Recent updates
Time | Source | Summary
---|---|---
2024-05-06 10:13 | Butian Community | Analysis of the Yonyou NC runStateServlet injection vulnerability
2024-05-06 10:13 | freebuf | Many problems also came up during actual reproduction; the key is to take advantage of the difference in how the front-end and back-end servers process the request packet.
2024-05-06 09:53 | GitHub (watched) | A Burp helper for manually detecting fastjson
2024-05-06 09:53 | XianZhi Community |
2024-05-06 09:33 | XianZhi Community |
2024-05-06 09:23 | starlabs | Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub's bug bounty history. Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.
2024-05-06 09:22 | SkullSecurity | This is a write-up for turing-complete, turing-incomplete, and turing-incomplete64 from the BSides San Francisco 2024 CTF! turing-complete is a 101-level reversing challenge, and turing-incomplete is a much more difficult exploitation challenge with a very similar structure. turing-incomplete64 is a 64-bit version of turing-incomplete, which isn't necessarily harder, but is different. Let's look at the levels! turing-complete My ideas doc said "Turing Machine?" from a long time ago. I don't really remember what I was thinking, but what I decided was to make a simple reversing challenge with a finite tape and 4 operations - go left, go right, read, and write. All commands and responses are binary (1s and 0s), which is hinted at by the instructions being a series of binary bits. The actual main loop, in C, is quite simple: `uint8_t tape[128]; // ...write the flag to the tape... for(;;) { uint8_t a = r(); if(a == 2) break; uint8_t b = r(); if(b == 2) break; if(a == 0 && b == 0) { ptr++; } else if(a == 0 && b == 1`
2024-05-06 09:21 | SkullSecurity | Slay the Spider is a Minesweeper-like game where the user and computer try to uncover a spider. The challenge name and trappings are based on Slay the Spire, which is one of my favourite games. When you start the game, there are several different enemy AI options: 1: The Angry One - Plays at Random 2: Cheater Mc Cheaterly - Knows the best places to play 3: Smartypants - Uses magical super AI for the best chance of winning 4: Captain Fastidious - Is sure that playing left to right is best Those are loosely based on the classes from Slay the Spire. The third - Smartypants - is the key. It chooses the target square based on a silly algorithm: `case AI_SMART: // Picks the average of the human move and the last computer move move.row = (human_move.row + last_computer_move.row) / 2; move.col = (human_move.col + last_computer_move.col) / 2;` The problem is that the human_move.row and human_move.col are set even when the move is invalid: `static move_t do_human_turn(game_t *game) { move_t move; printf("It's your (human)`
2024-05-06 09:20 | SkullSecurity | This is a write-up for Safer Streets. I apparently wrote this in more "note to self" style, not blog style, so enjoy! First, browse the application. You should be able to create an error: `$ curl 'http://localhost:8080/display?name=test'` `Error in script /app/server.rb: No such file or directory @ rb_sysopen - /app/data/test` Note that it has an image/jpeg content-type, so it might confuse the browser. That issue grants access to two primitives: a) Read any file via path traversal b) The full path to the server For example: `$ curl -s 'http://localhost:8080/display?name=../server.rb' \| head -n20` `require 'json' require 'sinatra' require 'pp' require 'singlogger' require 'open3' ::SingLogger.set_level_from_string(level: ENV['log_level'] \|\| 'debug') LOGGER = ::SingLogger.instance() # Ideally, we set all these in the Dockerfile set :bind, ENV['HOST'] \|\| '0.0.0.0' set :port, ENV['PORT'] \|\| '8080' SAFER_STREETS_PATH = ENV['SAFER_STREETS'] \|\| '/app/safer-streets' SCRIPT = File.expand_path(__FILE__) LOGGER.info("Checking for`
2024-05-06 09:19 | SkullSecurity | No Tools is a fairly simple terminal challenge, something for new players to chew on. I suspect there are several different ways to solve it, but the basic idea is to read a file using only built-in functions from sh. I personally solved it with the read built-in: `$ read FLAG < /home/ctf/flag.txt && echo $FLAG` `CTF{where-are-my-tools}` Another solution that my co-organizer developed used exec: `$ exec < /home/ctf/flag.txt` `$ /bin/sh: 2: CTF{where-are-my-tools}: not found`
2024-05-06 09:19 | SkullSecurity | The premise of the three challenges cant-give-in, cant-give-in-secure, and cant-give-in-securer is to learn how to exploit and debug compiled code that's loaded as a CGI module. You might think that's unlikely, but a surprising number of enterprise applications (usually hardware stuff - firewalls, network "security" appliances, stuff like that) is powered by CGI scripts. You never know! This challenge was inspired by one of my co-workers at GreyNoise asking how to debug a CGI script. I thought it'd be cool to make a multi-challenge series in case others didn't know! This write-up is intended to be fairly detailed, to help new players understand their first stack overflow! Part 1: cant-give-in The vulnerability First, let's look at the vuln! All three challenges have pretty similar vulnerabilities, but here's what the first looks like: `char *strlength = getenv("CONTENT_LENGTH"); if(!strlength) { printf("ERROR: Please send data!"); exit(0); } int length = atoi(strlength); read(fileno(stdin), data, length); if(`
2024-05-06 09:14 | Blog on STAR Labs | Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub's bug bounty history. Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.
2024-05-06 09:13 | Butian Community | Using Yakit's hot-reload magic methods to implement CAPTCHA recognition in the WebFuzzer feature.
2024-05-06 09:13 | GitHub (watched) | PPPwn - PlayStation 4 PPPoE RCE
2024-05-06 09:13 | freebuf | PSTI explicitly prohibits weak or easily guessed default passwords such as "admin" or "12345", and also requires manufacturers to publish contact details so that users can report vulnerabilities.
2024-05-06 08:13 | GitHub (watched) | Deep Reinforcement Learning: Zero to Hero!
2024-05-06 08:13 | freebuf | Innovation Sandbox: VulnCheck.
2024-05-06 05:17 | CXSECURITY Database RSS Feed | Topic: Kobiz Design - Blind Sql Injection Risk: Medium Text: #Exploit Title: Kobiz Design - Blind Sql Injection #Date: 2024-05-0...
2024-05-06 05:17 | CXSECURITY Database RSS Feed | Topic: Oracuz - Blind Sql Injection Risk: Medium Text: #Exploit Title: Oracuz - Blind Sql Injection #Date: 2024-05-03 #Ex...
2024-05-06 05:17 | CXSECURITY Database RSS Feed | Topic: htmlLawed 1.2.5 Remote Command Execution Risk: High Text: #!/bin/bash # Exploit Title: htmlLawed <= 1.2.5 - Remote Code Execution # Date: 2024-05-02 # Exploit Author: Miguel Redo...
2024-05-06 04:33 | GitHub (watched) | Okta Verify and Okta FastPass Abuse Tool
2024-05-06 04:14 | Github_POC | Clario through 2024-04-11 for Desktop has weak permissions for %PROGRAMDATA%\Clario and tries to load DLLs from there as SYSTEM. [GitHub] Clario through 2024-04-11 for Windows Desktop has weak permissions for %PROGRAMDATA%\Clario and tries to load DLLs from there as SYSTEM.
2024-05-06 03:43 | Github_POC | Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized. [GitHub] Fix open source package uses tough-cookie 2.5.0 to process their clients' cookies. Unfortunately, it is affected by CVE-2023-26136.
2024-05-06 00:13 | SecWiki Weekly | A roundup of open-source LLM security projects https://mp.weixin.qq.com/s/ofMytXbFEhkaCDQWQy0KqA
2024-05-05 21:13 | GitHub (watched) | Specific C2 Detection Tool Written To Detect C2 Servers From Rhadamanthys Stealer Malware.
2024-05-05 20:33 | GitHub (watched) | A .NET Runtime for Cobalt Strike's Beacon Object Files
2024-05-05 20:33 | GitHub (watched) |