Happy Hacking8

Abuse of flaw could give attackers greater access to devices even than its owner

影响厂商:HackerOne(https://hackerone.com/security) 
通过 UpdateInvitationPreferencesMutation GraphQL 操作，黑客可以绕过“邀请偏好”设置中的最小赏金数量限制

T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF)

Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)

WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)

Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)

Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

Budget and Expense Tracker System 1.0 - Authenticated Bypass

Vulnerability has now been addressed in the Microsoft Teams add-on

Disclosure comes two years after privacy-busting flaw was discovered

It will be one year since NIST released their final version of SP800-53 Revision 5 on September 23, 2020.  As a quick reminder SP800-53 is the document issued by NIST that specifies the Security and Privacy Controls that need to be used by agencies of the Federal government.
The post NIST SP800-53 Revision 5, One Year Later appeared first on K2io.
The post NIST SP800-53 Revision 5, One Year Later appeared first on Security Boulevard.

The month of September is designated “National Insider Threat Awareness Month,” and based on the number of cybersecurity incidents that involve employees, perhaps every month should be insider threat awareness month. Insider Risk Summit This week at the Insider Risk Summit, industry experts shared their thoughts on how to mitigate insider risks with discussions about..
The post Perceptions of Insider Risk 2021 appeared first on Security Boulevard.

TIGMINT是一款功能强大的开源情报GUI软件框架，该工具针对Twitter、Instagram和地理标记应用设计。

Cybersecurity has become a critical concern in every business sector nowadays due to organizations’ growing dependency on technologies. Research by Immersive Lab reported that in 2019 there were more than 20,000 new vulnerabilities. Not only that, TechRepublic reported that global companies experienced a 148% spike in ransomware attacks after COVID-19 hit the world. So, for […]… Read More
The post Everything You Need to Know about Cyber Crisis Tabletop Exercises appeared first on The State of Security.
The post Everything You Need to Know about Cyber Crisis Tabletop Exercises appeared first on Security Boulevard.

In 2021, there are two words that can send a cold chill down the spine of any Cybersecurity professional and business leader; Phishing and Ransomware. Research carried out by the Data Analytics and training company CybSafe, identified that 22% of all cyber incidents reported in the first quarter of 2021 were ransomware attacks. According to […]… Read More
The post The Digital Pandemic – Ransomware appeared first on The State of Security.
The post The Digital Pandemic – Ransomware appeared first on Security Boulevard.

Cybercriminals attacked with gusto in the first half of 2021 and attacks show no signs of slowing down. In just the first half of the year, malicious actors exploited dangerous vulnerabilities across different types of devices and operating systems, leading to major attacks that shut down fuel networks and extracted millions from enterprises. These were..
The post Ransomware Attacks Growing More Sophisticated appeared first on Security Boulevard.

September 2021 marks the third year of National Insider Threat Awareness Month (NITAM), which, according to the NITAM website, aims to help prevent “exploitation of authorized access to cause harm to an organization or its resources.” The acting director of the National Counterintelligence and Security Center, Michael J. Orlando, recently recognized this month of data..
The post Protecting Data From Insider Threats appeared first on Security Boulevard.

#内网渗透 pentestlab.blog上面的文章一直以来都比较实用易懂 PetitPo...

快速发现域内有没有证书服务 certutil.exe

该活动始于2021年7月25日，攻击者使用了大量开源工具来避免检测，难以确定攻击的归因。

The latest on the iMessage Zero-Click exploit that affects Apple iOS, MacOS and WatchOS devices (update your Apple devices now!), the names and home addresses of 111,000 British firearm owners have been dumped online, and details on over 60 million fitness tracking records exposed via an unsecured database. ** Links mentioned on the show ** […]
The post iMessage Zero-Click Exploit, Leaked Guntrader Firearms Data, 60 Million Fitness Tracking Records Exposed appeared first on The Shared Security Show.
The post iMessage Zero-Click Exploit, Leaked Guntrader Firearms Data, 60 Million Fitness Tracking Records Exposed appeared first on Security Boulevard.

Paradise 勒索软件源码在 XSS.IS 黑客论坛上被泄露。

0x00 前言
在之前的文章《域渗透——DCSync》曾系统的整理过DCSync的利用方法，本文将要针对利用DCSync导出域内所有用户hash这一方法进行详细介绍，分析不同环境下的利用思路，给出防御建议。
0x01 简介
本文将要介绍以下内容：
利用条件
利用工具
利用思路
防御建议
0x02 利用条件
获得以下任一用户的权限：
Administrators组内的用户
Domain Admins组内的用户
Enterprise Admins组内的用户
域控制器的计算机帐户
0x03 利用工具
1.C实现(mimikatz)
实现代码：
https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c#L27
示例命令：
(1)导出域内所有用户的hash
mimikatz.exe "lsadump::dcsync /domain:test.com /all /csv" exit
(2)导出域内administrator帐户的hash
mimikatz.exe "lsadump::dcsync /domain:test.com /user:administrator /csv" exit
2.Python实现(secretsdump.py)
示例命令：
python secretsdump.py test/Administrator:DomainAdmin123!@192.168.1.1
3.Powershell实现(MakeMeEnterpriseAdmin)
核心代码使用C Sharp实现，支持以下三个功能：
通过DCSync导出krbtgt用户的hash
使用krbtgt用户的hash生成Golden ticket
导入Golden ticket
注：
我在测试环境下实验结果显示，生成Golden ticket的功能存在bug，导入Golden ticket后无法获得对应的权限
4.C Sharp实现
我在(MakeMeEnterpriseAdmin)的基础上做了以下修改：
支持导出所有用户hash
导出域sid
导出所有域用户sid
代码已上传至github，地址如下：
https://github.com/3gstudent/Homework-of-C-Sharp/blob/mas

0x00 前言
MailEnable提供端到端的解决方案，用于提供安全的电子邮件和协作服务。引用自官方网站的说法：最近的一项独立调查报告称MailEnable是世界上最受欢迎的Windows邮件服务器平台。 对于MailEnable的开发者API，我在官方网站上只找到了AJAX API的说明文档，所以本文将要尝试编写Python脚本，实现对MailEnable邮件的访问，记录开发细节，开源代码。
0x01 简介
本文将要介绍以下内容：
环境搭建
开发细节
开源代码MailEnableManage.py
0x02 环境搭建
1.安装
安装前需要安装IIS服务和.Net 3.5，否则无法正常配置Web访问
MailEnable下载地址：http://www.mailenable.com/download.asp
2.配置
启动MailEnableAdmin.msc，在MailEnable Management->Messaging Manager->Post Offices下配置邮件服务器信息
如下图
默认登录页面：
http://mewebmail.localhost/mewebmail/Mondo/lang/sys/login.aspx
3.开启Web管理页面
参考资料：
http://www.mailenable.com/kb/content/article.asp?ID=ME020132
启动MailEnableAdmin.msc，选择MailEnable Management->Servers->localhost->Services and Connectors->WebAdmin，右键单击并从弹出菜单中选择Properties，选择Configure...按钮，进行安装
如下图
启动MailEnableAdmin.msc，在MailEnable Management->Messaging Manager->Post Offices下选择已配置的Post Office，右键单击并从弹出菜单中选择Properties，切换到Web Admin标签，启用web administration
如下图
选择指定用户，将属性修改为管理员
默认管理页面：
http://mewebmail.localhost/meadmin/Mondo/lang/sys/login.aspx
注：
如果忘记了用户的明文口令，可以查看默

FOFA 免费在线高级搜索小工具 本人之前发现的一个网站，现在开始限量了，但对于没...

今天会讲解到利用主从复制RCE、本地Redis主从复制RCE反弹shell、SSRF Redis 反弹shell、Redis知识拓展、Red...

Date: 2021-09-19 22:51 UTC
OS:
PHP Version: Irrelevant
Package: Website problem
Title: just a live bug test

Summary
Hi !
Hope that everything’s doing good for everyone!
This weekend, with a couple of teammates, participated on the hacktivitycon 2021, organized by hackerone, pretty cool CTF, thanks to the organizers !
This was a chill CTF for us, so I spend many hours on a couple of pwnable challenges, so here’s the write up for them. Special thanks for dplastico, for the apañe ❤️
Summary
Sharp
Summary
Leak
Exploit
shellcoded
Shelle-2
Sharp
This was a kind of (not again) a note challenge.
Thanks to the author for not doing a note chall, lol :D
The main purpose of this binary is to create a very bad database written in C, allocating “names” for the entry of the db.
This Consist on one initial chunk, that will have a integer with the amount of entries, and an array of pointers to strings for the entries names.
The only main thing that was strange, was the use of the libc 2.31, at least, not safe linking yet.
binary
libc.so.6
Summary
The principal use of this binary, is to serve as a database written in C, so, the main

Our thanks to DEFCON for publishing their tremendous DEFCON Conference Cloud Village videos on the groups' YouTube channel.
Permalink
The post DEF CON 29 Cloud Village – Magno Logan’s ‘Workshop Kubernetes Security 101 Best Practices’ appeared first on Security Boulevard.

Branch target
Many architectures encode a branch/jump/call instruction with PC-relative addressing, i.e. the distance to the target is encoded in the instruction. In an executable or shared object (called a component in ELF), if the target is bound to the same component, the instruction has a fixed encoding at link time; otherwise the target is unknown at link time and there are two choices:
text relocation
indirection
In All about Global Offset Table, I mentioned that linker/loader developers often frowned upon text relocations because the text segment will be unshareable. In addition, the number of relocations would be dependent on the number of calls, which can be large.
1
2
3
4
5
6
7
8
9

call foo # R_X86_64_PC32
call foo # R_X86_64_PC32

=>

# The instructions are patched at runtime.
# On ELF x86-64, the R_X86_64_PC32 relocation type is used.
call ...
call ...

Therefore, the prevailing scheme is to add a level of indirection analogous to that provided by the Global Offset Table for data.
Procedure Linka

各地民航纷纷开展了网络安全检查工作，通过检查发现民航的整体网络安全意识和重视程度显著提高。

via the textual amusements of Thomas Gx, along with the Illustration talents of Etienne Issartia and superb translation skillset of Mark Nightingale - the creators of CommitStrip!
Permalink
The post CommitStrip ‘Coding Maturity’ appeared first on Security Boulevard.

打卡打卡

Our thanks to DEFCON for publishing their outstanding DEFCON Conference Blockchain Village Videos on the groups' YouTube channel.
Permalink
The post DEF CON 29 Blockchain Village – Yaz Khoury’s ‘Surviving 51 Percent Attacks’ appeared first on Security Boulevard.

注入攻击新方式：通过DNS隧道传输恶意载荷 by ourren

更多最新文章，请访问SecWiki

影响厂商:XVIDEOS 奖励:100.0USD 危险等级:low
文本注入或内容欺骗的禁止页面

注入攻击新方式：通过DNS隧道传输恶意载荷 https://mp.weixin.qq.com/s/gyRxwCkeLlSRbbuPV4xziw