“How CVE-2025–4123 Turned Grafana Into a Hacker’s Playground”
Grafana的一个高危漏洞(CVE-2025–4123)因未正确清理用户提供的路径,导致路径遍历、XSS、SSRF和账户接管等连锁攻击,最终实现完全账户控制。
Aggregator
“How CVE-2025–4123 Turned Grafana Into a Hacker’s Playground”
11 months ago
Grafana中的高危漏洞CVE-2025–4123因未正确处理用户输入路径,导致路径遍历、XSS、SSRF及账户接管等连锁攻击,最终引发全面账户控制风险。
Payload in the Haystack: Using Wayback & ParamSpider to Find a Forgotten Upload Endpoint
11 months ago
深夜渗透测试中,利用自动化工具发现隐藏上传端点并成功执行ZIP Slip漏洞获取权限,最终获得赏金资助生活。
Payload in the Haystack: Using Wayback & ParamSpider to Find a Forgotten Upload Endpoint
11 months ago
深夜渗透测试中,通过ParamSpider和Wayback组合工具发现隐藏/upload端点,利用ZIP Slip漏洞成功入侵目标系统并获得赏金。
“From a 404 Page to $5k: How I Chained Forgotten Bugs Into a Critical Exploit”
11 months ago
从看似无用的路径遍历漏洞入手,通过深入分析和创造性思考,成功将其转化为远程代码执行,并获得高额赏金。
“From a 404 Page to $5k: How I Chained Forgotten Bugs Into a Critical Exploit”
11 months ago
从看似无用的漏洞入手,通过参数测试发现本地文件包含(LFI)漏洞,利用特殊路径构造请求,最终实现远程代码执行(RCE),获得高额奖金,展现了耐心和创造力在安全研究中的重要性。
“$ The Art of Smart Recon: How I Found 10+ Vulnerabilities Without Firing a Single Exploit”
11 months ago
文章讲述了作者在漏洞挖掘过程中从依赖自动化工具到掌握侦察技术的转变。通过关注被忽略的攻击面、手动调查和历史数据,作者成功发现大量漏洞,尤其是收购公司遗留系统中的高危问题。
“$ The Art of Smart Recon: How I Found 10+ Vulnerabilities Without Firing a Single Exploit”
11 months ago
作者在漏洞挖掘中认识到侦察的重要性,指出常见错误如忽视隐藏攻击面、依赖自动化工具和忽略历史数据,并通过分析收购公司遗留系统找到大量漏洞。
Tumblr Post+ Creator and Got Paid $100
11 months ago
Tumblr的Post+系统中发现一个低影响但意外的漏洞:用户可订阅已退出Post+的创作者。该漏洞涉及访问控制和支付流程问题,并最终为报告者带来$100奖励。
How Our Team Bypassed YouTube Authorization and Uploaded Videos to ANY Channel — $6,337 Bounty
11 months ago
作者发现YouTube内部工具Video Builder存在严重授权绕过漏洞,攻击者可修改请求中的channelId参数上传视频至任意频道。该漏洞因后端缺乏授权验证导致,Google已修复并奖励$6,337。
I want to brute force my attendance in UNI (SEATS APP)
11 months ago
文章描述了一位学生希望破解学校使用的SEATS考勤系统。该系统使用6位数代码进行签到,手动尝试耗时过长(仅15分钟可输入),因此寻求暴力破解方法以快速获取正确代码。
Popular npm linter packages hijacked via phishing to drop malware
11 months ago
Popular JavaScript libraries eslint-config-prettier and eslint-plugin-prettier were hijacked this week and turned into malware droppers, in a supply chain attack achieved via targeted phishing and credential theft. [...]
Ax Sharma
3 дня, 12 компаний, 400 ГБ данных: Akira выжигает бизнес за бизнесом
11 months ago
Компании падают, как домино — без правил, без жалости, без шанса на спасение.
CVE-2025-6771
11 months ago
Currently trending CVE - Hype Score: 29 - OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution
CVE-2025-4428
11 months ago
Currently trending CVE - Hype Score: 29 - Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.
Snake Keylogger Evades Windows Defender and Scheduled Tasks to Harvest Login Credentials
11 months ago
A sophisticated phishing campaign targeting Turkish defense and aerospace enterprises has emerged, delivering a highly evasive variant of the Snake Keylogger malware through fraudulent emails impersonating TUSAŞ (Turkish Aerospace Industries). The malicious campaign distributes files disguised as contractual documents, specifically using the filename “TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe” to deceive recipients into […]
The post Snake Keylogger Evades Windows Defender and Scheduled Tasks to Harvest Login Credentials appeared first on Cyber Security News.
Tushar Subhra Dutta
手机系统不一样,如何远程帮父母的小米手机解决问题?
11 months ago
文章探讨了如何远程帮助父母使用小米手机的问题。建议包括通过视频通话指导操作、使用小米通话应用进行远程控制或统一手机品牌以简化问题。然而,这些方法各有优缺点,最终建议还是尽量面对面解决问题。
【重保情报资讯】2025-07-19
11 months ago
登录tix.qq.com获取更多资讯
ChatGPT"s GPT-5-reasoning-alpha model spotted ahead of launch
11 months ago
文章指出GPT-5可能即将发布,并整合了多个模型的突破;同时OpenAI正在测试名为o3-alpha的新模型,在编码和前端设计方面表现更优。
ChatGPT's GPT-5-reasoning-alpha model spotted ahead of launch
11 months ago
GPT-5 might be just a few days or weeks away, as we've spotted references to a new model called gpt-5-reasoning-alpha-2025-07-13. [...]
Mayank Parmar