Recent updates
Time | Node | Summary
---|---|---
2024-05-06 12:13 | freebuf | In most cases, attackers exploit trust relationships: by compromising a third-party external vendor or contractor, they execute commands in connected virtual machines or hybrid environments.
2024-05-06 11:53 | GitHub (watched) |
2024-05-06 11:53 | GitHub (watched) | NextTrace, an open source visual route tracking CLI tool
2024-05-06 11:53 | GitHub (watched) | An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDA…
2024-05-06 11:53 | freebuf | In 2023, 35% of all organizations observed by Bitsight dealt with a KEV, and the vast majority of those had more than one KEV.
2024-05-06 11:53 | freebuf | In most cases, attackers exploit trust relationships: by compromising a third-party external vendor or contractor, they execute commands in connected virtual machines or hybrid environments.
2024-05-06 11:53 | Xianzhi Community (先知社区) |
2024-05-06 11:33 | Xianzhi Community (先知社区) |
2024-05-06 11:33 | Xianzhi Community (先知社区) |
2024-05-06 11:13 | GitHub (watched) | AttacKG: Constructing Knowledge-enhanced Attack Graphs from Cyber Threat Intelligence Reports
2024-05-06 11:13 | Xianzhi Community (先知社区) |
2024-05-06 11:13 | Xianzhi Community (先知社区) |
2024-05-06 10:53 | Xianzhi Community (先知社区) |
2024-05-06 10:13 | Butian Community (补天社区) | Analysis of the Yonyou NC runStateServlet injection vulnerability
2024-05-06 10:13 | freebuf | Many problems were also encountered while actually reproducing it; the key is to exploit the differences in how the front-end and back-end servers handle the packet.
2024-05-06 09:53 | GitHub (watched) | A Burp helper for manually detecting fastjson
2024-05-06 09:53 | Xianzhi Community (先知社区) |
2024-05-06 09:53 | Xianzhi Community (先知社区) |
2024-05-06 09:53 | Xianzhi Community (先知社区) |
2024-05-06 09:53 | Xianzhi Community (先知社区) |
2024-05-06 09:33 | Xianzhi Community (先知社区) |
2024-05-06 09:23 | starlabs | Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub's bug bounty history. Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.
2024-05-06 09:22 | SkullSecurity | This is a write-up for turing-complete, turing-incomplete, and turing-incomplete64 from the BSides San Francisco 2024 CTF! turing-complete is a 101-level reversing challenge, and turing-incomplete is a much more difficult exploitation challenge with a very similar structure. turing-incomplete64 is a 64-bit version of turing-incomplete, which isn't necessarily harder, but is different. Let's look at the levels! turing-complete: My ideas doc said "Turing Machine?" from a long time ago. I don't really remember what I was thinking, but what I decided was to make a simple reversing challenge with a finite tape and 4 operations - go left, go right, read, and write. All commands and responses are binary (1s and 0s), which is hinted at by the instructions being a series of binary bits. The actual main loop, in C, is quite simple: `uint8_t tape[128]; // ...write the flag to the tape... for(;;) { uint8_t a = r(); if(a == 2) break; uint8_t b = r(); if(b == 2) break; if(a == 0 && b == 0) { ptr++; } else if(a == 0 && b == 1`
2024-05-06 09:21 | SkullSecurity | Slay the Spider is a Minesweeper-like game where the user and computer try to uncover a spider. The challenge name and trappings are based on Slay the Spire, which is one of my favourite games. When you start the game, there are several different enemy AI options: 1: The Angry One - Plays at Random; 2: Cheater Mc Cheaterly - Knows the best places to play; 3: Smartypants - Uses magical super AI for the best chance of winning; 4: Captain Fastidious - Is sure that playing left to right is best. Those are loosely based on the classes from Slay the Spire. The third - Smartypants - is the key. It chooses the target square based on a silly algorithm: `case AI_SMART: // Picks the average of the human move and the last computer move move.row = (human_move.row + last_computer_move.row) / 2; move.col = (human_move.col + last_computer_move.col) / 2;` The problem is that the human_move.row and human_move.col are set even when the move is invalid: `static move_t do_human_turn(game_t *game) { move_t move; printf("It's your (human)`
2024-05-06 09:20 | SkullSecurity | This is a write-up for Safer Streets. I apparently wrote this in more "note to self" style, not blog style, so enjoy! First, browse the application. You should be able to create an error: `$ curl 'http://localhost:8080/display?name=test'` → `Error in script /app/server.rb: No such file or directory @ rb_sysopen - /app/data/test`. Note that it has an image/jpeg content-type, so it might confuse the browser. That issue grants access to two primitives: a) Read any file via path traversal; b) The full path to the server. For example: `$ curl -s 'http://localhost:8080/display?name=../server.rb' | head -n20` → `require 'json' require 'sinatra' require 'pp' require 'singlogger' require 'open3' ::SingLogger.set_level_from_string(level: ENV['log_level'] || 'debug') LOGGER = ::SingLogger.instance() # Ideally, we set all these in the Dockerfile set :bind, ENV['HOST'] || '0.0.0.0' set :port, ENV['PORT'] || '8080' SAFER_STREETS_PATH = ENV['SAFER_STREETS'] || '/app/safer-streets' SCRIPT = File.expand_path(__FILE__) LOGGER.info("Checking for`
2024-05-06 09:19 | SkullSecurity | No Tools is a fairly simple terminal challenge, something for new players to chew on. I suspect there are several different ways to solve it, but the basic idea is to read a file using only built-in functions from sh. I personally solved it with the read built-in: `$ read FLAG < /home/ctf/flag.txt && echo $FLAG` → `CTF{where-are-my-tools}`. Another solution that my co-organizer developed used exec: `$ exec < /home/ctf/flag.txt` → `$ /bin/sh: 2: CTF{where-are-my-tools}: not found`
2024-05-06 09:19 | SkullSecurity | The premise of the three challenges cant-give-in, cant-give-in-secure, and cant-give-in-securer is to learn how to exploit and debug compiled code that's loaded as a CGI module. You might think that's unlikely, but a surprising number of enterprise applications (usually hardware stuff - firewalls, network "security" appliances, stuff like that) is powered by CGI scripts. You never know! This challenge was inspired by one of my co-workers at GreyNoise asking how to debug a CGI script. I thought it'd be cool to make a multi-challenge series in case others didn't know! This write-up is intended to be fairly detailed, to help new players understand their first stack overflow! Part 1: cant-give-in. The vulnerability: First, let's look at the vuln! All three challenges have pretty similar vulnerabilities, but here's what the first looks like: `char *strlength = getenv("CONTENT_LENGTH"); if(!strlength) { printf("ERROR: Please send data!"); exit(0); } int length = atoi(strlength); read(fileno(stdin), data, length); if(`
2024-05-06 09:14 | Blog on STAR Labs | Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub's bug bounty history. Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.
2024-05-06 09:13 | Butian Community (补天社区) | Using yakit's hot-reload magic methods to implement CAPTCHA recognition in the WebFuzzer feature.
2024-05-06 09:13 | GitHub (watched) | PPPwn - PlayStation 4 PPPoE RCE