http://www.digitalloft.org/init/plugin_wiki/page/ropemaker 

http://www.digitalloft.org/init/plugin_wiki/attachment/21 

RubyGems fixes multiple vulnerabilities

https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/ 

BSides Manchester 2017

https://www.youtube.com/playlist?list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP 

Analysis of 320 million password hashes

https://cynosureprime.blogspot.fi/2017/08/320-million-hashes-exposed.html 


[APT Report] Introducing WhiteBear

https://securelist.com/introducing-whitebear/81638/ 


Vulnerabilities before the code is written: security in architecture and design

http://djt.qq.com/article/view/1555 

Xianzhi (先知) XSS Challenge – L3m0n Writeup

https://mp.weixin.qq.com/s?__biz=MzI5MzY2MzM0Mw==&mid=2247484070&idx=1&sn=673e20a08d9ae6c3de60ca48110b920a 

Learn ROP through a series of practical challenges

https://ropemporium.com/ 

ConnManDo: a new IoT device vulnerability

https://www.nri-secure.com/blog/new-iot-vulnerability-connmando 

IoT security: high-risk pacemaker vulnerabilities revealed

http://hackersgrid.com/2017/08/vulnerability-pacemakers-millions-lives-risk.html 

Physical security guide: Hacking things by touching them

https://www.armadillophone.com/blog/2017/08/27/hacking-things-by-touching-them 

WordPresscan: a Python version of WPScan (WordPress vulnerability scanner)

https://github.com/swisskyrepo/Wordpresscan 

initroot: Exploiting CVE-2016-10277 for untethered jailbreak on Moto devices (USENIX WOOT '17)

https://alephsecurity.com/2017/08/30/untethered-initroot/ 

DSSS: a lightweight SQL injection scanner

https://github.com/stamparm/DSSS 

Western Digital remote command execution via the Dropbox app

https://blogs.securiteam.com/index.php/archives/3397 

VM_Setup: a collection of PowerShell scripts for initializing a Windows VM to run malware

https://github.com/DBHeise/VM_Setup 

PCILeech supports attacking UEFI via DMA

http://blog.frizk.net/2017/08/attacking-uefi.html 

How to install Metasploitable 3 on Windows 10

http://www.hackingtutorials.org/metasploit-tutorials/setup-metasploitable-3-windows-10/ 

Anti-disassembly on ARM (IDA, specifically)

https://kbdsmoke.me/anti-disassembly-on-arm-ida-specifically/ 

How to bypass authentication on Windows Server 2008 R2

http://www.hackingtutorials.org/general-tutorials/bypass-authentication-windows-server-2008-r2/ 

DOM Based Angular Sandbox Escapes by Gareth Hayes

https://www.youtube.com/watch?v=jlSI5aVTEIg&feature=youtu.be&a= 

PyMultitor: a Python multi-threaded Tor proxy

https://github.com/realgam3/pymultitor 

HITB GSEC CTF Win Pwn: a complete walkthrough of babyshellcode

https://whereisk0shl.top/hitb_gsec_ctf_babyshellcode_writeup.html 

Oracle Java and Apache Xerces PDF/Docx server-side denial-of-service vulnerability

https://blogs.securiteam.com/index.php/archives/3271 

Bug Bounty: SQLi and XSS vulnerabilities on a popular airline website

https://medium.com/@mkhizerjaved/sqli-xss-vulnerabilities-in-a-popular-airlines-website-bugbounty-poc-5c0d71f935c1 

Decoding malware via simple statistical analysis

https://blog.nviso.be/2017/08/30/decoding-malware-via-simple-statistical-analysis/ 

Pharos binary static analysis tools

https://insights.sei.cmu.edu/sei_blog/2017/08/pharos-binary-static-analysis-tools-released-on-github.html 

How To Chain Commands in Linux

https://n0where.net/how-to-chain-commands-in-linux/ 

(End)