Aggregator

在前不久结束的DASCTF July中，有一道名为cybercms的web题目，当时打了半天没打通，赛后还是想不通就来稍微深入探究了一下。

Start the game

最近看了几个GitHub Pull Request相关的漏洞，觉得有点意思，能侧面反应当前业界对于业务逻辑风

此为先前对CVE-2018-8120的分析续集，其实很早就写好发布在安全客了，近来比较忙碌，迟迟未补录至个人公众号，有需要的可以跳转至安全客公众号查看，感谢各位师傅的支持～

The Latest on the Uber Data Breach and Protecting Your Info You may have spotted the news last week that...

The post Uber Data Breach and How to Protect Your Info appeared first on McAfee Blog.

针对特定case的策略建设思路

一、文章前述 关于CLR Profiler的基础部分我上篇文章已经讲过了，具体可以去看看 https://www.cnblogs.com/wh4am1/p/15143698.html 直接进入正文部分 二、重写MSIL部分 这次爬坑也挺久的，请教了公司的同事，最后经过多次调试之后总算把demo做出来

点击蓝字 关注我们《关键信息基础设施安全保护条例》解读

DeFi 收益聚合器 Dot.Finance 遭受闪电贷攻击，受到攻击的影响，其代币 PINK 短时急跌 35%，从 0.77 USD 跌至约 0.5 USD。

我们从变化说起

今天遇到一个存在SQL注入漏洞的系统。 通过手动修改参数值后确认漏洞确实存在，但是这么明显的注入漏洞，不可能留 …

继续阅读“复杂加密接口的一种SQL注入测试方法”

让分块传输重振往日雄风

你知道黑客如何隐藏自己吗？在实际攻击场景中，攻击者获取到了服务器的权限时通常会想办法躲避安全人员的检测来进行

A detailed look at an 840-Gbps DDoS attack on a financial services provider and a deeper dive into attacking nodes.

结合腾讯SOC在客户侧的运营实践，本文首先介绍安全运营在业界落地中普遍遇到的问题，并分享腾讯SOC在解决该问题时的思路和工作。

if (!in_array('sm4-cbc', openssl_get_cipher_methods())) { printf("不支持 sm4\n"); } $key = 'her-cat.com'; $iv = random_bytes(openssl_cipher_iv_length('sm4-cbc')); $plaintext = '她和她的猫'; $ciphertext = openssl_encrypt($plaintext, 'sm4-cbc', $key, OPENSSL_RAW_DATA , $iv); printf("加密结果: %s\n", bin2hex($ciphertext)); $original_plaintext = openssl_decrypt($ciphertext, 'sm4-cbc', $key, OPENSSL_RAW_DATA , $iv); p

Researching malware has many challenges. One of those challenges is obfuscated code and intentionally corrupted binaries. To address challenges like this, we've written a small tool in C that could fix intentionally corrupted binaries automatically. We also plan to open-source the project so other researchers could use it too, and perhaps improve and expand upon the tool's capabilities as needed.

前言最近痴迷于看 RFC 及各类规范文档，从中发现一些有趣的利用。

This is a guest post DEVCORE collaborated with Zero Day Initiative (ZDI) and published at their blog, which describes the exploit chain we demonstrated at Pwn2Own 2021! Please visit the following link to read that :)

• FROM PWN2OWN 2021: A NEW ATTACK SURFACE ON MICROSOFT EXCHANGE - PROXYSHELL!

If you are interesting in more Exchange Server attacks, you can also check our series of articles:

• A New Attack Surface on MS Exchange Part 1 - ProxyLogon!
• A New Attack Surface on MS Exchange Part 2 - ProxyOracle!
• A New Attack Surface on MS Exchange Part 3 - ProxyShell!
• A New Attack Surface on MS Exchange Part 4 - ProxyRelay!

With ProxyShell, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an exposed 443 port! Here is the demonstration video: