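Highlights: From fuzzing Apache httpd server to finding CVE-2017-7668 and earning a $1500 bounty; CVE-2017-4971: remote code execution vulnerability in the Spring Web Flow framework; implementing URL deduplication with Simhash; Volatility 2.6: an advanced memory forensics framework; H1702 CTF Writeup
News:
Cisco WebEx extension hit by another remote code execution vulnerability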
http://thehackernews.com/2017/07/cisco-webex-vulnerability.html
Technical:
From fuzzing Apache httpd server to finding CVE-2017-7668 and earning a $1500 bounty
https://animal0day.blogspot.co.uk/2017/07/from-fuzzing-apache-httpd-server-to-cve.html
Alpine Linux exploitation
https://www.twistlock.com/2017/07/13/alpine-linux-pt-2-twistlock-security-alert/
11 remote vulnerabilities in the FreeRADIUS packet parsers (including 2 RCEs)
http://freeradius.org/security/fuzzer-2017.html
LevelUp 2017 talk videos (security testing techniques for web, mobile, IoT and more)
https://www.youtube.com/playlist?list=PLIK9nm3mu-S5InvR-myOS7hnae8w4EPFV
H1702 CTF Writeup
https://blog.teknogeek.io/post/h1702ctf/
Cisco: WebEx: various GPC sanitization bypasses permit arbitrary remote command execution
https://bugs.chromium.org/p/project-zero/issues/detail?id=1324&desc=2
CVE-2017-4971: remote code execution vulnerability in the Spring Web Flow framework
Implementing URL deduplication with Simhash
Synesthesia Shellcode Generator
nWatch: a tool for host discovery, port scanning and operating system fingerprinting
https://github.com/suraj-root/nWatch
Volatility 2.6: an advanced memory forensics framework
https://github.com/volatilityfoundation/volatility
PyREBox: a Python-based reverse engineering sandbox
https://github.com/Cisco-Talos/pyrebox
Mimikatz Videos
https://blog.didierstevens.com/2017/07/15/mimikatz-videos/
IMSI-catcher: an open-source project that shows the IMSI number, country, brand and operator of nearby mobile phones
https://github.com/Oros42/IMSI-catcher
"Bypassing" Microsoft's Patch for CVE-2017-0199
http://justhaifei1.blogspot.com/2017/07/bypassing-microsofts-cve-2017-0199-patch.html
XSStrike: a Python-based XSS testing tool
https://github.com/UltimateHackers/XSStrike
A Firefox add-on that can capture POST request parameters
https://addons.mozilla.org/en-US/firefox/addon/~h3ll4r_h5h-hackmod/
Microsoft IE: memory corruption vulnerability in CMarkup::DestroySplayTree
https://bugs.chromium.org/p/project-zero/issues/detail?id=1233
Implementation of a simple operating system
http://www.cs.bham.ac.uk/~exr/lectures/opsys/10_11/lectures/os-dev.pdf