SecWiki周刊(第180期)
2017/08/07-2017/08/13
安全资讯
[法规]  军工四证——武器装备科研生产单位保密资质认证
http://www.toutiao.com/i6452537530297352717/
[无线安全]  窃隐私,传明文,京东劣举挑战网安法
http://www.4hou.com/info/news/7104.html
[新闻]  DNA序列竟被编成恶意软件感染计算机
http://www.aqniu.com/hack-geek/27376.html
[其它]  连载黑客小说《杀手》第十七章 阴与阳,0与1,攻与防
http://www.jianshu.com/p/288c62014476
安全技术
[编程技术]  华西安全网(cha.hxsec.com)密码泄露查询接口研究
http://anhkgg.github.io/hxsec-search-pwd-interface-analyze/
[文档]  GitHub 万星推荐:黑客成长技术清单
http://www.4hou.com/info/news/7061.html
[漏洞分析]  Metinfo 5.3.17 前台SQL注入漏洞分析
https://www.leavesongs.com/PENETRATION/metinfo-5.3.17-sql-injection.html
[Web安全]  免杀 MSF Windows Payload 的方法与实践
https://mp.weixin.qq.com/s/OxgJIIPaXMXqrY5lPdukdA
[Web安全]  ThinkPHP5.0.10-3.2.3缓存函数设计缺陷可导致Getshell
https://xianzhi.aliyun.com/forum/read/1973.html
[工具]  域渗透神器Empire安装和简单使用
http://mp.weixin.qq.com/s/VqrUTW9z-yi3LqNNy-lE-Q
[文档]  Acunetix11 API Documentation
https://h4rdy.me/index.php/archives/91/
[工具]  开源CTF平台框架合辑
https://github.com/We5ter/Create_Your_CTFs
[运维安全]  Termite: 跳板机管理工具
http://rootkiter.com/Termite/
[Web安全]  Bypass 360主机卫士SQL注入防御
http://www.cnblogs.com/xiaozi/p/7275134.html
[运维安全]  OpenDLP: 免费&开源的DLP 系统
https://github.com/ezarko/opendlp
[编程技术]  通过Burp以及自定义的Sqlmap Tamper进行二次SQL注入
http://www.4hou.com/system/6945.html
[Web安全]  内网渗透中主机发现的小技巧
http://mp.weixin.qq.com/s/fg8f7ydniZiQZ87niDTwqA
[Web安全]  UDP tunnel:绕过UDP屏蔽或QoS
https://github.com/wangyu-/udp2raw-tunnel/blob/master/doc/README.zh-cn.md
[工具]  Vuzzer自动漏洞挖掘工具简单分析附使用介绍
http://www.freebuf.com/sectool/143123.html
[Web安全]  玩转linux系统之Linux内网渗透
https://thief.one/2017/08/09/2/
[运维安全]  scan_webshell: 简单的webshell扫描
https://github.com/erevus-cn/scan_webshell
[其它]  windows环境下的信息收集i
http://mp.weixin.qq.com/s/37xtTdjVetMg5P1WaJvYvA
[漏洞分析]  我是如何通过fuzz apache httpd服务发现CVE-2017-7668
http://www.4hou.com/technology/6738.html
[Web安全]  结合一次有趣的XSS实战
https://bbs.ichunqiu.com/thread-25726-1-1.html?from=sec
[Web安全]  由视频系统SQL注入到服务器权限
https://bbs.ichunqiu.com/thread-25827-1-1.html?from=sec
[Web安全]  一句话开启http服务
http://mp.weixin.qq.com/s/yT9WW5iPap1AB5hUT-jXag
[恶意分析]  APT28 Targets Hospitality Sector, Presents Threat to Travelers
https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html
[Web安全]  看我如何从54G日志中溯源web应用攻击路径
https://secvul.com/topics/715.html
[观点]  做到这一点,你也可以成为优秀的程序员
https://mp.weixin.qq.com/s/8Bl105G8ZsE_jy5mbrIy_g
[设备安全]  NSA开发的工控ICS/SCADA态势感知开源工具Grassmarlin(附下载地址)
http://www.freebuf.com/sectool/143106.html
[设备安全]   IoT Village 物联网安全技术PPT和视频资料
https://www.iotvillage.org/#dc25_schedule
[Web安全]  Electron hack —— 跨平台 XSS
https://mp.weixin.qq.com/s/DgjJ6uKtuUPFQhgztL69RQ
[其它]  渗透测试指南之域用户组的范围
http://www.4hou.com/penetration/7016.html
[其它]  利用CLR实现一种无需管理员权限的后门
http://www.4hou.com/technology/6863.html
[移动安全]  BetterZip For macOS 破解实战(Patch公钥、黑名单检测、签名校验、Keygen等)
http://www.chinapyg.com/thread-91890-1-1.html
[Web安全]  关于xss的防护与绕过科普
http://mp.weixin.qq.com/s/cJxDb5vWTSPzRKWlEB3GCQ
[Web安全]  FileScan: 敏感文件扫描 / 二次判断降低误报率
https://github.com/Mosuan/FileScan
[恶意分析]  64位系统下的Office后门利用
http://www.4hou.com/technology/6782.html
[Web安全]  绕过主机卫士进行注入的两种姿势
https://bbs.ichunqiu.com/thread-25534-1-1.html?from=sec
[其它]  Shellcode Via XSL, And DotNetToJScript
https://gist.github.com/subTee/7c926f51181945d20594eb91e8f4064b
[Web安全]  大力出奇迹:Web架构中的安全问题一例
http://www.polaris-lab.com/index.php/archives/369/
[Web安全]  二维码引发诈骗案到成功追回赃款-社会工程学
https://bbs.ichunqiu.com/thread-25601-1-1.html?from=sec
[设备安全]  看我如何基于Python&Facepp打造智能监控系统
http://www.freebuf.com/geek/143186.html
[设备安全]  USB-based attacks USB 攻击论文
http://www.sciencedirect.com/science/article/pii/S0167404817301578
[漏洞分析]  高通加解密引擎提权漏洞解析
http://www.iceswordlab.com/2017/08/07/qualcomm-crypto-engine-vulnerabilities-exploits/
[其它]  从内部看NSA如何跟踪你
https://media.ccc.de/v/SHA2017-402-how_the_nsa_tracks_you
[Web安全]  记一次Github项目被fork后的删除经历
https://bbs.ichunqiu.com/thread-25588-1-1.html?from=sec
[移动安全]  琢石成器之自动化去广告神器
https://bbs.ichunqiu.com/thread-25681-1-1.html?from=sec
[设备安全]  《工业控制系统信息安全防护能力评估工作管理办法》解读
http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057656/n3057672/c5761113/content.html
[Web安全]  IsThisLegit+Phinn:采用了机器学习算法的开源网络钓鱼防御与检测工具
http://www.freebuf.com/sectool/142955.html
[移动安全]  2017上半年移动安全报告
http://blog.avlsec.com/2017/08/4817/report/
[Web安全]  Modern Alchemy: Turning XSS into RCE
https://blog.doyensec.com/2017/08/03/electron-framework-security.html
[数据挖掘]  三种特征向量对深度学习攻击检测的影响
http://bobao.360.cn/learning/detail/4224.html
[漏洞分析]  Angr:一个具有动态符号执行和静态分析的二进制分析工具
http://www.freebuf.com/sectool/143056.html
[Web安全]  腾讯安全反病毒实验室:揭秘“挂马”黑产最新态势
http://www.freebuf.com/articles/system/143217.html
[漏洞分析]  Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read
https://googleprojectzero.blogspot.dk/2017/08/windows-exploitation-tricks-arbitrary.html
[恶意分析]  Analysis Results of Zeus.Variant.Panda
https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf
[恶意分析]  一种劫持COM服务器并绕过微软反恶意软件扫描接口(AMSI)的方法
http://www.4hou.com/technology/7018.html
[Web安全]  All your devs are belong to us: how to backdoor the Atom editor
http://blog.thinkst.com/2017/08/all-your-devs-are-belong-to-us-how-to.html
[编程技术]  pychrome: A Python Package for the Google Chrome Dev Protocol
https://github.com/fate0/pychrome
[移动安全]  解锁更多姿势——手机锁屏安全研究
https://security.tencent.com/index.php/blog/msg/118
[Web安全]  Office 在64位操作系统的持久控制
https://3gstudent.github.io/Office-Persistence-on-x64-operating-system/
[编程技术]  Flask0.1源码阅读——请求处理和响应
https://jiayi.space/post/flask0.1yuan-ma-yue-du-qing-qiu-chu-li-he-xiang-ying
[设备安全]  Industrial Control System (ICS) security 工控系统安全相关资源
https://github.com/hslatman/awesome-industrial-control-system-security
[Web安全]  SSRF, Memcached and other key-value injections in the wild
https://medium.com/@d0znpp/ssrf-memcached-and-other-key-value-injections-in-the-wild-c8d223bd856f
[文档]  SecWiki周刊(第179期)
https://www.sec-wiki.com/weekly/179
[Web安全]  如何通过简单的网页文件从MacOS中盗取文件?
http://www.4hou.com/system/7012.html
[文档]  post-exploitation-persistence-with-application-shims-intro
http://blacksunhackers.club/2016/08/post-exploitation-persistence-with-application-shims-intro/
[其它]  mysql-插入优化Disk seeks are evil, so let’s avoid them, pt. 4
https://www.percona.com/blog/2010/06/18/disk-seeks-are-evil-so-lets-avoid-them-pt-4/
[漏洞分析]  Solving a CTF Challenge with S2E
https://adrianherrera.github.io/post/google-ctf-2016/?from=timeline
-----微信ID:SecWiki-----
SecWiki,5年来一直专注安全技术资讯分析!
SecWiki:https://www.sec-wiki.com

本期原文地址: SecWiki周刊(第180期)