SecWiki周刊（第143期)

SecWiki周刊（第143期）

2016/11/21-2016/11/27

安全资讯

[爆库] GitHub 800万用户信息遭泄露附下载地址
http://mp.weixin.qq.com/s?__biz=MzI2MDExMzg5NQ==&mid=2652475044&idx=1&sn=b6eecc8bf73cb4a217484e9a509dedcd&chksm=f183ba2cc6f4333abbd4c59c9e31bdfac3cdc94cd1b6eed004ada862b12d46523625dea6da1d&mpshare=1&scene=1&srcid=1124gjxAAhzN4yJFc8pmOiE8#rd

[事件] 美国NSA局长表示DNC电子邮件泄漏是故意行为
http://www.mottoin.com/92399.html

[事件] 美国海军遭黑客攻击，泄露1.3万人员信息
http://www.mottoin.com/92570.html

[会议] 补天白帽沙龙江西站火热开启报名-更多福利戳这里
http://mp.weixin.qq.com/s?__biz=MzA5ODMyMzQ1OQ==&mid=2698432208&idx=1&sn=8c838ae67d3da804a4acf7219670e8e2&chksm=b5b133bc82c6baaafaefdcc2643ce49616ae8619ab7bdb22955775f9b16f182281c1caad8822&mpshare=1&scene=22&srcid=1123Yzz0SVBfuDc9TaznPR2K#rd

[事件] 黑客团队入侵并公布了Mega.nz源码数据
http://www.mottoin.com/92433.html

[漏洞分析] Shellphish CGC背后的故事
https://www.inforsec.org/wp/?p=1550&sukey=72885186ae5c357dccd01f069ec222e3232c5beea1b231d1908036259da358374b9ee52461cb6907fa0eb4316cb54b30

[设备安全] 美国国土安全部发布《物联网安全指导原则》
http://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651062334&idx=2&sn=65b5af9571e5bcf9d2ecff759dd11226&chksm=bd1f92b58a681ba392ef48122488a314e7eb7a710f40230d396d9f2ddbcff7c89225a24734e0&mpshare=1&scene=2&srcid=1120P1w6TGlfKolJ8ZYpNrU4&from=timeline#rd

[会议] 2016 SyScan360：六大不得不看的议题
http://www.aqniu.com/industry/21219.html

[会议] SyScan360国际前瞻信息安全会议24日场
http://www.mottoin.com/92577.html

[新闻] 《2016中国Cybersecurity创业调查报告》全文图解
http://mp.weixin.qq.com/s?__biz=MzIzMTAzNzUxMQ==&mid=404654875&idx=2&sn=cf2db78ccabaea53025013bb2bdfe44a&mpshare=1&scene=2&srcid=1124mCcMkAYU1o5dy9jatnAE&from=timeline#rd

[新闻] FBI展开史上最大规模网络行动针对120个国家8000个IP进行入侵
http://mp.weixin.qq.com/s?__biz=MzI4MjA1MzkyNA==&mid=2655294614&idx=1&sn=19b63ab0d5a314b8bcdddafb9b9431fe&chksm=f02fe8ddc75861cba18fba86db4ac4933a02a5fc62e7a364729812259dfeb78351cc7dcf8428&mpshare=1&scene=1&srcid=1124tUwbt00UqSDbzsbPYr5x#rd

[恶意分析] 威胁情报：我有药，你有病吗？
http://mp.weixin.qq.com/s?__biz=MzA3MTEwNDE1NA==&mid=2649431880&idx=1&sn=ec914ebce88ff79dc69690eb875e5d30&chksm=872d1cbdb05a95ab949e78a1d6e58dac863aaa71e51e8be1ac230ecf56c541788629b0c04eee&mpshare=1&scene=2&srcid=1123B4v8u6zooJSOlbiWNvIA&from=timeline#rd

[新闻] 腾讯发布2016微信生态安全报告累计处理谣言文章20多万篇
http://news.qq.com/a/20161124/039113.htm

[其它] 黑客小说：杀手（第十章回忆）
http://www.jianshu.com/p/0c6330a17bce

[人物] 段钢：自从那个冬夜看雪，一晃已是十六年
http://mp.weixin.qq.com/s?__biz=MzIzMTAzNzUxMQ==&mid=2652876305&idx=1&sn=a1641265e33663d81d2163596368d35a&chksm=f3414139c436c82f7aa4bfc23f67a92975f076b4227cf2e781679165ae993bdf41c5695757c5&mpshare=1&scene=1&srcid=1121iQgkNlBmqB6Tkvvvh7nK#rd

[恶意分析] 安全的进化论（二）：来说说态势感知
http://mp.weixin.qq.com/s?__biz=MzIzMTAzNzUxMQ==&mid=2652876370&idx=1&sn=b35fb93d9837afafa8025a7fa511e8eb&chksm=f341417ac436c86c1d379340bf4942fcac669579085e3f888f718b6ef022377dab3aafc8dec5&mpshare=1&scene=2&srcid=1123zlifjW1YOmI7HkWmlvfh&from=timeline#rd

[新闻] 针对藏族人群的恶意程序 KeyBoy
http://www.solidot.org/story?sid=50451

[其它] 2015年全球网安市场重大M&A汇总
http://mp.weixin.qq.com/s?__biz=MzAwNDE4Mzc1NA==&mid=2650825053&idx=1&sn=58972d5b2481916769f99ed6580f3b9c&chksm=80db02f8b7ac8bee2c0cf9df78b9144b41432d88d86e30173f5ba79f1034e8fcc6b6544f0bba&mpshare=1&scene=2&srcid=1123ToQLG9Ze7BHNctSWmRlI&from=timeline#rd

安全技术

[Web安全] Kali-Linux-2016.2(Rolling) 更新源
https://www.ohlinge.cn/kali/rolling.html

[Web安全] 互联网业务安全的黑灰产业链的故事 - 【途牛风控】
http://mp.weixin.qq.com/s?__biz=MzI4NTIxNjczMA==&mid=2247483766&idx=1&sn=9af29dae213d976a958ad471fdf566b4&chksm=ebeedbc3dc9952d51da18d2ed57d993370d60a0d6e2108ef528c756597d4894e86bcc87db5cc&mpshare=1&scene=1&srcid=1122KxR8gXNoYfNEr1VXj7KQ#wechat_redir

[数据挖掘] kcws:深度学习中文分词（字嵌入+Bi-LSTM+CRF）
https://github.com/koth/kcws

[Web安全] Winmail最新直达webshell 0day漏洞挖掘实录
http://www.91ri.org/16519.html

[编程技术] BlindWaterMark: Python编程实现的盲水印
https://github.com/chishaxie/BlindWaterMark

[运维安全] OpenWAF: OpenWAF是基于openresty的Web应用防护系统（WAF）
https://github.com/titansec/OpenWAF

[会议] SIGKDD 2016 Tutorial:Leveraging Propagation for Data Mining: Models, Algorithms
http://people.cs.vt.edu/~badityap/TALKS/16-kdd-tutorial/

[Web安全] 一个价值7500刀的Chrome UXSS（CVE-2016-1631）分析与利用
http://avfisher.win/archives/619

[会议] 带你走进维也纳版的CCS2016（现场报告点评五）
http://mp.weixin.qq.com/s?__biz=MzA4ODYzMjU0NQ==&mid=2652307046&idx=1&sn=77c4e3c0d6fa1af88f011671bc02ffcc&chksm=8bc563e8bcb2eafe7b81ad79531d61a530f6c83a8ef216c143f54ec141d81fd1cf32d0bc8325&scene=0#rd

[恶意分析] 分析与总结常见勒索软件的加密算法
http://www.freebuf.com/articles/database/120023.html

[Web安全] Hacking Aria2 RPC Daemon
https://ricterz.me/posts/Hacking%20Aria2%20RPC%20Daemon?_=1479792710287

[工具] mimikatz 2.1 20161126 发布
http://www.mottoin.com/92735.html

[文档] SFDC 北京 Security 大会精彩分享
https://segmentfault.com/a/1190000007553551

[工具] Kaitai Web IDE：在线多种文件格式分析
https://kt.pe/kaitai_struct_webide/

[漏洞分析] Nginx权限提升漏洞(CVE-2016-1247) 分析
http://blog.knownsec.com/2016/11/nginx%e6%9d%83%e9%99%90%e6%8f%90%e5%8d%87%e6%bc%8f%e6%b4%9ecve-2016-1247-%e5%88%86%e6%9e%90/

[恶意分析] 黑客入侵ATM机的4种方法
http://www.mottoin.com/92434.html

[运维安全] 比一比Nmap、Zmap、Masscan三种扫描工具
http://www.arkteam.net/?p=1328

[运维安全] Nginx 配置简述
http://www.barretlee.com/blog/2016/11/19/nginx-configuration-start/

[会议] 带你走进维也纳版的CCS2016（现场报告点评四）
http://mp.weixin.qq.com/s?__biz=MzA4ODYzMjU0NQ==&mid=2652307022&idx=1&sn=4d8566897bad03aebab9dafa892e14bb&chksm=8bc563c0bcb2ead622d9805232da36d67e8ad822a2fc114a310d8bbcd020af796b8185424d95&scene=0#rd

[恶意分析] It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
https://citizenlab.org/2016/11/parliament-keyboy/

[Web安全] 我的WafBypass之道（SQL注入篇）
https://xianzhi.aliyun.com/forum/attachment/big_size/wafbypass_sql.pdf

[其它] 通过二维码传输IP数据
http://www.mottoin.com/92345.html

[漏洞分析] 对嵌入式设备的逆向和漏洞利用：软件层 Part 1
http://mp.weixin.qq.com/s?__biz=MjM5NTc2MDYxMw==&mid=2458280731&idx=1&sn=141e3f185b38d7ccede03a78c466c884&chksm=b181539186f6da87d99599d05823e8f60d0c6d578706ea53a40e9a57ce0e7cd871c93e80cb1f&scene=0#rd

[工具] deep-pwning: Metasploit for machine learning.
https://github.com/cchio/deep-pwning

[其它] TECHNICAL TEARDOWN: EXPLOIT & MALWARE IN .HWP FILES
http://www.vxsecurity.sg/2016/11/22/technical-teardown-exploit-malware-in-hwp-files/

[Web安全] 挖掘PHP禁用函数绕过利用姿势
http://blog.th3s3v3n.xyz/2016/11/20/web/%E6%8C%96%E6%8E%98PHP%E7%A6%81%E7%94%A8%E5%87%BD%E6%95%B0%E7%BB%95%E8%BF%87%E5%88%A9%E7%94%A8%E5%A7%BF%E5%8A%BF/

[Web安全] 新手指南：DVWA-1.9全级别教程之SQL Injection
http://www.freebuf.com/articles/web/120747.html

[恶意分析] awesome-iocs: 不错的IOC工具和数据发布站点
https://github.com/sroberts/awesome-iocs

[漏洞分析] Zigbee 安全与 IoT 设备漏洞利用
http://www.mottoin.com/92660.html

[Web安全] brut3k1t - Server-side Brute-force Module (ssh, ftp, smtp, facebook)
http://www.kitploit.com/2016/11/brut3k1t-server-side-brute-force-module.html

[无线安全] 扎克伯克是对的，黑掉耳机更容易
https://www.siliconrepublic.com/enterprise/hacking-earphones

[Web安全] httpscan: 一个爬虫式的网段Web主机发现小工具
https://github.com/zer0h/httpscan

[Web安全] 浅谈Web前端僵尸网络
http://www.arkteam.net/?p=1364

[设备安全] 破解一款无线智能插座
http://www.mottoin.com/92421.html

[漏洞分析] 使用Docker镜像/容器分析已知漏洞
http://www.mottoin.com/92339.html

[编程技术] Python multiprocessing
http://thief.one/2016/11/23/Python-multiprocessing/

[恶意分析] 安全的进化论（二）：来说说态势感知
https://www.sec-un.org/%e5%ae%89%e5%85%a8%e7%9a%84%e8%bf%9b%e5%8c%96%e8%ae%ba%ef%bc%88%e4%ba%8c%ef%bc%89%ef%bc%9a%e6%9d%a5%e8%af%b4%e8%af%b4%e6%80%81%e5%8a%bf%e6%84%9f%e7%9f%a5.html

[Web安全] BScanner: 又一款轻量级的目录扫描器
https://github.com/LoRexxar/BScanner

[设备安全] 树莓派应用：无线扫描仪
http://www.mottoin.com/92504.html

[其它] 值得关注的安全行业Twitter
http://mp.weixin.qq.com/s?__biz=MjM5NDM1OTM0Mg==&mid=2651050360&idx=1&sn=4c68808b7365b20f8a72340432337d8e&chksm=bd7f80398a08092f649306addbb32ada2e69bbaad8b8684add4484ac90f10b2439b14a525836&mpshare=1&scene=23&srcid=1123G3edVZbSDpkdhYMQz4Tz#rd

[移动安全] MobSF：自动化移动安全测试框架
http://www.mottoin.com/92477.html

[工具] The Damn Vulnerable Router Firmware Project
https://github.com/praetorian-inc/DVRF

[工具] aws_pwn:A collection of AWS penetration testing junk
https://github.com/dagrz/aws_pwn

[设备安全] 构造一个支持多端口的中间人网络TAP
http://www.mottoin.com/92353.html

[Web安全] Abusing of Protocols to Load Local Files, bypass the HTML5 Sandbox
http://www.brokenbrowser.com/abusing-of-protocols/

[Web安全] java Deserialization Cheat Sheet
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/

[杂志] SecWiki周刊（第142期)
https://www.sec-wiki.com/weekly/142

[Web安全] A target specific wordlist generating tool for social engineers and security res
https://github.com/tch1001/pwdlogy

[Web安全] The Genesis of an XSS Worm – Part III
http://brutelogic.com.br/blog/genesis-xss-worm-part-iii/

[Web安全] Eagle: Eagle is a Web Application Attack and Audit Framework
https://github.com/magerx/Eagle

[Web安全] Feigong：针对各种情况自由变化的MySQL注入脚本
https://github.com/LoRexxar/Feigong

[其它] InPage zero-day exploit used to attack financial institutions in Asia
https://securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/

[Web安全] 各大Web扫描器的价格与扫描功能比较
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-opensource-list.html

[设备安全] Brutal -- 用来快速生成 HID 设备多种攻击代码的工具
http://www.kitploit.com/2016/11/brutal-toolkit-to-quickly-create.html

[Web安全] 【零知识证明】利用数据库查表瓶颈，对抗密码破解
https://www.cnblogs.com/index-html/p/database-lookup-against-password-cracking.html

[恶意分析] WebMalwareScanner - A simple malware scanner
https://github.com/maxlabelle/WebMalwareScanner

[运维安全] Monitoring 'DNS' inside the Tor network
http://blog.0x3a.com/post/153468210759/monitoring-dns-inside-the-tor-network

[Web安全] NEET - 网络枚举和利用工具
https://github.com/JonnyHightower/neet

[运维安全] Building a Whitelist of Network Domains
http://threatcrowd.blogspot.co.uk/2016/11/building-whitelist-of-network-domains.html

-----微信ID：SecWiki-----
SecWiki，12年来一直专注安全技术资讯分析！
SecWiki：https://www.sec-wiki.com

本期原文地址: SecWiki周刊(第143期)

SecWiki周刊（第143期）

最新公告

友情链接

SecWiki公众号

安全学术圈