SecWiki周刊(第233期)
2018/08/13-2018/08/19
安全资讯
中央国家机关2018-2019年政府集中采购信息类产目录
http://www.zycg.gov.cn/td_xxlcpxygh/platform
http://www.zycg.gov.cn/td_xxlcpxygh/platform
BlackHat 2018:10大网络安全热点趋势pick一下
https://mp.weixin.qq.com/s/cGg_1VNL0Yj2CcpcmvN_Dw
https://mp.weixin.qq.com/s/cGg_1VNL0Yj2CcpcmvN_Dw
推动企业上云实施指南(2018-2020年)
https://mp.weixin.qq.com/s/lUvdujsFeW_GbHzpY0aVLw
https://mp.weixin.qq.com/s/lUvdujsFeW_GbHzpY0aVLw
安全技术
New PHP Code Execution Attack Puts WordPress Sites at Risk
https://thehackernews.com/2018/08/php-deserialization-wordpress.html
https://thehackernews.com/2018/08/php-deserialization-wordpress.html
利用Craft CMS SEOmatic插件(版本<= 3.1.3)实现服务器端模板注入 [CVE-2018-14716]
https://xz.aliyun.com/t/2580
https://xz.aliyun.com/t/2580
实战web缓存中毒
https://xz.aliyun.com/t/2585
https://xz.aliyun.com/t/2585
Mailget: 通过脉脉用户猜测企业邮箱
https://github.com/Ridter/Mailget
https://github.com/Ridter/Mailget
openQPA: 协议分析软件QPA的开源代码(进程抓包、特征自动分析)
https://gitee.com/qielige/openQPA
https://gitee.com/qielige/openQPA
第二届顺丰信息安全峰会2018 PDF #密码: 09cu
https://pan.baidu.com/s/14I8YxPwoLcjzwYhSQO3H-Q
https://pan.baidu.com/s/14I8YxPwoLcjzwYhSQO3H-Q
初试XML外部实体注入
https://xz.aliyun.com/t/2571
https://xz.aliyun.com/t/2571
PHP-Audit-Labs题解之Day5-8
https://xz.aliyun.com/t/2597
https://xz.aliyun.com/t/2597
DocHub: 使用Beego(Golang)开发的开源文库系统
https://github.com/TruthHun/DocHub
https://github.com/TruthHun/DocHub
MesaPy项目开源: 一个安全且快速的 Python
https://mp.weixin.qq.com/s/IVpij_eGCccI2I-V0FYfBQ
https://mp.weixin.qq.com/s/IVpij_eGCccI2I-V0FYfBQ
2018黑帽大会工具清单-Blackhat
http://www.ddosi.com/2018/08/13/2018blackhat/
http://www.ddosi.com/2018/08/13/2018blackhat/
基于Redis的扫描器任务调度设计方案
https://thief.one/2018/08/15/1/
https://thief.one/2018/08/15/1/
自适应安全架构的历史和演进
https://mp.weixin.qq.com/s/6BmRdNPKG2dA7m1DrdGtkQ
https://mp.weixin.qq.com/s/6BmRdNPKG2dA7m1DrdGtkQ
渗透测试实战-lin.security靶机+Goldeneye靶机入侵
https://www.anquanke.com/post/id/156098?from=timeline
https://www.anquanke.com/post/id/156098?from=timeline
TJCTF 2018 Web专题全解析
https://www.anquanke.com/post/id/156434
https://www.anquanke.com/post/id/156434
Google SRE最佳实践之On-Call
https://mp.weixin.qq.com/s/NZlhmapXN0iErIMIKx7aHw
https://mp.weixin.qq.com/s/NZlhmapXN0iErIMIKx7aHw
Advanced Topics in Security 课程视频
https://www.youtube.com/playlist?list=PL5H0SXHF1jMVpMEEcddvGJ_ZhqFwxmpO5
https://www.youtube.com/playlist?list=PL5H0SXHF1jMVpMEEcddvGJ_ZhqFwxmpO5
SQLMap tamper编写尝试
https://uknowsec.cn/posts/notes/SQLMap-tamper%E7%BC%96%E5%86%99%E5%B0%9D%E8%AF%95.html
https://uknowsec.cn/posts/notes/SQLMap-tamper%E7%BC%96%E5%86%99%E5%B0%9D%E8%AF%95.html
Omnibus: Automating OSINT Collection
http://blog.inquest.net/blog/2018/08/16/omnibus-automating-osint/
http://blog.inquest.net/blog/2018/08/16/omnibus-automating-osint/
Bodhi - Client-side Vulnerability Playground
https://github.com/amolnaik4/bodhi
https://github.com/amolnaik4/bodhi
代码审计之YOUKE365
https://xz.aliyun.com/t/2561
https://xz.aliyun.com/t/2561
论如何优雅地拿下PHPCMS
https://bbs.ichunqiu.com/thread-44046-1-1.html?from=sec
https://bbs.ichunqiu.com/thread-44046-1-1.html?from=sec
Real World CTF doc2own 命题报告
https://zhuanlan.zhihu.com/p/41544965
https://zhuanlan.zhihu.com/p/41544965
Detecting SSH Username Enumeration
https://blog.rootshell.be/2018/08/16/detecting-ssh-username-enumeration/
https://blog.rootshell.be/2018/08/16/detecting-ssh-username-enumeration/
deep-hooks-monitoring-native-execution-wow64-applications-part-2
https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-2/
https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-2/
一种利用 etherscan.io 缺陷的智能合约蜜罐
https://paper.seebug.org/671/
https://paper.seebug.org/671/
TJCTF 2018 Pwn_Re专题全解析
https://www.anquanke.com/post/id/156443
https://www.anquanke.com/post/id/156443
Web Application Penetration Testing Course URLs
https://docs.google.com/document/d/101EsKlu41ICdeE7mEv189SS8wMtcdXfRtua0ClYjP1M/edit
https://docs.google.com/document/d/101EsKlu41ICdeE7mEv189SS8wMtcdXfRtua0ClYjP1M/edit
Iptables Essentials: Common Firewall Rules and Commands.
https://github.com/trimstray/iptables-essentials
https://github.com/trimstray/iptables-essentials
逆向相关的wiki分享
https://lichao890427.github.io/wiki/
https://lichao890427.github.io/wiki/
我的AI安全检测学习笔记(一)
https://www.secpulse.com/archives/74179.html
https://www.secpulse.com/archives/74179.html
利用PHP扩展Taint找出网站的潜在安全漏洞实践
https://bbs.ichunqiu.com/thread-44407-1-1.html?from=sec
https://bbs.ichunqiu.com/thread-44407-1-1.html?from=sec
Trust no one: TrustKit SSL pinning bypass
https://kov4l3nko.github.io/blog/2018-08-14-trustkit-bypass/
https://kov4l3nko.github.io/blog/2018-08-14-trustkit-bypass/
window应急响应(四):挖矿病毒
https://mp.weixin.qq.com/s/dbQ0ZMHur4vIq98oqR-sXA
https://mp.weixin.qq.com/s/dbQ0ZMHur4vIq98oqR-sXA
deep-hooks-monitoring-native-execution-wow64-applications-part-3
https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-3/
https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-3/
DEFCON 26 CTF參賽記
http://maskray.me/blog/2018-08-13-defcon-26-ctf
http://maskray.me/blog/2018-08-13-defcon-26-ctf
NASA开源软件实践与思考
https://mp.weixin.qq.com/s/-9BlAQqApaoGLfRgtJIn7Q
https://mp.weixin.qq.com/s/-9BlAQqApaoGLfRgtJIn7Q
浅谈APK安全及自动化审计
http://www.freebuf.com/articles/terminal/180637.html
http://www.freebuf.com/articles/terminal/180637.html
window应急响应(三):勒索病毒
https://mp.weixin.qq.com/s/Z0kBcwy379x_J-Xm2Y-Vlg
https://mp.weixin.qq.com/s/Z0kBcwy379x_J-Xm2Y-Vlg
How to Hunt Command & Control Channels Using Bro IDS and RITA
https://www.blackhillsinfosec.com/how-to-hunt-command-and-control-channels-using-bro-ids-and-rita/
https://www.blackhillsinfosec.com/how-to-hunt-command-and-control-channels-using-bro-ids-and-rita/
中国香港地区 DDoS-botnet 态势分析
https://mp.weixin.qq.com/s/_lzFwYVlSe9L5K0RsSS1bw
https://mp.weixin.qq.com/s/_lzFwYVlSe9L5K0RsSS1bw
Black Hat 2018观感:威胁情报百家争鸣
https://mp.weixin.qq.com/s/rS7nTJ-rwnmcxvRSmwn-4w
https://mp.weixin.qq.com/s/rS7nTJ-rwnmcxvRSmwn-4w
Charles 破解工具
https://github.com/8enet/Charles-Crack
https://github.com/8enet/Charles-Crack
一个传真接管你的网络:含有传真功能的打印机漏洞分析
https://xz.aliyun.com/t/2573
https://xz.aliyun.com/t/2573
教你如何自动创建机器学习特征
https://mp.weixin.qq.com/s/1Zj_pQDBqBJKSrtt9HsKXg
https://mp.weixin.qq.com/s/1Zj_pQDBqBJKSrtt9HsKXg
Hardening machine learning defenses against adversaria
https://cloudblogs.microsoft.com/microsoftsecure/2018/08/09/protecting-the-protector-hardening-machine-learning-defenses-against-adversarial-attacks/
https://cloudblogs.microsoft.com/microsoftsecure/2018/08/09/protecting-the-protector-hardening-machine-learning-defenses-against-adversarial-attacks/
Google编程之夏2018盘点
https://mp.weixin.qq.com/s/49liyrR-RcVS6CESkIC50w
https://mp.weixin.qq.com/s/49liyrR-RcVS6CESkIC50w
Dalton - IDS规则和PCAP测试系统
https://github.com/secureworks/dalton
https://github.com/secureworks/dalton
X-Ways Forensics/ WinHex(手册)
http://x-ways.net/winhex/manual.pdf
http://x-ways.net/winhex/manual.pdf
Window应急响应(二):蠕虫病毒
https://mp.weixin.qq.com/s/xodT25Pn3fW1xHrU0IhBDQ
https://mp.weixin.qq.com/s/xodT25Pn3fW1xHrU0IhBDQ
黑客是如何攻击 WebSockets 和 Socket.io的
https://xz.aliyun.com/t/2572
https://xz.aliyun.com/t/2572
基于机器学习的WebShell检测方法与实现(上)
http://www.freebuf.com/articles/web/181169.html
http://www.freebuf.com/articles/web/181169.html
ML&AI如何在云态势感知产品中落地
https://mp.weixin.qq.com/s/7Clr-Uxg6y5nXOnIQXLZ6A
https://mp.weixin.qq.com/s/7Clr-Uxg6y5nXOnIQXLZ6A
哈希长度拓展攻击(Hash Length Extension Attacks)
https://xz.aliyun.com/t/2563
https://xz.aliyun.com/t/2563
机器学习在安全攻防场景的应用与分析
https://cloud.tencent.com/developer/article/1045024
https://cloud.tencent.com/developer/article/1045024
deep-hooks-monitoring-native-execution-wow64-applications-part-1
https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-1/
https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-1/
深度学习与词法、句法、语义分析
https://mp.weixin.qq.com/s/UERPcb_XWwmnwissDHkeTg
https://mp.weixin.qq.com/s/UERPcb_XWwmnwissDHkeTg
Xdebug 攻击面在 PhpStorm 上的现实利用
https://paper.seebug.org/668/
https://paper.seebug.org/668/
Delving deep into VBScript: Analysis of CVE-2018-8174 exploitation
https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/?from=timeline
https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/?from=timeline
2018 Blackhat 工具列表
https://nosec.org/home/detail/1739.html
https://nosec.org/home/detail/1739.html
SecWiki周刊(第232期)
https://www.sec-wiki.com/weekly/232
https://www.sec-wiki.com/weekly/232
2018中国大数据产业生态地图暨中国大数据产业发展白皮书
http://www.sohu.com/a/245975306_468714
http://www.sohu.com/a/245975306_468714
一种把指定程序的 TCP 流量重定向到代理的方法
https://www.v2ex.com/t/476594
https://www.v2ex.com/t/476594
TensorFlow教程和资源(附链接&视频)
https://mp.weixin.qq.com/s/h5jpQCOwjOnniaJD7yFrPA
https://mp.weixin.qq.com/s/h5jpQCOwjOnniaJD7yFrPA
-----微信ID:SecWiki-----
SecWiki,12年来一直专注安全技术资讯分析!
SecWiki:https://www.sec-wiki.com本期原文地址: SecWiki周刊(第233期)
