SecWiki周刊(第38期)
2014/11/17-2014/11/23
安全资讯
[Web安全]  某cms程序SQL注入(demo测试)
http://www.shellsec.com/tech/187619.html
[Web安全]  安全科普:什么是暴力破解攻击?如何检测和防御?
http://www.freebuf.com/news/special/52361.html
[工具]  MITMf:中间人攻击框架
http://www.91ri.org/10918.html
[工具]  PHP应用安全静态代码分析工具 – WAP 2.0
http://www.freebuf.com/tools/52333.html
[Web安全]  一种自动化检测 Flash 中 XSS 方法的探讨
http://www.91ri.org/11464.html
[Web安全]  PHP Execute Command Bypass Disable_functions
http://www.91ri.org/11321.html
[Web安全]  .NET远程代码执行(MS14-026/CVE-2014-1806)
http://www.91ri.org/11461.html
[工具]  Exploit搜索工具 – Pompem
http://www.freebuf.com/tools/51796.html
[漏洞分析]  域控制器的用户尽快升级MS14-068补丁
http://blog.sina.com.cn/s/blog_e8e60bc00102v9k7.html
[恶意分析]  在遭中国黑客攻击之后Google与NSA结盟
http://www.solidot.org/story?sid=41905
[Web安全]  一周海外安全事件回顾(11.03-11.15):黑暗网络的坠落
http://www.freebuf.com/news/51974.html
安全技术
[漏洞分析]  品味袁哥的DVE神韵
http://hi.baidu.com/xiyanggif/item/a386a123e1e6de92b73263ca
[漏洞分析]  IE浏览器Fuzzing技术
http://hitcon.org/2014/downloads/P1_06_Chen%20Zhang%20-%20Smashing%20The%20Browser%20-%20From%20Vulnerability%20Discovery%20To%20Exploit.pdf
[移动安全]  安卓Bug 17356824 BroadcastAnywhere漏洞分析
http://drops.wooyun.org/papers/3912
[Web安全]  安全科普:你的密码在谁的手里?
http://www.freebuf.com/news/special/52234.html
[漏洞分析]  漏洞预警:.NET远程代码执行漏洞(含EXP)
http://www.freebuf.com/vuls/51981.html
[其它]  震网病毒Stuxnet之子 – Duqu的现身
http://www.freebuf.com/news/52249.html
[漏洞分析]  沙虫漏洞(CVE-2014-4114)利用测试方法
http://www.freebuf.com/vuls/51735.html
[Web安全]  战斗之旅——SSCTF(一)
http://www.91ri.org/11349.html
[运维安全]  ModSecurity 晋级-如何调用lua脚本进行防御快速入门
http://danqingdani.blog.163.com/blog/static/1860941952014101862337903/
[其它]  勒索软件CoinVault:拿钱来,给你一个恢复文件的机会
http://www.freebuf.com/news/51899.html
[漏洞分析]  IE浏览器“神洞”CVE-2014-6332已经被用作定向攻击
http://blog.vulnhunt.com/index.php/2014/11/18/cve-2014-6332-used-in-targeted-attack/
[漏洞分析]  Win95+IE3 – Win10+IE11全版本执行漏洞(含POC)
http://www.freebuf.com/articles/system/51501.html
[Web安全]  WEB调试工具---Firebug
http://www.imooc.com/view/137?utm_source=jobboleweibo
[Web安全]  XML实体攻击-从内网探测到命令执行步步惊心
http://bobao.360.cn/course/detail/95.html
[漏洞分析]  Zero Day Initiative
http://www.zerodayinitiative.com/advisories/published/?nsukey=H3ybxI6z8vYpfXCHC7ZctZZ5WVg4BD1C0trgyAOTHU34SON%2Bfg%2FV3xdn9v95hZJGkmOFBybUHYsWQarBfBtCfQ%3D%3D
[Web安全]  使用Pfsense+Snorby构建入侵检测系统
http://www.freebuf.com/articles/network/51473.html
[漏洞分析]  CVE-2014-1767_Afd.sys_double-free_漏洞分析与利用
http://bbs.pediy.com/showthread.php?p=1331045#post1331045
[Web安全]  Pfsense和Snorby
http://drops.wooyun.org/%e8%bf%90%e7%bb%b4%e5%ae%89%e5%85%a8/3874
[漏洞分析]  安全研究进阶_yuange1975
http://blog.sina.com.cn/s/blog_85e506df0102v9o8.html
[编程技术]  2014中华架构师大会PPT
http://vdisk.weibo.com/s/A2SbHmu4fAWi/1416472883
[运维安全]  开源跳板机(堡垒机)Jumpserver
http://laoguang.blog.51cto.com/6013350/1576502
[Web安全]  战斗之旅——SSCTF(二)
http://www.91ri.org/11390.html
[漏洞分析]  Trigger the ms14-066
http://blog.beyondtrust.com/triggering-ms14-066
[漏洞分析]   IE远程代码执行漏洞(CVE-2014-6332)利用测试方法
http://www.freebuf.com/vuls/51628.html
[Web安全]  免费开源相册Piwigo <= v2.6.0 SQL注入漏洞(0day)
http://www.freebuf.com/vuls/51401.html
[Web安全]   博客安全:如何为WordPress做安全防护?
http://www.freebuf.com/articles/web/49210.html
[工具]  IRMA在线分析系统
http://irma.quarkslab.com/
[Web安全]  关于重复发包的防护与绕过
http://drops.wooyun.org/web/3910
[数据挖掘]  Pullcore-永久免费的新闻标题核心词提取API
http://pullcore.com/
[Web安全]  SSLStrip 终极版:Location 瞒天过海
http://www.freebuf.com/articles/web/50771.html
[Web安全]  PHP WDDX Serializier Data Injection Vulnerability
http://drops.wooyun.org/tips/3911
[书籍]  一些Malware、Virus、Worm相关的文档和电子书
http://m.weibo.cn/1684840802/3778153060791056/weixin?sourceType=weixin&from=1046295010&wm=5091_0008
[漏洞分析]  Smashing_The_Browser
https://github.com/demi6od/Smashing_The_Browser
[恶意分析]  Debugging and reverse engineering: Stuxnet
http://bsodanalysis.blogspot.sg/2014/11/stuxnet-kernel-analysis.html
[漏洞分析]  Mongodb注入攻击
http://drops.wooyun.org/tips/3939
[移动安全]  Radare - Forensic Android Tool
http://www.radare.org/y/?p=download
[Web安全]  PHP绕过open_basedir列目录的研究
http://drops.wooyun.org/tips/3978
[Web安全]  爬虫技术浅析
http://drops.wooyun.org/tips/3915
[漏洞分析]  小窥杀软主防+某杀软反注入exp
http://bbs.pediy.com/showthread.php?p=1332925#post1332925
[恶意分析]  chm文件执行任意代码
http://xiaonieblog.com/?post=128
[编程技术]  Optimizing Disk IO and Memory for Big Data Vector Analysis
http://blogs.teradata.com/data-points/optimizing-disk-io-and-memory-for-big-data-vector-analysis/
[Web安全]  PHP Session 序列化及反序列化处理器设置使用不当带来的安全隐患
http://drops.wooyun.org/tips/3909
[漏洞分析]  CVE-2014-6332 ie漏洞利用分析
http://xteam.baidu.com/?p=104
[其它]  Google与NSA(美国国安局)结盟,共同对抗黑客
http://www.freebuf.com/news/51956.html
[编程技术]  2014 WOT全球软件技术峰会PPT
http://down.51cto.com/zt/6814/1
[Web安全]  PHP Execute Command Bypass Disable_functions With Shellshock
http://www.secpulse.com/archives/2300.html
[Web安全]  WAF的实现
http://danqingdani.blog.163.com/blog/static/1860941952014101723845500/
[其它]  建立个人知识体系
http://www.lishen.me/archives/528
[恶意分析]  Deobfuscation and beyond (ZeroNights, 2014)
http://www.slideshare.net/ReCrypt/deobfuscation-and-beyond
[漏洞分析]  老掉牙的12306根证书问题可导致中间人攻击
http://www.wooyun.org/bugs/wooyun-2014-082725
[Web安全]  PHP Execute Command Bypass Disable_functions
http://zone.wooyun.org/content/16631
[Web安全]  Static-DOM-XSS-Scanner
https://github.com/ajinabraham/Static-DOM-XSS-Scanner
[恶意分析]  火眼实验室MSDN脚本使用
http://blog.depressedmarvin.com/blog/2014/11/18/msdn-annotations-ida-pro/
[恶意分析]  APT事件技术文档索引库
http://git.oschina.net/superme/APTnotes
[编程技术]  远程工作资料
https://github.com/greatghoul/remote-working
[移动安全]  IOS假面攻击
http://bobao.360.cn/news/detail/810.html?preview=1
[漏洞分析]  CVE-2014-0569漏洞分析
http://weibo.com/p/1001603769606924861349?u=http%3A%2F%2Ft.cn%2FR7JT2kU&ep=BtcNexjTX%2C1874932054%2CBtcNexjTX%2C1874932054&wm=5091_0008&sourceType=weixin&from=1046295010&ext=sourceType%3Aweixin&featurecode=20000180&oid=3778056844143251&rl=1&luicode=2
[漏洞分析]  XCTF HCTF Reverse Writeup
http://www.programlife.net/xctf-hctf-reverse-writeup.html
[移动安全]  Android Hacking and Security, Part 13: Introduction to Drozer
http://resources.infosecinstitute.com/android-hacking-security-part-13-introduction-drozer/
[书籍]  Data Mining in Social Science
http://lingfeiw.gitbooks.io/data-mining-in-social-science/
[编程技术]  pyspider介绍
http://blog.binux.me/2014/11/introduction-to-pyspider/
[其它]  不只是搜索引擎:10个鲜为人知谷歌搜索功能
http://www.shellsec.com/tech/187536.html
[Web安全]  程序员与黑客
http://mdslide.sinaapp.com/infoq.php?count=52&prefix=yuxian&title=%E7%A8%8B%E5%BA%8F%E5%91%98%E4%B8%8E%E9%BB%91%E5%AE%A2&from=timeline&isappinstalled=0#/
[数据挖掘]  社会信息学2014巴塞罗那会议报告
http://www.jianshu.com/p/81075168240e
[其它]  捣毁Tor网络黑市:400个匿名站点被关,丝绸之路2.0经营者被捕
http://www.freebuf.com/news/50903.html
[漏洞分析]  Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability
http://www.vupen.com/blog/20140520.Advanced_Exploitation_Firefox_UaF_Pwn2Own_2014.php?nsukey=9s%2BGDLjFM2hq51rKHzOfJbHEZ6vfVkIcD4bFMXkcMfYm2msBPSzpn5ErG7MIq6Ljh8F3jSt7ksTOZu6wm6VbMA%3D%3D
[Web安全]  NoSuchCon 2014 大会资料
http://www.nosuchcon.org/talks/2014/
-----微信ID:SecWiki-----
SecWiki,12年来一直专注安全技术资讯分析!
SecWiki:https://www.sec-wiki.com

本期原文地址: SecWiki周刊(第38期)