SecWiki周刊(第36期)
2014/11/03-2014/11/09
安全资讯
明鉴半自动化渗透测试工具新版本V1.0.0.1正式发布
http://www.youxia.org/mingjian-shentou-1-0-0-1.html
http://www.youxia.org/mingjian-shentou-1-0-0-1.html
小心你的会员卡:黑客超低价出售希尔顿酒店集团会员卡和积分
http://www.freebuf.com/news/50535.html
http://www.freebuf.com/news/50535.html
浅析 iOS 指纹识别 Touch ID 的安全性
http://blog.netsh.org/posts/touch-id-security_1926.netsh.html
http://blog.netsh.org/posts/touch-id-security_1926.netsh.html
我国自主研发的“网络身份证”技术成熟并展开试点
http://www.youxia.org/eid.html
http://www.youxia.org/eid.html
Github上敏感信息泄露 众多厂商躺枪
http://bobao.360.cn/news/detail/743.html
http://bobao.360.cn/news/detail/743.html
ShellShock vulnerability exploited in SMTP servers
http://www.scmagazine.com/smtp-servers-exploited-in-bash-bug-attack/article/380337/
http://www.scmagazine.com/smtp-servers-exploited-in-bash-bug-attack/article/380337/
安全技术
Webscan360的防御与绕过
http://drops.wooyun.org/tips/3790
http://drops.wooyun.org/tips/3790
Modsecurity原理分析--从防御方面谈WAF的机制
http://drops.wooyun.org/tips/3804
http://drops.wooyun.org/tips/3804
第五季极客大挑战writeup
http://drops.wooyun.org/tips/3434
http://drops.wooyun.org/tips/3434
wooyun monthy -8
http://pan.baidu.com/s/1gdAFu6J
http://pan.baidu.com/s/1gdAFu6J
SSLStrip 终极版 —— location 瞒天过海
http://www.cnblogs.com/index-html/p/sslstrip-plus.html
http://www.cnblogs.com/index-html/p/sslstrip-plus.html
CVE-2014-0038内核漏洞原理与本地提权利用代码实现分析
http://drops.wooyun.org/papers/3795
http://drops.wooyun.org/papers/3795
论如何优雅地蹭饭:克隆篡改公司饭卡(M1卡)
http://www.freebuf.com/articles/wireless/50123.html
http://www.freebuf.com/articles/wireless/50123.html
CTF Field Guide
https://trailofbits.github.io/ctf/
https://trailofbits.github.io/ctf/
ssctf writeup by anhkgg
http://anhkgg.gitcafe.com/ssctf-2014-11-1/
http://anhkgg.gitcafe.com/ssctf-2014-11-1/
Analysis of Uroburos, using WinDbg
https://blog.gdatasoftware.com/blog/article/analysis-of-uroburos-using-windbg.html
https://blog.gdatasoftware.com/blog/article/analysis-of-uroburos-using-windbg.html
嵌入式设备hacking笔记——网络摄像头hacking
http://bobao.360.cn/learning/detail/84.html
http://bobao.360.cn/learning/detail/84.html
漏洞挖掘分析:QCMS V2.0命令执行与暴绝对路径漏洞
http://www.freebuf.com/vuls/50506.html
http://www.freebuf.com/vuls/50506.html
Crypto Attacker Burp Plugin
http://webstersprodigy.net/2014/10/28/crypto-attacker-burp-plugin/
http://webstersprodigy.net/2014/10/28/crypto-attacker-burp-plugin/
Rootpipe:可获取苹果Mac OS X Yosemite系统最高权限的严重漏洞
http://www.freebuf.com/vuls/50168.html
http://www.freebuf.com/vuls/50168.html
Wget FTP软链接攻击漏洞(CVE-2014-4877)
http://www.freebuf.com/vuls/49641.html
http://www.freebuf.com/vuls/49641.html
ECSHOP Vul Tag_PHP_Code Execute Getshell
http://www.cnblogs.com/LittleHann/p/4077491.html
http://www.cnblogs.com/LittleHann/p/4077491.html
捆绑安装浏览器:技术剖析搜狗输入法中的猫腻
http://www.freebuf.com/tools/49546.html
http://www.freebuf.com/tools/49546.html
PHISHING MESSAGES WITH LINKS TO FAKE WEBMAIL LOGIN PAGES
http://www.malware-traffic-analysis.net/2014/11/08/index.html
http://www.malware-traffic-analysis.net/2014/11/08/index.html
教你解密Gh0st 1.0远控木马VIP版配置信息
http://drops.wooyun.org/tips/3589
http://drops.wooyun.org/tips/3589
How I REVERSE ENGINEERED GOOGLE DOCS To Play Back Any Document’s Keystrokes
http://features.jsomers.net/how-i-reverse-engineered-google-docs/
http://features.jsomers.net/how-i-reverse-engineered-google-docs/
Reflected File Download Attack 中文
http://drops.wooyun.org/papers/3771
http://drops.wooyun.org/papers/3771
SSCTF Writeup
http://drops.wooyun.org/tips/3603
http://drops.wooyun.org/tips/3603
让高大上的Bash破壳漏洞不再难理解(上)
http://www.freebuf.com/articles/system/50065.html
http://www.freebuf.com/articles/system/50065.html
Power Of Linked List, Xcon slides & additional thoughts
http://www.k33nteam.org/blog.htm
http://www.k33nteam.org/blog.htm
Powershell tricks#Bypass AV
http://x0day.me/index.php/archives/powershell-tricks-bypass-av.html
http://x0day.me/index.php/archives/powershell-tricks-bypass-av.html
SSCTF2014 QUAL WriteUp
http://www.secpulse.com/archives/1754.html
http://www.secpulse.com/archives/1754.html
关于聚合数据窃取用户通讯录的完整分析
https://blog.swan.im/analysis-of-juhe-data-who-steal-user-contacts-book/
https://blog.swan.im/analysis-of-juhe-data-who-steal-user-contacts-book/
浅谈信息安全早期预警理论模型–早期预警系统的整体模型
http://www.vrshield.org/?p=26
http://www.vrshield.org/?p=26
Mac OS X Live Forensics 107: Mac Malware
http://lockboxx.blogspot.hk/2014/11/mac-os-x-live-forensics-107-mac-malware.html
http://lockboxx.blogspot.hk/2014/11/mac-os-x-live-forensics-107-mac-malware.html
SQLiGODs 简单实例
http://www.91ri.org/11275.html
http://www.91ri.org/11275.html
2014 ISG信息安全技能竞赛writeup
http://bobao.360.cn/news/detail/734.html
http://bobao.360.cn/news/detail/734.html
Exploiting CVE-2014-4113 on Windows 8.1
http://www.exploit-db.com/download_pdf/35152
http://www.exploit-db.com/download_pdf/35152
从p0sixspwn源码看越狱流程、原理、目的
http://bbs.pediy.com/showthread.php?p=1327502#post1327502
http://bbs.pediy.com/showthread.php?p=1327502#post1327502
Root Cause Analysis of CVE-2014-1772
http://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-of-cve-2014-1772-an-internet-explorer-use-after-free-vulnerability/
http://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-of-cve-2014-1772-an-internet-explorer-use-after-free-vulnerability/
KdExploitMe:A kernel driver to practice writing exploits against
https://github.com/clymb3r/KdExploitMe
https://github.com/clymb3r/KdExploitMe
Inside Spying FinSpy for Android
http://2014.hack.lu/archive/2014/inside_spying_v1.4.pdf
http://2014.hack.lu/archive/2014/inside_spying_v1.4.pdf
SSCTF逆向部分Writeup
http://www.programlife.net/ssctf-reverse-writeup.html
http://www.programlife.net/ssctf-reverse-writeup.html
利用中转输出表制作HijackDll
http://bbs.pediy.com/showthread.php?t=154269
http://bbs.pediy.com/showthread.php?t=154269
ISG 2014 Final Pepper Analysis
https://blog.leoc.io/blog/20141103/isg-final-pepper/
https://blog.leoc.io/blog/20141103/isg-final-pepper/
The 5000$ Google XSS
http://blog.it-securityguard.com/bugbounty-the-5000-google-xss/
http://blog.it-securityguard.com/bugbounty-the-5000-google-xss/
NAGA & PIOWIND 2014 APP应用攻防竞赛第二阶段题目解析
http://bbs.pediy.com/showthread.php?p=1328679#post1328679
http://bbs.pediy.com/showthread.php?p=1328679#post1328679
关于RFD漏洞利用的一些思路
http://xteam.baidu.com/?p=67
http://xteam.baidu.com/?p=67
基于情报感知的信息安全:威胁情报标准
http://weibo.com/p/2304185610604c0102v7l2
http://weibo.com/p/2304185610604c0102v7l2
利用ROP绕过DEP(Defeating DEP with ROP)调试笔记
http://drops.wooyun.org/papers/3602
http://drops.wooyun.org/papers/3602
反击:人肉OSX系统某木马作者
http://www.91ri.org/11266.html
http://www.91ri.org/11266.html
Detecting and Exploiting the HTTP PUT Method
http://www.smeegesec.com/2014/10/detecting-and-exploiting-http-put-method.html
http://www.smeegesec.com/2014/10/detecting-and-exploiting-http-put-method.html
What You Need to Know About WireLurker
http://www.zdziarski.com/blog/?p=4140
http://www.zdziarski.com/blog/?p=4140
Heybe Toolkit:Penetration Testing Automation Toolkit
https://github.com/heybe
https://github.com/heybe
Android 5.0 原厂镜像正式公布
http://bbs.kafan.cn/thread-1784703-1-1.html
http://bbs.kafan.cn/thread-1784703-1-1.html
ssctf-crack
http://bigtang.org/ssctf-crack/
http://bigtang.org/ssctf-crack/
Powershell tricks::Powershell Remoting
http://drops.wooyun.org/tips/3473
http://drops.wooyun.org/tips/3473
WIRELURKER: A New Era in iOS and OS X Malware
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
安全专题
开源Web批量扫描工具
https://www.sec-wiki.com/topic/53
https://www.sec-wiki.com/topic/53
BIOS bootkit相关资料
https://www.sec-wiki.com/topic/52
https://www.sec-wiki.com/topic/52
-----微信ID:SecWiki-----
SecWiki,13年来一直专注安全技术资讯分析!
SecWiki:https://www.sec-wiki.com本期原文地址: SecWiki周刊(第36期)
