Hacking Book | Free Online Hacking Learning


secwiki weekly (issue 146)

Posted by agaran at 2020-03-22

Safety technology

[event] yandex.ru 13505910 user data leaks (download attached) http://www.mottoin.com/93910.html

[web security] free webshell killing tool http://www.shellpub.com/

[device security] wordlist: brute force dictionary library (IP Camera default password) https://github.com/jeanphorn/wordlist

[wireless security] WiFi universal key principle and reverse analysis (query WiFi password) http://blog.csdn.net/u011725101/article/details/53612617

[malicious analysis] implicit for Volatility: analyze malware from memory image http://blog.jpcert.or.jp/2016/12/a-new-tool-to-d-d6bc.html

[device security] Internet of things Security Overview white paper http://blog.nsfocus.net/white-paper-security/

[vulnerability analysis] the decryption process of a CTF: https://xuanlan.zhihu.com/p/24422859

[data mining] Stanford Course: Data Mining for cyber securityhttp://web.stanford.edu/class/cs259d/

[web security] vulnerability warning: SQL injection vulnerability in Joomla extension DT register http://www.motoin.com/93862.html

[web security] addthis widget calls PostMessage API, which leads to XSS vulnerability in millions of websites http://www.motoin.com/94130.html

[web security] Nagios core < 4.2.2 curl command injection / code execution http://www.motoin.com/93936.html

[vulnerability analysis] unauthorized SQL injection vulnerability in password management software teampass http://www.button.com/93751.html

[vulnerability analysis] Chrome OS exploit: one byte overflow and symlinks https://google project zero.blogspot.tw/2016/12/chrome-os-exploit-one-byte-overflow-and.html

[web security] bruteforcer: password for distributed multithreading rar file (download with tools) http://www.freebuf.com/sectool/122481.html

[O & M security] use MSIEXEC to bypass the application whitelist http://www.button.com/94150.html

[tools] official Manual: basic use of atom https://atom-china.org/t/atom/62

[vulnerability analysis] Splunk enterprise < = 6.4.3 server side Request Forgery vulnerability http://www.button.com/93646.html

[malicious analysis] analysis of cryptofile2 ransomware serverhttps://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/12/asert-thread-intelligence-report-2016-06-ransomware-server-analysis.pdf

[web security] flash framework injection popular science http://www.motoin.com/94149.html

[malicious analysis] Analyze Linux / Mirai. B worm http://www.button.com/93625.html

[malicious analysis] malware training sets: a machine learning dataset for everyone http://marcoramili.blogspot.jp/2016/12/malware-training-sets-machine-learning.html

[web security] [exclusive] XSS bypass Cookbook https://xianzhi.aliyun.com/forum/read/536.html

[web security] online kill webshell tool http://n.shellpub.com/

[programming technology] highanonproxypool: proxypool https://github.com/eastrd/highanonproxypool

[web security] vulscritp: intranet penetration script https://github.com/0xwindows/vulscritp

[programming technology] proxy pool: simple crawler proxy pool https://github.com/jhao104/proxy pool

[mobile security] Android security's intent_scheme_url attack http://yaq.qq.com/blog/16

[malicious analysis] Computer Virus Encyclopedia http://virus.wikidot.com/

[programming technology] TDD method development penetration testing tool: agent scanner (second episode) http://www.freebuf.com/sectool/122124.html

[wireless security] secret identity authentication weapon - voiceprint recognition! https://jaq.alibaba.com/community/art/show?articleid=661

[other] MODBUS stage: using PLCs as a payload / shellcode distribution system: http://www.shelliscomming.com/2016/12/modbus-stage-using-plcs-as.html

[malicious analysis] Mikey - a Linux Keylogger (malicious backdoor analysis) http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger

[operation and maintenance security] data leakage events: https://www.internetsociety.org/globalinternetreport/2016/data-and-trends/? Gclid = cny9l7mg7nacfyavvaodwyygsa 35; collapse259

[web security] the way to fuzzy test paper / rich text storage XSS https://github.com/martinzhou2015/paper/blob/master/% E5% AF% 8C% E6% 96% 87% E6% 9C% AC% E5% ad% 98% E5% 82% A8% E5% 9E% 8bxss% E7% 9A% 84% E6% A8% A1% E7% B3% 8A% E6% B5% 8b% E8% AF% 95% E4% B9% 8b% E9% 81% 93.pdf

[forensic analysis] seccon 2016 forensic Title writeuphttps://lightless.me/archives/seccon-2016-forensics-wp.html

[vulnerability analysis] ms16-063 patch analysis (jscript9. DLL) http://www.button.com/93762.html

[vulnerability analysis] Netgear Series Router Command Execution Vulnerability Analysis http://paper.seebug.org/145/

[web security] rar_crack: open source rar brute force cracking tool https://github.com/bend/rar_crack

[web security] the best PHP security practice course https://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html

[web security] WordPress Theme back door analysis http://paper.seebug.org/140/

[magazine] sec wiki weekly (issue 145) https://www.sec-wiki.com/weekly/145

[web security] analysis of XSS vulnerability in Yahoo mailbox storage http://www.freebuf.com/vuls/122455.html

[vulnerability analysis] Microsoft Word onetabledocumentstream integer underflow vulnerability analysis (cve-2016-7290) http://www.motif.com/93865.html

[mobile security] China mobile phone system security test report (full text) http://www.aqniu.com/industry/21693.html

[other] password guidance: simplifying your approachhttp://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

[malicious analysis] McAfee for Linux vulnerability writeuphttp://www.motoin.com/94066.html

[vulnerability analysis] garric: an automatic generation tool for malformed samples http://www.asm64.com/garric/

[equipment safety] both hardware and software are applied. Thoroughly disclose the breastplate of syscan360 conference and crack the mystery http://bobao.360.cn/learning/detail/3288.html

[malicious analysis] the most complete njrat communication protocol analysis in history http://www.freebuf.com/articles/network/122244.html

[tool] vane: open source WordPress security detection tool http://www.button.com/93624.html

[web security] using PHP's mail function for remote code execution https://www.saotn.org/expand-phps-mail-get-remote-code-execution

1 & scene = 2 & srcid = 1214gewamueagvevyuxbqzqs & from = timeline × Rd

[tools] whistle: cross platform web debugging agent tool http://www.button.com/94052.html

[mobile security] mobile application penetration testing cheat sheet https://github.com/tanprathan/mobileapp-pentest-cheat sheet

[web security] how to build your own password cracking rig http://www.netmux.com/blog/how-to-build-a-password-cracking-rig

[vulnerability analysis] the state of WordPress securityhttps://blog.ripstech.com/2016/the-state-of-wordpress-security/

[mobile security] cve-2016-6771: Android voice mailbox forgery vulnerability analysis https://security.tencent.com/index.php/blog/msg/110

[tools] [using scripts] McAfee virus scan enterprise for Linux - remote code executionhttps://github.com/netwrkspider/dedsectools

[web security] cracking Magento passwords for $1https://gwillem.gitlab.io/2016/12/16/cracking-magento-passwords/