Hacking8 安全信息流
最近更新
| 时间 | 节点 | |
|---|---|---|
| 2024年5月1日 20:12 | freebuf |
全国网络安全标准化技术委员会发布《网络安全技术 网络安全众测服务要求》,将在2024年11月1日正式实施。 |
| 2024年5月1日 19:40 | Stories by SAFARAS K A on Medi |
Hello, hackers! In this article, I want to tell you a story on how I accidentally discovered an IDOR vulnerability on Coursera’s programs while I was also learning and trying to get the GCP (Google Cybersecurity Certificate) for fun. A little bit of background about Coursera Coursera is a for-profit U.S.-based global massive open online course provider founded in 2012 by Stanford University computer science professors Andrew Ng and Daphne Koller. Coursera works with universities and other organizations to offer online courses, certifications, and degrees in a variety of subjects. — Wikipedia Okay first off, what is IDOR? Fig 1. A simple diagram on how IDOR works Simply put, an Insecure Direct Object Reference (IDOR) vulnerability refers to a type of vulnerability that lets attackers freely modify objects (it may be modify a user account, view files, etc..) without getting into the target’s account directly. A short background It started off when I was trying to comment on their forum while I was on the learni |
| 2024年5月1日 17:52 | Github关注 |
Extracts the top level domain (TLD) from the URL given. |
| 2024年5月1日 17:38 | CXSECURITY Database RSS Feed - |
Topic: Travel-Manager-OTMSP-1.0 Multiple SQLi Risk: Medium Text:## Titles: Travel-Manager-OTMSP-1.0 Multiple SQLi ## Author: nu11secur1ty ## Date: 05/01/2024 ## Vendor: https://mayurik.com... " 主题:旅行管理器-OTMSP-1.0 多个SQLi风险:中等\n文本:## 标题:旅行管理器-OTMSP-1.0 多个SQLi\n## 作者:nu11secur1ty\n## 日期:2024年5月1日\n## 供应商:https://mayurik.com..." |
| 2024年5月1日 17:38 | CXSECURITY Database RSS Feed - |
Topic: osCommerce 4 - Reflected XSS Risk: Low Text:# Exploit Title: osCommerce 4 - Reflected XSS # Exploit Author: CraCkEr # Date: 22/04/2024 # Vendor: osCommerce ltd. # Vend... |
| 2024年5月1日 17:38 | CXSECURITY Database RSS Feed - |
Topic: Doctor Appointment Management System 1.0 Cross Site Scripting Risk: Low Text:# Application Name: Doctor Appointment Management System # Software Link: [Download Link](https://phpgurukul.com/doctor-appoin... " 主题:医生预约管理系统1.0跨站脚本风险:低\n\n文本:# 应用名称:医生预约管理系统\n# 软件链接:[下载链接](https://phpgurukul.com/doctor-appointment-management-system-10/)\n\n将以上英文翻译为中文,要求信达雅:\n\n主题:医生预约管理系统1.0跨站脚本风险:低\n\n文本:# 应用名称:医生预约管理系统\n# 软件链接:[下载链接](https://phpgurukul.com/doctor-appointment-management-system-10/)" |
| 2024年5月1日 17:38 | CXSECURITY Database RSS Feed - |
Topic: Kemp LoadMaster Unauthenticated Command Injection Risk: High Text:## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-... " 主题:Kemp LoadMaster未认证命令注入风险:高\n文本:## # 本模块需要Metasploit:https://metasploit.com/download # 当前源代码:https://github.com/rapid7/metasploit-..." |
| 2024年5月1日 16:33 | Exploitalert |
Travel-Manager-OTMSP-1.0 Multiple SQLi " 旅行管理器-OTMSP-1.0 多个 SQL 注入漏洞" |
| 2024年5月1日 16:33 | Exploitalert |
Doctor Appointment Management System 1.0 Cross Site Scripting " 医生预约管理系统 1.0 跨站脚本攻击漏洞" |
| 2024年5月1日 16:33 | Exploitalert |
Kemp LoadMaster Unauthenticated Command Injection " 金普负载大师未认证命令注入" |
| 2024年5月1日 16:03 | Github_POC |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through 3.92.0.
[GitHub]PoC for wordpress takeover in CVE-2024-27956
" 下列文字翻译为中文:不当处理SQL命令中使用的特殊元素('SQL注入')漏洞在ValvePress自动允许SQL注入。此问题影响自动:从n/a到3.92.0。\n[GitHub]针对CVE-2024-27956的WordPress接管PoC(证明概念)"
|
| 2024年5月1日 15:33 | hackone |
影响厂商:IBM 奖励: 危险等级:critical " 通过在IBM您的学习端点中更改HTTP方法,实现不安全直接对象引用保护的绕过。" |
| 2024年5月1日 15:33 | hackone |
影响厂商:b'IBM'(https://hackerone.com/ibm) " \"通过在IBM您的学习端点更改HTTP方法,实现不安全直接对象引用保护绕过。\"" |
| 2024年5月1日 15:12 | freebuf |
Noisy是一款功能强大的DNS和HTTP/S网络流量噪音生成工具,可以在进行常规网络浏览时在后台生成随机的HTTP/DNS网络流量噪声。 |
| 2024年5月1日 13:12 | freebuf |
揭秘QuasarRAT:一款开源工具,如何一步步成为黑客利器? |
| 2024年5月1日 10:12 | freebuf |
本文详细记录了对Zyxel 设备固件进行提取的方法和过程,并进行了详细分析。 |
| 2024年5月1日 09:41 | Github_POC |
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data. [GitHub]Update of https://github.com/1337g/CVE-2017-12149 to work with python3 " 在JBoss应用服务器随Red Hat企业应用平台5.2版中发现,HTTP Invoker的ReadOnlyAccessFilter类的doFilter方法没有限制对其执行反序列化的类,从而允许攻击者通过构造的序列化数据执行任意代码。\n[GitHub] 将https://github.com/1337g/CVE-2017-12149更新为支持python3。" |
| 2024年5月1日 09:41 | Github_POC |
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later [GitHub]writeup and PoC for CVE-2024-32766 (QNAP) OS command injection, chained attack for auth bypass. " 已报告称,一种操作系统命令注入漏洞影响了多个QNAP操作系统版本。如果该漏洞被利用,用户可以通过网络执行命令。我们已在以下版本中修复了该漏洞:QTS 5.1.3.2578 build 20231110及之后的版本,QTS 4.5.4.2627 build 20231225及之后的版本,QuTS hero h5.1.3.2578 build 20231110及之后的版本,QuTS hero h4.5.4.2626 build 20231225及之后的版本,以及QuTScloud c5.1.5.2651及之后的版本。\n[GitHub] CVE-2024-32766(QNAP)操作系统命令注入的writeup和PoC,用于绕过认证的链式攻击。" |
| 2024年5月1日 08:52 | 看雪论坛 |
引言 在逆向工程领域,IDA Pro 是一款广受赞誉的反汇编和调试工具,它支持多种主流的指令集,为开发者和安全研究人员提供了强大的分析能力。然而,一些特殊的指令集,如 VMP(Virtual Machine Protection)指令集,可能并不在 IDA 的支持列表中。目前,随着攻防对抗技术的发 ... |
| 2024年5月1日 08:12 | freebuf |
创新沙盒解读:Antimatter。 |
| 2024年5月1日 06:32 | Github关注 |
Expriments |
| 2024年5月1日 06:12 | Github关注 | |
| 2024年5月1日 05:38 | Offensive OSINT |
Open Source Surveillance is an affordable and powerful OSINT system designed for both companies and individuals. It allows to gather real-time geo data from a variety of social media platforms and numerous other open sources. Try it on Open Source Surveillance Real time intelligence gathering tool Links Other projects & " 开源监控是一款实惠且强大的开源情报(OSINT)系统,适用于公司和个体用户。它允许从各种社交媒体平台和众多其他开源渠道实时收集地理数据。\n请尝试使用\n开源监控\n实时情报收集工具\n链接其他项目&" |
| 2024年5月1日 04:03 | Github_POC |
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox. [GitHub]Exploit CrushFTP CVE-2024-4040 " VFS沙箱逃逸在所有版本小于10.7.1和11.1.0的CrushFTP中,以及在所有平台上,允许具有低权限的远程攻击者从VFS沙箱之外的文件系统读取文件。\n[GitHub]利用CrushFTP CVE-2024-4040" |
| 2024年5月1日 03:38 | Stories by SAFARAS K A on Medi |
Exploring Honeypots And The Art of Cybersecurity Deception Photo by Hanna Balan on Unsplash Introduction Ever wanted a front-row seat to watch attackers at work? Bored of reading about attacker techniques and frameworks like MITRE? Would you like to gain firsthand insight into how real-world attacks unfold? Honeypots are a great way to get that experience. What started as a small experiment after accidentally leaving a Python web server running on a test machine has turned into a personal project to dive deeper into honeypots and share the experience with you. Honeypots offer a unique way to learn about cybersecurity attacks by attracting and studying real-world attackers. Setting up a honeypot allows you to observe and analyze threats in real-time, helping you gain practical experience and insight into how attackers operate. I’m exploring honeypots because I believe that to be effective in cybersecurity, you need to see the action up close, not just read about it. Throughout this article, we’ll discuss what |
| 2024年5月1日 03:35 | Real-time communications secur |
Welcome to the April edition of the VoIP and WebRTC security monthly newsletter. In this edition, we cover: Kamailio World 2024 review Our short and longer presentation on insecure Kamailio configuration patterns Changes to the newsletter Updates to T-Pot honeypot, sngrep security fixes, Mitel IP Phone vulnerabilities New security course on WebRTC by BlogGeek.me And some more! RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. " 欢迎阅读本月VoIP和WebRTC安全每月通讯的四月版。在本期中,我们涵盖了以下内容:\n\n1. Kamailio World 2024回顾\n2. 我们关于不安全Kamailio配置模式的长短篇演讲\n3. 通讯录的更改\n4. T-Pot蜜罐、sngrep安全修复以及Mitel IP电话漏洞的更新\n5. BlogGeek.me推出的新WebRTC安全课程\n6. 以及其他内容!\n\nRTCSec通讯是一份免费的定期通讯,为您提供关于VoIP和WebRTC安全的评论和新闻。" |
| 2024年5月1日 02:52 | Github关注 |
Simple reverse ICMP shell |
| 2024年5月1日 01:52 | Github关注 |
Used for AI model generation, next-generation Blender rendering engine, texture enhancement&generation (based on ComfyUI) |
| 2024年5月1日 00:34 | Packet Storm |
Red Hat Security Advisory 2024-2377-03 - An update for zziplib is now available for Red Hat Enterprise Linux 9. " 红帽安全公告2024-2377-03 - 针对红帽企业Linux 9的zziplib更新现已可用。" |
| 2024年5月1日 00:34 | Packet Storm |
Red Hat Security Advisory 2024-2387-03 - An update for mod_jk and mod_proxy_cluster is now available for Red Hat Enterprise Linux 9. Issues addressed include cross site scripting and information leakage vulnerabilities. " 红帽安全公告2024-2387-03 - 针对Red Hat Enterprise Linux 9的mod_jk和mod_proxy_cluster更新现已可用。解决的问题包括跨站脚本和信息泄漏漏洞。" |