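Highlights: Joomla Core 3.x administrator backend getshell; Chrome flaw lets websites secretly record audio and video; Windows kernel pool spraying; sudo-CVE-2017-1000367 exploit; Trend Micro Deep Security 6.5 – XML external entity injection / local privilege escalation / remote code execution; Split Tunnel SMTP vulnerability explained; bypassing MAC filtering on wireless networks; bypassing NGFW/WAFs using data format obfuscation
News:
The Shadow Brokers response team is publicly crowdfunding analysis of the leaked NSA tools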
https://www.patreon.com/shadowbrokers_crisis_team
The Cybersecurity Law takes effect today
http://www.miit.gov.cn/n1146295/n1146557/n1146614/c5345009/content.html
Technical:
Joomla Core 3.x administrator backend getshell
Chrome flaw lets websites secretly record audio and video
http://bobao.360.cn/news/detail/4183.html
Windows kernel pool spraying
http://bobao.360.cn/learning/detail/3921.html
sudo-CVE-2017-1000367 exploit
https://github.com/c0d3z3r0/sudo-CVE-2017-1000367
XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"
https://hackerone.com/reports/231053
"EsteemAudit" Windows Remote Desktop vulnerability analysis
Implementing Energy attacks on mobile devices
https://arxiv.org/pdf/1704.04464.pdf
Trend Micro Deep Security 6.5 – XML external entity injection / local privilege escalation / remote code execution
https://www.exploit-db.com/exploits/42089/
FileVault cracking tool for macOS
https://github.com/macmade/FileVaultCracker/blob/master/README.md
Sophisticated Google Play BankBot Trojan campaigns
https://www.securify.nl/blog/SFY20170502/sophisticated_google_play_bankbot_trojan_campaigns.html
(Pwn2Own) Apple Safari WebSQL matchinfo type confusion remote code execution vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-17-369/
Split Tunnel SMTP vulnerability explained
https://blog.securolytics.io/2017/05/split-tunnel-smtp-exploit-explained/
Bypassing MAC filtering on wireless networks
http://www.hackingtutorials.org/wifi-hacking-tutorials/bypass-mac-filtering-on-wireless-networks/
Bypassing NGFW/WAFs using data format obfuscation
https://medium.com/@d0znpp/bypassing-ngfw-wafs-using-data-format-obfuscations-188351ea9e73
How to bootstrap self-service continuous fuzzing
https://www.fastly.com/blog/how-bootstrap-self-service-continuous-fuzzing
Happy Children's Day