SecWiki Weekly (Issue 254)

Date: 2019-07-11 Source: 爆炸生活元素

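Keywords for this issue: ThinkPHP 5.0.0~5.0.23 RCE; Scanver: a distributed online asset vulnerability scanning and management system; Security program building: setting up the platform; An introductory blockchain tutorial for CTF; XSS in steam react chat client; The self-cultivation of a security researcher; and more.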

2019/01/07-2019/01/13


Security News

[News]  Guangdong Province anti-fraud short video creation contest officially launched
https://mp.weixin.qq.com/s/Kf0VzANEmBBWQkFu23dQRA

[People]  Ling Yun of Ctrip: the boy holding a torch to light the road ahead for security
https://mp.weixin.qq.com/s/oyvQ_Mhe0Q33RKUKVXKXyw

[Opinion]  Hacking is an electronic dream
https://mp.weixin.qq.com/s/Hraig48huSQ93ZMf448Htw

[News]  Exclusive: How a Russian firm helped catch an alleged NSA data thief
https://www.politico.com/story/2019/01/09/russia-kaspersky-lab-nsa-cybersecurity-1089131

[News]  Reapers, Cryptos, and More: Our Top 5 Research Pieces From 2018
https://www.recordedfuture.com/top-research-2018/

[Other]  A comparison of ICS/SCADA systems
http://www.4hou.com/system/15634.html

[News]  The January 2019 Security Update Review
https://www.zerodayinitiative.com/blog/2019/1/8/the-january-2019-security-update-review

[Opinion]  A glimpse of the whole: US cybersecurity as seen through leaked NSA material
https://mp.weixin.qq.com/s/ImlfOFJK-ui0h6YV-tURrg

[News]  Provisions on the Administration of Blockchain Information Services
http://www.cac.gov.cn/2019-01/10/c_1123971164.htm

Security Technology

[Competition]  A beginner's guide to hackthebox
https://xz.aliyun.com/t/3811

[Web Security]  The self-cultivation of a security researcher
https://mp.weixin.qq.com/s/WrSZpqgq6gvZwEIqghqggg

[Forensics]  Briefing on the Snowden leaked documents (1)
https://mp.weixin.qq.com/s/BB9abB5j3IuAH8Rj4lPyvQ

[Data Mining]  Summary of illegal data trading on the dark web in 2018
https://mp.weixin.qq.com/s/hCLPdAt7MRhv40nxNeXTag

[Competition]  2018 ranking of domestic cybersecurity competitions
https://mp.weixin.qq.com/s/OAqfstNEu0ns4l3aKJQ9oA

[Other]  Building an in-house security platform for small and medium-sized enterprises
https://bloodzer0.github.io/ossa/other-security-branch/security-operation/security-platform/

[Web Security]  Stored XSS on the official dota2 website
https://nosec.org/home/detail/2149.html

[Forensics]  The secrets of locating mobile phones across borders
https://mp.weixin.qq.com/s/K-zFVBaSw6yThuoLdUTjdg

[Web Security]  Exploiting Exchange in penetration testing
https://evi1cg.me/archives/Exchange_Hack.html

[Web Security]  Perun: a network asset vulnerability scanner/scanning framework
https://github.com/WyAtu/Perun

[Opinion]  The self-cultivation of a security researcher (continued)
https://mp.weixin.qq.com/s/o7IMaLMuPYuXgr5hatK5Mw

[Vulnerability Analysis]  Scanver: a distributed online asset vulnerability scanning and management system
https://github.com/ydhcui/Scanver

[Vulnerability Analysis]  How to quickly capture 0-day payloads
https://mp.weixin.qq.com/s/pgo83SPu9Cd9qv3achhnrQ

[Web Security]  ThinkPHP request function remote code execution
http://www.lmxspace.com/2019/01/13/ThinkPHP-request%E5%87%BD%E6%95%B0%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/

[Conference]  NDSS 2019 list of accepted papers
https://mp.weixin.qq.com/s/HGNSOQcHedQAbGG3Hl1rwg

[Data Mining]  Research on knowledge graph update techniques and their applications
https://mp.weixin.qq.com/s/umGYa32iGyeV0dE60rg9Gw

[Vulnerability Analysis]  How to hack an ATM
https://nosec.org/home/detail/2161.html

[Web Security]  Phishing attacks using cookie hijacking + HTML injection
https://nosec.org/home/detail/2150.html

[Operations Security]  Security program building: setting up the platform
https://www.freebuf.com/articles/es/193143.html

[Malware Analysis]  A survey of the current state of website content tampering in China
http://www.4hou.com/info/news/15683.html

[Web Security]  Another remote code execution vulnerability disclosed in ThinkPHP 5.0
https://nosec.org/home/detail/2163.html

[Vulnerability Analysis]  An attempt at RPC vulnerability hunting
https://mp.weixin.qq.com/s/RLNyzImYsgRWkGlp0AXcVg

[Malware Analysis]  A record of the workflow of ChinaZ, a brute-force-style DDoS gang
https://mp.weixin.qq.com/s/enSFtxUSYqovYuMX0X8nQg

[Forensics]  Router packet capture analysis: the SMB chapter
https://www.freebuf.com/news/193340.html

[Magazine]  SecWiki Weekly (Issue 253)
https://www.sec-wiki.com/weekly/253

[Web Security]  Getting a shell using SMTP logs + LFI (local file inclusion)
https://nosec.org/home/detail/2155.html

[Other]  Blockchain security: static analysis of Ethereum smart contracts
http://blogs.360.cn/post/staticAnalysis_of_smartContract.html

[Web Security]  How to remotely exploit PHP to bypass filters and WAF rules
https://www.anquanke.com/post/id/168667

[Web Security]  Analysis of a deserialization vulnerability in the Apache Spark RPC protocol
https://mp.weixin.qq.com/s/tIG5PZHkMOh62mcIauxShQ

[Web Security]  From LFI to SMTP log poisoning to remote code execution
https://xz.aliyun.com/t/3799

[Other]  An introductory blockchain tutorial for CTF
https://www.freebuf.com/articles/blockchain-articles/193357.html

[Paper]  Research survey | Event extraction and reasoning (Part 1)
https://mp.weixin.qq.com/s/etMS7OdLz_NUj1YtSGNdTg

[Data Mining]  100-Days-Of-ML-Code, Chinese edition
https://github.com/MLEveryday/100-Days-Of-ML-Code

[Web Security]  Analysis of the SQL injection vulnerability in Dolibarr ERP CRM versions below v8.0.2
https://nosec.org/home/detail/2142.html

[Data Mining]  qtalk: Startalk is a high-performance enterprise-grade IM suite
https://github.com/qunarcorp/qtalk

[Device Security]  35C3 Chaos Communication Congress in Germany: a reading of the IoT-related talks
https://www.anquanke.com/post/id/169260

[Competition]  HCTF 2018 Final
http://momomoxiaoxi.com/ctf/2018/12/31/HCTFfinal/

[Other]  whitepaper-http-security-headers
https://www.netsparker.com/whitepaper-http-security-headers/

[Paper]  15 common mistakes research newcomers make when writing papers
https://mp.weixin.qq.com/s/wtJRA1c17Phnq3CYPT_XHA

[Vulnerability Analysis]  Analysis of the remote code vulnerability in the ThinkPHP5 core class Request
https://mp.weixin.qq.com/s/DGWuSdB2DvJszom0C_dkoQ

[Vulnerability Analysis]  Deep-learning-based detection of API misuse defects
https://mp.weixin.qq.com/s/c3FqWiY6H4xdlZlmylnBkQ

[Forensics]  The threat adversarial examples pose to artificial intelligence applications
https://www.aqniu.com/tools-tech/42523.html

[Web Security]  XSS in steam react chat client
https://hackerone.com/reports/409850

[Vulnerability Analysis]  Java deserialization: gadget analysis based on CommonsCollections4
https://www.freebuf.com/articles/others-articles/193445.html

[Data Mining]  LEMNA: explainability of deep learning in cybersecurity applications
https://mp.weixin.qq.com/s/t0e49MiSGY2lam8y9B-FIg

[Vulnerability Analysis]  Public blockchain security: a brief analysis of the Bitcoin arbitrary coin theft vulnerability (CVE-2010-5141)
https://bcsec.org/index/detail/tag/2/id/443

[Paper]  Research survey | Event extraction and reasoning (Part 2)
https://mp.weixin.qq.com/s/xR_JFczYbxY0xuy7BYDc7g

[Vulnerability Analysis]  A machine-learning-based intelligent detection method for memory leaks in C programs
https://mp.weixin.qq.com/s/ZHd6wWqnHB1rjKL2SCUqWw

[Vulnerability Analysis]  Blockchain security: a detailed look at the ERC20 token contract
https://xz.aliyun.com/t/3769

[Malware Analysis]  dont-underestimate-credential-theft-malware
https://www.fireeye.com/blog/executive-perspective/2019/01/dont-underestimate-credential-theft-malware.html

[Competition]  AI Challenger 2018 machine translation competition summary
https://zhuanlan.zhihu.com/p/54060156

[Paper]  NDSS 2019 talks preview (1)
https://mp.weixin.qq.com/s/0VX4FAPhmCjqs1OYj4lOIw

[Malware Analysis]  tknk_scanner: Community-based integrated malware identification system
https://github.com/nao-sec/tknk_scanner

[Data Mining]  A first look at Kaggle: revisiting the Microsoft Malware Prediction challenge
https://xz.aliyun.com/t/3780

[Data Mining]  Introduction to knowledge-graph-based question answering systems: the NLPCC2016KBQA dataset
https://mp.weixin.qq.com/s/v4XjU2UGe1ikVj8d70gTSw

[Paper]  2018 statistics on ML and NLP academic conferences
https://mp.weixin.qq.com/s/6bVxjkjnKJR3ixsUGY7_4Q

[Other]  mkcert: valid HTTPS certificates for localhost
https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/

[Web Security]  dxa4481/XSSOauthPersistence: Maintaining account persistence via XSS and Oauth
https://github.com/dxa4481/XSSOauthPersistence

[Tools]  woj-ciech/LeakLooker: Find open databases with Shodan
https://github.com/woj-ciech/LeakLooker

[Vulnerability Analysis]  An extension of blockchain attack and exploitation techniques
https://www.anquanke.com/post/id/169248

[Tools]  A PoC for data smuggling using Scapy and ideas
https://www.linkedin.com/pulse/smuggler-cove-poc-data-smuggling-using-scapy-ideas-sean

[Web Security]  How I could have taken over any Pinterest account
http://infosecflash.com/2019/01/05/how-i-could-have-taken-over-any-pinterest-account/

[Malware Analysis]  DNS Tunneling & Other Hunts w/ RockNSM (Bro & ELK)
https://blog.perched.io/dns-tunneling-other-hunts-w-rocknsm-bro-elk-52a4486e44d0

[Malware Analysis]  analysis-of-cyberattacks-against-the-national-bank-of-malawi
http://www.antiy.net/p/analysis-of-cyberattacks-against-the-national-bank-of-malawi/

[Forensics]  GDPR in practice: the privacy maturity model PM2 (1)
https://www.freebuf.com/articles/es/193658.html

[Operations Security]  Digging Up the Past: Windows Registry Forensics Revisited
https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html

[Data Mining]  Deploying machine learning models with AWS Greengrass in practice
http://blog.nsfocus.net/deployment-practice-of-machine-learning-model-based-on-aws-greengrass/

[Data Mining]  Exploration and practice of deep learning in search
https://tech.meituan.com/2019/01/10/deep-learning-in-meituan-hotel-search-engine.html

[Other]  mattnotmax/cyber-chef-recipes: A list of cyber-chef recipes
https://github.com/mattnotmax/cyber-chef-recipes