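Highlights: SpamBot uses 711 million email addresses to send spam; Xianzhi XSS Challenge – L3m0n Writeup; analysis of a vulnerability in popular email clients that lets an attacker modify HTML email content after it has been sent; learning ROP through a series of practical challenges; DOM Based Angular Sandbox Escapes by Gareth Hayes; PyMultitor: a Python multi-threaded Tor proxy; Oracle Java and Apache Xerces PDF/Docx server-side denial-of-service vulnerabilities
News:
SpamBot uses 711 million email addresses to send spam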
https://threatpost.com/spambot-contains-mind-boggling-amount-of-email-smtp-credentials/127722/
Gazer: a backdoor malware targeting consulates and embassies worldwide
https://amp.thehackernews.com/thn/2017/08/gazer-backdoor-malware.html
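Technical:
ROPEMAKER technical white paper (analysis of a vulnerability in popular email clients that lets an attacker modify HTML email content after it has been sent)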
http://www.digitalloft.org/init/plugin_wiki/page/ropemaker
http://www.digitalloft.org/init/plugin_wiki/attachment/21
RubyGems fixes multiple vulnerabilities
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
BSides Manchester 2017
https://www.youtube.com/playlist?list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP
Analysis of 320 million password hashes
https://cynosureprime.blogspot.fi/2017/08/320-million-hashes-exposed.html
[APT report] Introducing WhiteBear
https://securelist.com/introducing-whitebear/81638/
The code is not yet written, but the vulnerability already exists: security in architecture and design
http://djt.qq.com/article/view/1555
Xianzhi XSS Challenge – L3m0n Writeup
Learning ROP through a series of practical challenges
ConnManDo: a new IoT device vulnerability
https://www.nri-secure.com/blog/new-iot-vulnerability-connmando
IoT security: high-risk pacemaker vulnerabilities revealed
http://hackersgrid.com/2017/08/vulnerability-pacemakers-millions-lives-risk.html
Physical security guide: Hacking things by touching them
https://www.armadillophone.com/blog/2017/08/27/hacking-things-by-touching-them
WordPresscan: a Python version of WPScan (WordPress vulnerability scanner)
https://github.com/swisskyrepo/Wordpresscan
initroot: Exploiting CVE-2016-10277 for untethered jailbreak on Moto devices (USENIX WOOT '17)
https://alephsecurity.com/2017/08/30/untethered-initroot/
DSSS: a lightweight SQL injection scanner
https://github.com/stamparm/DSSS
Western Digital remote command execution using the Dropbox app
https://blogs.securiteam.com/index.php/archives/3397
VM_Setup: a collection of PowerShell scripts for initializing a Windows VM to run malware
https://github.com/DBHeise/VM_Setup
PCILeech supports attacking UEFI via DMA
http://blog.frizk.net/2017/08/attacking-uefi.html
How to install Metasploitable 3 on Windows 10
http://www.hackingtutorials.org/metasploit-tutorials/setup-metasploitable-3-windows-10/
Anti-disassembly on ARM (IDA, specifically)
https://kbdsmoke.me/anti-disassembly-on-arm-ida-specifically/
How to bypass authentication on Windows Server 2008 R2
http://www.hackingtutorials.org/general-tutorials/bypass-authentication-windows-server-2008-r2/
DOM Based Angular Sandbox Escapes by Gareth Hayes
https://www.youtube.com/watch?v=jlSI5aVTEIg&feature=youtu.be&a=
PyMultitor: a Python multi-threaded Tor proxy
https://github.com/realgam3/pymultitor
HITB GSEC CTF Win Pwn: full write-up of solving babyshellcode
https://whereisk0shl.top/hitb_gsec_ctf_babyshellcode_writeup.html
Oracle Java and Apache Xerces PDF/Docx server-side denial-of-service vulnerabilities
https://blogs.securiteam.com/index.php/archives/3271
Bug Bounty: SQLi and XSS vulnerabilities on a popular airline website
Decoding malware via simple statistical analysis
https://blog.nviso.be/2017/08/30/decoding-malware-via-simple-statistical-analysis/
Pharos binary static analysis tool
How To Chain Commands in Linux