SecWiki周刊（第222期)

SecWiki周刊（第222期）

2018/05/28-2018/06/03

安全资讯

[新闻] 基于RISC-V的安全芯片方案
https://www.solidot.org/story?sid=56661

安全技术

[Web安全] 对某Flask应用的简单审计
http://foreversong.cn/archives/1206

[Web安全] side-channel-attacking-browsers-through-css3-features
https://www.evonide.com/side-channel-attacking-browsers-through-css3-features/

[工具] 史上最强内网渗透知识点总结
https://mp.weixin.qq.com/s/U2MqcjA_YmMlajJzvDCZZw

[工具] w8fuckcdn:扫描全网获得真实IP自动化程序
https://github.com/boy-hack/w8fuckcdn

[其它] remote-authentication-geofeasibility-tool-geologonalyzer.html
https://www.fireeye.com/blog/threat-research/2018/05/remote-authentication-geofeasibility-tool-geologonalyzer.html

[漏洞分析] Gitlab远程代码执行漏洞分析
http://blackwolfsec.cc/2018/05/30/Gitlab_rce/

[数据挖掘] scylla:一款高质量的免费代理 IP 池工具
https://github.com/imWildCat/scylla

[比赛] 2018信息安全铁人三项数据赛题解
https://www.anquanke.com/post/id/146704

[漏洞分析] syzkaller: unsupervised, coverage-guided kernel fuzzer
https://github.com/google/syzkaller

[编程技术] jackfrued/Python-100-Days: Python
https://github.com/jackfrued/Python-100-Days

[比赛] SUCTF 2018 Web Writeup
http://sec2hack.com/ctf/suctf-2018-web-writeup.html

[运维安全] SecurityManageFramwork：企业内网安全管理平台
https://github.com/qianniaoge/-SecurityManageFramwork

[恶意分析] SideWinder“响尾蛇”APT组织（T-APT-04）：针对南亚的定向攻击威胁
http://www.freebuf.com/articles/paper/172628.html

[Web安全] Bypass 360主机卫士SQL注入防御（多姿势）
https://mp.weixin.qq.com/s/rfc9tOkKT3gGHwRSrRbtGQ

[运维安全] Docker容器安全最佳实践白皮书V1.0
http://www.dosec.cn/dosecwp.pdf

[编程技术] 爬虫调度篇[Web 漏洞扫描器]
https://mp.weixin.qq.com/s/MO40KHt7cAMg5HPpydJgOg

[其它] eos-bp-nodes-security-checklist: EOS超级节点安全执行指南
https://github.com/slowmist/eos-bp-nodes-security-checklist

[漏洞分析] RCE with Git submodule分析-CVE-2018-11235
https://xz.aliyun.com/t/2371

[运维安全] insight: 洞察-应用系统资产/漏洞全生命周期/安全知识库平台
https://github.com/creditease-sec/insight?from=timeline&isappinstalled=0

[漏洞分析] serianalyzer: A static byte code analyzer for Java deserialization gadget
https://github.com/mbechler/serianalyzer

[设备安全] 360 Marvel Team IOT安全系列第一篇dji mavic破解
https://www.anquanke.com/post/id/146478

[数据挖掘] 用Python对用户评论典型意见进行数据挖掘
https://mp.weixin.qq.com/s/37Ufu4ENqtYONoul2jK7uA

[Web安全] AssassinGo: 基于Go的高并发可拓展式Web渗透框架
https://xz.aliyun.com/t/2362

[恶意分析] Phorpiex malware spreads GandCrab phishing emails
http://blog.inquest.net/blog/2018/05/29/phorpiex-spreads-gandcrab/

[Web安全] Web安全研究人员是如何炼成的？
https://xz.aliyun.com/t/2358

[漏洞分析] 从Ethernaut学习智能合约审计(二)
https://www.bubbles966.cn/blog/2018/05/07/analyse_dapp_by_ethernaut_2/

[Web安全] 渗透技巧--XSS三重URL编码绕过实例
https://mp.weixin.qq.com/s/27_ElU2oqsv9Wu6yvZ-7DQ

[恶意分析] DNS-Analysis: 非法域名挖掘与画像系统
https://github.com/Shallownight/DNS-Analysis

[Web安全] 如何渗透测试以太坊dApps
https://www.anquanke.com/post/id/146602

[数据挖掘] Kaggle 项目实战（教程） = 文档 + 代码 + 视频
https://github.com/apachecn/kaggle

[取证分析] snare: Super Next generation Advanced Reactive honEypot
https://github.com/mushorg/snare

[Web安全] Mysql UDF BackDoor
https://xz.aliyun.com/t/2365

[Web安全] GyoiThon: growing penetration test tool using Machine Learning
https://github.com/gyoisamurai/GyoiThon

[设备安全] IoTSecurity101: From IoT Pentesting to IoT Security
https://github.com/V33RU/IoTSecurity101

[恶意分析] Microsoft SQL Server 做C2的木马
https://securityintelligence.com/new-banking-trojan-mnubot-discovered-by-ibm-x-force-research/

[漏洞分析] 从Ethernaut学习智能合约审计(一)
https://www.bubbles966.cn/blog/2018/05/05/analyse_dapp_by_ethernaut/

[Web安全] phpMyadmin提权那些事
https://bbs.ichunqiu.com/thread-41091-1-1.html?from=sec

[Web安全] 利用Java反射和类加载机制绕过JSP后门检测
https://mp.weixin.qq.com/s/6a0t7qs1Wf7_Qq71ZrqH5Q

[恶意分析] VPNFilter-新型IoT Botnet深度解析
https://mp.weixin.qq.com/s/SnchceLdNX7JYiWfSH2Hmw

[杂志] SecWiki周刊（第221期)
https://www.sec-wiki.com/weekly/221

[漏洞分析] EOS节点远程代码执行漏洞细节
http://blogs.360.cn/blog/eos-node-remote-code-execution-vulnerability/

[运维安全] PublicMonitors: 公网IP列表端口服务及弱口令周期扫描
https://github.com/grayddq/PublicMonitors

[编程技术] 图说设计模式 — Graphic Design Patterns
http://design-patterns.readthedocs.io/zh_CN/latest/index.html

[Web安全] 暴破助攻提权：ruadmin
https://github.com/yangyangwithgnu/ruadmin

[观点] 洋葱式信息安全观察-起点：IT规划
https://www.sec-un.org/%e6%b4%8b%e8%91%b1%e5%bc%8f%e4%bf%a1%e6%81%af%e5%ae%89%e5%85%a8%e8%a7%82%e5%af%9f-%e8%b5%b7%e7%82%b9%ef%bc%9ait%e8%a7%84%e5%88%92/

[Web安全] GraphQL - Security Overview and Testing Tips
https://blog.doyensec.com/2018/05/17/graphql-security-overview.html

[恶意分析] JavaScript based Bot using Github C&C
http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html

[取证分析] 远程身份验证地理位置分析工具—GeoLogonalyzer
http://www.4hou.com/tools/11890.html

[数据挖掘] 用分布式深度森林算法检测套现欺诈
https://mp.weixin.qq.com/s/dWVPLd3T5uEnCANdDa1Qfw

[恶意分析] Quick analysis of malware created with NSIS
https://isc.sans.edu/diary/rss/23703

[论文] 基于用户数据改变检测并阻止勒索软件
http://www.arkteam.net/?p=3676

[恶意分析] 优化更新 php backdoor for Windows
https://micropoor.blogspot.jp/2018/05/php-backdoor-for-windows.html

[数据挖掘] 数字金融反欺诈白皮书
http://finance.qq.com/original/caijingzhiku/yzzk12.html

-----微信ID：SecWiki-----
SecWiki，13年来一直专注安全技术资讯分析！
SecWiki：https://www.sec-wiki.com

本期原文地址: SecWiki周刊(第222期)

SecWiki周刊（第222期）

最新公告

友情链接

SecWiki公众号

安全学术圈