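SecWiki Weekly (Issue 149)
2017/01/02-2017/01/08
Security News
[News]  US intelligence agencies: Russia suspected of interfering in the US election through hacking and spreading disinformation
http://www.freebuf.com/news/124662.html
[Web Security]  Vulnerabilities in international airline booking systems allow flight reservations to be easily cancelled or modified
http://www.freebuf.com/news/124348.html
[Incident]  CyberZeist breaches the FBI website and leaks some data
http://www.mottoin.com/95023.html
[Device Security]  The FTC’s Internet of Things (IoT) Challenge
http://krebsonsecurity.com/2017/01/the-ftcs-internet-of-things-iot-challenge/
[News]  Langfang adventure -- an account of rescuing someone from a pyramid-scheme den
http://weibo.com/ttarticle/p/show?id=2309404060928751575242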
Security Technology
[Web Security]  SQLChop - a new SQL injection detection engine
https://blog.chaitin.cn/sqlchop-the-sqli-detection-engine/
[Web Security]  Experience hunting for SSRF vulnerabilities
https://sobug.com/article/detail/11
[Web Security]  Summary of port-based penetration testing
http://www.91ri.org/15441.html
[Conference]  2016 GIAC Global Internet Architecture Conference concludes, all slides available for download
http://mp.weixin.qq.com/s/daAZ1tmcpsZt4pHdAW3oWg
[Web Security]  Python format string vulnerabilities (using Django as an example)
http://bobao.360.cn/learning/detail/3374.html
[Tools]  A roundup of tools and platforms for internal network penetration testing
http://www.mottoin.com/95177.html
[Web Security]  Analysis of the dedeCMS friend-link getshell vulnerability
http://www.hackdig.com/01/hack-42372.htm
[Web Security]  A brief analysis of ReDoS principles and practice
http://www.freebuf.com/articles/network/124422.html
[Web Security]  Analysis of the e107 CMS <=2.1.2 privilege escalation vulnerability
http://bobao.360.cn/learning/detail/3368.html
[Vulnerability Analysis]  Kernel Exploitation -> Pool Overflow
http://www.fuzzysecurity.com/tutorials/expDev/20.html
[Vulnerability Analysis]  [EXP] VMware vSphere Data Protection CVE-2016-7456 Authentication Bypass
https://github.com/phroxvs/metasploit-framework/blob/exploit_vdp_known_privkey/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb
[Web Security]  33C3 2016 writeup
http://lorexxar.cn/2017/01/03/33c3-wp/
[Web Security]  BurpSuite plugin development tips: AES encryption and decryption of request/response parameters
http://www.mottoin.com/95091.html
[Web Security]  Data Retrieval over DNS in SQL Injection Attacks
https://arxiv.org/ftp/arxiv/papers/1303/1303.3047.pdf
[Mobile Security]  How to supply complex parameters for hooked Android functions
https://xianzhi.aliyun.com/forum/read/611.html
[Web Security]  How to locate administrators on an internal network
https://www.secpulse.com/archives/32859.html
[Forensics]  How to turn a DLL into a standalone EXE
https://hshrzd.wordpress.com/2016/07/21/how-to-turn-a-dll-into-a-standalone-exe/
[Malware Analysis]  Technical analysis of CryptoMix/CryptFile2 ransomware
https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/
[Ops Security]  GitPrey: a GitHub sensitive information scanning tool
https://github.com/repoog/GitPrey
[Data Mining]  Implementing second-degree relationship recommendations for Weibo with Spark GraphX
http://weibo.com/ttarticle/p/show?id=2309404060500571876390
[Data Mining]  Deep Learning Security Papers (deep learning and security)
http://www.covert.io/deep-learning-security-papers/
[Web Security]  Linux MySQL UDF privilege escalation
http://www.91ri.org/16540.html
[Ops Security]  Invoke-TheHash: PowerShell scripts for executing WMI and SMB commands
http://www.mottoin.com/94990.html
[Mobile Security]  A collection of the best Android penetration testing tools for 2017
http://www.freebuf.com/sectool/124507.html
[Device Security]  Common ways self-service kiosks are compromised
https://www.t00ls.net/articles-24444.html
[Conference]  33C3: Works for Me, Chinese translation
http://hardenedlinux.org/translation/2017/01/03/33c3-works-for-me.html
[Documents]  FIT 2017 behind the scenes (with conference talk slides)
http://www.freebuf.com/news/topnews/124133.html
[Forensics]  Torrent download history lookup by IP address
http://iknowwhatyoudownload.com/en/peer/
[Conference]  My favorite DFIR (Digital Forensics and Incident Response) presentations for 2016
https://threatintel.eu/2016/12/30/my-favorite-dfir-presentations-for-2016/
[Web Security]  DOOM: a distributed task-dispatching IP, port and vulnerability scanner
http://www.mottoin.com/94946.html
[Device Security]  "IoT Security White Paper"
http://toutiao.secjia.com/nsfocus-iot-security-whitepaper-ppt
[Web Security]  Exploiting blind SQL injection with the Burp Collaborator plugin
http://www.mottoin.com/95010.html
[Competition]  CTFCrackTools: the first CTF crack framework in China
https://github.com/0Linchen/CTFCrackTools
[Other]  Comprehensive insider threat mitigation resource list
http://www.nationalinsiderthreatsig.org/nitsig-insiderthreatsymposiumexporesources.html
[Web Security]  Some insights on SRC vulnerability hunting
http://www.mottoin.com/95043.html
[Malware Analysis]  How to run Mimikatz while bypassing antivirus software
http://www.mottoin.com/95145.html
[Other]  FBI Hacked and Leaked -New Year wishes from Anonymous [requires circumventing the Great Firewall]
http://pastebin.com/5vwz6Wj4
[Other]  My Pass, Your Permit
http://lvwei.me/passport.html
[Vulnerability Analysis]  RCE vulnerabilities and cardholder data leakage in Oracle's hotel management platform (CVE-2016-5663/4/5)
http://www.freebuf.com/vuls/123989.html
[Wireless Security]  Hijacker: an Android wireless penetration testing tool
http://www.freebuf.com/sectool/124156.html
[Programming]  The Beauty of Python Programming (open-source introductory Python book)
https://funhacks.net/explore-python/
[Vulnerability Analysis]  WEB2PY deserialization security issue - CVE-2016-3957
http://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/
[Programming]  Scrapy crawler tutorial index
http://brucedone.com/archives/771
[Forensics]  How to comprehensively defend against webshells (Part 2)
http://www.4hou.com/technology/2301.html
[Mobile Security]  Technical details on the Fancy Bear Android malware (poprd30.apk)
http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/
[Device Security]  A cybersecurity powerhouse: Israel's path to industrial control system security
http://plcscan.org/blog/2017/01/development-path-of-ics-cybersecurity-in-israel/
[Malware Analysis]  FirePhish: full-fledged phishing framework to manage all phishing engagements
https://github.com/Raikia/FirePhish
[Malware Analysis]  Bypassing antivirus software with Golang
http://www.mottoin.com/95161.html
[Data Mining]  The Definitive Security Data Science and Machine Learning Guide
http://www.covert.io/the-definitive-security-datascience-and-machinelearning-guide/
[Web Security]  Meituan-Dianping open-sources its database middleware DBProxy
http://tech.meituan.com/dbproxy-pr.html
[Web Security]  Exploiting difficult SQL injection vulnerabilities using sqlmap: Part 1
http://www.thegreycorner.com/2017/01/exploiting-difficult-sql-injection.html
[Device Security]  iotdb: Nmap scans of Internet of Things devices
https://github.com/shodan-labs/iotdb
[Web Security]  Testing PentesterLab's Padding Oracle vulnerable target
http://www.mottoin.com/94991.html
[Web Security]  SQLMap Tamper Scripts Update ~ ForkBombers
http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html
[Malware Analysis]  Python script to inject existing Android applications with a Meterpreter payloa
https://github.com/sensepost/kwetza
[Ops Security]  ipscan: Angry IP Scanner
https://github.com/angryziber/ipscan
[Mobile Security]  Some details of the mach portal exploit
http://blog.pangu.io/mach-portal-details/
[Malware Analysis]  US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
[Tools]  mitmAP: a simple tool for creating a fake AP and sniffing data
http://www.mottoin.com/94979.html
[Device Security]  Entry points for IoT security (white paper download link at the end)
http://www.secjia.com/report/NSFOCUS-IoT-Security-Whitepaper.pdf
[Tools]  PowerShell Empire | Building an Empire with PowerShell
http://www.powershellempire.com/
[Mobile Security]  Mac Malware of 2016: a cumulative analysis of new OS X malware
http://objective-see.com/blog/blog_0x16.html
[Web Security]  [Bug Bounty] GitHub Enterprise SQL Injection
http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html
[Wireless Security]  Improvements in rogue ap attacks – mana 1/2
https://sensepost.com/blog/2015/improvements-in-rogue-ap-attacks-mana-1-2/
[Forensics]  Introducing rkt’s ability to automatically detect privilege escalation attacks on containers
https://coreos.com/blog/rkt-detect-privilege-escalation.html
[Device Security]  IoT Trust Framework: The foundation for future IoT certification programs
https://www.helpnetsecurity.com/2017/01/05/iot-trust-framework/
[Malware Analysis]  Binary Ninja plugin to decompile binaries using RetDec API
https://github.com/hugsy/binja-retdec
[Web Security]  Safari Reader UXSS
http://alf.nu/SafariReaderUXSS
[Web Security]  Persistent XSS: the fear of being dominated by ServiceWorkers
http://www.mottoin.com/95058.html
[Web Security]  Operative - The Fingerprint Framework
https://github.com/graniet/operative-framework
[Malware Analysis]  Open Source Malware Lab: introduction to related open-source systems [paper + video]
https://www.virusbulletin.com/blog/2017/01/vb2016-paper-open-source-malware-lab/
[Malware Analysis]  Fresh Veil - Automatically Generating Payloads
https://bluescreenofjeff.com/2014-04-17-Fresh-Veil-Automatically-Generating-Payloads/
[Device Security]  IoT Home Inspector Challenge: an IoT security protection tool competition
https://www.ftc.gov/iot-home-inspector-challenge
[Device Security]  Penetration test of the Phicomm Fir302B router
http://www.freebuf.com/articles/terminal/124069.html
[Data Mining]  An evolutionary knowledge-based fuzzer
https://github.com/CENSUS/choronzon
[Malware Analysis]  Mac Malware of 2016 | a cumulative analysis of new OS X malware
https://objective-see.com/blog/blog_0x16.html
[Web Security]  [another] intercepting proxy
https://sensepost.com/blog/2015/another-intercepting-proxy/
[Data Mining]  Wadi fuzzer
https://sensepost.com/blog/2015/wadi-fuzzer/
[Malware Analysis]  33C3: Analyzing Embedded Operating System Random Number Generators
http://samvartaka.github.io/cryptanalysis/2017/01/03/33c3-embedded-rngs
[Ops Security]  2016 annual summary of data breaches
https://www.t00ls.net/articles-37542.html
[Vulnerability Analysis]  SensePost | Abusing file converters
https://sensepost.com/blog/2015/abusing-file-converters/
[Mobile Security]  how to setup a rasperry pi 2 model b for wlan sniffing
http://blog.x1622.com/2016/12/how-to-setup-rasperry-pi-2-model-b-for.html
[Documents]  2016 research report on disguise and deception in Chinese PC malware
http://www.freebuf.com/articles/system/124350.html
[Programming]  Understanding the core technologies of data content identification in one article
http://blog.nsfocus.net/data-content-identification-core-technology/
SecWiki: https://www.sec-wiki.com